Secure Electronic Business Applications in Mobile Agent Based Networks Using Elliptic Curve Cryptosystems

Woei-Jiunn Tsaur
Department of Information Management Da-Yeh University Changhua, Taiwan, R.O.C. wjtsaur@yahoo.com.tw
AbstractBecause the mobile agent can provide the essential properties of personalization, automation, intelligence, etc., it plays an increasingly important role in electronic business applications. As far as mobile agent security is concerned, we develop a proxy signature scheme for protecting mobile agents against malicious agent hosts. The proposed proxy signature scheme can protect users private keys stored in smart cards, and provide the fairness of contracts signed by agents. In addition, we also design a proxy authenticated encryption scheme so that the signature of the contracts will satisfy users constraints, and the non-repudiation of servers can be achieved. On the other hand, as far as agent host security is concerned, we apply the idea of proxy signature to construct an authentication scheme for protecting agent hosts. This scheme is to achieve the requirements of authentication and authorization. Hence, we affirm that the proposed security schemes are suitable for practical electronic business applications in mobile-agent-based network environments. Keywords-Network security; elliptic curve cryptosystems; mobile agent; proxy signature; electronic business applications

Hsin-Chieh Tsai
Department of Information Management Da-Yeh University Changhua, Taiwan, R.O.C. xctsai@yahoo.com.tw proposed ECC-based self-certified public key cryptosystem. The proposed proxy signature scheme can protect users private keys stored in smart cards, and provide the fairness of contracts signed by agents. The proposed cryptosystem is constructed using the ECC, and it also integrates the identity-based public key cryptosystem with the selfcertified public key cryptosystem [10, 16, 18] to provide higher security strength. Furthermore, based on the proposed cryptosystem, we employ the proposed proxy signature scheme to further design a proxy authenticated encryption scheme so that the signature of the contracts will satisfy users constraints, and the non-repudiation of servers can be achieved. In summary, these proposed schemes are able to accomplish the security requirements of confidentiality, integrity, authenticity, and non-repudiation for protecting mobile agents in electronic business applications. On the other hand, this paper also presents an authentication scheme for protecting mobile agent hosts against unauthorized mobile agents. In such a scheme, a mobile agent can register once to the system authority for several services in the mobile-agent-based networks. The rest of this paper is organized as follows. In Section II, we first develops an efficient public key cryptosystems, and then several security schemes constructed using it are designed for protecting mobile-agent-based electronic business applications. In Section III, security analyses about attacks on the proposed schemes consolidate the feasibility of the schemes. Performance evaluation of the proposed schemes, which is measured by the required computational effort and communicational cost, is given in Section IV. Finally, some concluding remarks are presented in Section V. II. SECURITY SCHEMES FOR PROTECTING MOBILE AGENT NETWORKS

I.

INTRODUCTION

In recent years, there are many business applications based on mobile agent on the Internet. Those agents of business applications usually provide personalization, automation,d intelligence, etc [1-8]. However, it also results in many security threats such as stealing data from hosts by agents and tampering constraints of agents by hosts. For instance, when a mobile agent carrying a users private key roams among servers on the Internet, the agent may find a bid satisfies the users constraints, and then sign the bid [9, 20]. However, users will not wish to equip agents with their private signature keys when the agents may execute on untrusted agent hosts [13, 18, 19]. On the other hand, a problem specific to mobile agents is the protection of the agent platforms running the agents. A hostile agent could destroy the hard drive, steal data, or do all sorts of undesirable operations to agent platforms. In this paper we will develop related security schemes based on cryptographic solutions [14, 18] for prevention of agent and hosts tampering. This paper develops a proxy signature scheme and a proxy authenticated encryption scheme for protecting mobile agents against malicious agent hosts using the

In this section, we first develop an efficient public key cryptosystems, and then several security schemes constructed using it are designed for protecting mobileagent-based electronic business applications. A. Initialization The entities in the system are a system authority (SA), users (Ui), hosts (Hi), and mobile agents (MA) generated by specific users. We assume that SA is responsible for key

