600 likes | 731 Views
LYU9905 Security in Mobile Agent E-Commerce Systems. Prepared by : Wong Ka Ming, Caris Wong Tsz Yeung, Ah Mole Supervisor : LYU Rung Tsong Michael. Outline (1). Introduction What is mobile agent? Project Overview Overview of SIAS – Shopping Information Agent System System Details
E N D
LYU9905Security in Mobile Agent E-Commerce Systems Prepared by : Wong Ka Ming, Caris Wong Tsz Yeung, Ah Mole Supervisor : LYU Rung Tsong Michael
Outline (1) • Introduction • What is mobile agent? • Project Overview • Overview of SIAS – Shopping Information Agent System • System Details • Implementation of SIAS • Security Measure of SIAS • Security Attack and Defense Scenarios in SIAS
Outline (2) • Agent Encryption Technique • Diffie-Hellman Key Exchange • Fault Tolerance of SIAS • Monitor Program • Connection Availability Detection • Security Analysis of SIAS • Trade-off between security & performance in SIAS • Project Review & Conclusion • Q & A Session
Introduction (1) • What is mobile agent? • A mobile agent is a software which can autonomously do the job for us. • For e-commerce, the aim of mobile agent technology is to provide an autonomous buying and selling environment. • Unlike the traditional client/server paradigm, which require continuous network connection, mobile agent make use of the mobile code paradigm, which can closed the connection once the agent is launched.
Introduction (2) • What is mobile code paradigm? • Consider the applet • The code is downloaded from the web server to the client side and runs in the client side through the web browser • Such strategy is called code on demand, which means the code are moving across the machine passively when demanded • Mobile code paradigm is little bit different in which the code will actively move from one host to another
Introduction (3) • What is the advantage of mobile agent? • It can be able to communicate with other agents, so it is suitable for some system, such as Stock Broker System. • It is mobile and able to travel from one host to another, so it is very suitable for mobile computing, in which the machine cannot be always connected to the network. • It reduces the network load and it also overcome network latency. • It is autonomous, has control over its own actions, which means it can adapt to changes dynamically. • Thus, it is robust and fault-tolerant
Project Overview (1) • Our project is aimed on designing a web-based e-commerce system building on top of mobile agent technology. • In the last semester, we have developed the SIAS system • SIAS is a web-based e-commerce mobile agent system • It provides users with information of products for sale in an electronic marketplace • It is written in Java programming language and on top of the Concordia API, which is developed by Mitsubishi Electric Research Lab
Project Overview (2) • What’s System does?
Implementation of SIAS (1) • 4 main objects in implementation • Agent • Database Server • Launch Server • Client Program
Implementation of SIAS (2) • Agent • Retrieves products information from Database Server to clients • Launch Server • A gateway between Agent System and Client Program • Instantiates and launches Agent whenever receives client requests • Receives Agent whenever Agent travels back
Implementation of SIAS (3) • Database Server • Receives incoming Agent whenever an Agent arrives • Retrieves product information for the incoming Agent • Client Program • A Java Applet runs on Web Browser • Sends requests to Launch Server • A Multi-threaded program, can handle multiple requestssimultaneously
Implementation of SIAS (4) • System Configuration • One Launch Server • 26 Database Servers • Client Program uses Netscape Communicator 4.5 or above
client request return result to client Implementation of SIAS (5) Database Server 1 Database Server 2 Database Server N Agent retrieves product information from Database Server N Agent travels through the network until it arrives at Database Server N Database Server 2 receives Agent and Agent retrieves product information Agent retrieves product information from Database Server 1 Agent calculates the cheapest price combination Database Server 1 sends out Agent Launch Server initializes the Agent Agent arrives at Database Server 1 Agent goes to Database Server 1 Launch Server sends out Agent Launch Server create an Agent Agent travels back to Launch Server Launch Server
Attacks and Defenses on SIAS (1) • Scenario 1 - Modification of query products ID • The list of products specified by user is stored as plain text • Malicious host can easily spy out the data and change it • Later hosts will response to such changes, and report wrong information • This violates the integrity of queries
Attacks and Defenses on SIAS (2) • Scenario 2 - Modification of query quantities • Similar to scenario 1 • This leads the later host to report wrong information
Attacks and Defenses on SIAS (3) • Scenario 3 - Spying out and modification of query results • Agents carry query results in plain text • Malicious hosts can spy out and modify the results that the agent has collected from previous hosts • Such changes can favor the malicious hosts • For example, a malicious host raises all the prices reported from previous hosts
