(How) Can Mobile Agents Do SecureElectronic Transactions on Untrusted Hosts?A Survey of the Security Issues and theCurrent SolutionsJORIS CLAESSENS, BART PRENEEL, and JOOS VANDEWALLEKatholieke Universiteit Leuven—ESAT/SCD-COSICThis article investigates if and how mobile agents can execute secure electronic transactions onuntrusted hosts. An overview of the security issues of mobile agents is first given. The problemof untrusted (i.e., potentially malicious) hosts is one of these issues, and appears to be the mostdifficult to solve. The current approaches to counter this problem are evaluated, and their relevancefor secure electronic transactions is discussed. In particular, a state-of-the-art survey of mobileagent-based secure electronic transactions is presented.Categories and Subject Descriptors: A.1 [Introductory and Survey]; E.3 [Data Encryption];K.6.5 [Management of Computing and Information Systems]: Security and ProtectionGeneral Terms: SecurityAdditional Key Words and Phrases: Mobile agent security, electronic transactions, malicious hosts1. INTRODUCTIONBusiness on the Internet has now become standard practice. Books, music,computers, and so on, are bought electronically by consumers. Companies do(part of) their business with other companies in an electronic way. Securityand cryptography are important enablers: without them, electronic commercewould not work in the real world; moreover, they are the core technical meansto implement secure electronic payments and transactions.The most frequently used electronic payment mechanism on the Inter-net today is probably transferring credit card information over a secured(SSL/TLS [Dierks and Allen 1999]) connection from a customer’s browser to aJ. Claessens, at the time this article was written, was funded by a research grant of the Institutefor the Promotion of Innovation by Science and Technology in Flanders (IWT). This work was alsosupported in part by the FWO-Vlaanderen project G.0358.99 on Open Security Systems for Agent-Based Applications (OSABA), and by the Concerted Research Action (GOA) Mefisto-2000/06 of theFlemish government.Authors’ address: Katholieke Universiteit Leuven, Dept. of Electrical Engineering—ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium; email: URL: http://www.esat.kuleuven.ac.be/cosic/; email: [email protected] to make digital/hard copy of part or all of this work for personal or classroom use isgranted without fee provided that the copies are not made or distributed for profit or commercialadvantage, the copyright notice, the title of the publication, and its date appear, and notice is giventhat copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers,or to redistribute to lists, requires prior specific permission and/or a fee.C°2003 ACM 1533-5399/03/0200-0028 $5.00ACM Transactions on Internet Technology, Vol. 3, No. 1, February 2003, Pages 28–48.(How) Can Mobile Agents Do Secure Transactions on Untrusted Hosts?•29merchant’s Web server. This is, however, far from an ideal system: the creditcard information is only protected in transit; the information should remainsecret, yet it is communicated to the merchants and then mostly stored in theircomputer systems, vulnerable to attackers. Secure Electronic Transaction(SET) [SET]—note that this article’s title refers to the general concept of secureelectronic payment and transaction mechanisms and not to this particularprotocol—is a credit card payment system which is much more secure, as thecredit card number is cryptographically protected from the merchant, andas the payment token is not static but is each time cryptographically linked(using a digital signature) to, among other things, the payment amount. Analternative to credit card payments is the electronic form of cash. This areahas been researched intensively (an overview can be found in O’Mahony et al.[2001]), and systems with various properties have been proposed: online versusoffline, unconditional or revocable anonymity, and so on. While electronic cashworks with individual electronic coins, other systems are based on electronicchecks and a balance. Micropayments are efficient systems intended for verysmall payments, for example, deployed in pay-per-click Web applications.Finally, while digital signatures are often the cryptographic basis behind aparticular payment system, they can also be used to directly sign a message(e.g., secure email), a contract, or a business transaction (e.g., Signed XML[Eastlake et al. 2002]).In the traditional way of “Internet-ing,” a user runs client programs on herlocal machine. Clients send requests to server programs, get responses back,possibly process these responses, and show the results to the user. The userthen has to interpret these results, make decisions based on this interpreta-tion, and start the process again. In some applications this is becoming anincreasingly time-consuming and difficult task for end-users. First, there is anincreasing amount of available information on an increasing number of servers.When users want to buy a certain item at the lowest price, they have to con-sult the numerous sites that sell this item, and manually compare the prices.Second, some applications require a lot of interactivity, for example, queryinga public database or electronic auctions. Finally, the Internet is expanding tomobile devices, which still have a slower and more costly connection and, moreimportant, are usually not continuously online. Mobile devices also have lim-ited power consumption. Web crawlers and robots address the first two issues tosome extent. However, they run on the user’s machine and require a continuousactive connection to the network.Without giving a formal definition, a software agent is a very generic termfor a piece of software that can operate autonomously, and that helps facilitate acertain task. Software agents can communicate, they can be intelligent, and of-ten have learning capabilities. Mobile software agents are agents that can travelfrom one computer to another computer. They are sent by end-users and visit aseries of hosts. The mobile agents are executed locally on these hosts to performtheir tasks, and will return to the end-users to report their results. It seemsclear that the mobile agent paradigm offers a potential answer with respect tothe observations made above. Chess et al. [1997] conclude that