Table Of ContentMOBILE AGENT SECURITY THROUGH MULTI-AGENT CRYPTOGRAPHIC PROTOCOLS
Ke Xu, B.E.
Dissertation Prepared for the Degree of
DOCTOR OF PHILOSOPHY
UNIVERSITY OF NORTH TEXAS
May 2004
APPROVED:
Stephen R. Tate, Major Professor
Armin R. Mikler, Committee Member
Ram Dantu, Committee Member
Krishna Kavi, Chair of the Department of
Computer Science and Engineering
Oscar Garcia, Dean of the College of
Engineering
Sandra Terrell, Interim Dean of the Robert B. Toulouse
School of Graduate Studies
Xu, Ke, Mobile agent security through multi-agent cryptographic protocols. Doctor of Philos-
ophy (Computer Science), May 2004, 141 pp., 6 tables, 7 flgures, references, 69 titles.
An increasingly promising and widespread topic of research in distributed computing is the
mobile agent paradigm: code travelling and performing computations on remote hosts in an au-
tonomous manner. One of the biggest challenges faced by this new paradigm is security. The
issue of protecting sensitive code and data carried by a mobile agent against tampering from a
malicious host is particularly hard but important. Based on secure multi-party computation, a re-
cent research direction shows the feasibility of a software-only solution to this problem, which had
been deemed impossible by some researchers previously. The best result prior to this dissertation
is a single-agent protocol which requires the participation of a trusted third party. Our research
employs multi-agent protocols to eliminate the trusted third party, resulting in a protocol with
minimum trust assumptions.
Thisdissertationpresentsoneoftheflrstformaldeflnitionsofsecuremobileagentcomputation,
in which the privacy and integrity of the agent code and data as well as the data provided by the
host are all protected. We present secure protocols for mobile agent computation against static,
semi-honest or malicious adversaries without relying on any third party or trusting any speciflc
participant in the system. The security of our protocols is formally proven through standard proof
technique and according to our formal deflnition of security.
Our second result is a more practical agent protocol with strong security against most real-
world host attacks. The security features are carefully analyzed, and the practicality is demon-
strated through implementation and experimental study on a real-world mobile agent platform.
All these protocols rely heavily on well-established cryptographic primitives, such as encrypted
circuits, threshold decryption, and oblivious transfer. Our study of these tools yields new contri-
butions to the general fleld of cryptography. Particularly, we correct a well-known construction of
the encrypted circuit and give one of the flrst provably secure implementations of the encrypted
circuit.
ACKNOWLEDGEMENTS
Deep thanks to my advisor, Dr. Steve Tate, for suggesting the topic and continuous guidance
throughouttheresearch, fornumerousfruitfuldiscussionsaboutsomeofthemostintriguingdetails
in this work, for moral support and encouragement, and for providing ample opportunities for
me to interact with the research community. Thanks to the committee members, Dr. Mikler
and Dr. Dantu, for the hard work of reviewing this dissertation and providing helpful feedbacks.
Furthermore, this research was supported in part by the National Science Foundation, Trusted
Computing program, award 0208640.
Every step in my life would have been impossible without the greatest love and support from
my parents. Thank you, Mom and Dad, for your indispensable role in this remarkable journey.
