Internet domain name management is currently developing into a very significant market. In this paper we present the different security mechanisms that we have designed and implemented for the Domain Name eXchange (DNX) platform, which aims to support an integrated market for Internet domain names. Our platform is based on mobile agent technology, which enables flexible and efficient electronic trade of domain names. The registration model that we have used is Core's Shared Registry System model, which aims at an open and fair registration process.
We have analyzed the different threats relative to the agent's platform, and thus we have defined two sets of security measures. On the one hand, we use cryptographic tools like encryption and digital signatures to ensure the safe transport of the agents between the hosts. On the other hand, we have opted for a secure Java-based platform to guarantee a safe execution of the concurrent agents. Finally, we have examined the different advantages and limitations of the agent's use relative to security.
The demand for names is currently increasing very rapidly in line with the commercialization of goods and selling of services using the Internet. Many names will have a short Internet life cycle and will become reusable after a certain period of time. Since there are a limited number of short names, one can expect such names to have a good resale value.
The Domain Name eXchange (DNX) platform  has been designed and implemented in order to provide value-added registration services for the Internet domain name market. Our platform is based on the Shared Registry System (SRS) model specified by the Internet SRS Draft , in which registries (companies that administer one or more gTLDs [generic top-level domains]) and registrars (companies that dispense domain names) are the main actors.
The main focus of our work in DNX has been the construction of an open registration platform leading to the computerized trade of domain names. In order to compensate for the decentralization of domains at the top level, the primary purpose of the value-added services is to support a single market for domain names. We have provided these services using mobile agent technology  since they are typical examples of services that can benefit from the flexibility of agents. For instance, agent more easily support the integration of new services into registrar sites and existing systems. Furthermore, an agent can carry a dynamically formulated registrar request to a registry database. This provides the registrar with much flexibility in the type of reservation and registration strategies since he or she does not need to enumerate exhaustive lists of interesting domain names. Agents also facilitate enhanced querying, which can be exploited for domain name market studies.
Stability and security in the conduct of registration activities are critical components that need to be addressed. Currently, in the domain name business area, the registration activity is always performed via e-mail with minimal security features. In this paper, we discuss and present the different security levels that we have established in order to provide a safe and secure mobile agent-based platform for the trade of Internet domain names. We begin with an overview of the DNX architecture, followed with an analysis of the different threats and the security measures needed to prevent them. Then we present some implementation details, and we end with some concluding remarks.
The DNX architecture is a distributed architecture with two kinds of actors, registries and registrars. Each host acting in the agent's network is structured in the same way, with three main parts:
The main difference between a registrar and a registry lies in the services available to the agents.
The registrar architecture (fig. 1) is very simple, and only a few services are provided:
Figure 1 Registrar architecture
The agent space is used only by mobile agents starting their execution before migrating to remote registries or after coming back from registries for publishing their results.
On the registry side, the DNX platform is connected to the database's front end, and all communications between them are based on the SRS protocol . No change has to be performed on the front end, which can accept requests from mobile agents as well as from clients using e-mail or a TCP transport channel (fig. 2).
Figure 2 Registry architecture and system integration
A registry typically offers several basic services (e.g., SRS services) and advanced services (e.g., notification of events).
Attacks against DNX can be separated into two categories, which require two different sets of security measures:
Since the system runs on the Internet, agents are vulnerable to attack during their transport from one host to another. Such attacks include the following:
In an agent's system, detection of these attacks is not sufficient, and their prevention is required in order to guarantee that unknown agents are not able to enter the platform. Cryptographic protocols are the best solution to avoid the first few threats in the list above: encryption solves the confidentiality problem, while digital signatures solve the integrity and authentication one. Unfortunately, no good solution is known to avoid denial of services attacks, and we can only expect them to be detected after they have occurred.
In the world of computer security, most people know that it is much better to use already known and well-tested algorithms instead of building their own. Several solutions are available for the agent's transport protocol. Standard protocols like Secure Socket Layer (SSL) and Transport Layer Security (TLS) exist for securing transmission of data between two hosts and contain everything needed for our agent's transmission, but they are far too general and too heavy for this purpose, since the agents are supposed to be as small and fast as possible.
