Mobile Agent based Authentication for Wireless
Network Security
Olatunde O. Abiona
Department of Computer Information Systems,
Indiana University Northwest,
Gary, IN 46408, USA
o_abiona@yahoo.com
Abstract— The explosive growth witnessed by wireless networks
is largely due to the flexibility offered to both users and service
provider. However, the open wireless medium makes traditional
link-layer attacks readily available to anyone within the range of
the network. Confidentiality, integrity and authentication pose
several challenges to wireless network security implementations.
The IEEE 802.11i security framework has some flaws, making
the traditional cryptographic mechanism provide weak security
for the wireless environment. In this paper we explore the
feasibility of mobile agents to provide secured access control for
next generation wireless infrastructure networks.
Keywords- Authentication; Mobile agent; Next generation
networks; Wireless network security
I. INTRODUCTION
Wireless networks has been experiencing an explosive
growth similar to the Internet, this is largely due to the
attractive flexibility of anytime, anywhere network access
enjoyed by both users and service provider. While the
emergence new wireless technologies can enable truly
ubiquitous Internet access, it also raises issues regarding the
dependability of the Internet service delivered to users, which
may be impacted by the time-varying channel, limited
spectrum, mobility, and particularly the security issues
focused on in this paper.
Basically Wireless Local Area Network (WLAN) can
operate in two modes, the infrastructure based and the Ad hoc
networks. Many organizations are deploying the infrastructure
based wireless network to provide connectivity to locations
with difficult terrain, poor accessibility, or places difficult to
reach by direct cabling, to compliment the existing wired
networks. A lot of attention has been given to the provision of
these wireless networks, but little attention has been given to
the provision of adequate security for the emerging wireless
networks making the networks prone to traditional link-layer
attacks readily available due to proximity.
Wireless network security is more concentrated and
complex than security of wired network because wireless is
broadcast in nature, making it possible for anyone within the
range of a wireless device to eavesdrop and intercept the
packets sent without interrupting the flow of data between the
wireless device and the access point over the air. User
authentication is a reliable wireless security protocol for best
safeguard against the risk of unauthorized access to the
978-1-4244-2202-9/08/$25.00 © 2008 IEEE
Yu Cheng
Department of Electrical and Computer Engineering,
Illinois Institute of Technology,
Chicago, IL 60616, USA
cheng@iit.edu
wireless network. The security features for mobile
communication system include: confidentiality on the air
interface over the channel, anonymity of the user, and most
importantly, authentication of the users in order to prevent
fraudulent use of the system [1].
Wireless network security is different from wired network
security primarily because wireless gives potential attackers
easy transport access medium. This access significantly
increases the threat that any security architecture must address.
Unfortunately, the early IEEE 802.11standards failed to
account for it [2]. Hence the security schemes in wired
network cannot be used directly in wireless network.
A typical wireless infrastructure network consist of a
wireless device known as a station (STA) communicating with
a centralized stationary Access Point (AP) over a wireless
channel. Security threats against the wired network are equally
applicable to the wireless networks, but the wireless networks
suffer a number of additional vulnerabilities that make it more
challenging to secure [3].
• Open wireless medium: The security threats of
message eavesdropping and injection are universal in
any network; however, they are more severe in
wireless networks due to open wireless medium.
• Limited bandwidth: Wireless networks are
particularly vulnerable to denial-of-service (DoS)
attacks and in-band signaling.
• System Complexity: Wireless networks are far more
complex than the wired networks due to the special
needs for mobility support and efficient channel
utilization.
Mobile Agents (MA) is an effective paradigm for
distributed applications and is particularly attractive in a
dynamic network environment involving partially connected
computing elements [4]. MA is defined as a software
component which is either a thread or a code carrying its
execution state to perform the network function or an
application [5]. MA can act as a middleware and perform
network and other application related functions based on
underlying infrastructure: fixed wire network, wireless cellular
network or mobile ad hoc network [5]. MA paradigm is an
emerging technology for developing applications in open,
distributed and heterogeneous environment like the Internet.
