With the increasing usage of the Internet, electronic commerce (e-commerce) has been catching on fast in many business areas. As e-commerce booms, there is a demand for better systems to manage and carry out transactions, and this has led to the development of agent-based e-commerce, in which agents act on behalf of users to carry out various e-commerce activities. Although the tradeoff of employing mobile agents is still under debate (Milojicic, 1999), using mobile agents in e-commerce attracts much research effort, as it may improve the potential of their applications in e-commerce (Guan & Yang, 1999, 2004). One advantage of using agents is reduced communication cost: because an agent travels to the data and transfers only the information it needs, it saves network bandwidth and reduces the chance of network congestion. Users can also schedule their agents to travel asynchronously to their destinations to collect information or execute other applications while the users themselves are disconnected from the network (Wong, Paciorek, & Moore, 1999).
Although agent-based technology offers these advantages, the major factor holding people back from employing agents is still security. On one hand, hosts cannot trust incoming agents belonging to unknown owners, because malicious agents may attack the host or other agents. On the other hand, agents and their owners may doubt the trustworthiness of hosts and be reluctant to expose their secrets to a host they do not trust. To build bilateral trust in an e-commerce environment, the authentication and authorization schemes for mobile agents must be designed carefully. Authentication verifies the credentials of an agent, and thus the identity of its owner, before the host processes the agent's requests; if the agent is found to be suspicious, the host may deny its service requests. Authorization then determines which of the resources an authenticated agent requests it is actually permitted to access.
Many intelligent agent-based systems have been designed in recent years to support various aspects of e-commerce applications, for example, Kasbah (Chavez & Maes, 1998), the Minnesota AGent Marketplace Architecture (MAGMA) (Tsvetovatyy, Mobasher, Gini, & Wieckowski, 1997), and MAgNet (Dasgupta, Narasimhan, Moser, & Melliar-Smith, 1999). Unfortunately, most current agent-based systems, such as Kasbah and MAGMA, support only stationary agents. Although MAgNet employs mobile agents, it does not consider security issues in its architecture.
D'Agents (Gray, Kotz, Cybenko, & Rus, 1998) is a mobile agent system that employs a public key infrastructure (PKI) for authentication and uses RSA public key cryptography (Rivest, Shamir, & Adleman, 1978) to generate the public-private key pairs. Once the identity of an agent has been established, the system decides which access rights to assign to the agent and sets up the corresponding execution environment for it.
IBM Aglets (Lange & Oshima, 1998; Ono & Tai, 2002) are Java-based mobile agents. Each aglet has a globally unique name and a travel itinerary; the places it visits are called contexts in IBM Aglets. The context owner is responsible for keeping the underlying operating system secure, mainly by protecting it from malicious aglets, and therefore authenticates each arriving aglet and confines it under the context's security policy.
Ajanta is also a Java-based mobile agent system (Karnik & Tripathi, 1999, 2001; Karnik, 2002), employing a challenge-response authentication protocol. Each entity in Ajanta registers its public key with Ajanta's name service. A client authenticates itself to a server by obtaining a ticket from it. The Ajanta Security Manager then grants agents permissions on resources based on an access control list keyed by the users' uniform resource names (URNs).
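The chapter treats authentication and authorization separately above, describes D'Agents' RSA-based identity check, and describes Ajanta's challenge-response protocol with a public-key registry, tickets and a URN-keyed access control list. The Python block below is an added example, not code from D'Agents, Ajanta or this chapter, that puts those pieces into one host-side exchange: the owner's public key is registered with the host's name service, the agent proves possession of the matching private key by signing a fresh nonce bound to the host's name, the host issues a short-lived ticket, and each resource request is then checked against the ACL. The URNs (`urn:ajanta:alice`, `urn:host:shop.example`), resource names, message format and ticket lifetime are assumptions made for the example. The RSA routine is textbook RSA without padding, written against the standard library only so the example runs offline; it is not the implementation either system uses, and a real deployment would use RSA-PSS or Ed25519 from a vetted library.

```python
# Added example, not code from D'Agents, Ajanta or this chapter. A host keeps owner
# public keys in a registry (the name service), authenticates an agent by public-key
# challenge-response, issues a short-lived ticket and checks requests against an ACL.
import hashlib
import secrets
import time

# Textbook RSA on the standard library, illustration only; use RSA-PSS/Ed25519 from a vetted library.
def is_probable_prime(n, rounds=32):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Return ((e, n), (d, n)): the public key and the private key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    d, n = private_key
    return pow(digest(data, n), d, n)

def verify(public_key, data, sig):
    e, n = public_key
    return 0 < sig < n and pow(sig, e, n) == digest(data, n)

def auth_message(host_name, urn, nonce):
    # Host name in the signed bytes: a response captured at one host cannot be redeemed at another.
    return b"agent-auth:" + host_name.encode() + b":" + urn.encode() + b":" + nonce

class Host:
    def __init__(self, name, acl, ticket_ttl=60.0):
        self.name, self.acl, self.ticket_ttl = name, acl, ticket_ttl
        self.registry = {}      # owner URN -> public key (the name service)
        self.pending = {}       # outstanding nonce -> URN, consumed on first use
        self.tickets = {}       # ticket -> (URN, expiry)

    def challenge(self, urn):
        if urn not in self.registry:
            raise PermissionError("unknown principal: " + urn)
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = urn
        return nonce

    def redeem(self, urn, nonce, sig):
        """Authentication: verify the signed challenge and issue a ticket, else fail closed."""
        if self.pending.pop(nonce, None) != urn:  # one-shot nonce: a replayed response fails here
            raise PermissionError("unknown or reused challenge")
        if not verify(self.registry[urn], auth_message(self.name, urn, nonce), sig):
            raise PermissionError("signature does not verify for " + urn)
        ticket = secrets.token_hex(16)
        self.tickets[ticket] = (urn, time.monotonic() + self.ticket_ttl)
        return ticket

    def authorize(self, ticket, resource):
        """Authorization: an unexpired ticket plus an ACL entry for the resource."""
        urn, expiry = self.tickets.get(ticket, (None, 0.0))
        if urn is None or time.monotonic() > expiry:
            self.tickets.pop(ticket, None)        # expired tickets are dropped, not renewed
            return False
        return resource in self.acl.get(urn, set())

def agent_login(host, urn, private_key):
    nonce = host.challenge(urn)
    return host.redeem(urn, nonce, sign(private_key, auth_message(host.name, urn, nonce)))

def demo(bits=1024):
    # URNs and resource names below are assumed for the example.
    host = Host("urn:host:shop.example", {"urn:ajanta:alice": {"catalog:read", "order:create"}})
    public_key, private_key = generate_keypair(bits)
    host.registry["urn:ajanta:alice"] = public_key          # name-service registration
    ticket = agent_login(host, "urn:ajanta:alice", private_key)
    return host.authorize(ticket, "catalog:read"), host.authorize(ticket, "admin:config")
```

`demo()` returns `(True, False)`: Alice's authenticated agent may read the catalog but is refused `admin:config` because the ACL has no such entry for her URN. Three details carry the security weight. The nonce is consumed on first use, so a captured response cannot be replayed; the host name sits inside the signed bytes, so a response obtained for one host cannot be redeemed at another host the same owner registered with; and an expired ticket is discarded rather than renewed. Every failure path refuses the request rather than falling back to a weaker check.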
iJADE (intelligent Java Agent Development Environment) (Lee, 2002) provides an intelligent agent-based platform in the e-commerce environment. This system can provide fully automatic, mobile, and reliable user authentication.
Key Terms in this Chapter
Private Key: That key (of a user’s public-private key pair) known only to the user.
Java: A high-level programming language similar to C++, developed by Sun Microsystems.
Agent: A piece of software that acts on behalf of its user to accomplish tasks.
Cryptography: The practice of protecting data by encrypting it, so that it can be decrypted only by parties who possess the corresponding key.
Authentication: The process of ensuring that an individual is who he or she claims to be.
Authorization: The process of giving access rights to an individual or entity.
Public Key: The publicly distributed key of a user's public-private key pair. It is mathematically related to the private key, but the private key cannot feasibly be derived from it. Data encrypted with the public key can be decrypted only with the private key, and a digital signature made with the private key is verified with the public key.
Digital Signature: Additional data appended to a message, computed with the sender's private key, that lets a recipient authenticate the identity of the sender and verify that the content of the message or document has not been altered since it was signed.