With the increasing worldwide usage of the Internet, electronic commerce (e-commerce) has been adopted rapidly by many businesses. As e-commerce grows, so does the demand for better systems to manage and carry out transactions, and this has led to the development of agent-based e-commerce. In this approach, agents are employed on behalf of users to carry out various e-commerce activities. Although the tradeoff of employing mobile agents is still a contentious topic (Milojicic, 1999), using mobile agents in e-commerce attracts much research effort, as it may improve the potential of their applications in e-commerce. One advantage of using agents is that communication cost can be reduced: agents that travel and transfer only the necessary information save bandwidth and reduce the chance of network congestion. Users can also let their agents travel asynchronously to their destinations and collect information or execute other applications while the users themselves are disconnected from the network (Wong, 1999).

Although agent-based technology offers such advantages, the major factor that is still holding people back from employing agents is the security issues involved. On the one hand, hosts cannot trust incoming agents belonging to unknown owners, because malicious agents may launch attacks on the hosts and on other agents. On the other hand, agents may have concerns about the trustworthiness of hosts and will be reluctant to expose their secrets to distrusted hosts. To build bilateral trust in an e-commerce environment, the authorization and authentication schemes for mobile agents should be well designed. Authentication checks the credentials of an agent before the host processes the agent's requests; if the agent is found to be suspicious, the host may decide to deny its service requests. Authorization refers to the permissions granted to the agent to access whichever resource it requested.
In our previous work, we have proposed a SAFER (Secure Agent Fabrication, Evolution & Roaming) architecture (Zhu, 2000), which aims to construct an open, dynamic and evolutionary agent system for e-commerce. We have already elaborated agent fabrication, evolution, and roaming in Guan (1999, 2001, 2002), Wang (2001), and Zhu (2001). This article gives an overview of the authentication and authorization issues on the basis of the SAFER architecture.
Many intelligent agent-based systems have been designed in recent years to support various aspects of e-commerce applications, for example Kasbah (Chavez, 1998), the Minnesota AGent Marketplace Architecture (MAGMA) (Tsvetovatyy, 1997), and MAgNet (Dasgupta, 1999). Unfortunately, most current agent-based systems, such as Kasbah and MAGMA, support only stationary agents. Although MAgNet employs mobile agents, it does not consider security issues in its architecture.
Key Terms in this Chapter
Authentication: The process of ensuring that an individual is who he or she claims to be.
Authorization: The process of giving access rights to an individual or entity.
Private Key: That key (of a user’s public-private key pair) known only to the user.
Java: A high-level programming language similar to C++, developed by Sun Microsystems.
Agent: A piece of software that acts on behalf of its user to accomplish tasks.
Cryptography: The act of protecting data by encoding them, so that they can only be decoded by individuals who possess the key.
Digital Signature: Extra data appended to a message in order to authenticate the identity of the sender and to ensure that the original content of the message or document that was sent is unchanged.
Public Key: The publicly distributed key of a user's public-private key pair (the two keys are mathematically related); used together with the matching private key to encrypt messages for the key holder and to verify the key holder's digital signatures.