6 research outputs found

    A framework to protect mobile agents by using reference states

    To protect mobile agents from attacks by their execution environments, or hosts, one class of protection mechanisms uses 'reference states' to detect modification attacks. Reference states are agent states that have been produced by non-attacking, or reference, hosts. This paper examines this class of mechanisms and presents the bandwidth of the achieved protection. First, a new general definition of attacks against mobile agents is presented. As this general definition does not lead to a practicable protection scheme, the notion of reference states is introduced. This notion allows the definition of a protection scheme that can be used to practically realize a whole number of mechanisms to protect mobile agents. Therefore, after an initial analysis of already existing approaches, the abstract features of these approaches are extracted. A discussion examines the strengths and weaknesses of the general protection scheme, and a framework is presented that allows an agent programmer to choose a level of protection using the reference states scheme. An example illustrates the usage of the framework, and measurements present the overhead of the framework for the case of the example mechanism.

    Succinct Spooky Free Compilers Are Not Black Box Sound

    It is tempting to think that if we encrypt a sequence of messages $\{x_i\}$ using a semantically secure encryption scheme, such that each $x_i$ is encrypted with its own independently generated public key $pk_i$, then even if the scheme is malleable (or homomorphic) then malleability is limited to acting on each $x_i$ independently. However, it is known that this is not the case, and in fact even non-local malleability might be possible. This phenomenon is known as spooky interactions. We formally define the notion of spooky free compilers that has been implicit in the delegation of computation literature. A spooky free compiler allows to encode a sequence of queries to a multi-prover interactive proof system (MIP) in a way that allows to apply the MIP prover algorithm on the encoded values on one hand, and prevents spooky interactions on the other. In our definition, the compiler is allowed to be tailored to a specific MIP. We show that (under a plausible complexity assumption) spooky free compilers that are sufficiently succinct to imply delegation schemes for NP with communication $n^{\alpha}$ (for any constant $\alpha<1$) cannot be proven secure via black-box reduction to a falsifiable assumption. On the other hand, we show that it is possible to construct non-succinct spooky free fully homomorphic encryption, the strongest conceivable flavor of spooky free compiler, in a straightforward way from any fully homomorphic encryption scheme. Our impossibility result relies on adapting the techniques of Gentry and Wichs (2011) which rule out succinct adaptively sound delegation protocols. We note that spooky free compilers are only known to imply non-adaptive delegation, so the aforementioned result cannot be applied directly. Interestingly, we are still unable to show that spooky free compilers imply adaptive delegation, nor can we apply our techniques directly to rule out arbitrary non-adaptive NP-delegation.

    Non-Interactive Delegation for Low-Space Non-Deterministic Computation

    We construct a delegation scheme for verifying non-deterministic computations, with complexity proportional only to the non-deterministic space of the computation. Specifically, letting $n$ denote the input length, we construct a delegation scheme for any language verifiable in non-deterministic time and space $(T(n); S(n))$ with communication complexity $\mathrm{poly}(S(n))$, verifier runtime $n \, \mathrm{polylog}(T(n)) + \mathrm{poly}(S(n))$, and prover runtime $\mathrm{poly}(T(n))$. Our scheme consists of only two messages and has adaptive soundness, assuming the existence of a sub-exponentially secure private information retrieval (PIR) scheme, which can be instantiated under standard (albeit, sub-exponential) cryptographic assumptions, such as the sub-exponential LWE assumption. Specifically, the verifier publishes a (short) public key ahead of time, and this key can be used by any prover to non-interactively prove the correctness of any adaptively chosen non-deterministic computation. Such a scheme is referred to as a non-interactive delegation scheme. Our scheme is privately verifiable, where the verifier needs the corresponding secret key in order to verify proofs. Prior to our work, such results were known only in the Random Oracle Model, or under knowledge assumptions. Our results yield succinct non-interactive arguments based on sub-exponential LWE, for many natural languages believed to be outside of P.

    Optimal Single-Server Private Information Retrieval

    We construct a single-server pre-processing Private Information Retrieval (PIR) scheme with optimal bandwidth and server computation (up to poly-logarithmic factors), assuming hardness of the Learning With Errors (LWE) problem. Our scheme achieves amortized $\widetilde{O}_{\lambda}(\sqrt{n})$ server and client computation and $\widetilde{O}_{\lambda}(1)$ bandwidth per query, completes in a single roundtrip, and requires $\widetilde{O}_{\lambda}(\sqrt{n})$ client storage. In particular, we achieve a significant reduction in bandwidth over the state-of-the-art scheme by Corrigan-Gibbs, Henzinger, and Kogan (Eurocrypt'22): their scheme requires as much as $\widetilde{O}_{\lambda}(\sqrt{n})$ bandwidth per query, with comparable computational and storage overhead as ours.

