Mobile Agent for Secure Web-Service - PowerPoint PPT Presentation



1
Mobile Agent for Secure Web-Service
  • Debashis Roy
  • Katayoon Moazzami
  • Rachita Singh

2
Outline
  • Introduction
  • Security issues in mobile agent web service
    integration
  • Selected Papers
  • Agent-based Delegation Model
  • Bilinear Diffie-Hellman Public Key System
  • Boneh-Franklin ID-based Public Key Scheme
  • Conclusion

3
Introduction
  • Web services
    • Based on XML, SOAP, WSDL
    • Enables communication between software clients
    • Invokes services from a service provider
    • Information retrieval, online calculation, etc.
  • Mobile agent
    • Mobile executable object
    • Dispatched from owner/agent service provider
    • Migrates autonomously in the network

4
Why Mobile Agent?
  • A mobile agent can migrate in the network
    independently
  • Returns to the owner after finishing the
    task
  • Does not need a continuous network connection,
    unlike conventional RPC
  • Applicable to devices with limited bandwidth and
    resources

5
Security Issues
  • Non-repudiation
    • Verify that the sender and the recipient are the
      parties who claim to send or receive the message
  • Authentication
    • Verify the digital identity of the sender/receiver
  • Authorization
    • Decide the access to data or function
    • Use traditional ACL (Access Control List) or RBAC
      (Role Based Access Control)

6
Selected Papers
  • H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim, D.
    S. Park, Agent-Based Delegation Model for the
    Secure Web Service in Ubiquitous Computing
    Environments, International Conference on Hybrid
    Information Technology, ICHIT '06, Volume 1,
    pp.51-57, Nov. 2006.
  • J. Zhang, Y. Wang, V. Varadharajan, Mobile Agent
    and Web Service Integration Security
    Architecture, IEEE International Conference on
    Service-Oriented Computing and Applications, SOCA
    '07, pp.172-179, June 2007.
  • J. Zhang, Y. Wang, V. Varadharajan, A New
    Security Scheme for Integration of Mobile Agents
    and Web Services, Second International
    Conference on Internet and Web Applications and
    Services (ICIW'07), pp.43-48, May 2007.

7
Agent-based Delegation Model
  • All communication is done with the help of
    agents.
  • The user gives his/her credentials to his/her agents;
    the agents transfer the user's credentials to web
    service providers.
  • Extends the SAML 1.1/2.0 (Security Assertion
    Markup Language) specification to transfer
    delegation information between the user and the
    agents

8
Components of Delegation Model
  • Web-Service Management Server (WSMS)
    • Based on the XACML (eXtensible Access Control Markup
      Language) model.
    • Mediator between the users and the web service
      providers
    • Manages the web services and the policies
      registered by the web service providers
    • Assigns appropriate roles to the user.

9
Components of Delegation Model (contd.)
  • Principal (P)
    • The user who delegates his/her rights to agents
  • Principal Agent (PA)
    • Communicates with other agents on behalf of P
  • Carrier Agent (CA)
    • PA delegates its rights to CA
    • CA can communicate with other agents if required
  • Service Agent (SA)
    • Verifies the validity of the delegation assertion
    • Processes P's service request

10
Components of Delegation Model (contd.)
  • Authentication Authority (AA)
    • Authenticates Ps or agents
  • Delegation Authority (DA)
    • Issues delegation assertions to authenticated
      agents

11
The Delegation Model

12
Delegation Assertion
  • Indicates whether P or an agent is capable of
    delegating their rights or not.
  • Based on the SAML (Security Assertion Markup
    Language) specification
  • Digitally signed by DA
  • P's information is encrypted with AA's public key
  • Contains additional information such as
    • Service provider's URL
    • Inputs to the WSDL
    • Least role
    • Recipient agent PA
  • Encrypted with the service provider's public key

13
Delegation Interaction

14
Discussion
  • Agents can delegate their rights to other agents
    without any privacy disclosure
  • Principal agent PA has the complete control over
    all delegation operations
  • No agent can delegate its rights to another agent
    without PA's approval
  • The communication between any two components is
    encrypted with a public key cryptosystem
  • Requires a considerable amount of time and
    resource for encryption and decryption

15
Bilinear Diffie-Hellman Public Key System
  • ID-based authentication instead of the
    certification authority (CA)
  • One key required for encrypting a service
    available to a group of users
  • Based on the computational Diffie-Hellman and the
    Bilinear Diffie-Hellman assumptions

16
Assumptions
  • Web service provider consists of different web
    services to which users can be assigned
  • Each of these users has a mobile agent
  • The users that are assigned to a specific web
    service resource form a group
  • Web service provider acts as a key distribution
    centre (KDC)
  • Keys allocated to each group of users
  • The users are free to join any web service
    resource and leave any one

17
Steps
  • System setup
  • Subscription
  • Signature scheme
  • Authentication scheme
  • Encryption
  • Decryption
  • Re-keying

18
System setup
  • p2q1
  • $G_1$, $G_2$ of order $p$ (BDH assumption)
  • Master key $s \in Z_q$
  • $P$ belonging to the additive group $G_1$
  • $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to G_2$
  • $P_{pub} = sP$
  • $s_{ID} = sQ_{ID}$ (with $Q_{ID} = H_1(ID)$): private key

19
Subscription
  • If there are $n$ users using $l$ web service
    resources, an $n \times l$ matrix is set where the $ij$-th
    element is 1 if user $i$ is a part of user group $j$
    and 0 otherwise
  • Signature is a triple $(R_i, S_i, m)$
  • $m$: message
  • $R_i = rQ_i$
  • $S_i = (H_2(m, R_i) + r)s_{ID_i}$

20
Authentication
  • A signed message can be authenticated using the
    public key and the user ID
  • Should check
  • $e(S_i, P) = e(H_2(M_r, R_i)H_1(ID_i) + R_i, P_{pub})$
  • $e$ is a computable bilinear map: for some $a, b \in Z_q$
    and $P, Q \in G_1$
  • $e(aP, bQ) = e(P, Q)^{ab}$

21
Encryption
  • Considering the $k$th service provider, let $t_k$ be the
    number of users using this service resource, $Q_t$
    the users' public key, and $M_k$ a session key or
    a message for this group of users
  • and matrices denoted by aik are
    set up thus
  • The ciphertext $(U_{ik}, V_k)$ is obtained by
  • $U_{1k} = r_k P$, $U_{ik} = rQ_{V_{ik}}$ $(2 \le i_k \le t_k)$
  • $V_k = M_k \oplus H_2(e(P_{pub}, r_k Q_{V_{1k}}))$ ($r_k \in Z_q$ a random
    number)

22
Decryption
  • $Q_{V_{1k}}$ calculated
  • $M_k$ calculated using

23
Re-keying
  • Member changes
    • Re-keying of the group session key is done by the
      WSP
    • Changing the group registration matrix $S$
      • adding a new row when a member joins
      • removing a row when a member leaves
    • Recalculating the values of $U$, $V$
  • Web-service changes
    • Adding a new column in the matrix $S$ and
      recalculating all the parameters

24
Boneh-Franklin ID-based Public Key Scheme
  • Security scheme employs an Identity-based public
    key system
  • New authentication protocol without using the
    username/password pair
  • Alternative method for security mechanism without
    using the Certification Authorities (CA)

25
System Description
  • Web Service provider (WSP) acts as a Key
    Distribution Centre (KDC)
  • Has secure channels to distribute keys to the
    users
  • Registered users with the same web service resource
    form a group
  • Groups denoted as $G_1, G_2, \ldots, G_l$, resources as
    $r_1, r_2, \ldots, r_l$, and $l$ as the cardinality of web services

26
New Scheme Setup
  • Based on an ID-based encryption algorithm
  • WSP computes the system public key $P_{pub} = sP$ and
    sends it to all registered users
  • The user has to provide his/her identity whenever
    he/she joins the group
  • WSP authorizes the user by sending the user's private
    key $S_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$
  • $H_1: \{0,1\}^* \to G_1$ and $H_2: G_1 \to \{0,1\}^*$ are two one-way
    hash functions

27
New Scheme Setup (cont)
  • For $n$ users and $l$ services, WSP provides matrix $S$
    as
  • Where $S_{mk} = 1$ if user $u_m$ is a member of web service
    $G_k$

28
Authentication Scheme
  • User $U_i$ has a unique identification $ID_i$
  • Message $M_r$
  • Random number $r \in Z_q$
  • Generator $P \in G_1$
  • Public hash function $H_2: \{0,1\}^* \to Z_q$
  • Computes $R_i = rQ_i$ and $S_i = (H_2(m, R_i) + r)s_{ID_i}$
  • Signature is the triple $(R_i, S_i, M_r)$
  • WSP verifies the signature using the public key and
    the sender's $ID_i$.
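
The signing and verification equations from the two authentication slides, as an added example that is not from the presentation or the cited papers. It uses a toy bilinear map (group elements stored as their discrete logs, so the pairing is multiplication mod q) that gives no security and only lets the algebra be checked; the modulus and the names `setup`, `extract`, `sign`, `verify` are assumptions.

```python
# Toy model (added example): G1 elements are stored as their discrete log
# to base P, GT elements as their log to base e(P, P). The pairing then
# collapses to multiplication mod q: exact algebra, zero security.
import hashlib
import secrets

q = 2**127 - 1   # constructed prime group order (assumption)
P = 1            # generator P of G1 in log representation

def e(x, y):
    """Bilinear map: e(aP, bP) = e(P, P)^(ab), stored as ab mod q."""
    return (x * y) % q

def H1(identity):
    """Hash an identity string to a G1 element Q_ID."""
    digest = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % q

def H2(message, R):
    """Hash (message, R) to a scalar in Z_q."""
    digest = hashlib.sha256(b"H2|" + message + b"|" + str(R).encode()).digest()
    return int.from_bytes(digest, "big") % q

def setup():
    s = secrets.randbelow(q - 1) + 1       # master key s, held by the WSP/KDC
    return s, (s * P) % q                  # (s, P_pub = sP)

def extract(s, identity):
    return (s * H1(identity)) % q          # s_ID = s * Q_ID, issued by the WSP

def sign(s_id, identity, message):
    r = secrets.randbelow(q - 1) + 1       # fresh random r per signature
    R = (r * H1(identity)) % q             # R_i = r Q_i
    S = ((H2(message, R) + r) * s_id) % q  # S_i = (H2(m, R_i) + r) s_IDi
    return R, S

def verify(P_pub, identity, message, sig):
    R, S = sig
    # Check e(S_i, P) == e(H2(m, R_i) H1(ID_i) + R_i, P_pub)
    return e(S, P) == e((H2(message, R) * H1(identity) + R) % q, P_pub)

if __name__ == "__main__":
    s, P_pub = setup()
    uid = "agent-17@wsp.example"           # constructed identity
    sig = sign(extract(s, uid), uid, b"invoke r1")
    print(verify(P_pub, uid, b"invoke r1", sig))   # genuine message
    print(verify(P_pub, uid, b"invoke r2", sig))   # altered message
```

Because `extract` needs only the master key `s`, the WSP acting as KDC can derive any user's signing key; that escrow property is inherent to this kind of ID-based scheme.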

29
Secure Web Service Scheme
  • Describes web service data encryption
  • Assumes one encryption key for each service
  • Data can be encrypted depending on its size
    • If the data set is not large, it is directly
      encrypted with the service encryption key
    • For a large data set, the data is first encrypted with
      a session key and then the session key is
      encrypted with the service encryption key
  • Receiver decrypts the session key with its
    private key, then uses the session key to decrypt the
    data

30
Re-keying for member changes and service changes
  • Three cases for re-keying
    • New member joins
    • Existing member leaves
    • Member switches from one group to another
  • When a member switches from group $G_k$ to $G_{k'}$, where
    $k \neq k'$, WSP updates the registration matrix $S$

31
Re-keying for member changes and service changes (cont)
  • WSP recomputes the polynomial function $f_k(x)$ to
    revoke the member $U_m$ from $G_k$, and then
    recomputes another polynomial function $f_{k'}(x)$ to
    add the member $U_m$ to the data group $G_{k'}$.
  • The function $f_k(x)$ is given as
  • Where

32
Discussion
  • New ID-based public key management scheme for
    securing the integration of mobile agents and web
    services
  • Works without Certification Authorities (CA)
    and without the username/password pair.
  • Simplifies the key management
  • Drawbacks
    • users must have their private key pair based on
      PKI
    • calculate the username/password token
    • use different keys for different users

33
Conclusion
  • All communications among the users, agents or
    service providers need to be encrypted
  • Symmetric encryption cannot be used
  • Asymmetric encryption based on the public key
    infrastructure (PKI) is most suitable for
    agent-based web service integration
  • PKI also has some drawbacks
    • Each user must have his/her public/private key
      pair
    • A server has to manage and verify all the public
      keys
    • The server has to search for the user's public key and
      use different keys to encrypt different messages
      for different users
    • Requires a considerable amount of resources for
      encryption and decryption

34
References
  • [1] H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim,
    D. S. Park, Agent-Based Delegation Model for the
    Secure Web Service in Ubiquitous Computing
    Environments, International Conference on Hybrid
    Information Technology, ICHIT '06, Volume 1,
    pp.51-57, Nov. 2006.
  • [2] J. Zhang, Y. Wang, V. Varadharajan, Mobile
    Agent and Web Service Integration Security
    Architecture, IEEE International Conference on
    Service-Oriented Computing and Applications, SOCA
    '07, pp.172-179, June 2007.
  • [3] J. Zhang, Y. Wang, V. Varadharajan, A New
    Security Scheme for Integration of Mobile Agents
    and Web Services, Second International
    Conference on Internet and Web Applications and
    Services (ICIW'07), pp.43-48, May 2007.
  • [4] C. A. Ardagna, E. Damiani, S. De Capitani di
    Vimercati, P. Samarati, XML-based Access Control
    Language, 2004.
  • [5] Web services, http://www.webopedia.com/TERM/W/Web_services.html
  • [6] Mobile Agent, http://en.wikipedia.org/wiki/Mobile_agent
  • [7] SAML, http://en.wikipedia.org/wiki/SAML

35
Any Questions??