978-1-4244-7640-4/10/$26.00 2010 IEEE

generation and user registration. We then define the notations used in the proposed schemes as follows: p: a field size. E: y2 = x3 + ax + b: an elliptic curve E over F p . B: a base point of order n over E( F p ). sSA: SA's private key, where sSA [2,
n 2] .

s i B = [(k i + s SA ( Pix + h( I i )) + h( xi || I i )) (mod n)] B

= [( ki + sSA ( P + h( I i ) ) ) mod n] B + h( xi || I i ) B ix

= [( k i + h ( x i || I i )) mod n ] B + [( Pix + h ( I i )) mod n ] PSA = k i B + Z i + [( Pix + h ( I i )) mod n ] PSA = Pi + h ( I i ) B + [( Pix + h ( I i )) mod n ] PSA

PSA: SA's public key, where PSA = s SA B . h( ): a one-way hash function. X(P): output the x-coordinate of point P. After that, SA publishes E, B, p, n, PSA and h, while keeping s SA secret. B. The Proposed Public Key Cryptosystems The operations of the proposed public key cryptosystems are divided into two phases. [The System Setup Phase] SA creates a system public key and some public parameters in this phase, and then SA releases these parameters. SA randomly chooses a number sSA and keeps it secret. Then SA computes the system public key PSA = sSA B. [The Key Generation Phase] User Ui and host Hi perform the following steps to register to SA, and obtain the corresponding public key, respectively. They also compute their private keys in this phase. Step 1. Respectively, Ui and Hi select identity information, denoted by Ii, randomly choose an integer xi as the master key, compute [2, n 2] Zi = h( xi || I i ) B , and finally submit {Ii, Zi} to SA. Step 2. SA randomly chooses a time-variant integer ki [2, n 2] , and then computes a public key Pi and where its witness wi,
Pi = Z i + (k i h( I i )) B = ( Pix , Piy )
w i = k i + s SA ( Pix + h ( I i )) (mod n )

C. The Proposed Proxy Signature Scheme The proposed proxy signature scheme can hide users private keys and provide the fairness of contracts. In the following, we first define the notations used in the proposed schemes, and then show the steps in the commission phase, the transaction phase and the verification phase, respectively. Ui: a user who generates the mobile agent (MA). Hi: a host who executes the mobile agent in the agent platform. M: the content of the contract. N: the constraints of a user. w: the delegation warrant for MA. ||: a symbol denoting concatenation. [Commission Phase]: Preparing the Agent Step 1. Ui establishes his/her requirements with constraints N to limit the power of hosts. Ui then computes
d = h( N ) and D = d B = (Dx , D y )

Step 2. Ui computes c = h( w || D x ) . Step 3. Ui inserts his/her own smart card into a card reader to use his/her private key su to calculate r = d c s u (mod n) . Step 4. Ui assigns the requirement lists (c, r, w) to MA, and launches MA to search a specific product through networks. [Transaction Phase]: Executing the Agent When host Hi generates a bid that conforms to Uis requirements, MA and Hi will negotiate to sign a contract. They take the following steps to perform the transaction: Step 1. When Hi receives the requirement list (c, r, w), it can obtain Uis Iu and public key Pu from the warrant w, and then calculate
Vu = Pu + h( I u ) B + [( Pux + h( I u )) mod n] PSA

Then, SA returns {Pi, wi} to Ui and Hi, respectively. Step 3. Ui and Hi calculate their own private keys as si = wi + h( xi || I i ) (mod n) , and then verify the authenticity of Pi by testing if si B = Pi + h ( I i ) B + [( Pix + h( I i )) mod n] PSA (1) If the verification result of Eq. (1) is correct, then the participants public key is Pi and the corresponding private key is si; otherwise, it means that the public key Pi is altered in the transmission. For the consideration of security, the private key si is stored in a smart card for subsequent electronic business applications. Theorem 1. User Ui and host Hi can utilize Eq. (1) to verify his/her public key Pi by himself/herself. Proof:

(2) Step 2. Hi computes D' = r B + c Vu Step 3. Hi verifies whether the equation h(w || Dx) = c holds. If the result is correct, (c, r, w) is a valid requirement list, and Hi then goes to Step 4; otherwise, Hi rejects the transaction. Step 4. Hi chooses a random integer t [ 2, n 2] , and computes E = [(t r ) mod n] B = ( E x , E y ) , where E is a message denoted the bidding information and dealings information. Step 5. MA negotiates with Hi, and makes a dealings contract M. Then Hi computes g = h(M || Ex). Step 6. Hi uses its private key sh to compute y = t r g s h (mod n) .

Step 7. Hi attaches to MA the requirement list, bidding information, and the contract, ((c, r, w), (g, y, M)), and then MA comes back to Ui. [Verification Phase]: Verifying the Signature When Ui receives the message from MA, he/she can verify the validity of his/her purchase as follows: Step 1. A verifier or Ui can take His Ih and Ph from the received message, ((c, r, w), (g, y, M)). The verifier computes Vh = Ph + h(Ih ) B + [(Phx + h(Ih )) mod n] PSA to check the validity of signature. Step 2. The verifier computes D' = r B + c Vu = ( D'x , D' y ) , and
E ' = y B + g Vh = ( E ' x , E ' y )

(3) Step 3. The verifier checks whether the equation h( w || D'x ) = c holds. If it is correct, Hi is a valid proxy signer; otherwise, the verifier rejects the message ((c, r, w), (g, y, M)). Step 4. The verifier checks whether the equation h( M || E ' x ) = g holds. If it is true, (g, y, M) is a valid proxy signature subject to the constraints of the requirements. Theorem 2. The host Hi can verify the validity of users requirement list, which is attached to the mobile agent, by performing Eq. (2). The verifier and user Ui can also verify the signature of contracts by computing Eq. (3). Proof: According to Eq. (1), we can obtain si B = Vu . Thus, the proof of Eq. (2) is shown as follows:
D' = r B + c Vu = [(d c su ) (mod n)] B + c Vu = d B c Vu + c Vu = d B =D

In order to generate a proxy key S P , Hi uses its private key sh to generate S P = r + g sh (mod n) , where g = h( M || E x ) is a hashed bidding information. [Proxy Authenticated Encryption] In this phase, host Hi can proxy-authenticated-encrypt the contract M, and create a valid authenticated encryption message to the user. In addition, the contract contains a specific redundancy. Step 1. The host Hi obtains Uis IDu and public key Pu . Step 2. Hi computes Vu = Pu + h( Iu ) B + [(Pux + h( I u )) mod n] PSA Step 3. Hi randomly chooses two integers t, u [2, n 2] , and then calculates the following equations: T= t B = (T x , T y ) r = M h(Tx ) s = t + h(r) Sp (mod n) C1 = u B U = u Vu = (U x , U y ) C2 = r h(U x ) Step 4. Hi attaches the authenticated encryption message {C1, C2, s} and the hashed bidding information g to the mobile agent, and then send back to the user. Notice that the message (or contract) is not a plaintext. [Proxy Authenticated Decryption] Step 1. Upon receiving {C1, C2, s}, Ui uses his/her private key su to recover r as follows: r = C2 h(X( )) s u C1 (4) further computes Step 2. Ui Vh = Ph + h( I h ) B + [( Phx + h ( I h )) mod n] PSA and
S
p

B = D c Vu + g Vh = V P

Also, we can prove Eq. (3) by performing the same manner as the proof of Eq. (2). D. The Proposed Proxy Authenticated Encryption Scheme The proposed proxy signature scheme can hide users private keys, but the transmitted messages are plaintexts on the networks. Therefore, due to the requirement of confidentiality, we also construct a proxy authenticated encryption scheme for mobile-agent-based networks using the above proposed proxy signature scheme. We will describe the proposed scheme in the following. V : a third-party authority or any unspecified verifier. : bitwise exclusive-or operator. [Proxy Authorization] In this phase, host Hi uses a proxy key to sign the contract subject to the constraints of the user. It is exactly the same as Step 1 to Step 5 of the transaction phase in the proposed proxy signature scheme.