ii
CONTENTS
ACKNOWLEDGEMENTS ii
LIST OF TABLES vi
LIST OF FIGURES vii
1 INTRODUCTION 1
1.1 Mobile Agent Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.1 Protecting Agents with Secure Multi-Party Computation Protocols . . . . . . 5
1.1.2 Prior Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.1.3 Basic Idea and Drawbacks of The ACCK Protocol . . . . . . . . . . . . . . . 7
1.2 Our Research | Secure Computation with Multi-Agents . . . . . . . . . . . . . . . . 10
1.2.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.2 Organization of This Dissertation . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3 The ACCK Protocol for Secure Mobile Agent Computation . . . . . . . . . . . . . . 15
1.3.1 The Computational Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3.2 The Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2 PROVABLY SECURE MOBILE AGENT COMPUTATION 22
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.1.1 Deflnition of Security for Secure Function Evaluation . . . . . . . . . . . . . . 23
2.1.2 Computational Indistinguishability . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2 Secure Mobile Agent Computation | The Deflnitions . . . . . . . . . . . . . . . . . 31
2.2.1 The Ideal Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.2.2 The Real Model and The Deflnition of Security . . . . . . . . . . . . . . . . . 36
iii
2.3 The Universal Composition Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.4 Basic Tool 1: Encrypted Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.4.1 The Beaver-Micali-Rogaway Construction of Encrypted Circuits . . . . . . . 40
2.4.2 The Security Flaw of The BMR Construction . . . . . . . . . . . . . . . . . . 42
2.4.3 Using Splitters to Correct The Problem . . . . . . . . . . . . . . . . . . . . . 47
2.4.4 Proving Security for The Enhanced BMR Construction . . . . . . . . . . . . 49
2.5 Basic Tool 2: (Concurrent) Oblivious Threshold Decryption . . . . . . . . . . . . . . 56
2.5.1 1-out-of-2 Oblivious Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.5.2 Threshold Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.5.3 Oblivious Threshold Decryption . . . . . . . . . . . . . . . . . . . . . . . . . 63
2.5.4 Concurrent OTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
2.6 Secure Mobile Agent Computation against Static, Semi-Honest Adversaries . . . . . 69
2.6.1 Basic Tool 3: Public-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . 69
2.6.2 Secure Mobile Agent Protocol in The Hybrid Model . . . . . . . . . . . . . . 71
2.6.3 Proof of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.6.4 Secure Mobile Agent Protocol in The Real Model . . . . . . . . . . . . . . . . 79
2.6.5 Communication Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.7 Protecting Universally Composable Protocols against Malicious Adversaries . . . . . 81
2.7.1 The Goldreich-Micali-Wigderson Compiler . . . . . . . . . . . . . . . . . . . . 82
2.7.2 A Universally Composable Compiler . . . . . . . . . . . . . . . . . . . . . . . 84
2.8 Secure Mobile Agent Computation against Static, Malicious Adversaries . . . . . . . 86
2.8.1 The Infeasibility of Efiectively Predicting Ofi-Path Signals . . . . . . . . . . . 87
2.8.2 Secure Mobile Agent Protocol against Static, Malicious Adversaries . . . . . 90
2.8.3 Proof of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
iv
2.8.4 Communication Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3 A PRACTICAL MOBILE AGENT PROTOCOL 95
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3.2 Security against Malicious Adversaries . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.2.1 Secure Oblivious Threshold Decryption . . . . . . . . . . . . . . . . . . . . . 97
3.2.2 More Fortiflcations for OTD . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.2.3 Protection against Other Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 105
3.3 Putting It Altogether. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.3.1 Security Deflnitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.3.2 The Practical Protocol for Secure Mobile Agent Computation . . . . . . . . . 108
3.3.3 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4 EXPERIMENTAL RESULTS 115
4.1 Implementation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.1.1 The JADE System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.1.2 Code Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.2 Test Conflgurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.3 Performance Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
5 CONCLUSION 129
5.1 Open Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
BIBLIOGRAPHY 133
v
LIST OF TABLES
1.1 Comparison of the three secure computation-based approaches . . . . . . . . . . . . 7
3.1 Privacy and integrity achieved by Protocol 3.3.2. . . . . . . . . . . . . . . . . . . . . 114
4.1 Cryptographic tools used by our implementation. . . . . . . . . . . . . . . . . . . . . 121
4.2 Test parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.3 Performance of the ACCK protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.4 The initial sizes of the mobile agents in number of bytes, with 32-bit MAX circuit,
256-bit signal size, and 1024-bit keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
vi
LIST OF FIGURES
2.1 A circuit that computes z = max(x ;x ). . . . . . . . . . . . . . . . . . . . . . . . . 43
1 2
2.2 TheencryptedsubcircuitM . Wiresfi gettheinputbitsfromx , andoutputwires
1 k 1
(cid:176) provide the bits of y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
k 1
2.3 Basic cryptographic tools for secure mobile agent computation. . . . . . . . . . . . . 80
4.1 Implementation of the secure mobile agent computation protocol . . . . . . . . . . . 120
4.2 Overall running time of Protocol 3.3.2 with 32-bit MAX circuit . . . . . . . . . . . . 123
4.3 AveragetimeanagentspendsoneachhostinProtocol3.3.2with32-bitMAXcircuit,
and the circuit evaluation time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.4 Average computation overhead per host . . . . . . . . . . . . . . . . . . . . . . . . . 126
vii
CHAPTER 1
INTRODUCTION
Mobile agents are goal-directed, autonomous programs capable of migrating from host to host dur-
ing their execution, using a combination of agent technology and mobile code. Working as an agent
for its user, a mobile agent can execute the user’s authority and work autonomously toward a goal.