An easy solution is to use a Key Exchange Protocol with slight modifications to exchange agents instead of keys. We suppose here that A and B have exchanged their public key before the communication take place. "E_A" means "encryption using A's public key," "S_A" means "signature using A's secret key," Hash is a usual hash function like MD5 or SHA-1, and r is a random number.
The first transaction is the transport of the signed and encrypted agent. The receiver sends back a signed "return receipt" to acknowledge the good reception of the agent, along with the random number r sent encrypted as a challenge to test the freshness of the agent (i.e., to test that it has not already been played).
This general protocol works fine, but it has several defects in our agent's context, the most important being the fact that the three communications need to be completed before the agent can be accepted into the platform. If the transaction is not completed for any reason, the receiver cannot securely execute the agent, even if it has been well received.
Instead, we decided to use a two-way protocol with time stamps:
After the first transmission, the receiver has enough information to authorize or not authorize the entry of the agent into the system and the only remaining task is to acknowledge its reception. If the sender does not receive this acknowledgment, he or she should send the agent again.
The receiver has to keep a database of received time stamps for a determined time. If a new agent comes with an obsolete time stamp, it is automatically rejected. Otherwise, whether the agent's time stamp is already in the database is checked. If the time stamp isn't already in the database, the receiver has a guarantee that the agent has not been already sent and can thus accept and execute it. The time before a time stamp is obsolete depends on the degree of synchronization between the clock of the sender and clock of the receiver and on the time needed by the agent to go from one host to the other. If we allow a large window of time, we need less synchronization and we can accept a longer time of transport for the agent, but the database gets bigger and attacks that cause delays in the agent's transport are more difficult to notice.
With these security measures, the security control located at the entry of the agent's platform is able to guarantee that only authorized and identified agents can gain access to the platform.
The main security problems introduced by the use of a mobile agent system are related to the execution of the agents. These problems include the following:
These different attacks are not very different from the ones discussed above, but we need completely different security measures in order to avoid them. It is worth noting that as we have seen above, no anonymous or unauthorized agent is able to enter the system. The problem has two parts:
It is easy to see that there is a fundamental asymmetry between these two parts: since the platform is the entity that executes the agent, it must have some control on it, and the second part of the problem is likely to be more difficult to solve than the first one.
To ensure that an agent cannot threaten any other entity, we decided to use the JavaSeal agent platform . JavaSeal is based on Java and has been developed by the Object Systems Group at the University of Geneva. The main goal of JavaSeal was security, and it is achieved by satisfying three requirements:
On the other hand, it is difficult to guarantee anything about the execution of a program on a system that you don't control.
Since the program is executed on the distant computer, it has to be intelligible sometimes. A manufacturer of DVD systems recently learned that one of its DVD players had been reverse engineered, revealing the keys needed to decrypt a DVD in order to play it, despite the numerous cryptographic protections (which by the way were weak even if you were not able to find the key). This shows that "code that you don't control cannot remain secret," and this rule is especially true if you use Java, whose compiled bytecode is quite easy to disassemble, even if the time to disassemble an entire program may be quite long.
An often proposed solution is to use tamperproof hardware, but good tamperproof hardware is difficult to make. Moreover, people are usually not very keen on running "black box" systems over which they have no control. If the specifications of the system are known, it may be possible to write a software simulator of the system and force the agent to run on it.
While protecting the content of a program running on a distant host looks clearly like an impossible task, it is possible in some cases to cryptographically hide the function performed by the program. For example, imagine an agent requesting if the novartis.com domain is free, the name "novartis" being secret at that time. Instead of asking "is novartis.com free?" the agent looks at every registered domain name, computes a hash function on this name, and compares the result with a hashed name stored in its data. If the two hash values correspond, it means that the domain name is already registered -- the platform can then know what this name was, but it is not so important anymore. If no correspondence is found, the agent knows that the domain is free, but the platform has no information about which domain it was looking for. The agent doesn't know the name either and thus cannot register it but only report the information to its owner.
Research conducted on this subject  seems promising but for the time being remains limited and of little practical use.