Attacks and Defenses on SIAS (4) • Scenario 4 - Modification of itinerary of agent • Itinerary of an agent is accessible to hosts • Malicious hosts can change the itinerary of an agent • Agents may go to hosts that are not specified in itinerary • Agents may skip hosts that are specified in itinerary
Attacks and Defenses on SIAS (5) • Hybrid Attacks • Can mix the above 4 attacks
Attacks and Defenses on SIAS (6) • Solution to Attack Scenario 1 & 2 • We introduce encryption on the whole list of product IDs as well as the list of product quantities • {Product ID list} changed to: EA(Product ID list) • {Product Quantity list} changed to: EA(Product Quantity list) Key: Ex(Y) = CipherText of Plain Text Y encrypted by private key of entity X; Dx(Y) = Plain Text of CipherText Y decrypted by public key of entity X; A = Agent;
Attacks and Defenses on SIAS (7) • Solution to Attack Scenario 3 • We introduce RSA encryption algorithm on the results obtained from the Database Server • {Query result} changed to: EH(Query result)
Attacks and Defenses on SIAS (8) • Solution to Attack Scenario 4 • The Database Server will sign the path of the agent to ensure the agent goes the right path New attribute for Agent: Encrypted_Itinerary Encrypted_Itinerary = EH1(Next Host at Host H1) + EH2(Next Host at Host H2)+ ... + EHn(Next Host at Host Hn); At Launch Server, we compare original itinerary to : DH1(EH1(Next Host at Host H1)) + DH2(EH2(Next Host at Host H2))+ ...+ DHn(EHn(Next Dost at Host Hn))
Attacks and Defenses on SIAS (9) • Introduce 2 objects to support security measures • RSA object ; and • Key Server object
Attacks and Defenses on SIAS (10) • RSA object is the core of Secure SIAS design • It helps to implement a public key infrastructure (PKI) • It can encrypt a character string to ciphertext, and decrypt a ciphertext to a character string
Attacks and Defenses on SIAS (11) • Key Server object acts as a Certificate Authority (CA) of our PKI • It accepts public keys from agents and hosts, and distribute them • It uses RMI in transporting public keys • Why not agent but RMI?? • Endless chain of security measures
Attacks and Defenses on SIAS (12) • A Secure SIAS
Agent Encryption (1) • For Java, the bytecode can easily be decompiled by decompiler such as mochaand any decompiling software. • Therefore we should obscure a mobile agent’s code to make it hard to reverse engineer. • We use agent encryption to encrypt the mobile agent before it travels to one host to another host. • After it reaches the destination host, it will then be decrypted as a normal mobile agent and starts its normal execution.
Because the agent is encrypted, the ability of traveling from host to host will then be done by an envelope agent. An envelope agent is a normal agent will encapsulate the encrypted agent. It travels to hosts on behalf of the buying agent. It aims to protect the buying agent during transmission. Agent Encryption (2)
Agent Encryption (3) • Therefore before envelope agent moves to the next host, it will encrypt the buying agent . • When it reaches the destination host, it will decrypt the buying agent and execution of the agent will then be performed as normal after decryption.
Agent Encryption (4) • We found that our original RSA algorithm cannot encrypt the agent object. • Thus, we have to try another method • we have used symmetric key approach • We make use of the Diffie-Hellman Key Exchange for exchanging the symmetric key between two hosts.
Agent Encryption (5) • Diffie-Hellman Key Exchange • It is a key exchange technique which enables two users to exchange a key securely without actually transmitting the key in the network.. • Therefore attackers cannot get the symmetric key by tapping the network. • It can then be used for subsequent encryption of message. • It depends for its effectiveness on the difficulty of computing discrete algorithm
Diffie-Hellman Key Exchange (con’t) Agent Encryption (6) • Under its scheme, there are two publicly known numbers: a prime number n and an integer g that is a primitive root of n • Suppose hosts A and B wish to exchange a key • Host A selects a random integer x < n and computes X = gxmod n. • Similarly, host B independently selects a random integer y < n and compute Y=gymodn. • Each side keeps x and y be private and makes X and Y available publicly to the other side. • Host A computes the key as K = Yxmodn and host B computes the key as K = Xymodn. • These two calculations produce the same result and act as the symmetric key
Agent Encryption (7) • Thus, the two sides have exchanged a secret key. • Furthermore, because x and y are private, an opponent only has the following ingredients to work with: g, n, X and Y. • Thus, the opponent is forced to take a discrete logarithm to determine the key. • For example, attacking the secret key of host B, the opponent must compute y using Y, g and n which is computationally difficult to do so.