1075
 Agents have the ability to decide autonomously where to
migrate to after they are dispatched; hence MA technology
offers several advantages in many application areas, such as e-
commerce, mobile computing, network management and
information retrieval [5]. MAs are designed to execute locally
on data at their destination, thus reducing network traffic and
latency. Furthermore, MA asynchronous interaction can
provide efficient solution in the case of unreliable and low
bandwidth connection, to support mobile users that could
disconnect while their agent still roam in the network. The
proposed MA based authentication architecture will prevent
the transmission of authentication information over the air
eliminating the possibility of man-in-the-middle attack with
rogue access point and eavesdropping since authentication
information are carried by encrypted MAs. Furthermore,
mobile clients requires authentication at the various access
point to maintain their connection to the network, the
proposed MA architecture is effective for moving
dynamically both code and state during every authentication
process since the operation performed are always the same. In
this paper we explore the possibilities of using MAs to provide
secure access control for next generation wireless
infrastructure networks.
The rest of the paper is organized as follows: In Section II
we discuss the security challenges in wireless networks, and in
section III the security issues with mobile agents and possible
solutions. In section IV we propose the Mobile Agent
Authentication Architecture (MA3) and in section V we
describe the proposed mobile agent platform and finally the
paper concludes in section VI.
II. SECURITY CHALLENGES IN WIRELESS NETWORKS
Securing a wireless network poses unique challenges
compared to a wired network due to the open nature of the
access medium, in general wireless networks suffer from
security threats of wired networks and additional
vulnerabilities making it more challenging to secure. Wireless
network security is different from wired network security
primarily because it gives potential attackers easy transport
medium access. This access significantly increases the threat
that any security architecture must address. Unfortunately, the
early IEEE 802.11standards failed to account for it [2]. Hence
the security schemes in wired network cannot be used directly
in wireless network. The fact that data is being broadcast via
radio waves rather than transmitted over a wire introduces
security challenges namely:
• How can you prevent user credentials from being
hijacked during authentication negotiation?
• Once authentication is complete, how can you protect
the privacy of the data being transmitted between
client and access point? And finally
• How can you make sure the authorized user connects
to the right network?
The concerns are that of authentication, data privacy and
rogue access point.
Authentication - Most password-based protocols in use today
rely on a hash of the password with a random challenge. The
server issues a challenge, the client hashes that challenge with
the password and forwards a response to the server, and the
server validates that response against the user's password
retrieved from its database. Legacy password protocols are
easily subjected to eavesdropping and man-in-the-middle
attacks. An eavesdropping attacker can easily mount a
dictionary attack against such password protocols. A man-in-
the-middle attacker can pass through the entire authentication,
and then hijack the connection and act as the user.
Data Privacy - Another concern is the security of the wireless
data connection between the client and access point
subsequent to authentication. While client and access point
could easily negotiate keys subsequent to authentication, if the
keys are not cryptographically related to the prior
authentication the data session would be subject to a man-in-
the-middle attack. Therefore it is incumbent upon the
authentication negotiation to result in keys that may be
distributed to both client and access point to allow the
subsequent data connection to be encrypted.
Rogue Access Point - A final security challenge results from
the possibility that someone could install a WLAN access
point and network and fool your user into doing work on that
network. Rogue access points are those installed by users
without coordinating with the IT unit. Because access points
are inexpensive and easy to install, rogue installations are
becoming more common.
Limited Bandwidth – The networks that connect handheld
wireless devices such as phones and Personal Digital
Assistants (PDAs) suffer from low bandwidth and high
incidence of network errors. Mobility can also result in the
loss or degradation of wireless connections [6]. Limited
communication bandwidth may also be a target for malicious
attacks such as DoS attack. To implement such attack, the
malicious node may send vicious queries flooding to target
nodes to consume the bandwidth and occupy the shared
wireless media, which make the network service unavailable
to other nodes [4]. Apart from the limitation in bandwidth
constraint, each node in a wireless communication and mobile
computing has limited transmission range and limited power
supply.
System Complexity - Wireless networks are far more complex
than the wired networks due to the special needs for mobility
support and efficient channel utilization. It should be noted that
each complexity in the system, adds additional security
vulnerability to the wireless networks especially in systems
with large user population and complex infrastructure [3].