    Protecting mobile agents against malicious hosts.

    by Sau-Koon Ng. Thesis (M.Phil.)--Chinese University of Hong Kong, 2000. Includes bibliographical references (leaves 100-112). Abstracts in English and Chinese.

    Chapter 1 --- Introduction
        1.1 --- Evolution of the mobile agent paradigm
        1.2 --- Terminology
        1.3 --- Beneficial aspects
            1.3.1 --- Autonomy
            1.3.2 --- Client customization
            1.3.3 --- Attendant and real time interactions
        1.4 --- Fundamental deployment bottleneck: security concern
            1.4.1 --- Risking the mobile agent hosts
            1.4.2 --- Risking the mobile agents
            1.4.3 --- The difficult problem
        1.5 --- Contribution of this thesis
        1.6 --- Structure of the thesis
    Chapter 2 --- Understanding attacks and defense
        2.1 --- Introduction
        2.2 --- Understanding attacks
            2.2.1 --- The meaning of an attack
            2.2.2 --- An abstract model of attacks
            2.2.3 --- A survey of various attacks
        2.3 --- Understanding defense
            2.3.1 --- The meaning of defense
            2.3.2 --- Security requirements of defense
            2.3.3 --- A survey of protection schemes
        2.4 --- Concluding remarks
    Chapter 3 --- Confidentiality in mobile agent systems
        3.1 --- Introduction
        3.2 --- Motivations
            3.2.1 --- Program comprehension
            3.2.2 --- Black-box testing
        3.3 --- Theory
            3.3.1 --- Assumptions
            3.3.2 --- Entropy of mobile agents
            3.3.3 --- Intention spreading by insertion
            3.3.4 --- Intention shrinking by splitting
            3.3.5 --- Nested spreading and shrinking
        3.4 --- Implementation possibilities
            3.4.1 --- Addition of irrelevant variables and conditional statements
            3.4.2 --- Splitting the cost function
        3.5 --- Security analysis
            3.5.1 --- Human inspection
            3.5.2 --- Automatic program comprehension
        3.6 --- Related work
            3.6.1 --- Time limited blackbox security
            3.6.2 --- Computing with encrypted function
        3.7 --- Applicability
        3.8 --- Further considerations
            3.8.1 --- Weaknesses
            3.8.2 --- Relationship with other approaches
            3.8.3 --- Further development
        3.9 --- Concluding remarks
    Chapter 4 --- Anonymity in mobile agent systems
        4.1 --- Introduction
        4.2 --- Solutions to anonymity
            4.2.1 --- Mixing
            4.2.2 --- Group signatures
        4.3 --- Anonymous agents
            4.3.1 --- Anonymous connection
            4.3.2 --- Anonymous communication
        4.4 --- Concluding remarks
    Chapter 5 --- Open issues
        5.1 --- Introduction
        5.2 --- Security issues
            5.2.1 --- Reachable problems
            5.2.2 --- Difficult problems
        5.3 --- Performance issues
            5.3.1 --- Complexity and strength
            5.3.2 --- An optimizing protocol
        5.4 --- Concluding remarks
    Chapter 6 --- Conclusions

    A security protocol for authentication of binding updates in Mobile IPv6.

