Security Mechanisms for Using Mobile Agents in Electronic Commerce

Paulo Jorge Marques, Luís Moura Silva, João Gabriel Silva
Departamento de Engenharia Informática, Universidade de Coimbra, Portugal
{pmarques, luis, jgabriel}@dei.uc.pt

Abstract

In order for mobile agents to be accepted as a basic technology for enabling electronic commerce, proper security mechanisms must be developed. Hosts must be protected from malicious agents, agents must be protected from other agents and also agents must be protected from malicious hosts. For solving the first three problems, existing technology from operating systems and distributed systems research can be used. The last problem is new and specific to the mobile agent paradigm and it is much harder to solve. Due to this problem, many say that mobile agents are not ready for e-commerce systems. In this paper we discuss the security requirements of mobile agents in the context of electronic commerce and analyze how these requirements can be met. We show that, because of the characteristics of e-commerce systems, the security requirements of the agents and their users can be assured in real and open environments such as the Internet.

1 Introduction

Mobile agents are one of the most prominent technologies believed to play an important role in future electronic commerce (e-commerce) systems. Besides providing a very flexible approach for gathering information on prices and assets available from the several company servers they visit, they can effectively take over the different aspects of the electronic commercial transaction, from price settlement to payment and delivery of the goods purchased.

Adopting the nomenclature of Maes [1], we identify the following stages where this technology can be especially important:

• Product brokering
• Merchant brokering
• Negotiation
• Payment and Delivery

Product brokering involves gathering information from several merchants about a certain product that the user is looking to acquire. Mobile agents can be used to collect offers from several hosts representing stores. These offers would be made in response to a query performed by the agent, which expresses its owner's wishes ("I want to buy a PC for less than $2000").

Merchant brokering consists of evaluating a set of alternatives, discovered in the previous stage, in order to decide where to make the purchase. Mobile agents can be used to autonomously decide where to make the purchase.

In the negotiation stage, the final terms of the transaction are set. Agents can be used to mediate this part of the transaction.

Finally, in the payment and delivery stage, the goods are delivered against currency (or its electronic equivalent). The mobile agents can be used to actually pay for the assets being bought and to collect a receipt as proof.

Mobile agents are especially interesting when considering all the previous activities as a whole. A mobile agent can autonomously take care of all the steps needed for carrying out the deal, without ever bothering its owner. Alternatively, the process can be semi-autonomous, requiring the user to validate the choices of the agent before the actual commercial transaction is performed.

Despite all the advantages that mobile agents can bring to e-commerce frameworks, the success or failure of this paradigm is directly connected to the question of whether proper security mechanisms can be effectively implemented and used. Security in mobile agent systems can be analyzed from four different perspectives [2]:

• Protecting hosts from access by unauthorized parties.
• Protecting hosts from attacks of malicious agents.
• Protecting agents from attacks of other agents.
• Protecting agents from attacks of malicious hosts.