III. SECURITY ISSUES WITH MOBILE AGENTS AND
SOLUTIONS
Threats to security can be classified into three main classes
namely: disclosure of information, denial of service and
corruption of information. MA security can be considered
using a simple model consisting of an agent and the agent
platform. An agent is comprised of the code and the state
information for carrying out some computation, mobility
enables the agent to move among agent platform and the agent
platform provides the computational environment for the agent
to operate. The platform from which the agent was dispatched
1076
is known as the home platform, this is the most trusted
environment for an agent. An agent system model is shown in
figure 1. One or more hosts may comprise an agent platform,
and an agent platform may support multiple computational
environments or meeting places, where agents can interact.
MA’s moving around the network is not safe. There are four
threat categories identified: The Agent-to-Platform, Agent-to-
Agent, Platform-to-Agent, Other-to-Agent Host attacks are the
kinds of security attacks that are possible in a Mobile Agent
System [6].
Figure 1. Agent System Model
Agent-to-Platform attacks represent the set of threats in which
agents exploit security weakness of agent platform, Threats
include:
• Masquerading
• Denial of service and
• Unauthorized access.
Agent-to-Agent attacks represent the set of threats in which
agents exploit security weakness of other agents. Threats
include:
• Masquerading
• Unauthorized access
• Denial of service and
• Repudiation.
Platform-to-Agent attacks represent the set of threats in which
platforms compromise the security of agents. Threats include:
• Masquerading
• Denial of service
• Eavesdropping and
• Alteration.
Other-to-Agent-Platform attacks represent the set of threats in
which external entities, including agents and agent platforms,
threaten the security of an agent platform. Threats include:
• Masquerading
• Denial of service
• Unauthorized access and
• Copy and replay.
We will describe available technologies and research efforts
addressing the security issues arising from the mobility property
of mobile agents. First we consider technologies protecting the
executing agent platform from agents, and then we consider
mechanisms addressing various security aspects of the mobile
agent.
A. Protecting the Agent Platform
A major concern with agent system implementation is to
ensure that agents are not able to interfere with one another or
with the agent platform. Some techniques used for protecting
agent platforms are described in details in [7,8]. This includes:
• Software-based fault isolation (sandboxes)
• Safe code interpretation
• Signed code
• State appraisal
• Path Histories and
• Proof Carrying code
Another technique proposed in [9] replaced the Trusted
Processing Environment (TPE) by a software machine called
SVM (Secure Virtual Machine). The secure virtual machine
SVM is a software layer installed between the operating
system and the agent environments. The platforms to be
visited by the agent must have a certified SVM. On a platform,
SVM receive an agent and creates an instance of SVM to
execute only this agent in an allocated memory space called
closed environment. Finally, before migration, the agent will
be associated with a signed stamp that contains the actual
platform time and the next platform time.
B. Protecting Agents
Most of the attempts to counter the threats posed to mobile
agents have addressed a particular part of the problem. While
countermeasures directed towards platform protection
emphasizes active preventive measures, countermeasures
directed towards agent protection tend towards detection
measures as a deterrent. Once an agent has arrived at a
platform, little can be done to stop the platform from treating
the agent in any manner. The problem is usually referred to as
the malicious platform problem. Some techniques used for
protecting agents are described in details in [7,8]. This
includes:
• Contractual agreements
• Trusted hardware
• Trusted nodes
• Mutual itinerary recording
• Execution Tracing
• Environment key generation
• Co-operating agents
• Encrypted payload
• Computing with encrypted functions
• Undetachable signatures
• Obfuscated code
Furthermore, there are no known techniques for
establishing the lower bounds on the complexity for an attacker
to reverse engineer an agent’s code.
1077
 IV. PROPOSED MOBILE AGENT AUTHENTICATION
ARCHITECTURE (MAAA OR MA3)
The proposed MA3 is based on the traditional network
architecture, which is hierarchical. The system architecture for
MA3 is shown in figure 2. In MA3 there are two types of
agents namely:
• Supplicant Mobile Agent (SMA)
• Authentication Server Agent (ASA)
The SMA is a mobile agent while the ASA is a static agent. A
static agent is similar to a mobile agent, except that the static
agent does not have the ability to move.