Agent Encryption (8) • Using Diffie-Hellman Key Exchange technique, we can use the symmetric key to encrypt the agent. • We use the bitwise XOR to encrypt and decrypt the agent • When the agent wants to travel to next host, it first get the public key of the next host and generate the symmetric key using the private key of the host that it resides. Then it will encrypt itself using the symmetric key. • When the agent reaches the destination host, it will get the public key of the previous host and decrypt itself using the secret key the destination host.
Agent Encryption (9) • To implement agent encryption for our system SIAS, we have introduce three more objects to our system, namely the Encrypt Agent which is the envelope agent encapsulating the buying agent, the DHKey, and the DHKey Server. • The Encrypt Agent is an agent which contains the encrypted buying agent. It acts as an envelope agent and travel to hosts on behalf of the buying agent. • It aims to protect the buying agent during transmission.
Agent Encryption (10) • Why use Encrypt Agent to enclose buying agent? • Since the buying agent is encrypted during transmission, the agent would then be unable to travel to the next host. • It is because the sending host is unable to recognize the encrypted code of the agent and therefore the agent is not executable at all after encryption. • Encrypt Agent will act on behalf of the buying agent to travel around the hosts. It encapsulates the buying agent and move to the next host. • Hosts will recognize the Encrypt Agent and do the execution (i.e. encryption and decryption).
Agent Encryption (11) • The DHKey contains the private key and the pubic key for Diffie-Hellman Key Exchange. • It has two methods, namely encrypt and decrypt for agent encryption and decryption. • These two methods perform their operation by making use of two internal method – toByteArray and toObject. • The method toByteArray can change the object into byte array which can then be used for symmetric encryption algorithm. • The method toObject can change the byte array back to object which is the decrypted agent.
Agent Encryption (12) • DHKey Server is similar to the Key Server. Instead of storing RSA public keys, it stores the public keys of Diffie-Hellman Key Exchange Algorithm. • When the system start up, each host and server will send a public key to the DHKey Server. The keys are then store in it.
Agent Encryption (13) • When an Encrypt Agent reach a host, it needs the public key of the previous host for agent decryption. It will invoke the method of the DHKey Server for the public key. • Similarly, when an Encrypt Agent want to moved to the next host, it will invoke the same method to get the public key of the next host for agent encryption. • The connection between the Database Servers or Launch Server and the DHKey Server is done by Java RMI.
Reliability of SIAS (1) • Our system is highly dependent on Concordia API • Faults occur in Concordia API cannot be avoided • In Concordia architecture, an agent will lose if anyone of the destinations of agent does not exist • This introduces data loss • To prevent data loss, fault-tolerance design is needed
Reliability of SIAS (2) • Whenever a component fails, we restart it • Component restart strategy: • Database Server fails • restart the failed host • Launch Server fails • A whole system recovery • Launch Server loses backups for security measures • Key / DHKey Server fails • A whole system recovery • Public keys lost due to failures cannot be recovered
Reliability of SIAS (3) • We design two strategies in our fault-tolerance design • Logging System • Connection Availability Detection, CAD
State Error Message Reliability of SIAS (4) • Logging System • Maintain Log File of each component • Each line of a log file contains state as well as message of the component ...... [initialization] Listening to Incoming Agents [handle agent] Agent arrived [handle agent] Error in connecting to SQL Server ......
Reliability of SIAS (5) • With Logging System, we can successfully restart failed components • However, we cannot prevent data loss • Agent can still reach failed components • We need additional features to prevent data loss
Reliability of SIAS (6) • Connectivity Availability Detection, CAD • A mechanism analogous to PING
Reliability of SIAS (7) • Weakness in our design • Data loss if failures occur at Launch Server, Key Server or DHKey Server because of a whole system recovery • Data loss if the component that the agent resides fails
Reliability of SIAS (8) • Implementation I • We introduce a Monitor Program to our system • The Monitor Program is responsible for Logging System as well as CAD
restart signal server ping ping ping ping server Reliability of SIAS (9) Monitor Program If a server fails Server restarts server server server server It does not response to ping signal • A forever loop is used to check the servers
Reliability in SIAS (10) • A Ping signal is a combination of two kinds of inspections • A Log File inspection • It looks for Error Messages in a log file • A RMI binding detection • It looks for a RMI address binding • Each component has to bind a RMI address • Failure will unbind a RMI address
Reliability in SIAS (11) • Implementation II • Modify Launch Server and Database Servers • Embed CAD features in Launch Server and Database Servers