Security Protections for Mobile Agents

Size: px

Start display at page:

Download "Security Protections for Mobile Agents"

Allen Robinson
5 years ago
Views:

1 Stephen R. Tate Dept. of Computer Science and Engineering University of North Texas Talk describes joint work with Ke Xu and Vandana Gunupudi Research supported by the National Science Foundation

2 class Agent { public void Register() {... AGENTID=007 HOME= class Agent { public void Register() {... AGENTID=007 HOME= Delta Airlines American Airlines class Agent { public void Register() {... AGENTID=007 HOME= Originator Hosts United Airlines Slide 2

3 ! " # $%&'( Slide 3

4 ) $* +!, - -* $** Slide 4

5 -.* Integrity-only protection methods Vandana Gunupudi and Stephen R. Tate. Performance Evaluation of Data Integrity Mechanisms for Mobile Agents, 2004 IEEE Conference on Information Technology: Coding and Computing Information Assurance and Security Track, 2004, pages Comprehensive protection with minimal trust assumptions S. R. Tate and K. Xu. "Mobile Agent Security Through Multi-Agent Cryptographic Protocols", 4th International Conference on Internet Computing (IC 2003), pp Provable security in the universally composable paradigm S. R. Tate and K. Xu. Universally Composable Mobile Agent Computation, to appear in 7 th Information Security Conference (ISC 04), Sept Slide 5

6 Data Integrity Easy solution: All hosts have public/private keys and certificate, and sign all data and a running hash. But: Can this be done either (a) without a PKI or (b) without using public key crypto Slide 6

7 Previous Methods Idea 1: Create one-use secrets for a MAC that only the originator can recover. Partial Result Authentication Code [Yee 1998] new secret = hash(current secret) Hash Chaining [Karjoth et al., 1999] new secret = hash(current secret, data, next host) Problem: Old results can t change Set Authentication Code [Loureiro, 2001] Set Hash of MAC values from hosts Given host secret, host can insert and delete elements But: Originator and each host must share a secret Slide 7

8 Our Results New, more efficient method for establishing shared secrets for set authentication code Experimental study of all methods Baseline agentsize final PRAC agentsize final HC agentsize final SAC agentsize final MSAC agentsize final Agent size (bytes) Number of host visits Slide 8

9 More Results Times overalltimes Baseline overalltimes Hash Chaining overalltimes Modified Set Authentication Code overalltimes PRAC overalltimes Set Authentication Code Time (seconds) Number of host visits Slide 9

10 %)/ 0 ) 1 & "&)( & 2 3 "3)( 4*52 % "%)( %.&) 3) * %) * Slide 10

11 )6* $' %'$ '$* %!7,,, )899:' $' '; ';'< %% <% 8!+.%8999' %'%#'%#'4 #''.!7%&)=>>>' #'%'%#'%0'4?' % %!7,,, )=>>8' Slide 11

12 .7 ) +/ "'( % Slide 12

13 Basic Tool: 2-party Secure Function Evaluation [Yao 1986] Inputs: Alice holds value w Bob holds value x Computation: Compute f(w,x) (y,z) Output: Alice gets y Security: Bob gets z Alice learns no more about x than follows from y Bob learns no more about w than follows from z Examples: Salary comparisons Slide 13

I need the encrypted form of my x, so let s do an oblivious transfer so I can get this bit-by-bit.

14 2-party SFE How it works Here s an encrypted circuit to compute f(w,x) along with the encrypted form of w. I m also sending the key to decrypt your output (z). I need the encrypted form of my x, so let s do an oblivious transfer so I can get this bit-by-bit. Alice Here s the encrypted form of y. Now I evaluate the encrypted circuit to get encrypted (y,z). Bob I can decrypt my own output z. Slide 14

15 2-party SFE Applied to Agents Here s an encrypted circuit to compute f(w,x) along with the encrypted form of w. I m also sending the key to decrypt your output (z). Host i-1? I need the encrypted form of my x, so let s do an oblivious transfer so I can get this bit-by-bit. Now I evaluate the encrypted circuit to get encrypted (y,z). Host i Here s the encrypted form of y. Host i+1 I can decrypt my own output z. Slide 15

16 . $".$(.81 * -@1$ Slide 16

17 7 Originator "#"$"! #"$ &! k "#"#"! 1,0 = #"# k 1,1 = "%"$"! %"$ k "%"#"! 2,0 = %"# k 2,1 = "#"$"! #"$ "%"#"! %"# "#"$"! #"$ "#"#"! #"# "%"$"! %"$ "%"#"! %"#!'! #"$! #"$ & ('!! %"# %"#! Slide 17

18 , % % 7CCCC <.D.,1, : Slide 18

19 .<* E ( E " E (.1 " (' +1* 51 "( "( Slide 19

20 . $ ".$( * 1 * * 01 " ( * Slide 20

21 ,, $1$ '! " ( 8*! 8 ' <1.$.$ $ "*( Slide 21

22 Universally Composable Security Proposed by Canetti [FOCS 2001] Problem to solve: Some protocols are secure when analyzed by themselves, but become insecure when combined with other protocols Example: Zero-knowledge proofs UC model of computation includes parties, adversary, and environment Slide 22

23 Universally Composable Security Environment Z Environment Z Adversary S Adversary A P 1 P 2 P 3... P n Ideal Functionality F Protocol π P 1 P 2 P 3... P n Communication Adversary talks to Z, corrupts parties, controls communication F does all the computation Adversary also sees communication Parties do all the computation Security Goal: A S Z: IDEAL F,S,Z REAL π,a,z Slide 23

24 Important Properties of UC Security Composability (informal): If protocol ρ is secure using ideal functionality F as a subprotocol/oracle, then ρ using π is secure. Malicious adversary compiler: If a protocol π is secure against honest-but-curious adversaries, it can be compiled into a protocol σ that is secure against malicious adversaries. Down side: Inefficient construction and requires broadcasting all messages to all parties. Slide 24

25 Difficulties with UC Agent Computation Concept of traveling integral to mobile agents, and treating as a function evaluation doesn t capture this. Autonomous property of agents means originator should be able to go off-line and not participate further but malicious adversary compiler requires all parties participate in all steps. Slide 25

26 Our Solutions Carefully crafted ideal functionality reflects notion of agent moving Ideal functionality steps agent computation Agent purposely exposed to adversary between steps Properties of encrypted circuits used to handle malicious hosts wrt the originator s interests, and compiler used for the rest Slide 26

27 Ideal Functionality F MA 1. Originator sends all initial agent states to F MA 2. Hosts send private inputs to F MA 3. F MA does the following: a) F MA collects values sent to it, and when it has both the agent state input to a host and that host s private data, it computes the new state and output, sending the output back to the host. b) If F MA receives a request from both the originator and a host to reveal the agent state, send the input state for this agent back to the originator (note that otherwise all intermediate agent states never leave F MA ). c) When the final host is visited for any agent, send the final agent state back to the originator. Slide 27

28 Main Results Theorem 1: Given a UC realization of non-interactive threshold cryptography, for any threshold parameter m>n/2, our protocol securely realizes the mobile agent ideal functionality in which an honest-butcurious adversary can corrupt up to m-1 hosts. Theorem 2: Given a UC realization of non-interactive threshold cryptography, for any threshold parameter m>n/2, our protocol in conjunction with our combined use of the malicious adversary compiler and our custom technique securely realizes the mobile agent ideal functionality in which a malicious adversary can corrupt up to m-1 hosts. Slide 28

29 %.) * * * / C 5 C Slide 29

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn