7
Adaptation of agent-based non-repudiation protocol to mobile digital right management (DRM) Chung-Ming Ou a,, C.R. Ou b a Department of Information Management, Kainan University, Luchu 338, Taiwan b Department of Electrical Engineering, Hsiuping Institute of Technology, Taichung 412, Taiwan article info Keywords: Mobile agent Non-repudiation PKI Digital right management Proxy certificate abstract Non-repudiation of a mobile digital rights management (DRM) ensures that when a user (U) sends some message to a rights issuer (RI), neither U nor RI can deny having participated in this transaction. An evi- dence of a transaction is generated by wireless PKI mechanism such that U and RI cannot repudiate send- ing and receiving the message respectively. U generates a mobile agent which carries encrypted payment information to RI. This mobile agent is also issued a proxy certificate by U; this certificate guarantees the binding relationship between them. One trusted third party acts as a lightweight notary for evidence gen- eration. One advantage of this agent-based non-repudiation protocol is to reduce inconvenience for mobile clients such as connection time; it causes difficulty for fair transaction for mobile DRM. Ó 2011 Elsevier Ltd. All rights reserved. 1. Introduction Recently, varied concepts of intelligent agents are experienced growing applications in many areas related to network manage- ment. Grossklags and Schmidt introduced software agents with market efficiency (Grossklags & Schmidt, 2006). Wang proposed an agent-based control of traffic management system (Wang, 2005). Hamdi proposed a multiagent-based approach to informa- tion customization (Hamdi, 2006), etc. On the other hand, agent- based E-commerce systems provide some advantages over the conventional client and server-based E-commerce systems; it is also a promising architecture for peers to peers (P2P) E-commerce systems and cloud computing. According to Borrell, Robles, Serra, and Riera (1999), they reduce network traffics, provide efficient re- source access and dynamic system adaptations, and particularly support mobile transactions. The agent-based system is becoming a framework for both E-commerce and mobile commerce (M- commerce). Wireless devices which communicate with application servers over the air are highly exposed to potential security threats. They require enhanced security and authenticity services for mobile transactions which are not properly supported by the original GSM and UMTS security mechanisms. For example, Stach, Park, and Makki (1999) proposed an enhanced GSM protocol supporting non-repudiation of services. Moreover, as M-commerce applications increases, further sensitive services such as payment and billing are needed. Tseng, Yang, and Su (2004) proposed a PKI-based protocol of authentication and billing for WLAN and 3G integrations. This scheme can provide non-repudiation billing service based on digital signatures. According to M’Raihi and Yung (2001), smart cards (SIMs for GSM and USIMs for UMTS) are crucial in allowing safe operations for these mobile telecom applications. Dispute of mobile transactions is a common problem that could jeopardize the mobile commerce (Zhou, Deng, & Bao, 1999). The purpose of non-repudiation is to collect, maintain, make available and validate irrefutable evidence concerning a claimed event or ac- tion in order to resolve disputes on the occurrence or non-occur- rence of the event or action (ITU-T., 1996; Li & Luo, 2004). Any evidence has to be verified by some fair arbitrator once dispute arises. One motivation for this paper is the mobile TAIWAN project (mTAIWAN). Since 2005, mTAIWAN is one major nation-wide pro- ject of establishing seamless and ubiquitous wireless infrastruc- ture. This next generation communication network combines mobile communication systems such as 2G (GSM), 2.5G (GPRS), 3G (UMTS), wireless network systems such as WiFi and WiMAX technologies. One major goal for mTAIWAN project is to promote the ubiquitous mobile applications using varied mobile devices such as mobile phone, PDA, laptop PC, etc. Combining these moti- vations, we propose an agent-based architecture and protocol to implement the non-repudiation mechanism over the mobile appli- cation systems, which includes the digital right management (DRM); this will also improve the security mechanisms of those existing electronic invoice systems. On the other hand, mobile 0957-4174/$ - see front matter Ó 2011 Elsevier Ltd. All rights reserved. doi:10.1016/j.eswa.2011.02.149 Corresponding author. E-mail addresses: [email protected] (C.-M. Ou), [email protected] (C.R. Ou). Expert Systems with Applications 38 (2011) 11048–11054 Contents lists available at ScienceDirect Expert Systems with Applications journal homepage: www.elsevier.com/locate/eswa

Adaptation of agent-based non-repudiation protocol to mobile digital right management (DRM)

Embed Size (px)

Citation preview

Expert Systems with Applications 38 (2011) 11048–11054

Contents lists available at ScienceDirect

Expert Systems with Applications

journal homepage: www.elsevier .com/locate /eswa

Adaptation of agent-based non-repudiation protocol to mobile digital rightmanagement (DRM)

Chung-Ming Ou a,⇑, C.R. Ou b

a Department of Information Management, Kainan University, Luchu 338, Taiwanb Department of Electrical Engineering, Hsiuping Institute of Technology, Taichung 412, Taiwan

a r t i c l e i n f o

Keywords:Mobile agentNon-repudiationPKIDigital right managementProxy certificate

0957-4174/$ - see front matter � 2011 Elsevier Ltd. Adoi:10.1016/j.eswa.2011.02.149

⇑ Corresponding author.E-mail addresses: [email protected] (C.-M

(C.R. Ou).

a b s t r a c t

Non-repudiation of a mobile digital rights management (DRM) ensures that when a user (U) sends somemessage to a rights issuer (RI), neither U nor RI can deny having participated in this transaction. An evi-dence of a transaction is generated by wireless PKI mechanism such that U and RI cannot repudiate send-ing and receiving the message respectively. U generates a mobile agent which carries encrypted paymentinformation to RI. This mobile agent is also issued a proxy certificate by U; this certificate guarantees thebinding relationship between them. One trusted third party acts as a lightweight notary for evidence gen-eration. One advantage of this agent-based non-repudiation protocol is to reduce inconvenience formobile clients such as connection time; it causes difficulty for fair transaction for mobile DRM.

� 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Recently, varied concepts of intelligent agents are experiencedgrowing applications in many areas related to network manage-ment. Grossklags and Schmidt introduced software agents withmarket efficiency (Grossklags & Schmidt, 2006). Wang proposedan agent-based control of traffic management system (Wang,2005). Hamdi proposed a multiagent-based approach to informa-tion customization (Hamdi, 2006), etc. On the other hand, agent-based E-commerce systems provide some advantages over theconventional client and server-based E-commerce systems; it isalso a promising architecture for peers to peers (P2P) E-commercesystems and cloud computing. According to Borrell, Robles, Serra,and Riera (1999), they reduce network traffics, provide efficient re-source access and dynamic system adaptations, and particularlysupport mobile transactions. The agent-based system is becominga framework for both E-commerce and mobile commerce (M-commerce).

Wireless devices which communicate with application serversover the air are highly exposed to potential security threats. Theyrequire enhanced security and authenticity services for mobiletransactions which are not properly supported by the originalGSM and UMTS security mechanisms. For example, Stach, Park,and Makki (1999) proposed an enhanced GSM protocol supportingnon-repudiation of services. Moreover, as M-commerce

ll rights reserved.

. Ou), [email protected]

applications increases, further sensitive services such as paymentand billing are needed. Tseng, Yang, and Su (2004) proposed aPKI-based protocol of authentication and billing for WLAN and3G integrations. This scheme can provide non-repudiation billingservice based on digital signatures. According to M’Raihi and Yung(2001), smart cards (SIMs for GSM and USIMs for UMTS) are crucialin allowing safe operations for these mobile telecom applications.Dispute of mobile transactions is a common problem that couldjeopardize the mobile commerce (Zhou, Deng, & Bao, 1999). Thepurpose of non-repudiation is to collect, maintain, make availableand validate irrefutable evidence concerning a claimed event or ac-tion in order to resolve disputes on the occurrence or non-occur-rence of the event or action (ITU-T., 1996; Li & Luo, 2004). Anyevidence has to be verified by some fair arbitrator once disputearises.

One motivation for this paper is the mobile TAIWAN project(mTAIWAN). Since 2005, mTAIWAN is one major nation-wide pro-ject of establishing seamless and ubiquitous wireless infrastruc-ture. This next generation communication network combinesmobile communication systems such as 2G (GSM), 2.5G (GPRS),3G (UMTS), wireless network systems such as WiFi and WiMAXtechnologies. One major goal for mTAIWAN project is to promotethe ubiquitous mobile applications using varied mobile devicessuch as mobile phone, PDA, laptop PC, etc. Combining these moti-vations, we propose an agent-based architecture and protocol toimplement the non-repudiation mechanism over the mobile appli-cation systems, which includes the digital right management(DRM); this will also improve the security mechanisms of thoseexisting electronic invoice systems. On the other hand, mobile

C.-M. Ou, C.R. Ou / Expert Systems with Applications 38 (2011) 11048–11054 11049

applications need to be user-friendly and convenient for mobileclients via their mobile handsets; this investigation leads to the re-search of agent-based mobile applications.

DRM is a technology to solve the issues of transferring copy-right-protected information. Many multimedia contents are dis-tributed without any copyright protection via digitalization andcommunication network. Among them, medical data from unau-thorized peers, copyright-protected music or books, must be onlyconsumed by users who paid for it (Onieva, Lopez, Roman, Zhou,& Gritzalis, 2007). In this paper, we show how to establish a simpleagent-based protocol integrated existing DRM architecture basedon the OMA (open mobile alliance) DRM specification 2.0. This pro-tocol provides the secure mechanism between the mobile user andthe right issuer (RI) through the mobile network provider, whilethey are exchanging a right object (RO) according to agreed pur-chase order. Non-repudiation services must ensure that when mo-bile consumer U sends some content right request to rights issuerRI over a network, neither U nor RI can deny having participated ina part or the whole of this transaction. The basic idea is the follow-ing: an evidence of origin (EOO) is generated for U and an evidenceof receipt (EOR) is generated for RI. In general, evidences are gener-ated via PKI-based digital signatures. Disputes arise over the originor the receipt of messages. For the case of origin dispute, U deniessending message while RI claims having received it. As for the re-ceipt dispute, RI denies receiving any message while U claims hav-ing sent it.

Many non-repudiation protocols have been proposed in a so-called ‘‘wrapper context’’, for example, the one proposed by Zhouand Gollman (Zhou & Gollmann, 1996). In this situation, a partyA wants to send a message M to B to enforce non-repudiation onM; namely, non-repudiation is enforced for one message (M). Stachet al. (1999) focus on non-repudiation of GSM service based onone-way hash function in order to preventing mobile subscribersfrom denying initiating this GSM service. However, this is moreauthentication rather than non-repudiation from applicationspoint of view. Liew, Ng, Lim, Tan, and Ong (1999) proposed anon-repudiation protocol for communication sessions rather thanmessages in an agent-based E-commerce system. Their protocolis a general-purposed one for any E-commerce system. Lee andYeh (Lee & Yeh, 2005) proposed a delegation-based authenticationprotocol for mobile devices; it is achieved by utilizing proxy signa-tures which basically delegates signing power to other end-entities.

Mobile agents are considered to be an alternative to client andserver-based mobile commerce where mobile devices have limitedcomputing resource. A mobile agent of the host is a set of code anddata which can execute codes with data as parameter in sometrusted processing environment (TPE) or on some merchant hosts.However, there are several issues related to security and trustwhile considering mobile agent-based E-commerce (Esparza, Mu-noz, Soriano, & Forne, 2003; Pagnia, Vogt, Gartner, & Wilhelm,2000; Wilhelm, Staamann, & Buttyan, 1998), such as the non-repu-diation. We consider brokerage rather than TPE in our mobile DRM.One advantage of adopting this mobile agent architecture to non-repudiation protocol is the following: Mobile devices simply sendtheir agents with (digital) right request to the broker; they neednot to connect to specific application servers throughout the wholetransacting activity. The wireless public key infrastructure (WPKI)adoptable for this non-repudiation mechanism relies on sometrusted third party (TTP) which generates the final evidence for dig-ital right request. The identity binding of a mobile agent and itsowner is a major security concern from M-commerce point ofview; this issue can be reasonably solved by using proxy certifi-cates within the WPKI. Mobile agent systems provide platformsallowing mobile agents autonomously migrating between differenthosts. While migrating between hosts, these agents are under

security threats with different scenarios. Borrell et al. (1999) pro-posed a PKI-based cryptographic solution with some trustedauthority (TA) launching agents. Bamasak and Zhang (Bamasak &Zhang, 2005) have proposed a distributed reputation managementscheme to reduce the risk of malicious hosts. We propose a revoca-tion mechanism of host certificates to help brokers from sendingagents to malicious hosts.

The arrangement of this paper is as follows. In Section 2, weintroduce the architecture of an agent-based mobile applicationsystem. In Section 3, we propose an agent-based non-repudiationprotocol suitable for mobile digital right management; we alsoanalyze security mechanisms of this agent-based non-repudiationprotocol, namely, dispute resolutions.

2. Preliminary knowledge

An efficient and fair non-repudiation protocol was proposed byZhou and Gollmann where TTP acts as a lightweight notary (wename it ZGP) (Zhou & Gollmann., 1996). This protocol is suitablefor 3G communication by analyzing the capability of implementingcryptographic operations such as digital signature, symmetric keyencryption/decryption, hash function and random number genera-tions (WPKI., 2004). According to this investigation, we design anon-repudiation protocol adaptive to agent-based mobile digitalright management systems.

2.1. Basic structure for 3G mobile digital right management services

DRM is defined as a set of technologies and systems that cancollectively support the entire life cycle (creation, manipulation,distribution and consumption) of contents by preventing illegalcopying (Onieva et al., 2007).

The architecture for mobile digital right management system iscomposed of the following entities: a user represented by mobileequipment (ME), WPKI, a content provider and corresponding (dig-ital) rights issuer, a bank and a broker, see Fig. 1. These entities arealso issued certificates by some certification authority (CA) withinthis WPKI. ME utilizes the USIM (Universal Subscriber IdentityModule) to store mobile client’s information such as IMSI (Interna-tional Mobile Subscriber Identity) and WPKI components. ME iscapable of verifying digital signatures to authenticate other enti-ties, if necessary. We also deploy a middleware called the brokerto help ME authenticate the merchant server such that attackerscannot impersonate this seller. Merchant servers can perform PKIoperations for evidence generations.

2.2. WPKI

The WPKI is the core cryptographic mechanism for non-repudi-ation protocol; it consists of two parts, one is the operation; theother is the entity. WPKI entities must contain at least two pub-lic–private key pairs for encryption/decryption and signature gen-eration/verification, respectively. These key pairs are generated bysome CAs whose major task is to bind public key, private key andentity together. The public key will be stored in some certificatefield; CA will issue (subscriber) certificates and server certificatesto buyers and varied servers, respectively, see Fig. 2. Users may is-sue proxy certificates to their mobile agents for transaction delega-tions. The digital signature of a message is generated by using theprivate key of message owner and some hash function. Withoutloss of generality, we may assume that one of the standard hashfunction is applied, which is denoted by H.

2.2.1. WPKI operationsMajor WPKI operation in our non-repudiation protocol is the

digital signature-based evidence generation and verification. Let

wireless Network

BROKERUSER

Internet

Mobile agentContent Provider

Rights Issuer

Fig. 1. The architecture of an agent-based mobile DRM.

wireless Network

Broker

CONTENT Provider

USER

Internet

Mobile agent

WPKI

Transfer Money

Open account

BANK

Open account

Saving Money

Issuing certificate

Fig. 2. The architecture of an agent-based mobile content service.

11050 C.-M. Ou, C.R. Ou / Expert Systems with Applications 38 (2011) 11048–11054

X be a certificate subscriber and Y the certificate issuer of X. Let KX

and K�1X be the public key and the corresponding private key of X,

respectively. Let M be a message and sSXðMÞ the digital signature ofM generated by the private key K�1

X .We define signature and cer-tificate verification as follows.

1. Signature verification of sSXðMÞ: sig_ver(sSX(M)) is successful ifand only if KX(sSX(M)) = H(M).

2. Verification of subscriber certificate CfX;KxgK�1Y

: Cert VerðCfX;KxgK�1

YÞ is successful if and only if sig verðCfX;KxgK�1

YÞ is

successful, namely, KYðCfX;KxgK�1YÞ ¼ HðCfX;KxgK�1

YÞ.

2.2.2. WPKI Entities2.2.2.1. Certificate authority (CA). A CA issues (subscriber) certifi-cates to mobile subscribers and server certificates to merchantservers, TTP, Home Revocation Authority (HoRA) and banks. Theseentities can authenticate each other and transmit encryptedinformation. CA needs to provide certificate management service

to ensure the validity of certificate. These entities would continueWPKI operations if and only if related certificates are valid.

2.2.2.2. Mobile client. We suggest that a mobile client be a USIM-based 3G mobile equipment for efficient signature generationand verification. Related public-key certificates are all issued bysome CA within this WPKI. Private keys should be generated withinUSIMs and contained in them afterwards.

2.2.2.3. Trusted third party (TTP). The trusted third party here is anotary server which simply generates necessary evidences for buy-ers and sellers. TTP needs to perform WPKI operations according tothe non-repudiation protocol described in the next section. There-fore TTP needs to access CA’s repository to retrieve necessary cer-tificates of users’ (rights issuers’) and verify digital signatures.TTP needs to store the broker’s public-key certificates and plays arole as the time stamp authority if necessary. For those generatedevidences, TTP will store these information in its public directoryfrom which users and rights issuers may fetch evidences.

C.-M. Ou, C.R. Ou / Expert Systems with Applications 38 (2011) 11048–11054 11051

TTP acts as a lightweight notary in this WPKI-based non-repudi-ation protocol that only notarizes digital rights requests by re-quests. TTP also provides directory services accessible to thepublic. For the non-repudiation protocols introduced in the nextsection, TTP only deal with ‘‘keys’’ rather than purchase order, thatis, TTP does not know any information of this order. Therefore thecommunications overheads between parties and TTP are reduced,and the user’s purchasing privacy is also guaranteed.

2.2.2.4. Host revocation authority (HoRA). HoRA issues host certifi-cates (HC) to RIs; these certificates bind mobile agent executioncapability to the RI’s identity. When a RI acts maliciously, HoRAonly needs to revoke this RI’s HC to prevent the broker from direct-ing agents to it. The functionality of HoRA to detect the status ofmerchant servers can be referred to (M’Raihi and Yung, 2001).

HoRA issues the host revocation list (HRL), which is a digital-signed list of revoked HCs. Before sending an agent of user to somemerchant server, the broker must check the status of all servers onthis agent’s itinerary to see if any server is on the HRL. If the checkis positive, broker will stop sending this agent to the merchant ser-ver; this mobile transaction is terminated.

2.3. Broker

Broker acts as a mediator between the mobile users in the wire-less network and the content provider in the Internet, see Fig. 3.Broker must distinguish malicious content provider from the hon-est ones according to HRL to avoid sending agents to them. It ispossible that honest server become malicious before HRL is up-dated. Esparza et al. (2003) provides solutions to solve this agentsecurity issue. HoRA will issue an updated HRL to broker if a con-tent provider is detected to be malicious. Broker needs to authen-ticate TTP on behalf of ME before non-repudiation protocol runs.

2.4. Mobile agent

A mobile agent consists of the following components: agentowner, identifier, goal/result, life time and states. Each agent car-ries items which are intended to be exchanged. These items in-clude purchase orders and payment information (e.g. bankaccount number, credit card number, or micro payments accountnumber, etc). When the user’s agent enters the rights issuer, broker

wireless Network

BR

LDAP Repository

CA

USER

HoRA

Mobile agent

Payment Info. + proxy cert.

Fig. 3. Architecture of agent-based mo

must ensure that they play fair. Furthermore, none of these agentsis allowed to communicate with any other party except its host ortransacted seller. The following steps are a general guideline forprotecting these mobile agents using WPKI.

1. Broker obtains the certified public key of the merchant server.2. Broker encrypts this mobile agent using RI’s public key and

sends it to the RI.

2.5. Proxy certificates

The proxy certificate basically follows standard certificate for-mat (such as ITU-X.509) with minor change. The major differenceis the subject identifier (SID), which is the certificate field recordedthe owner of this certificate. In proxy certificate, its subject identi-fier is equal to the certificate issuer (Romao & da Silva, 2001).

A proxy certificate of a mobile agent is issued and digitallysigned by its owner. Beside standard certificate fields, this certifi-cate contains a set of constraints which specifies valid operationsthat the agent is allowed to perform while using this certificate(Romao & da Silva, 2001). We use the notation PCfB;KA; ½D�gK�1

Bto

represent the proxy certificate of a mobile agent A belonging toits owner B with additional data D. This proxy certificate is carriedby this mobile agent along with its owner certificate such that abinding of mobile agent A with its owner B can be verified by appli-cations through certificate validation process.

When migrating to an application server, mobile agent will car-ry its proxy certificate. Verification of proxy certificate can be de-fined as follows.

cert ver PCfB;KA; ½D�gK�1B

� �is successful if and only if

sig ver PCfB;KA; ½D�gK�1B

� �is successful; namely;

KB PCfB;KA; ½D�gK�1B

� �¼ H PCfB;KA; ½D�gK�1

B

� �:

For our agent-based mobile DRM system, RI needs to verify mo-bile agents by checking its proxy certificate and its owner certifi-cate (which is the user’s certificate) according to standardcertificate chain validation, see Fig. 4.

OKER

TTP

Internet

Certificate retrieval

Content Provider

bile content services with WPKI.

CA Certificate

Subscriber Certificate

Proxy Certificate

Agent signature

Payment Information

Sub signature

SID:Sub

SID:Sub

Agent PK

Sub. PK

S signatureS signatureS signatureCA signature

SID:CA

CA signatureCA signatureCA PK

constraints

Certificate chain

Fig. 4. Signature verification with proxy certificate.

11052 C.-M. Ou, C.R. Ou / Expert Systems with Applications 38 (2011) 11048–11054

3. Non-repudiation of agent-based mobile digital rightmanagement

In this section, we focus on evidence generations of exchanginga right object between a mobile client and a rights issuer. Theseevidences are the foundation of the mobile DRM system.

3.1. Fair non-repudiation protocol with timeliness

Time evidence of sending and receiving a right object is crucialin mobile DRM. It could be achieved by adding some time stampsto evidences. Li and Luo (Li & Luo, 2004) improved ZGP by consid-ering the time span for evidence preservation. This improvementneeds only TTP plays the role of time stamping authority whileusers and rights issuers just define their intended time spans.

A non-repudiation protocol is fair if it can ensure that at the endof a protocol execution, none or both of the two entities, the senderand the receiver, can retrieve all the evidences it expects (Li & Luo,2004). Fairness guarantees that neither sender nor receiver cangain advantage over the other.

The user (U) access a web server to find what right object (RO)should purchase in order to access a protected content. Then thisuser contacts RI through the mobile network operator, sendingthe request of right (RORequest). RI will send response of right(ROResponse) to TTP, which will wait for U to take it, if the pay-ment information is verified.

Now we design a fair non-repudiation protocol suitable foragent-based mobile DRM; this protocol also relies on the trust thatbroker will act according to the HRLs. Trust is more a social issuethan a technical one. We may assume reasonably that mobile oper-ators or some service providers provide brokers which are com-pletely trusted by mobile subscribers. The purpose of this non-repudiation protocol is to transmit encrypted payment informationM and obtain non-repudiation evidences for U and RI. M containstwo parts, one is a commitment C, and the other is a key K. Nota-tions are as follows.

� M: Payment information being sent from U to RI.� K: Key generated by U.� A: Mobile agent generated by its owner U.� C = eK(M): Commitment for payment information M (eK repre-

sents encryption by key K).

� sSU(M): Signature of message M signed by U’s private key.� L = H(M, K): A label linking C and K (H represents a hash

function).� fi: Flag indicating the purpose of a signed message.� EOO_C: Evidence of origin of C, which is equal to

sSU(fEOO, RI, L, C).� EOR_C: Evidence of receipt of C, which is equal

tosSRI(fEOR, U, L, tRI, C).� sub_K: Authenticator of receipt of C, which is equal to

sSU(fSUB, RI, L, tU, K, EOO_C).� con_K: Evidence of confirmation of K issued by the TTP with

time stamp T, which is equal tosSTTP(fCON, U, RI, L, T, tU, tRI, K, EOO_C, EOR_C).

We include time information in this protocols; tU is a time spandefined by user U indicating that sub_K will be kept in TTP’s privatedirectory for tB time units; tS is a time span defined by RI indicatingthat TTP will keep EOR_C in its private directory for tRI time units. Tis the time stamp indicating the actual time TTP generate key con-firmation con_K and make it public. This non-repudiation protocolis as follows (also see Fig. 5).

3.1.1. Initiation phaseU generates a mobile agent A and its proxy certificate

PCfU;KA; ½D�gK�1U

. U also generates EOO_C according to M, and fEOO,RI, L, C.

3.1.2. Evidence exchange phaseNow U starts the process of right object request with this spe-

cific RI by delegating agent A.

1. A ? c RI: fEOO, RI, L, C, RORequest, EOO_C, PCfU;KA; ½D�gK�1U

.2. U ? TTP: fSUB, RI, L, tU, K, EOO_C, sub_K, PCfU;KA; ½D�gK�1

U.

3. RI ? TTP: fEOR, U, L, tRI, ROResponse, EOO_C, EOR_C.4. TTP U: fCON, U, RI, L, T, tU, tRI, K, ROResponse, EOR_C, con_K.5. TTP RI: fCON, R, RI, L, T, tU, tRI, K, ROResponse, EOR_C, con_K.

‘‘A ? c RI: M’’ means agent A carries information M to RI;‘‘U ? TTP: M’’ means U sends message M to TTP; ‘‘TTP U’’ meansU fetches messages from TTP. The basic idea is that user U is able tosend K, sub_K and tU to TTP in exchange for con_K; on the otherhand, RI sends EOO_C, EOR_C and tRI to TTP in exchange for con_K.

wireless Network

BROKER

Rights Issuer

LDAP Repository

CA

USER

TTPHoRA

Internet

Mobile agent

Certificate retrieval

Fetch evidence from TTP

Fetch evidence from TTP

Payment Info. + proxy cert.

Content Provider

Fig. 5. Agent-based mobile DRM with non-repudiation mechanism.

C.-M. Ou, C.R. Ou / Expert Systems with Applications 38 (2011) 11048–11054 11053

In step 1, S needs to verify EOO_C by retrieving U’s (signature) pub-lic key from CA; EOO_C is saved as an evidence of origin for RI. RIalso needs to verify the proxy certificate of A. In step 2, after receiv-ing sub_K, TTP keeps it in its private directory and delete it after tU

time units or until con_K is generated and published. In step 3, afterreceiving EOO_C, EOR_C and tRI from RI, TTP needs to verify EOR_Cusing S’s (signature) public key and compare EOO_C with the onesent by U in step 2. If either one is not true, TTP concludes thatat least one party is cheating and it will not generate con_K. We call{fCON, U, RI, L, T, tU, tRI, K, ROResponse, EOR_C, con_K} the evidenceof this M. TTP also check if labels L from step 2 and 3 are coincident.If not, user U and rights issuer RI must be disagreed with this orderM. TTP will stop this protocol.

If steps 1–3 are shown positive results, TTP starts to generatecon_K with time stamp T attached. In step 4, U fetches K and con_Kfrom TTP. In step 5, RI fetches con_K from TTP to prove that K isavailable for RI.

3.2. Security of non-repudiation protocols

The most important security issue of a non-repudiation proto-col is the dispute resolution. We analyze the generated evidencesof step 4–5 in the above non-repudiation protocol, dispute resolu-tion mechanisms of user and rights issuer to see whether non-repudiation can be reached. A trusted arbitrator will help solvethe dispute according to submitted evidences.

RI also checks if the constraint data D is bound by U. Namely, itwill first verify if

cert ver CfU;KUgK�1CA

n o¼ H CfU;KUgK�1

CA

n o;

Then RI also verifies the proxy certificate of the mobile agent A bychecking if

cert verfCfU;KA; ½D�gK�1Ug ¼ HfCfU;KA; ½D�gK�1

Ug:

3.2.1. Security of the payment informationThe payment information is well protected by encryption and

not revealed to other entities including TTP and broker. Moreover,user and rights issuer can reach secure communications, i.e. end-to-end security, for further transactions by sharing common ses-sion keys which is not known by other parties.

3.2.2. Validity of evidenceNon-repudiation service will fail if bogus evidence is accepted

or no evidence is received by either user or rights issuer. Validityof non-repudiation evidence depends on the security of crypto-graphic keys used for generating evidences. These keys need tobe revoked if they are compromised according to WPKI certificatepolicy practice.

According to WPKI, U, RI and TTP could retrieve certificates ofeach other’s from CA’s repository to verify digital signatures. Bythe nature of hash functions, it is computationally hard to findtwo different key K and K’ (with reasonable key length) with thesame labels, namely L = H(M, K) = H(M, K0) = L0 andM = dK(C) = dK0(C) = M0, where dK represents decryption using keyK. Therefore, TTP can investigate the validity of evidences by check-ing these labels.

3.2.3. Dispute of originWhen U denies having sent payment information M to RI, RI

may present EOO_C, EOR_C and con_K to some arbitrator in the fol-lowing way:

S ? arbitrator: EOO_C, EOR_C, con_K, sSRI(EOO_C, EOR_C, con_K),L, K, M, C, PCfU;KA; ½D�gK�1

U.

This arbitrator first verify the signature of RI, sSRI(EOO_-C, EOR_C, con_K); if the verification is positive, the arbitrator checksthe following six steps:

step 1: if EOO_C is equal to sSU(fEOO, RI, L, C).step 2: if A is generated by U; namely, verification of proxy cer-tificate, if

sig ver PCfU;KA; ½D�gKU�1

� �¼ H PCfU;KA; ½D�gK

U�1

n o

step 3: if EOR_C is equal to sSRI(fEOR, U, L, tRI, C).step 4: if con_K is equal tosSTTP(fCON, U, RI, L, T, tU, tRI, K, EOO_C, EOR_C).step 5: if L is equal to H(M, K).step 6: if M is equal to dK(C).

If step 1 is checked positive, this arbitrator concludes that U hassent RI the encrypted payment information C. If step 2 is checkedpositive, this arbitrator ensures that mobile agent A is generatedby U. If step 3 is checked positive, arbitrator concludes that RIhas sent all the correct payment information to TTP. For all 5 steps

11054 C.-M. Ou, C.R. Ou / Expert Systems with Applications 38 (2011) 11048–11054

being checked positive, this arbitrator finally concludes that U hassent RI the purchase order M, which is encrypted by K and pre-sented to be C.

3.2.4. Dispute of receiptWhen RI denies receiving M from U, U may present EOO_C,

EOR_C, con_K to the arbitrator in the following way:B ? arbitrator: EOO_C, EOR_C, con_K, sSU(EOO_C, EOR_C, con_K),

L, K, M, C, PCfU;KA; ½D�gK�1U

.The arbitrator first verifies the signature of U, sSU(EOO_-

C, EOR_C, con_K); if the verification is positive, the arbitrator checksall six steps same as those in the dispute of origin. For all six stepsbeing checked positive, arbitrator concludes that RI has received M,which is encrypted by K and presented to be C.

4. Conclusion

We propose a fair non-repudiation protocol based on mobileagents and proxy certificates. An evidence of mobile transactionis generated by WPKI mechanism such that user and rights issuercannot repudiate sending and receiving payment information,respectively. One challenge of non-repudiation protocols is toavoid any entity to cheat and gain advantage over the other. Mo-bile DRMs need time information included in evidences for disputeresolutions. Users generate mobile agents which carry encryptedpayment information to RIs. Mobile agent carries proxy certificateissued by its owner. The advantage of this agent-based protocol isto provide a convenient way for mobile clients to reach non-repu-diation for mobile DRMs. According to binding mechanism of theproxy certificate and its corresponding subscriber certificate, mo-bile agent and its owner cannot repudiate their relationship; thisis crucial for agent-based mobile DRM systems.

References

Bamasak, O., Zhang, N. (2005). A distributed reputation management scheme formobile agent-based e-commerce applications. In IEEE International Conferenceon e-Technology, e-Commerce and e-Service.

Borrell, J., Robles, S., Serra, J., Riera, A. (1999). Securing the itinerary of mobile agentsthrough a non-repudiation protocol, In IEEE 33rd Annual 1999 InternationalCarnahan Conference on Security Technology.

Esparza, O., Munoz, J., Soriano, M., Forne, J. (2003). Host revocation authority: a wayof protecting mobile agents from malicious hosts, ICWE 2003, LNCS 2722, pp.289–292.

Grossklags, J., & Schmidt, C. (2006). Software agents and market (in) efficiency: Ahuman trader experiment. IEEE Transactions on Systems, Man and CyberneticsPart C, 36(1), 1–13.

Hamdi, M. S. (2006). MASACAD: A multiagent-based approach to informationcustomization. IEEE Intelligent System, 21(1), 60–67.

ITU-T. (1996). Recommendation, X.813: information technology-open systemsinterconnection- security frameworks in open systems. Non-repudiationframework.

Lee, W.-B., & Yeh, C.-K. (2005). A new delegation-based authentication protocol foruse in portable communication systems. IEEE Transactions on WirelessCommunications, 4(1).

Li, B., & Luo, J. (2004). On timeliness of a fair on-repudiation protocol. InfoSecu’04,14-16, 99–106.

Liew, C.-C., Ng, W.-K., Lim, E.-P., Tan, B.-S., Ong, K.-L. (1999). Non-repudiation in anagent-based electronic commerce system, DEXW Workshop.

M’Raihi, D., & Yung, M. (2001). E-commerce applications of smart cards. ComputerNetworks, 36, 453–472.

Onieva, J., Lopez, J., Roman, R., Zhou, J., & Gritzalis, S. (2007). Integration of non-repudiation services in mobile DRM scenarios. Telecommunication Systems, 35,161–1765.

Pagnia, H., Vogt, H., Gartner, F., Wilhelm, U. (2000). Solving fair exchange with mobileagents, ASA/MA 2000, LNCS 1882, pp. 57–72.

Romao, A., & da Silva, M. (2001). Secure mobile agent digital signatures with proxycertificates. E-Commerce Agents, LANI, 2033, 206–220.

Stach, J. F., Park, E. K., & Makki, K. (1999). Performance of an enhanced GSM protocolsupporting non-repudiation of service. Computer Communications, 22, 675–680.

Tseng, Y.-M., Yang, C.-C., & Su, J.-H. (2004). Authentication and billing protocols forthe integration of WLAN and 3G networks. Wireless Personal Communications,29, 351–366.

Wang, F.-Y. (2005). Agent-based control for networked traffic managementsystems. IEEE Intelligent System, 20(5), 92–96.

Wilhelm, U., Staamann, S., Buttyan, L. (1998). On the problem of trust in mobileagent systems, In Symposium on Network and Distributed System Security,Internet Society, March, pp. 114–124.

WPKI. (2004). Implementation, initial stage, testing and experiments (Internal Reportand Discussion), Chunghwa Telecom Lab, Taiwan.

Zhou, J., Gollmann, D. (1996). A Fair non-repudiation protocol. In Proceedings of 1996IEEE Symposium on Security and Privacy, Oakland, California, May, pp.55–61.

Zhou, J., Deng, R., & Bao, F. (1999). Evolution of fair non-repudiation with TTP,ACISP’99. Lecture Notes in Computer Science (LNCS), 1587, 258–269.