
8/6/2019 p21-vuong

A Security Architecture and Design for Mobile Intelligent Agent Systems

Son T. Vuong and Peng Fu
Department of Computer Science, The University of British Columbia, Vancouver, B.C. V6T 1Z4, Canada
Email: vuong@cs.ubc.ca

ABSTRACT

Although mobile intelligent agent technology greatly promises to provide an elegant and efficient way of solving complex distributed problems as well as offering a new approach to human-computer interaction, the general lack of security measures in existing mobile intelligent agent systems severely restricts their scope of applicability. In this paper, we focus on the security design issues for mobile intelligent systems. We propose a security architecture and implement a security system based on the architecture for a novel mobile intelligent system, Actigen. This security system makes use of a rich security model that provides an identification capability to each principal and supports system resource access control to a very fine level of granularity. The security system also offers some methods to detect if the behavior or data of an Actigen agent is tampered. Although the security architecture was developed for Actigen, its applicability can be generally suited to any mobile intelligent systems.

Keywords: Mobile intelligent agents, fault tolerance, agent security, certificates, and authentication.

1 INTRODUCTION

Mobile intelligent agent technology has drawn a tremendous amount of attention from the researchers in distributed computing in the past several years as it greatly promises to provide an elegant and efficient way of solving complex distributed problems as well as offering a new approach to human-computer interaction. The word "agent" has been used in a variety of contexts, ranging from robotics to networking to artificial intelligence to human-computer interaction to distributed systems. The following attributes are often associated with agents: awareness, reactivity, mobility, cooperation, intelligence, and personality (autonomy). Other systems that are associated with the term "agent" include intelligent routers, web searching tools, e-commerce applications, robots and many more.

Unlike traditional mobile intelligent agent systems where a small set of APIs are provided to support limited agent (code) mobility and cooperation capabilities, a novel agent system, called Actigen, offers a complete high-level language that is, despite its fairly simple syntax, rich in semantics and mechanisms for integration, control and management for rapid, effective realization of seamless, cooperative distributed applications. However, like many other mobile systems, the lack of security and fault tolerance supports in Actigen severely restricts its scope of applicability. In most mobile intelligent agent systems, the software agent travels autonomously within the agent enabled networks, executes itself in the agent execution environment, collects useful information and makes its own decision on behalf of its owner. It is the autonomous behavior of the agent and the malicious nature of the Internet that give rise to various important security issues, for both the software agent and its execution environment. Three key security issues have been identified for mobile intelligent agent systems [2] [7], as follows:

- Protect the agent against malicious host
- Protect the host against agent
- Protect the network communication

All the three issues have been widely investigated and researched. Whereas no significant solutions have yet been found for the first problem, the third issue, protecting the network communication, can be easily resolved by simply applying a secure communication protocol, e.g. the Security Socket Layer [11] as used in Concordia [3]. Most research work on agent security has focused on the second problem: protecting the host. The Secure Actigen System (SAS) architecture proposed in this paper also addresses this problem of protecting the host. Methods of Actigen syntactic integrity check and append-only data log are introduced to detect if an agent has been compromised. The remainder of this paper is organized as follows. In Section 2, an overview of the Actigen system is presented; Section 3 describes the overall structure of the SAS; Section 4 describes the Actigen Certification Infrastructure (ACI); Section 5 and Section 6 discuss the method to protect the Actigen hosts and agents. Finally, the status of an implementation of the SAS and suggestions for future work are provided in the conclusion section.


2 ACTIGEN - A MOBILE INTELLIGENT AGENT SYSTEM

Figure 1. Structure of an Actigen host

The Actigen mobile agent system, based on Wave [10], is a novel spatial programming paradigm, language and system for parallel processing of open distributed systems. It models the physical and virtual world as a Knowledge Network (KN), which resides on a physical network such as the Internet. There is no restriction on the topology of the KN; the mapping between the KN and the underlying physical network can be arbitrary. An Actigen program, so-called Actigen agent (or simply Actigen or agent), migrates itself autonomously (under its own control) from one KN node to another and interacts with the local environment to perform the task on behalf of the user who injects it. A physical node, which one or more nodes of the Actigen KN are mapped into, is called an Actigen host (or simply host). An Actigen host contains three major software components: 1) an Actigen interpreter, which executes the Actigen agent and manages the local KN nodes; 2) an OS interface processor, which enables the Actigen interpreter to access and update the local resources; and 3) a communication processor, which handles the network communication to allow the Actigen agent to migrate from an Actigen host to another via UDP or TCP/IP. The general structure of an Actigen host is shown in Figure 1.

A variety of applications have been developed in Wave, the Actigen's predecessor, including the modeling and control of mobile telecommunication networks, integration of distributed databases, simulating the mobile-IP protocol, BGP, and congestion control and routing protocols [1] [12] [13] [113] [6]. Actigen enjoys substantial enhancements from its predecessor in many aspects, including the language, the interpreter development tools, fault tolerance and, as addressed in this paper, security. As Wave is a powerful agent system which allows the creation and launching of agents of arbitrary sizes and behaviors, its lack of the basic security properties makes it extremely vulnerable and risky to use. For example, an agent can take the full control of a host, chewing up all of its computing cycles and accessing all of its resources, or can even change the topology of the KN. Wave has currently no mechanisms to prevent or cope with the agents' malicious behaviors. It is thus essential to develop and incorporate security mechanisms into the enhanced agent system, Actigen.

Figure 2. Architecture of the Secure Actigen System (layers: Application, Agent, SAS, Operating System)

3 A SECURITY ARCHITECTURE FOR ACTIGEN

In this section, we discuss the overall architecture for the Secure Actigen System (SAS), including the design criteria and the description of the principals in the SAS.

3.1 Overview of the Secure Actigen System (SAS) Design Criteria

In developing the SAS, the following design criteria have been used:

Minimal changes - We made the key design decision to keep the changes to the original agent system to the minimum. Thus, the SAS was realized by adding a so-called Secure Actigen Add-on (SAA) component to the original (insecure) agent system and by organizing the SAA in a modular structure. In this security architecture, illustrated in Figure 2, the SAA comprises a thin layer wrapping around a host (from above and from below) to guard the interaction between an agent and a host as well as between a host and the underlying operating system.

Secure - Security is the basic criterion and the goal of the SAS. The SAS should provide a secure execution environment for both the agent and the host. Naturally, the SAS, which performs all the security functions for the original agent system, must also be, itself, secure.

Transparent - The applications invoking the agents should not be aware of and burdened with the authentication, access control and secure communication that are taking place in the SAS. Legacy agent applications should be able to run on the SAS with no changes.

Scalable - Actigen is an emerging disruptive technology. As such, the SAS should be flexible and scalable to support potential dynamic open-ended growth in size and complexity of the KN and in the number and size of the agents that need to be injected into the KN for large-scale distributed applications, e.g. the computing grid. This scalability criterion, in turn, requires that the SAS naming and identification scheme be scalable.

Portable - The design should be kept as general as possible so that only minor changes would be required to apply the security architecture to other mobile agent systems or to port the SAS to different operating systems.

We have previously mentioned the three broad classes of security challenges in mobile agent systems: (i) protect the host from malicious agent; (ii) protect the agent from malicious host; and (iii) protect the network communication. The partial solutions for the three classes of problems are summarized in the remainder of this subsection and described in more detail in subsequent sections.

3.1.1 Protecting the host

Solving the problem of protecting the host entails two tasks: authentication and authorization. Authentication involves identification of all the entities within the system. Authorization concerns the access control of the entities based on their identities. Proper access privileges should be identified before the allocation of the resources to ensure a safe access control procedure.

Authentication - The authentication process typically involves a sequence of two tasks: the first task is to give identification to all the entities in SAS; the second task is to authenticate these identities. Because SAS will exist in an open and distributed network such as the Internet, the identification and the authentication of the SAS must be enforceable without any central knowledge. Therefore, a simple centralized approach using user ids and passwords to identify entities in the system would not be suitable. A decentralized method, e.g. using public-key cryptography and digital signatures, must be used instead. However, to ensure the quality of secure services, there must also be some level of authorities to supervise the distribution of trust. The trade-off between uncontrolled distributed style and centrally controlled style must be taken into consideration in the authentication system. Our proposed scheme for the SAS uses the digital certificate and signature for authentication, and the secure execution environment to authorize resource access. Every agent carries the certificate of its injector and is signed by him/her. The SHA1-DSA algorithm is used for the signature. An Actigen Certification Infrastructure (ACI) is used to distribute and revoke certificates.

Figure 3. Naming Scheme in an SAS Domain (AC.cs.ubc.ca at the root; AA1.cs.ubc.ca, ...; user1@AA1.cs.ubc.ca, ...)

Authorization - After the authentication of an agent, some proper authorization must be realized. Access control is what authorization is all about. That is, it specifies and controls the extent to which an agent with a certain identity can use the agent platform's resources and services. The access control is not only meant to control access to physical resources, e.g. a file system (hard drive), but also access to the behavior of an agent. A set of systematic access control rules must be provided. The security policies on how to apply the access rules should also be explained. Before an Actigen host provides any services to an Actigen agent, a strict security check must be performed based on these policies and rules.

3.1.2 Protecting the agent

The system must provide techniques to protect the code and data integrity of an agent from a malicious host. Unlike protecting a machine from a malicious agent, most problems in protecting the agent from the host remain unsolvable [7]. For example, an agent cannot verify whether: (i) an interpreter is untampered; (ii) an interpreter will run an agent correctly; (iii) a host will run an agent to completion; and (iv) a host will transmit an agent as requested [8]. However, we believe some partial solutions can be developed to protect the agent, i.e. its code and data. Another important class of problems is to protect an agent from the attack of other agents. We reckoned the solution of this problem is analogous to the one of protecting an agent from a malicious host, since the interaction between agents is always through a host, so that from an agent's point of view, it cannot tell who initiates the interaction.

In our approach, we do not try to 'hide' the content of Actigen from the interpreter, say, by using code encryption [4]; instead, we aim at developing a method to detect when an agent is compromised. In particular, we want to protect the agent's behavior and the data it collects. A method of Actigen syntactic integrity check mechanism is used to detect if the Actigen's behavior is tampered. An append-only data log approach is also used to prevent the agent's collected data from being tampered.

3.1.3 Protecting Communication

The communication between the Actigen interpreters (daemons) involves the migration of the Actigen agent and some Actigen system management information. Protecting the communication can be achieved by setting up secure channels between Actigen hosts. Secure Socket Layer (SSL) [11] is the most widely used protocol for secure network communication nowadays, which provides authentication and encryption services for TCP connections. SSL provides encrypted communication so that eavesdropping attacks can be prevented. SSL also provides mutual authentication of both sides of the connection so that man-in-the-middle attacks can be prevented. SSL can be plugged into applications at the socket layer and the application does not need any special security knowledge or security related code about SSL. In this case, the network communication security is hidden at the socket level, so that the usage of the original TCP socket can be simply replaced by an SSL socket in the Actigen communication processor, without affecting the Actigen interpreter or the OS interface processor. Since the solution to the security problem of protecting the network communication is well understood and uncorrelated to the other challenging security problems, we will not discuss it further in the paper.

We now turn to a general description of the components of the SAS that address the host protection solutions.

3.2 Principals in the Secure Actigen System

The Secure Actigen System (SAS) is composed of so-called principals. A principal is an entity whose identity can be authenticated. Each principal performs a specific role and has its own responsibilities and interests. Each principal is also associated with a certificate, which provides the principal's privilege, role and public key. Inside the system, the identity of the principal is determined by its signature, and the security policy is performed according to the principal's privilege. The principals in the SAS are described as follows:

3.2.1 Injector (User)

An injector is a user that is the owner of the agent, and that injects the agent into the Actigen KN. In some systems, e.g. Aglet, the code manufacturer, code injector and agent owner are considered as different entities. In the SAS, we only have the injector, i.e. the owner of the agent, who may or may not program the agent itself. An injector can also be called a user since every injector is a registered user of an Authentication Agent.

Identity: An injector's identifier together with an Authentication Agent's identifier uniquely identifies the injector. The injector's identifier is unique only within an authentication agent's domain.

Roles: An injector initiates the execution of an agent at a particular KN node.

3.2.2 Actigen Agent (XA)

An Actigen agent belongs to the injector that injects it into the system.

Identity: The agent's ID or Serial Number (SN) and its owner's ID. The agent's SN needs to be unique only among the agents injected by the same injector. The agent's identity will be signed by the agent's injector and the agent's privilege is inherited from its owner/injector.

Roles: The XA performs a task on behalf of the injector.

3.2.3 Authentication Agent (AA)

An Authentication Agent is a stationary agent, which resides beside the Actigen interpreter.

Identity: An AA's identity is determined by the address of its residing host, e.g. [email protected]. The Actigen interpreter does not have its own identity, but it can be identified via the AA's identity. Every AA will have an administrator as its super user. The administrator has the right to configure the AA and maintains the AA's injectors.

Roles:
- User account management
- User certificate management
- Local security policy deployment
- Agent injection control

3.2.4 Authentication Center (AC)

Unlike the AA, the AC doesn't have any Actigen interpreter associated with it. An AC has only one super user, i.e. the administrator who can configure and change the state of the AC.


Figure 4. General Security Architecture (AC: Authentication Center; AA: Authentication Agent; CA: Certification Authority; Alien Network: network domain with another mobile agent system)

Identity: An Authentication Center is a special-purpose host. It manages the local SAS domain. Thus, its identity is also determined by the residing host's address, e.g. AC@ubc.ca.

Roles:
- AA certificate issuing and management
- Agent registration and management
- Local domain security policy maintenance
- Passport issuing (described in Section 4)
- Visa issuing (described in Section 4)

3.3 Naming Scheme of the Principals

Inside an SAS domain, the AC is the root of all the principals. An SAS domain is composed of an AC and several AAs, each of which has several users (injectors) registered under it. A hierarchical DNS-style naming system is used to name the principals in an SAS domain. The name of the AC depends on the domain name of its residing host. Thus, the home AC is at the root of the local SAS namespace. Suppose an SAS domain is named cs.ubc.ca; then, all the principals can be named as shown in Figure 3.

4 ACTIGEN CERTIFICATION INFRASTRUCTURE (ACI)

Giving identification to each principal of the SAS in an open network is not a trivial task. Certification together with encryption and signature provide a very open way to support both security and privacy [5]. A certificate binds a public key and a privilege to an injector in the SAS. There is no centralized injector account management needed, but a systematic certificate management technique must be used. There are currently two widely used certification systems, which are based on the X.509 [14] protocol and the Pretty Good Privacy (PGP) [9] protocol, respectively. X.509 is an ITU standard directory service, in which a server or a distributed set of servers maintains the information about the users. X.509 infrastructure is a centralized top-down organization: the top-level Certification Authority (CA) issues the certificates to the immediate lower-level CAs. The soundness of the certificate is based on the trustworthiness of the CA. On the other hand, PGP is a distributed scheme, based on a referral model in which the certificate depends on the integrity of a chain of authenticators. The authenticators are the users themselves. The users and their keys are referred from one user to the other, as in a friendship circle that forms an authentication ring. There is no central control for the issuing and maintenance of the certificates; the users are themselves responsible for this task. This is due to the fact that PGP is an Internet phenomenon, which is not designed by an official organization but invented and developed largely by one person, Phil Zimmermann, and its source is publicly available.

The X.509 model uses a centralized control of trust, which in nature is opposite to the concept of an open network. A failure of an upper-level CA will cause the failure of the whole certificate infrastructure underneath it. PGP on the other hand is totally decentralized, so there is no single point of failure. However, PGP faces the problem of no guarantee of accountability, coherence, dependability and correct authentication, which restricts its commercial application. After a careful evaluation of X.509 and PGP, we came up with a new certification system, called the Actigen Certification Infrastructure (ACI), which combines the strengths of the two approaches while avoiding their weaknesses.

As illustrated in Figure 4, the SAS is organized into domains, each of which comprises an Authentication Center (AC) and several Authentication Agents (AAs). Inside a domain, the trustworthiness depends on the AC and AA. An SAS domain can be a LAN, an organization's VPN or just a cluster of machines. All the machines in the domain belong to a control authority so that consistent and integrated trustworthiness can be deployed via a hierarchical certificate management structure. Between the SAS domains, a so-called passport-visa decentralized approach is used.

4.1 Intra-Domain Certification Service

Within an SAS domain, a two-tier certification hierarchy is used: (i) AA -> User and (ii) AC -> AA. The AA assigns each local user (injector) a certificate; also, the AA holds a certificate issued by an AC. An injector's identity can be recognized by a chain of two certificates: the injector's certificate and his/her AA's certificate. Because the two tiers use the same certificate management technique, we shall simply use the terms "issuer" and "holder" generally to refer to the issuer and holder of either certificate.

Key pair generation

The key pair generation is the responsibility of the certificate holder. It only happens in two cases: (i) when the holder first registers to the issuer or (ii) when the holder's key pair needs to be updated. In both cases, the holder will generate the key pair and submit the public key to the issuer. The issuer only manages the account and the public key of the holder and it doesn't know the holder's private key. In the case when an issuer is tampered, the private key of its registered holders can remain safe.

Certificate distribution

An AC will distribute the certificates of all of its AAs so that every AA knows the certificates of the other AAs. The user's certificate needs not be distributed explicitly. The Actigen agent will carry it during its migration. The identity can be verified by the user's certificate together with its AA-assigned certificate.

Certificate revocation
A certificate needs to be revoked when it has not yet expired but its content has been changed or tampered with. The serial numbers of all certificates that need to be revoked are submitted to the AC. The AC has two ways to circulate this information to all of its AAs: (i) publish all the revoked certificates on a Certificate Revocation List (CRL), which every AA periodically looks up to update its Revoked Certificate Buffer (RCB); or (ii) push (broadcast) the information to all other AAs as soon as the AC receives a Certificate Revocation Request (CRR) from an AA.
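The following Go program is an added example, not code from the Actigen system (whose implementation is in Java). It models the two-tier certificate handling of this section: holders generate their own key pairs, an issuer signs only a submitted public key, an injector is recognized through the AA certificate plus the injector certificate, and a verifier consults its Revoked Certificate Buffer before trusting a certificate. The certificate layout, the use of Ed25519 signatures, the names AC1/AA1/AA2/alice and the "issuer/serial" RCB key are all assumptions made for the example; the real system is X.509-compatible. It also issues one short-lived certificate to stand in for the passport of Section 4.2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert stands in for the paper's X.509-compatible certificate; this field set is an assumption.
type Cert struct {
	Serial    uint64
	Subject   string
	Issuer    string
	PubKey    ed25519.PublicKey
	NotAfter  time.Time
	Signature []byte // issuer's signature over tbs()
}

func (c *Cert) tbs() []byte { // to-be-signed encoding: every field except the signature
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[:8], c.Serial)
	binary.BigEndian.PutUint64(b[8:], uint64(c.NotAfter.Unix()))
	b = append(append(append(b, c.Subject...), 0), c.Issuer...)
	return append(append(b, 0), c.PubKey...)
}

// Principal is an AC, an AA or an injector: it owns its key pair (the issuer never sees priv).
type Principal struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	RCB  map[string]bool // Revoked Certificate Buffer, keyed "issuer/serial"
}

func NewPrincipal(name string) *Principal {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Principal{Name: name, Pub: pub, priv: priv, RCB: map[string]bool{}}
}

// Issue signs a certificate binding holder to the public key it submitted (passports/visas: ttl of hours).
func (p *Principal) Issue(serial uint64, holder string, holderPub ed25519.PublicKey, ttl time.Duration) *Cert {
	c := &Cert{Serial: serial, Subject: holder, Issuer: p.Name, PubKey: holderPub, NotAfter: time.Now().Add(ttl)}
	c.Signature = ed25519.Sign(p.priv, c.tbs())
	return c
}

// Revoke records a serial in this verifier's RCB, after a CRL lookup or a push from the AC.
func (p *Principal) Revoke(issuer string, serial uint64) { p.RCB[fmt.Sprintf("%s/%d", issuer, serial)] = true }

// Verify checks one certificate against the public key of its claimed issuer.
func (p *Principal) Verify(issuerPub ed25519.PublicKey, c *Cert, now time.Time) error {
	switch {
	case p.RCB[fmt.Sprintf("%s/%d", c.Issuer, c.Serial)]:
		return errors.New("revoked")
	case now.After(c.NotAfter):
		return errors.New("expired")
	case !ed25519.Verify(issuerPub, c.tbs(), c.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// VerifyChain recognizes an injector by the two-certificate chain: the AA certificate under
// the trusted AC key, then the injector certificate under the key named in that AA certificate.
func (p *Principal) VerifyChain(acPub ed25519.PublicKey, aaCert, injCert *Cert, now time.Time) error {
	if err := p.Verify(acPub, aaCert, now); err != nil {
		return fmt.Errorf("AA certificate: %w", err)
	}
	if injCert.Issuer != aaCert.Subject {
		return errors.New("injector certificate not issued by the presented AA")
	}
	if err := p.Verify(aaCert.PubKey, injCert, now); err != nil {
		return fmt.Errorf("injector certificate: %w", err)
	}
	return nil
}

// Demo: AC1 certifies AA1, AA1 certifies injector alice, and AA2 (which trusts AC1) verifies.
func Demo() (good, tampered, revoked, stalePassport error) {
	ac, aa, alice, aa2 := NewPrincipal("AC1"), NewPrincipal("AA1"), NewPrincipal("alice"), NewPrincipal("AA2")
	aaCert := ac.Issue(1, aa.Name, aa.Pub, 365*24*time.Hour)
	aliceCert := aa.Issue(7, alice.Name, alice.Pub, 30*24*time.Hour)
	now := time.Now()
	good = aa2.VerifyChain(ac.Pub, aaCert, aliceCert, now)
	forged := *aliceCert // a host rewrites the subject but cannot re-sign without AA1's key
	forged.Subject = "mallory"
	tampered = aa2.VerifyChain(ac.Pub, aaCert, &forged, now)
	aa2.Revoke(aliceCert.Issuer, aliceCert.Serial) // the CRL entry has reached AA2's RCB
	revoked = aa2.VerifyChain(ac.Pub, aaCert, aliceCert, now)
	// A passport (Section 4.2) is the same certificate format with a lifetime of a few hours.
	stalePassport = aa2.Verify(ac.Pub, ac.Issue(2, "agent-xa", alice.Pub, 2*time.Hour), now.Add(3*time.Hour))
	return
}

func main() { fmt.Println(Demo()) }
```

Run with `go run`: the four results are nil (valid chain), a bad-signature error for the rewritten subject, a revoked error once the serial is in AA2's RCB, and an expired error for the passport checked an hour after its two-hour lifetime. Two points worth noting from the order of checks in Verify: a revoked or expired certificate is rejected before its signature is examined, so a verifier that skips the RCB lookup would accept a perfectly signed but withdrawn certificate; and while a compromised issuer never learns holders' private keys, every certificate it signed still has to be revoked.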

4.2 Inter-Domain Passport-Visa Approach
The certificates described so far are used within, and have local significance within, an SAS domain. The next question is how to identify an Actigen agent when it moves out of its (local) SAS domain into another domain, since there is no common authority that both SAS domains trust. Consider the analogy of people travelling between countries. Suppose Bob wants to travel from China to Canada. Bob has to get a passport from the Chinese government and then apply for a visa from the Canadian embassy. With the passport and the appropriate visa Bob can legally enter Canada; however, Bob's behaviour abroad is still restricted by the visa, e.g. Bob cannot legally attend school in Canada on a visitor's visa. The same approach can be applied to the Actigen system. When an Actigen agent travels out of its local domain, it applies for a passport from the local AC, and upon arriving at the other SAS domain it requests a visa from the AC of the destination SAS domain. We assume here that the two ACs of the two SAS domains already have in place an agreement on the security policy for inter-domain agents.
A passport is a certificate issued by the local AC and a visa is a certificate issued by the foreign (destination) AC. Since AAs and ACs do not travel between domains, this passport-visa security measure applies only to Actigen agents.

Passport issuing

The passport is a special certificate (same format) prepared for foreign SAS domains. It can only be issued by an AC to its local agents. The information in the passport is based on the agent's certificate and the AC's foreign policy. When the agent travels outside its local domain, it no longer carries its injector's certificate.

Visa obtaining
A visa is a special certificate (same format) prepared for foreign agents. It can be issued only by the AC of the foreign (destination) SAS domain. The content of the visa is based on the agent's passport, its access request and the inter-domain agreement between the two ACs: the passport-issuing (local) AC and the visa-issuing (destination) AC. The passport together with the visa constitutes the agent's identification document while it travels inside the foreign SAS domain.

Passport/visa revocation

The passport and the visa have a very short expiration time, e.g. a few hours, so no explicit revocation is needed.

4.3 Benefit of the Actigen Certification Infrastructure (ACI)
The major benefits of the ACI are listed as follows:

Matching the real-world structure

The Internet is an interconnection of networks, which usually belong to different organizations. There is no central control over these networks; however, within each network a central authority typically exists. The ACI is thus designed to reflect this inherent structure of the Internet.

Ease in certificate revocation
Certificates are kept local inside an SAS domain so as to facilitate the task of certificate revocation. For inter-domain agents, we do not need to revoke the passport and visa certificates owing to their short expiration times.

X.509 compatibility
The X.509 protocol suite is a popular commercial standard nowadays. It is widely used in e-commerce, implemented in most modern programming languages, supported by most large software companies and used in many web sites. Quite a few security technologies use X.509, including Netscape, IPSec and SSL. Our ACI can be easily adapted to the X.509 infrastructure without change. Conceptually, an AC has all the functionalities of a CA in X.509. By registering the AC (Authentication Center) with an existing CA (Certification Authority), an SAS domain can be turned into a branch of the X.509 directory service. Figure 4 shows the links between the ACs and a CA, in which an AC registers with the CA and becomes part of the X.509 directory.

5 PROTECTING THE HOST

5.1 Structure of Authentication Agent
In designing the SAS, our main goal is to develop a security approach that is general and that requires minimal changes to the existing interpreter. Thus, we came up with the architecture of the Authentication Agent (AA) shown in Figure 5. In this security architecture, an Authentication Agent resides beside the Actigen interpreter; the AA acts as a wrapper that "wraps" around the interpreter, so that all interactions between the interpreter and its environment go through the AA for security actions. An AA interacts directly with the interpreter through three components: (i) the AA Authentication Manager, (ii) the AA Communication Manager, and (iii) the AA Resource Manager. In addition, there are two other components, not shown in Figure 5: (iv) the AA User Interface Manager, and (v) the AA Security Policy Manager. The user interface manager provides a GUI and a console interface to the user for account management and agent injection. The security policy manager selects and implements a local security policy. The five components of an AA are summarized as follows:

AA User Interface Manager: Provides the interface for the user to access and manage the AA (Actigen interpreter). The user can only inject an agent through the interface manager.

AA Authentication Manager: Checks the identity and the privilege of an injector/user when the user injects an agent; the authentication manager also registers the agent.

AA Resource Manager: Supervises the agent's access to the local resources through the Actigen interpreter. The privilege of the agent is inherited from its injector; the identity of the agent's injector may also be considered if required by the security policy.

AA Communication Manager: Adds the agent's identification information to the agent (Actigen program) when the agent leaves the interpreter (Actigen host), and removes and checks the identification information when the agent arrives at the Actigen host from another host. Encryption for secure communication is also applied when necessary.

AA Security Policy Manager: Maintains a table of access permissions, which maps privileges to local resources. The access table can be customized at the Actigen host level according to local interests. The security policy manager together with the resource manager allows the access control to be customized and enforced.

5.2 Security Policies
All the principals described above can adhere to some pre-defined security policies, except for the Actigen agents, whose injectors determine the policy. For example, a user that injects an Actigen agent may want the agent to verify each Actigen interpreter before it migrates itself to it. On the other hand, an Authentication Agent (AA) may set its policy to forbid access to a certain directory to any agent whose injector has a privilege less than a certain value (e.g. 20). The overall effect must reflect a compromise of all the existing policies. An Actigen agent may travel across different Actigen domains with various security policies. A trans-domain policy is maintained by the inter-domain Authentication Center (AC). For example, an agent with a privilege of 20 in Domain 1 (as shown in Figure 4) may migrate itself to Domain 2, in which a different security policy is deployed. The agent must go through the inter-domain AC before migrating to Domain 2. The inter-domain AC will assign the agent a new certificate. In generating the new certificate, the AC considers the security policies of both domains and assigns the agent a new privilege according to the agreement between the two domains. When the Actigen agent travels out of an Actigen domain into a foreign domain, the inter-domain AC can also negotiate the security policy with non-Actigen systems and perform a certificate-compatible translation.

5.3 Rule-Based Access Control
The access control is set according to the AA's local security policy and access rules.
When an Actigen agent executing on an Actigen interpreter makes a request for a local resource, the request is passed to the AA resource manager. The resource manager checks the security policy and the privilege of the agent; whether the access is granted depends on the access rules.

The operations of an agent in the Secure Actigen System are classified into 4 groups as follows:

UO - Unrestricted Operations
IRO - Identification Required Operations
PRO - Privilege Required Operations
MCO - Most Critical Operations

Let op denote a single operation and OP a set of operations. Furthermore, let i denote a given injector and I(OP) the set of injectors that can perform the set of operations OP. We have the following relation:

I(UO) ⊇ I(IRO) ⊇ I(PRO) ⊇ I(MCO)

Let auth(obj) denote the fact that the identification of an object obj (an Actigen host or an injector) has been tested and approved, and let s denote a given sender. Furthermore, PrivilegeReq(op) denotes the minimum privilege an agent must have to perform op, and PrivilegeHas(i) denotes the privilege an injector i has. For any operation op, we apply the following access control rules:

a. If op ∈ UO
   Rule: no rule; perform the operation.

b. If op ∈ IRO
   Rules:
   1. Injector identity based rule: if auth(i), then grant the access to op.
   2. Injector and sender based rule: if auth(s) and auth(i), then grant the access to op.

c. If op ∈ PRO
   Rule: privilege based rule. If PrivilegeHas(i) ≥ PrivilegeReq(op), then grant the access to op.

d. If op ∈ MCO
   Rule: integrity based rule. If PrivilegeHas(i) ≥ PrivilegeReq(op), then check the agent's integrity (Section 6); if the check passes, then grant the access to op.

Figure 5. Structure of an Authentication Agent in an Actigen Domain (diagram not reproduced; it shows Actigen agents, the Domain 1 Authentication Agent and the local resource it mediates access to)

6 PROTECTING THE AGENT

6.1 Actigen Syntactic Integrity Check Mechanism
An Actigen agent can be tampered with while passing through a malicious host, resulting in a change of its desired behavior: the host may add some malicious actions to the Actigen agent or remove some of its existing behaviors. The agent (or Actigen program) is actually a sequential, parallel or unordered composition of space-time actions, which are performed on an Actigen interpreter during the agent's migration between nodes in the KN. The Actigen agent is encoded as a string (actions) with vectors (data). Once an action is coded in an Actigen agent it cannot be changed (but can be removed) under a legal interpretation, so a primitive algorithm for a syntactic integrity check can be applied. Consider the following scenario in the global environment depicted in Figure 4. An Actigen agent (xa) originates from Domain 1 and travels through the inter-domain link AC1-AC2 to Domain 2. When xa travels out of Domain 1, it has to go through AC1 to get its passport; AC1 then keeps a copy of the agent, clone(xa), before injecting it into Domain 2. When xa finishes its task in Domain 2, it tries to return to Domain 1 by passing through AC1, where it is subject to an integrity check before it is allowed any further actions in Domain 1. This security measure follows the security policy of AC1. The check is carried out by AC1 by matching the returning xa against its clone: xa should be a sub-string of clone(xa); otherwise xa is declared to have been tampered with in Domain 2. In this example we assume that AC1 itself is not tampered with.
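The check point at AC1, as an added example and not the Actigen code itself. The section states the criterion as xa being a sub-string of clone(xa); because a legal interpretation may remove actions anywhere in the action string, the example tests whether the returning action string is a subsequence of the clone, which every contiguous sub-string also satisfies. The agent id, the action names and the sample itineraries are constructed for the example.

```go
package main

import "fmt"

// Agent is the Actigen agent as Section 6.1 encodes it: a string of actions.
// The data vectors are outside this check (Section 6.2 addresses them).
type Agent struct {
	ID      string
	Actions []string
}

// IsSubsequence reports whether got can be obtained from want by removing
// actions only: nothing inserted, modified or reordered.
func IsSubsequence(got, want []string) bool {
	j := 0
	for _, a := range want {
		if j < len(got) && got[j] == a {
			j++
		}
	}
	return j == len(got)
}

// Checkpoint plays the role of AC1: it keeps clone(xa) when the agent leaves
// with its passport and compares the returning agent against it.
type Checkpoint struct {
	clones map[string][]string
}

func NewCheckpoint() *Checkpoint { return &Checkpoint{clones: map[string][]string{}} }

// Depart stores clone(xa) for the departing agent (a private copy, not a shared slice).
func (c *Checkpoint) Depart(a Agent) {
	c.clones[a.ID] = append([]string(nil), a.Actions...)
}

// Return checks the returning agent. tampered is true when an action was
// inserted, modified or reordered abroad, or when no clone exists for this id.
func (c *Checkpoint) Return(a Agent) (tampered bool, reason string) {
	clone, ok := c.clones[a.ID]
	if !ok {
		return true, "no clone kept: agent never departed through this AC"
	}
	if !IsSubsequence(a.Actions, clone) {
		return true, "action inserted, modified or reordered in the foreign domain"
	}
	return false, ""
}

func main() {
	cp := NewCheckpoint()
	xa := Agent{"xa-1", []string{"hop", "read", "report", "hop"}}
	cp.Depart(xa)
	for _, back := range [][]string{
		{"hop", "report", "hop"},          // "read" consumed abroad: legal
		{"hop", "read", "exfil", "hop"},   // action inserted
		{"hop", "write", "report", "hop"}, // action modified
	} {
		tampered, why := cp.Return(Agent{xa.ID, back})
		fmt.Printf("%v tampered=%v %s\n", back, tampered, why)
	}
}
```

The limitation follows directly from the rule that removal is legal: a host that merely deletes an action (say, the agent's own verification step before its next hop) produces a perfectly valid subsequence and is not detected, and the whole check rests on AC1 being trustworthy and on the returning agent presenting the id under which its clone was stored.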

6.2 Append-Only Data Log
The Actigen syntactic integrity check mechanism is a useful way to test whether the state of the agent has been tampered with. However, it cannot easily detect whether the agent's data has been tampered with if the behavior of the returning agent remains the same as the copy kept by the AC. The append-only data log is an approach for protecting against this kind of attack. Whenever the Actigen agent collects some data from a host, it attaches the data to the data log and encrypts the whole log with its public key (the matching private key stays with the injector and never travels with the agent). The log becomes a black box to the following hosts: they do not know the Actigen agent's private key and therefore cannot read the content of the log. Nor can a host make any meaningful change to the log, because any change makes the decrypted data meaningless. The agent gives the data log an initial value so that a host cannot simply delete the existing log and create a new one. The encryption process can be described by the following function:

Encrypt(Encrypt(Encrypt(initLog + data1) + data2) + data3)

where data1, data2 and data3 are the items collected at successive hosts, each layer being encrypted under the agent's public key.

7 CONCLUSION AND FUTURE WORK
In this paper, we discussed the fundamental security problems in intelligent mobile agent systems and proposed some solutions for a Secure Actigen System. We addressed the problem of protecting the host from malicious agents as well as protecting the agent from malicious hosts. The design of the secure Actigen system is kept general and separate from the Actigen interpreter, so that the underlying method may be portable to any platform and applicable to other mobile agent systems. A prototype of this Secure Actigen System is being implemented in the Internet Computing Laboratory at the University of British Columbia; the implementation of the security components now exceeds 6,000 lines of Java code.

Our Secure Actigen System is a first attempt to solve the security problems in Actigen and in mobile intelligent agent systems in general. Many issues still need to be investigated further before complete, viable solutions can be found. For example, a method for protecting an agent's identity is quite important for the injector's privacy. Also, the concepts of the Actigen syntactic integrity check and the append-only data log are still primitive; more detailed designs and scenarios must be investigated, with quantitative performance evaluations. Last, but not least, is the application of the SAS to some substantial practical application, e.g. a Napster-like or grid-like global distributed file system.