INTERNET
LAN
Authenticator Authenticator Authenticator
Authentication Server
Supplicant Supplicant
Movement Movement
Figure 2. MA3 System Architecture
• SMA is a mobile agent that represents the clients in a
wireless network, e.g. Wireless laptop card.
• ASA is a static agent representing the authentication
server. ASA agent is contacted by the SMA agent in
order to authenticate a wireless client to an
authenticator i.e. the access point.
authentication. The mobile client will continue to have access
to the network as long as the authentication is successful.
Below are a list of some mobile agents; Aglets, Voyager,
Odyssey, Concordia, ARA, Mole, Agent TCL, TACOMA and
SHIP-MAI. The four commonly used application environment
for MA has been described in [10]. The proposed modification
to the IEEE 802.1x protocol is the installation of an agent
platform on the supplicant for the SMA and Agent platforms
on the authentication server to enable agents operate in that
environment.
A. Security Model For MA3
The proposed security model for MA3 is similar the IEEE
802.1x authentication protocol setup, involving the following
three components [11]:
• Supplicant
• Authenticator and
• Authentication server.
The security framework in MA3 comprises of the following:
• Supplicant Platform
• Supplicant Mobile Agent (SMA)
• Supplicant Mobile Agent with Certificate (SMA
Cert)
• Authenticator (Access Point)
• Authentication Server Platform
• Authentication Server Agent with certificate (ASA
Cert)
The proposed mobile agent authentication model is shown
in figure 3. Agent platforms are installed on both the
Supplicant supplicant and the authentication server to enable MA run
directly on them. When a supplicant come within the range of
an authenticator, the authenticator sends a request for
identification of the supplicant, the supplicant will then
dispatch the SMA carrying all the required authentication
information for the supplicant i.e. username, password and
platform details for that particular user to the authentication
server platform.
Supplicant Authenticator

In order to protect the wireless networks from parking lot Supplicant

Platform Access Wired
attackers, strong access control, ideally on per packet basis Point Network
must be enforced. Furthermore, mutual authentication should SMA

also be performed, since access points are untrusted entities Cert SMA
from the supplicant’s point of view. User authentication is best 1
safeguard against the risk of unauthorized access to the
wireless networks. However, one emerging technology could
Cert
be much more adaptive than others in such environment. This 2 ASA
SMA
technology is the mobile agent. In this paper we propose the
3
MA3 as a solution to the security problem inherent in IEEE
Authentication
802.1x authentication and key management for the next Server Platform
generation wireless networks.
Wireless infrastructure networks consist of one or more APs Authentication Server
used by wireless and/or mobile client to gain access into the
network. Inside the wireless card is the SMA; as the mobile Figure 3. The Security Model for MA3
client roams around the network after authentication so does
the SMA move from one AP to another, re-authenticate the
mobile client using certificates acquired from previous

1078
 The ASA Cert is a static agent residing on the authentication
server platform; the ASA Cert combines two functions:
• Certificate Authority- in charge of the issuing and the
management of certificates
• Authentication server- for authenticating users, agent,
and platforms.
The SMA will meet with the ASA Cert for the authentication
process. A mutual authentication between SMA and ASA Cert
is carried out. If the authentication process is successful, then
the network port on the authenticator opens and the supplicant
will now have access to the network. The SMA will now be
issued a certificate to become SMA Cert before returning to
the supplicant platform.
B. MA3 System Operation
The overall system operation is shown in figure 4. The
wireless client card is the supplicant, the supplicant
authenticates with the authentication server through the mobile
agent platform installed in the authentication server ASA. The
SMA migrates to the authentication server platform carrying
with it the authentication data from the supplicant. On
reaching the authentication server platform, the ASA and the
SMA exchange a series of challenge and response to
authenticate the supplicant. If the authentication process is
successful, the authentication server sends a success extensible
authentication protocol (EAP) message to the authenticator
and the supplicant and the authenticator share EAP over LAN
(EAPOL) key exchange. If all the exchanges are successful,
then the authenticator will allow traffic flow through the
controlled port permitting the client access to the network. On
the other hand if the authentication process fails, the
wireless/mobile client is denied access to the network.