A very important security property in the context of electronic commerce is nonrepudiation, the impossibility for a party to deny a transaction. This is usually provided by the use of digital signatures. Signatures made by a registry to confirm an operation are nonrepudiatable. However, in our agent's context, a registrar never signs directly any request, since requests are made by his or her agent on the registry's platform and a registrar could pretend that his or her agent did not sign a request but the registry used the agent's private key to sign it. As we have seen, this may be a difficult task for the registry, but there is no good known technical solution to prevent the registrar from doing this and thus no guarantee of nonrepudiation.
The solution to this problem is actually more organizational than technical and relies on the fact that we are working in a closed market, where only known and authorized actors are operating. In this situation, an actor found guilty of fraudulent behavior would be quickly ejected from the market, and the actor's loss would certainly be greater than the gain obtained from such behavior.
It is worth noting that registries must in any case be fully trusted by the registrars since they are in charge of the domain name databases, and it is thus reasonable for the registrars to assume that the registries are fair. The system should work with a gentleman's agreement like the ones used in practice by the banks or credit card companies by allowing a short time to revoke any erroneous request.
A working implementation has been finished at the end of 1999, and we used it for test purposes without access to a real domain name database. Further tests were scheduled with Switch (registration service for .ch and .li domains) and CORE (Council of Registrars) to allow our prototype to access their databases in order to use it in real situations, but we have not been able to conduct these tests yet.
The draft of the SRS protocol proposed the use of PGP  (Pretty Good Privacy) 5.0 to handle cryptographic issues like the signature of the requests. We decided to use GPG  (Gnu Privacy Guard) 1.0 instead for the requests' signatures as well as the encryptions and signatures needed for the transport of the agents. GPG went out in the beginning of September 1999 and is fully compatible with PGP. Contrary to PGP, which is no longer free for commercial use, GPG is available under the GNU General Public License (GPL), doesn't use patented algorithms, and has been developed in Europe and is thus not constrained by any export restrictions. In addition, it can easily be integrated with Java or another platform and used as a security tool.
Actually, as long as the specification of the SRS protocol and the DNX platform have not been definitely decided, we call GPG from Java as an external process. While this approach is much less efficient than using an internal library, it is much simpler and more flexible, especially since high performance was not our main goal. We'll use another system when the specifications are settled.
The use of a closed market makes key certification easier. Since any actor must be known by others, no external certification is really needed. If the system were opened, trusted third parties (TTPs) would become necessary in order to guarantee key certification. The registries could easily act as TTPs, since they have a central place and must already be trusted by all users, as we've seen above. We propose elsewhere a more general model where the role of TTP is assumed by specific actors different from the registries.
The use of agents complicates key management, since private keys may move with the agents. To minimize the danger of stolen keys, each agent must carry its own, and even if two agents belong to the same entity, they cannot share a set of keys.
The design of the DNX platform shows that it is possible to use mobile agents to provide value-added services for the Internet domain name market with a reasonable level of security. This model could easily be adapted to other markets, and it requires only slight modifications to an existing system to work with mobile agents, since the communication between the agent's platform and the system can be based on already used protocols, like SRS in DNX. Several other electronic commerce applications for which security is a critical component could be envisaged from the DNX model, such as an agent-based platform for electronic auctions.
In the remaining part of the Internet domain name market, the part not covered by DNX, the relations between the user who wants to buy domains (registrant) and a registrar are by definition open. Due to the limitations we discussed above, it is unlikely that an agent's system like this one could be used in a fully opened market. However, we have studied other models and have considered opening this market, but this is not described in this paper (see ).
While the use of the JavaSeal kernel solves most of the security problems related to the execution of the agent, its philosophy of hiding most Java classes and allowing only strictly controlled communications between agents makes it quite difficult to program and use and limits its performance. We have to keep in mind that JavaSeal remains an experimental system. However, the quick evolution in the mobile agent's platform seems encouraging with regard to future developments and better performance in this field.
The authors would like to thank Jarle Hulaas and Prof. Jürgen Harms for their contribution to this project. The research described in this paper was funded by the Swiss National Scientific Foundation under grant SPP-ICS-ElCom 5003-054540.