198 Chapter 5 Mobile Agent Security
communication channel. Agent β, therefore, also knows the name of the
that α is currently visiting. Now, agent β can verify that prev
. If they do not match, we have two possible error situations. First,
could have sent agent α to agency A
instead of A
wrong information for prev
(α). For example, agency A
may be malicious
and want to incriminate agency A
, which is actually not malicious at all.
It is not possible to determine which of the two agencies cheats.
Then, agent β can verify that A
(α); that is, it checks that
the current agency is really the one to which agent α wanted to migrate. In
this case, agency A
must masquerade its identity or deny communication
between the two agencies to mask the error situation. On the other hand, if
does not deny communication and does not masquerade, then β
will discovers that A
has sent the agent to a wrong agency.
This protocol has some drawbacks. First, communication between the
two agents is expensive. Second, the agent might be killed after the agent
has sent its position message to β but while it is still on agency A
the agent has been received by A
and before the agent has sent its new
To make this protocol work, it must be guaranteed that both agents α and
β are at each point in time on two hosts for which it is clear that they do not
work together. In the other case, the two malicious agencies might cooperate
to attack the protocol. For example, it could be possible that simply both
agents are killed at the same time.
Roth, therefore, proposes to mark all agencies with the colors white, gray,
and red. White agencies are benevolent. Possibly, only the home agency is
marked white. Gray agencies are not completely trusted, and red agencies
are those that might collaborate with some other agency to attack an agent.
Then, Roth deﬁnes the following condition to make his protocol work: The
two agents migrate into two disjunct sets of agencies, and no red agency
from one set is willing to cooperate with a red agency from the other set.
The question that remains is how this condition can be guaranteed.
5.6 Protecting Agencies
We now consider the problem of how agencies can be protected against
malicious agents. Actually, this problem is played down and regarded as
almost solved in large parts of the literature, because Java as a programming