(5) Then he/she performs the following equation to recover the contract M from (r, s). M = r h( X ( s B h(r ) V p ) ) (6) Step 3. Ui verifies the authenticated encryption message for M by checking whether the validity of attached redundancy holds. If the redundancy is valid, then {C1, C2, s} is a valid authenticated encryption message. [Signature Verification] In this phase, a third-party authority V can arbitrate the dispute between users (customers) and hosts (servers). Thus, the authenticated encryption message has no need to be secret. Furthermore, Ui can release (r, s) to V to verify the validity of the signature. The third party V, who receives (r, s), can recover M by performing Eq. (6), and check the attached redundancy to verify the signature.

Theorem 3. The user Ui can recover (r, s) from the authenticated encryption message {C1, C2, s} by computing Eq. (4). Proof: We first calculate
Vu = Pu + h( I u ) B + [( Pux + h( I u )) mod n] PSA ,

Step 2. SA computes M = h(mw). Step 3. SA uses his/her own private key sSA to calculate w' = (r + m) s SA (mod n) . Step 4. SA sends (R, w, mw) to Ui, where w should be secretly sent in a secure manner. Step 5. Upon receiving the data, Ui computes w = w + su (mod n) Step 6. Ui computes Vu = Pu + h( I u ) B + [( Pux + h( I u )) mod n] PSA and verifies this proxy key by checking whether the following Eq. (7) holds:
w B = m PSA + Vu + R

and then recover r according to Eq. (1) as follows : C2 h(X( su C1)) = r h(U x ) h(X( s u u B )) = r h(U x ) h(X( u Vu )) = r Thus, we can obtain r form {C1,C2} by computing Eq. (4). Theorem 4. When user Ui wants to recover the contract M from (r, s), he/she first utilizes the public key Ph and identity Ih of host Hi to compute Eq. (5), and then performs Eq. (6) to recover M.

(7)

Proof: We can first calculate

S p B = [(r + g sh ) mod n] B = [(d csu + g sh ) mod n] B = D cVu + gVh = V p

[Request and Verification Phase] After acquiring the proxy key, Ui can use the proxy key to sign login request as follows. Then he/she attaches the signed request to the mobile agent. Step 1. Ui prepares the request req that contains the identity of hosts and the current timestamp. Step 2. Ui randomly chooses c [2, n 2] , and then he/she computes C = c B = (Cx , C y ) and a = h(C x || req) Step 3. Ui calculates t = c + w a, and then attaches the login request message {R, t, C, IDU, mw, req} to the mobile agent and lunches it. Step 4. Upon receiving the request message, the host platform Hi checks the validity of the timestamp and the warrant, and then verifies the following verification equation, where the users public key Pu and identity Iu are specified in the warrant. t B = [(a m) mod n] PSA + a Vu + a R + C (8) If the hosts identity is included in the warrant mw, the timestamp is valid, and the verification of Eq. (8) succeeds, then the host accepts the request. Theorem 5. User Ui can verify the authorized proxy key by checking whether Eq. (7) holds. Proof:
w B = [(w'+su ) modn] B = [((r + m)sSA + su ) modn] B = R + m PSA + Vu

and then compute the following to recover M from (r, s): r h( X ( s B h(r ) V p ) ) = r h( X (t B + h(r ) S P B h(r ) V p ) ) = r h( Tx ) =M According to Theorems 3 and 4, both signing and encrypting a message can be concurrently accomplished in a logically single step. E. The Proposed Authentication Scheme Here we apply the concept of proxy signature to construct the proposed authentication scheme, which possesses the merits that users can register only once to the system authority (SA) for obtaining many services in different servers. We will give further details about how to achieve this as below. mw: a warrant for a users mobile agent. req: the login request of a user. [Authorization Phase] In this phase, the hosts authorize the SA to authenticate users mobile agents and issue the corresponding warrants and proxy keys to users, upon users registration. [Registration Phase] In this phase, a user can register only once at the SA for all services. When a user Ui wants to apply for some services of the domain by using mobile agents, he/she registers himself/herself at the SA. If Ui passes the authentication, the SA prepares a warrant mw to Ui, and then the following steps will be executed: Step 1. SA chooses a random integer r [2, n 2] , and computes R = r PSA.

Theorem 6. The host platform can verify the authentication of the mobile agent by checking whether Eq. (8) holds. Proof:
t B = [( c + w a ) mod n ] B = [( c + ( w ' + s u ) a ) mod n ] B = [( c + (( r + m ) s SA + s u ) a ) mod n ] B = C + a R + [( a m ) mod n ] PSA + a V u

III.

SECURITY ANALYSIS

The security of the proposed schemes is primarily relied on the difficulties of solving elliptic curve discrete

logarithm problem (ECDLP) [12, 15] and one-way hash function (OWHF). The security analyses of the proposed security schemes for mobile agents are discussed in the following. A. Security of the Proposed PKC In the proposed PKC, the security keys include SAs private key, users master keys, and users derived private keys. The security analyses of the proposed PKC are discussed as follows: 1) Revealing SAs private key and any registering users master key Although attackers can obtain the parameters Pi and Ii through a public channel, they cannot get si through Eq. (1) due to the difficulty of solving the ECDLP. 2) Revealing any registering users derived private key Without knowing xi, SA cannot obtain the users private key by using the equation si = wi + h ( xi || I i ) (mod n ) . It is obvious that if SA tries to find xi satisfying Vi = h( xi || I i ) B , then the security is based on the intractability of solving the ECDLP. 3) Generating a valid public key Acording to the equation for generating the witness wi = k i + s SA ( Pix + h ( I i )) (mod n ) , the user cannot forge a guarantee to validate the public key by himself/herself without knowing ki and sSA. B. Possible Attacks on Related Security Schemes [Proposed Proxy Signature Scheme] We will discuss the security of the proposed proxy signature scheme as follows: 1) Revealing the users (original signers) private key It is computationally infeasible for an attacker to obtain users private key su from the users requirement list (c, r, w). Although an attacker can get c and r, he/she cannot derive su from the equation r = d c s u (mod n) without knowing d. 2) Revealing the hosts (proxy signers) private key An attacker may acquire the contract (g, y, M). However, without knowing t, he/she cannot derive the from the equation hosts private key sh . 3) Acquiring the users constraints N (or d) The attacker cannot derive N from the equation r = d c s u (mod n) without knowing su and d. Moreover, based on the OWHF assumption, it is hard to compute N from d. An attacker can obtain D = D = r B + c Vu from the requirement list, and then he/she may try to derive d from the equation D = d B. However, it will face the intractability of solving the ECDLP. 4) Acquiring the hosts random integer t An attacker can obtain (g, y, M) from the public channel, but it is computationally infeasible to derive t
y = t r g s h (mod n)

from the equation y = t r g s h (mod n) because of without knowing sh. 5) Forging a valid requirement list (c, r, w) Consider the scenario that an attacker attempts to forge a requirement list (c, r, w). The attacker can create a fake warrant w, and then he/she selects a random number d to compute D ' = d ' B and c = h(w||Dx). Finally, he/she may attempt to compute r which satisfies r ' = d ' c 's u (mod n ) . However, the attacker cannot get su, thus he/she still cannot find out r to satisfy the equation. 6) Forging a valid contract (g, y, M) If an attacker wants to forge a contract (g, y, M), then he/she needs to choose a random number t, and computes E = [(t 'r ) mod n] B and g = h(M||Ex). However, because he/she cannot obtain the hosts private key sh, he/she cannot find out y to satisfy the equation y = t r g s h (mod n) . [Proposed Authenticated Encryption Scheme] A secure authenticated encryption scheme should satisfy the security requirements of confidentiality, unforgeability, and non-repudiation [11]. Therefore, we can attain the confidentiality of the signed messages and the signers private key, the unforgeability of the authenticated encryption messages and the signatures, and the property of non-repudiation, because these requirements can be protected based on the intractability of solving the ECDLP and OWHF. [Proposed Authentication Scheme] The proposed authentication scheme is based on the proxy signature approaches. In addition, any secure proxy signature can be adopted in the implementation of the proposed authentication scheme. We can achieve the requirements of secrecy and unforgability using the difficulties of solving ECDLP and OWHF. IV. PERFORMANCE EVALUATION In the section, we discuss the computational complexity and communicational cost of the proposed ECC-based selfcertified public key cryptosystem and related security schemes. In Table I, the computational complexities of the proposed ECC-based self-certified public key cryptosystem and related security schemes are listed. Table II lists the communicational cost required for the key generation phase and related security schemes, respectively, where let |y| be the bit-length of integer y. Using a certificate for public key verification, though having the advantage that even SA does not know the users secret keys, it requires extra amount of storage, communication and computation, which essentially depends on the signature scheme in use [17]. In contrast to the certificate-based approach, our proposed schemes do need the use of certificates, and therefore save much computational and communicational cost.

TABLE I. Items System phase

THE COMPUTATIONAL COMPLEXITIES OF THE PROPOSED CRYPTOSYSTEMS AND RELATED SECURITY SCHEMES. Computational complexity setup SA: TEM SA:
T EM + T EA + TMM

Rough evaluation SA: 29 TMM SA: 30.12 TMM + TH User: 118.24 TMM +2 TH

the integrated cryptosystems to design several security schemes for protecting mobile agents and agent hosts, such as the proxy signature, proxy authenticated encryption scheme and authentication scheme. REFERENCES
[1] D. Yun, J. Lee, M. Yu, and S. Choi, Agent-based user mobility support mechanism in RFID networking environment, IEEE Transactions on Consumer Electronics, vol. 55, no. 2, pp. 800804, 2009. [2] K. Kang, J. Lee, and H. Choi, Using management markup language for remote control of OSGi-based home server, IEEE Transactions on Consumer Electronics, vol. 54, no. 4, pp. 20232028, 2008. [3] S. Baek, E. Choi, J. Huh, and K. Park, Sensor Information Management Mechanism for Context-aware Service in Ubiquitous Home, IEEE Transactions on Consumer Electronics, vol. 53, no. 4, pp. 1393-1400, 2007. [4] S. Park, S. Kang, and Y. Kim, A channel recommendation system in mobile environment, IEEE Transactions on Consumer Electronics, vol. 52, no. 1, pp. 33-39, 2006. [5] S. Baek, H. Lee, S. Lim, and J. Huh, Managing mechanism for service compatibility and interaction issues in context-aware ubiquitous home, IEEE Transactions on Consumer Electronics, vol. 51, no. 2, pp. 524-528, 2005. [6] J. Baek and H. Yeom, d-Agent: an approach to mobile agent planning for distributed information retrieval, IEEE Transactions on Consumer Electronics, vol. 49, no. 1, pp. 115-122, 2003. [7] C. O. Kim, I. H. Kwon, and C. Kwak, Multi-agent based distributed inventory control model, Expert Systems with Applications, vol. 37, no.7, pp. 5186-5191, 2010. [8] J. Wu, S. Yuan, S. Ji, G. Zhou, Y. Wang, and Z. Wang, Multi-agent system design and evaluation for collaborative wireless sensor network in large structure health monitoring, Expert Systems with Applications, vol. 37, no. 3, pp. 2028-2036, 2010. [9] D. M. Chess, B. Grosof, C. G. Harrison, D. Levine, C. Parris, and G. Tsudik, Itinerant agents for mobile computing, IEEE Personal Communications Magazine, vol. 2, no. 5, pp. 34-49, 1995. [10] M. Girault, Self-certified public keys, Advances in Cryptology: Proceedings of Eurocrypt91, LNCS 547, Springer-Verlag, pp. 490497, 1992. [11] W. H. He and T. C. Wu, Cryptanalysis and improvement of PetersenMichels signcryption scheme, IEE Proceedings Computer and Digital Techniques, vol. 146, no. 2, pp.123-124, 1999. [12] A. Jurisic and A. J. Menezes, Elliptic curves and cryptography, Dr. Dobbs Journal, pp. 26-35, 1997. [13] P. Maes, R. Guttman, and A. Moukas, Agents that buy and sell, Communications of the ACM, vol. 42, pp. 81-91, 1999. [14] M. Mambo, K. Usuda, and E. Okamoto, Proxy signatures: delegation of the power to sign messages, IEICE Transactions on Fundamentals, vol. E79-A, no. 9, pp. 1338-1354, 1996. [15] A. J. Menezes and S. A. Vanstone, Elliptic curve cryptosystem and their implementation, Journal of Cryptology, vol. 6, no. 4, pp. 209224, 1993. [16] H. Petersen and P. Horster, Self-certified keys: concepts and applications, Proceedings of Communications and Multimedia Security 97, Chapman & Hall, pp. 102-116, 1997. [17] S. Saeednia, A note on Giraults self-certified model, Information Processing Letters, vol. 86, pp. 323-327, 2003. [18] T. Sander and C. F. Tschudin, Protecting mobile agents against malicious hosts, Mobile Agents and Security, LNCS 1419, SpringerVerlag, pp. 44-60, 1998. [19] H. Takeda, K. Iino, and T. Nishida, Agent organization and communication with multiple ontologies, International Journal of Cooperative Information Systems, vol. 4, no. 4, pp.312-337, 1995. [20] J. E. White, Mobile agents make a network an open platform for third-party developers, IEEE Computer, vol. 27, no. 11, pp. 89-90, 1994.