Itisalsomobileinthattheagentprogramcansuspenditsexecutionatonehost, transferitself|its
code, data, and execution state|to another host, and resume execution there. The combination
of autonomy and mobility provides mobile agents enormous potential for application in today’s
Internet-based, distributed computing environment. Typical application areas, to name a few, in-
clude E-commerce, information retrieval, software distribution and administration, and network
management. The mobile agent paradigm ofiers several advantages over traditional network appli-
cations. First, mobile agents work independently from their users. The only interaction occurs at
the beginning of the agent’s lifetime, when it is created and sent out to remote hosts by the user,
and in the end when the agent returns back to the user. This makes mobile agents an attractive
paradigm for applications such as mobile computing where the communication bandwidth is lim-
ited or the user cannot or is not always connected to the network. Second, through migrating to
remote hosts, mobile agents are able to bring their execution close to the resource, therefore could
potentially save a large amount of communication overhead. Furthermore, compared to the client-
server paradigm, the mobile agent paradigm is more adaptive to the outside world. For example,
the agent can adjust its itinerary according to its current status.
Along with these notable properties and the bright prospect of a wide range of applications, the
mobile agent technology also faces some serious challenges. Like many other new technologies, mo-
bile agents sufier the lack of necessary infrastructure and widely-deployed applications. There are
1
mobile agent systems developed in both academia and industry, such as Telescript [66], Aglets [5],
Agent Tcl [44], Concordia [67], Mole [8], etc, but none of them has achieved commercial success.
Yet another even more serious hurdle for mobile agents is security. Awoken by the recent, seemly
endless and ever changing security attacks on the Internet, people have realized that security is
an inherent requirement for computer software, especially network-based applications. Hence, the
mobile agent technology cannot achieve all its promised success without a sound security mecha-
nism. Unfortunately, due to the unique executing scenario of mobile agents, security issues in this
paradigm are mostly brand-new, as illustrated in the following section.
1.1 Mobile Agent Security
Fromthesecurityperspective, amobileagentsystemconsistsofthreebasiccomponents: theagent,
theoriginator(alsoknownasthehomehost)fromwhichtheagentoriginates,andtheremotehosts1
that the agent visits. The distinctive feature of the mobile agent paradigm, as far as security is
concerned, is that there is little trust among these basic components, except for the agent and
its originator. The originator worries about hosts tampering with its agents, while the hosts are
concerned about potential damage an agent could do. And for many e-commerce applications such
as bidding, the hosts are competing with each other, so fair play is essential in such situation.
Considering all these issues, security threats in the mobile agent paradigm can be divided into
three categories [40].
† Agents attacking hosts. Amaliciousagentcouldtrytogainunauthorizedaccesstoahost’s
resources or secrets, through exploiting the security holes in the host system or masquerading
as an authorized agent. The agent can also launch denial-of-service attacks by consuming
excessive amount of resource. So far, threats in this category have been the most studied
1From now on, we’ll simply use \hosts" when talking about the remote hosts.
2
Description:Our second result is a more practical agent protocol with strong security against . 2.3 Basic cryptographic tools for secure mobile agent computation.
