Uwe G. Wilhelm

Introducing trusted third parties to the mobile agent paradigm

The mobile agent paradigm gains ever more acceptance for the creation of distributed applications, particularly in the domain of electronic commerce. In such applications, a mobile agent roams the global Internet in search of services for its owner. One of the problems with this approach is that malicious service providers on the agents itinerary can access confidential information contained in the agent or tamper with the agent. In this article we identify trust as a major issue in this context and propose a pessimistic approach to trust that tries to prevent malicious behaviour rather than correcting it. The approach relies on a trusted and tamper-resistant hardware device that provides the mobile agent with the means to protect itself. Finally, we show that the approach is not limited to protecting the mobile agents of a user but can also be extended to protect the mobile agents of a trusted third party in order to take full advantage of the mobile agent paradigm.

A simple logic for authentication protocol design

The authors describe a simple logic. The logic uses the notion of channels that are generalisations of communication links with various security properties. The abstract nature of channels enables one to treat the protocol at a higher abstraction level than do most of the known logics for authentication, and thus, one can address the higher level functional properties of the system, without having to be concerned with the problems of the actual implementation. The major advantage of the proposed logic is its suitability for the design of authentication protocols. They give a set of synthetic rules that can be used by protocol designers to construct a protocol in a systematic way.

A hierarchy of totally ordered multicasts

The increased interest in protocols that provide a total order on message delivery has led to several different definitions of total order. In this paper we investigate these different definitions and propose a hierarchy that helps to better understand the implications of the different possibilities in terms of guarantees and communication cost. We identify two definitions: weak total order and strong total order, which are at the extremes of the proposed hierarchy, and incorporate them into a consistent design. Finally, we propose high-level algorithms based on a virtually synchronous communication environment that implement the given definitions.

Extensions to an authentication technique proposed for the global mobility network

We present three attacks on the authentication protocol that has been proposed for the so-called global mobility network in the October 1997 issue of the IEEE Journal on Selected Areas in Communications. We show that the attacks are feasible and propose corrections that make the protocol more robust and resistant against two of the presented attacks. The aim is to highlight some basic design principles for cryptographic protocols, the adherence to which would have prevented these attacks.

A pessimistic approach to trust in mobile agent platforms

The problem of protecting an execution environment from possibly malicious mobile agents has been studied extensively, but the reverse problem, protecting the agent from malicious execution environments, has not. We propose an approach that relies on trusted and tamper-resistant hardware to prevent breaches of trust, rather than correcting them after the fact. We address the question of how to base trust on technical reasoning. We present a pessimistic approach to trust that tries to prevent malicious behavior from occurring in the first place, rather than correcting it after it has occurred.

Protecting the Itinerary of Mobile Agents

New approaches for distributed computing based on mobile agent technology, such as Java, Telescript, or Agent Tel become ever more pervasive. Typical applications of mobile agents in the domain of electronic commerce are agents that roam the Internet in search of services for their owners. The question of how to protect agent platforms from malicious agents is extensively being tackled. The reverse problem of how to protect mobile agents and the potentially confidential information they contain from malicious platforms is largely ignored.

Solving Fair Exchange with Mobile Agents

Mobile agents have been advocated to support electronic commerce over the Internet. While being a promising paradigm, many intricate problems need to be solved to make this vision reality. The problem of fair exchange between two agents is one such fundamental problem. Informally speaking, this means to exchange two electronic items in such a way that neither agent suffers a disadvantage. We study the problem of fair exchange in the mobile agent paradigm. We show that while existing protocols for fair exchange can be substantially simplified in the context of mobile agents, there are still many problems related to security which remain difficult to solve. We propose three increasingly flexible solutions to the fair exchange problem and show how to implement them using existing agent technology. The basis for ensuring the security properties of fair exchange is a tamper-proof hardware device called a trusted processing environment.

Security in the Telecommunications Information Networking Architecture-the CrySTINA approach

We present the first results of the CrySTINA project. We analyze and structure the security problem domain in the TINA-C architecture and present our approach to provide the necessary security functionality in the form of self-contained application-independent security services and security mechanisms as part of the DPE functionality. The DPE is assumed to be basically provided by CORBA products. Therefore, we introduce the CORBA security specification and investigate if and how the identified TINA security services can be implemented using the CORBA security functionality.

Closed user groups in Internet service centres

The paper presents a model for end-user directed access control to services in Internet service centres that, beside the classical Internet services (e.g., e-mail), offer a multitude of new services (e.g., on-line conferencing and auctioning) over the Internet. The model is based on the concept of closed user groups. The main idea is that at creation time each service instance and its components are assigned to a user group previously formed by a subset of the end-users, and access control is performed for access attempts through checking the group assignment of the accessed resource against the group memberships of the authenticated accessing end-user. Access control is directed by the end-users through the management of group memberships. We describe the concept of closed user groups, the management of group memberships, the enforcement of access control, and the realisation with off-the-shelf software for a middleware based service environment, which is characterised by the use of CORBA, Java, and WWW technology.