    Wireless communication technologies have come a long way, improving with every generational leap. As communications evolve so do the system architectures, models and paradigms. Improvements have been seen in the jump from 2G to 3G networks in terms of security. Yet these issues persist and will continue to plague mobile communications into the leap towards 4G networks if not addressed. 4G will be based on the transmission of Internet packets only, using an architecture known as mobile IP. This will feature many advantages; however, security is still a fundamental issue to be resolved. One particular security issue involves the route optimisation technique, which deals with binding updates. This allows the corresponding node to by-pass the home agent router to communicate directly with the mobile node. There are a variety of security vulnerabilities with binding updates, which include the interception of data packets, which would allow an attacker to eavesdrop on its contents, breaching the user's confidentiality, or to modify transmitted packets for the attacker's own malicious purposes. Other possible vulnerabilities with mobile IP include address spoofing, redirection and denial of service attacks. For many of these attacks, all the attacker needs to know is the IPv6 addresses of the mobile's home agent and the corresponding node. There are a variety of security solutions to prevent these attacks from occurring. Two of the main solutions are cryptography and authentication. Cryptography allows the transmitted data to be scrambled in an undecipherable way resulting in any intercepted packets being illegible to the attacker. Only the party possessing the relevant key will be able to decrypt the message. Authentication is the process of verifying the identity of the user or device one is in communication with.
Different authentication architectures exist; however, many of them rely on a central server to verify the users, resulting in a possible single point of attack. Decentralised authentication mechanisms would be more appropriate for the nature of mobile IP and several protocols are discussed. However, they all possess flaws, whether they be overly resource intensive or give away vital address data, which can be used to mount an attack. As a result, location privacy is investigated in a possible attempt at hiding this sensitive data. Finally, a security solution is proposed to address the security vulnerabilities found in binding updates and attempts to overcome the weaknesses of the examined security solutions. The security protocol proposed in this research involves three new security techniques. The first is a combined solution using Cryptographically Generated Addresses and Return Routability, which are already established solutions, and then introduces a new authentication procedure, to create the Distributed Authentication Protocol to aid with privacy, integrity and authentication. The second is an enhancement to Return Routability called Dual Identity Return Routability, which provides location verification authentication for multiple identities on the same device. The third security technique is called Mobile Home Agents, which provides device and user authentication while introducing location privacy and optimised communication routing. All three security techniques can be used together or individually and each needs to be passed before the binding update is accepted. Cryptographically Generated Addresses assert the user's ownership of the IPv6 address by generating the interface identifier by computing a cryptographic one-way hash function from the user's public key and auxiliary parameters. The binding between the public key and the address can be verified by recomputing the hash value and by comparing the hash with the interface identifier.
This method proves ownership of the address; however, it does not prove the address is reachable. After establishing address ownership, Return Routability would then send two security tokens to the mobile node, one directly and one via the home agent. The mobile node would then combine them together to create an encryption key called the binding key, allowing the binding update to be sent securely to the correspondent node. This technique provides a validation to the mobile node's location and proves its ownership of the home agent. Return Routability provides a test to verify that the node is reachable. It does not verify that the IPv6 address is owned by the user. This method is combined with Cryptographically Generated Addresses to provide the best of both worlds. The third aspect of the first security solution introduces a decentralised authentication mechanism. The correspondent requests the authentication data from both the mobile node and home agent. The mobile sends the data in plain text, which could be encrypted with the binding key, and the home agent sends a hash of the data. The correspondent then converts the data so both are hashes and compares them. If they are the same, authentication is successful. This provides device and user authentication which, when combined with Cryptographically Generated Addresses and Return Routability, creates a robust security solution called the Distributed Authentication Protocol. The second new technique was designed to provide an enhancement to a current security solution. Dual Identity Return Routability builds on the concept of Return Routability by providing two Mobile IPv6 addresses on a mobile device, giving the user two separate identities.
After establishing address ownership with Cryptographically Generated Addresses, Dual Identity Return Routability would then send security data to both identities, each on a separate network and each having their own home agents, and the mobile node would then combine them together to create the binding key, allowing the binding update to be sent securely to the correspondent node. This technique provides protection against address spoofing as an attacker needs two separate IP addresses, which are linked together. Spoofing only a single address will not pass this security solution. One drawback of the security techniques described, however, is that none of them provide location privacy to hide the user's IP address from attackers. An attacker cannot mount a direct attack if the user is invisible. The third new security solution designed is Mobile Home Agents. These are software agents, which provide location privacy to the mobile node by acting as a proxy between it and the network. The Mobile Home Agent resides on the point of attachment and migrates to a new point of attachment at the same time as the mobile node. This provides reduced latency communication and a secure environment for the mobile node. These solutions can be used separately or combined together to form a super security solution, which is demonstrated in this thesis and attempts to provide proof of address ownership, reachability, user and device authentication, location privacy and reduction in communication latency. All these security features are designed to protect against one of the most devastating attacks in Mobile IPv6, the false binding update, which can allow an attacker to impersonate and deny service to the mobile node by redirecting all data packets to itself. The solutions are all simulated with different scenarios and network configurations and with a variety of attacks, which attempt to send a false binding update to the correspondent node.
The results were then collected and analysed to provide conclusive proof that the proposed solutions are effective and robust in protecting against the false binding updates, creating a safe and secure network for all.