Key generation phase

+2 TMA + TH User: 4 TEM +2 T EA +2 TMA +2 TH Host: 5 TEM +3 T EA +3 TMM +2 TMA +3 TH User: 7 TEM +4 T EA + TMM +2 TMA +5 TH Authorization 5 TEM +3 T EA +2 TMM

Proxy signature scheme

Host: 148.36 TMM +3 TH User: 204.48 TMM +5 TH

Proxy authenticated encryption scheme

+2 TMA +3 TH Encryption: 5 TEM +2 T EA + TMM +2 TMA +4 TH Decryption: 7 TEM +5 T EA + TMA +3 TH SA:

T EM + TMM + TMA + TH

Authorization 147.36 TMM +3 TH Encryption: 146.24 TMM +4 TH Decryption: 203.6 TMM +3 TH

Authentication Scheme

Host: 3 TEM +3 T EA + TMM User: 4 TEM +4 T EA + TMM +3 TMA +2 TH

SA: 30 TMM + TH Host: 88.36 TMM User: 117.48 TMM +2 TH

Note: TEM / TEA/ TMM / TEXP/ TINV/ TMA / TH is the time for computing multiplication of a number and an elliptic curve point/ addition of two points on an elliptic curve/ modular multiplication/ modular exponentiation/ modular inversion/ modular addition/ one-way has function. TABLE II. THE COMMUNICATIONAL COST OF THE PROPOSED CRYPTOSYSTEMS AND RELATED SECURITY SCHEMES. Communicational cost I +4 p + n
3 | n | +3 h + 3 | M |

Items Key Generation Phase Proxy Signature Scheme Proxy Authenticated Encryption scheme

2| p| +|n| +| h|
6 | p | + | 2n | + | I | +3 | M |

Authentication Scheme

V.

CONCLUSION

This paper discusses about the security of mobile agents and agent hosts in electronic business applications. We focus on the cryptographic solutions for the confidentiality, integrity, authenticity, and non-repudiation in mobile agent networks environments. In order to protect the security of transactions in e-commerce, we propose an appropriate public key cryptosystem (PKC) for the mobile-agent-based networks. The proposed PKC is constructed based on the elliptic curve cryptosystems and the ID-based self-certified public key cryptosystems. In addition, we further employ