Security issues

General security issues

Network security is an important issue in any distributed system. System and user resources have to be protected from unauthorized use by other users and by remote applications using methods on local server objects.

In systems utilizing mobile agents, there is also the issue of agent security. A mobile agent has to be protected from being modified on its way to fulfill the assigned goal. Otherwise, it may constitute a security risk to the network and its users.
 

Cryptography

Cryptography is a field of science concerned with encrypting information. The information, called plaintext in cryptographic jargon, is provided as input to an encrypting algorithm. The algorithm uses a certain value, called a key, to generate the output, called ciphertext. The ciphertext cannot be read or modified by any intruder, because they do not have the key, which is required to decipher the message. The target of the transmission uses the same key, or a matching key, to decrypt the data.

Secret keys

If there is only one key, then it has to be shared between the source and the target and it has to remain secret. The sender uses the key in an algorithm, which produces E(P). At the other end of the communication link, the decryption algorithm using the same key is used to obtain the original message (plaintext P). If the key is not secret, then anybody who has access to the key will be able to read the ciphertext.
It is a simple scheme (although involving very complex encryption algorithms), but maintaining and distributing secret keys constitutes a problem. Another problem is that every two parties need a secret key, so a large number of keys is required to ensure safe communication between any two users.

Public keys

An alternative to a secret key is a pair of keys assigned to every user of the network. One of them is a public key, which is freely distributed. The other key is a private key, which is kept secret by the owner. The keys must satisfy the following equations:
E(D(P)) = D(E(P)) = P
where D and E are encryption algorithms using the keys. They are symmetrical, so both play a double role: as an encryptor and as a decryptor. Let's assume that E uses the public key, and D uses the private key. Anybody can send an encrypted message to the owner of the private key. It is sufficient to use the public key to encrypt the message. This will produce E(P), which cannot be read by anybody but the owner of the private key. When the message reaches the target, the decryption algorithm using the private key will produce D(E(P)), which is the original plaintext P.

Intrusion

There are plenty of possible intrusions that can compromise the presented security schemes. We will not discuss them here, because the goal is to show the basic security concepts and approaches. In most cases, the intrusion can be prevented by enhancing existing schemes and algorithms.

Authentication

Authentication is needed to confirm the authenticity of the other party of the communication session. It is the basis for maintaining Access Control Lists (ACLs), which protect network resources. Every user has predetermined access rights, which are stored in hash tables with the user id as a key. The user id must be confirmed, so that no unauthorized access is allowed.

Secret keys

Secret keys can be used to confirm a user's authenticity either through direct communication or through a Key Distribution Center (KDC). To be identified, the user A sends its identity to the access granting authority. In the examples, both sides of the communication are authenticated, so the first message also includes a challenge for the other side. The user B uses the shared secret key to encrypt the challenge, which authenticates B from A's perspective. B also includes a challenge for A. A encrypts the challenge and sends the encrypted message back to B. B can confirm that the challenge has been encrypted using the secret key, so it could come only from A.
The scheme with a KDC depends on a center that everybody trusts. In this case, a secret session key can be established for every secure session. The user A sends to the KDC its id, the encrypted id of the target and a proposed key for the session. This encryption uses a key that only A and the KDC share, so the KDC is assured that it is A who sent the message. The identity of the target is decrypted, so B can be contacted. A key shared by the KDC and B is used to encrypt a message containing the identifier of the source and the proposed session key. Only B can decipher this message, so both ends are assured to be A and B.
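
The direct exchange between A and B (without a KDC) can be sketched as follows. This is an added example, not part of the original notes: HMAC-SHA256 stands in for "encrypting the challenge" with the shared secret key, and the function names and the choice to bind the responder's identity into each response are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, responder: bytes, challenge: bytes) -> bytes:
    """Prove knowledge of the shared key for one challenge.

    HMAC-SHA256 replaces 'encrypt the challenge' (assumption of this sketch).
    The responder's identity is part of the input, so a response is only
    valid for the party that produced it."""
    return hmac.new(key, responder + b"|" + challenge, hashlib.sha256).digest()

def check(key: bytes, responder: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    return hmac.compare_digest(respond(key, responder, challenge), response)

def mutual_auth(key_a: bytes, key_b: bytes) -> tuple:
    """Run the three-message exchange; return (A accepts B, B accepts A)."""
    # Message 1: A -> B : identity "A" and a fresh random challenge for B
    challenge_a = secrets.token_bytes(16)

    # Message 2: B -> A : response to A's challenge plus a challenge for A
    response_b = respond(key_b, b"B", challenge_a)
    challenge_b = secrets.token_bytes(16)

    a_accepts_b = check(key_a, b"B", challenge_a, response_b)
    if not a_accepts_b:
        return False, False      # A aborts and never answers B's challenge

    # Message 3: A -> B : response to B's challenge
    response_a = respond(key_a, b"A", challenge_b)
    b_accepts_a = check(key_b, b"A", challenge_b, response_a)
    return a_accepts_b, b_accepts_a

if __name__ == "__main__":
    shared = secrets.token_bytes(32)                        # constructed sample key
    print(mutual_auth(shared, shared))                      # both sides hold the key
    print(mutual_auth(shared, secrets.token_bytes(32)))     # B holds a different key
```

Because every run uses fresh random challenges, a response recorded from an earlier session does not verify against a new challenge.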

Public key algorithms

Public keys can also be used for authentication. In this case, the initiating party (A) uses the public key of the targeted party (B) to encode A's identity and a challenge for B. Only B can decode this message using the matching private key. After doing so, B applies an encryption algorithm with the public key of A to send back a message with the challenge sent by A, a proposed session key and a challenge for A. Again, only A can decode this message using the matching private key. It then sends back an encrypted value of the challenge received from B. This assures B that the communication is indeed with A.

Digital Signatures

Digital signatures are used as proof of the authenticity of received messages. A sender of a message signs the message, so the recipient can store it as proof that the message indeed came from the sender. This is very important in online shopping, banking, etc. It is the equivalent of a hand-written signature, which people use to authenticate documents.

Secret keys

The scheme with secret keys involves a signing authority (SA), which is analogous to a key distribution center. The user A sends its identity and an encrypted message with the identity of the target, the challenge for B, a timestamp and the plaintext. A secret key shared by the SA and A is used, so the SA knows that the message comes from A. It obtains the details about the target of the message and uses the appropriate secret key (shared with B) to encrypt a message containing the identity of the source, the challenge, the timestamp, the plaintext and another part, which is encrypted using a secret key that belongs only to the SA. This part includes the source, the timestamp and the original message. B can use this as proof of receiving the message from A. The SA has to be involved in such confirmation, because the proof has been signed with a secret key that the SA does not share with anybody.

Public keys

A private key can be used to sign a message. This scheme does not require the presence of a trusted intermediary (SA). The message is encrypted using the private key of the source (A). Then the encryption algorithm is applied once more, but this time the public key of the target (B) is used. The doubly encrypted message is sent over the network to the target. It is encrypted using B's public key, so only B can decrypt it with the matching private key. The output of this process is saved as proof of authenticity of the source. Only A knows its private key, so nobody else could have produced a message encrypted with that key. The public key of A can be used both to obtain the original message and to prove that the encrypted message originated at A. Applying A's public key to something that was not produced by A would certainly end up with garbage rather than the message in question.


Message digests

Frequently, a message that is being digitally signed does not need to be encrypted. Skipping encryption may save plenty of time, especially for long messages, because encryption and decryption algorithms are very complex and time consuming. In such a case, a message digest can be used. A message digest is a value that is obtained from a message by a special hashing algorithm. Producing a message digest of a message is much faster than encrypting the message. The message digest algorithms ensure that the value of the digest can be obtained uniquely from any message. If that is so, then it is sufficient to sign the message digest to ensure the authenticity of the sender.
Both secret keys and public/private keys can be used to sign message digests. It is sufficient to use a message digest in place of the plaintext. Of course, the plaintext has to be included as well, because there is no way to obtain the original message from its digest.
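
The relation E(D(P)) = D(E(P)) = P from the public-key section and the signing of a message digest with a private key can be tried out together. This is an added example, not part of the original notes: it uses unpadded textbook RSA with SHA-256 as the digest, and the key pair is a toy built from two publicly known Mersenne primes, so it shows the mechanics only and is not a usable key.

```python
import hashlib

# Toy key pair, constructed for illustration: both primes are publicly known
# Mersenne primes and no padding is used, so this key offers no security.
P_PRIME = 2**521 - 1
Q_PRIME = 2**607 - 1
N = P_PRIME * Q_PRIME                    # modulus shared by both operations
E_EXP = 65537                            # public exponent
D_EXP = pow(E_EXP, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # private exponent

def E(x: int) -> int:
    """Public-key operation: anyone can apply it."""
    return pow(x, E_EXP, N)

def D(x: int) -> int:
    """Private-key operation: only the key owner can apply it."""
    return pow(x, D_EXP, N)

def roundtrip_holds(p: int) -> bool:
    """Check E(D(P)) = D(E(P)) = P for one value 0 <= P < N."""
    return E(D(p)) == p and D(E(p)) == p

def digest(message: bytes) -> int:
    """SHA-256 digest as an integer; 256 bits always fit below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Signature = D(digest); the plaintext is sent alongside it."""
    return D(digest(message))

def verify(message: bytes, signature: int) -> bool:
    """Recompute the digest of the received plaintext and compare it
    with E(signature), which only the private key could have produced."""
    return E(signature) == digest(message)

if __name__ == "__main__":
    msg = b"transfer 100 to B"           # constructed sample message
    sig = sign(msg)
    print(roundtrip_holds(digest(msg)))          # True
    print(verify(msg, sig))                      # True
    print(verify(b"transfer 900 to B", sig))     # False: plaintext was altered
```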

Java security facilities