Authenticator
Supplicant
Platform
LAN
Internet
SMA
EAP messages
(RADIUS)
SMA ASA
Platform Authentication Server
3
Figure 4. MA System Operation
3 Figure 5. Agent Migration Process
In MA two types of agent are used, one of the agents will
reside in the client network interface card, while the other
resides in the authentication server. Similarly there are agent
platform installed on the client card and the authentication
server. However, no modifications will be made to the
authenticator (Access Point) design.
C. Agent Migration in MA3
In MA3, the supplicant agent is the only mobile agent in the
system; providing better security for the wireless/mobile client
during the authentication process in a wireless network.
During the authentication of a wireless client, the client
identification and password are sent over free air from the
supplicant through the authenticator using the uncontrolled
port to the authenticator. The use of mobile agent for
authentication will provide a more secure transmission of this
information since the agents themselves are secured. Rather
than sending messages over free air, the SMA, collects all the
authentication information from the supplicant and then
travels to the authentication server platform in order to meet
with ASA for the authentication process. The SMA and ASA
will exchange several challenge and response. If the process is
successful, then the authentication server will send EAP
success to the authenticator, there by allowing the supplicant
to connect through controlled port to the LAN and Internet.
Whenever the client moves from one authenticator to
another, the SMA is again authenticated at the new
authenticator, if the authentication process is successful, the
authentication server immediately sends an EAP success
message to the new authenticator and the supplicant will
continue to connect to the LAN and Internet. But, if the
authentication process fails, then the authentication server
immediately sends an EAP failure to the authenticator, to
disconnect the supplicant from the network. Figure 5 shows
the migration process in MA3. Since the clients are mobile, the
certificate issued during the initial authentication if still valid,
could help speed up multiple authentications at the various
APs.
Authenticator
Supplicant
Platform
4 LA Internet
SMA
3
1 2 EAP
SMA ASA
5
Platform
Authentication server
SMA
7
6
Platform EAP
Supplicant
Authenticator
After a successful authentication, the proposed system also
conducts re-authentication as part of its security features to
prevent a client from changing his identity during a session or
while connected and roaming in the network. Re-
authentication is carried out periodically using the following
steps: the authenticator sends a request for authentication; the
1079
supplicant deploys the SMA with the identity of the client to
the authentication server. The SMA and ASA will exchange a
series of challenge and response, again to verify the identity of
the client. If the process is successful, the authentication server
sends an EAP success to the authenticator and the supplicant
remain connected. If however, the process fails, the
authentication server sends an EAP failure to the
authenticator, disconnecting the suplicant from the network.
Figure 6 shows the authentication and re-authentication
process in MA3. In this work, we explored the feasibility of
introducing mobile agents to secure authentication for next
generation wireless infrastructured networks. The inherent
secure features of mobile agents provide an attractive means to
enhance access control in a wireless environment resulting in a
more secure transmission for the authentication session.
Supplicant
Authenticator
Platform
4 • Integrity
LAN
SMA 5
3
EAP messages
(RADIUS)
1
2
SMA ASA
Platform Authentication Server
Figure 6. Authentication and Re-authentication Process
V. PROPOSED MOBILE AGENT PLATFORM
The Aglets Software Development Kit is an environment
for programming MA in Java. The aglet is able to execute, halt
its execution on one host, dispatch itself to another host, and
resume execution there. The aglet is capable of moving both
the code as well as the data. The aglet is well suited for the
internet environment. The proposed mobile agent platform is
listed below.
• ASDK free software by IBM
• Latest version is 2.0.2
• Good GUI
• Very accessible
• Good documentation
• Implemented standards; MASIF, and CORBA
• Communication; Message passing between agent,
socket
• Mobility; Java serialization
• Security policy; built in security mechanism
VI. CONCLUSION AND FUTURE WORK
The explosive growth of wireless network has made the
provision of adequate and effective security challenging for
such networks. User Authentication, a reliable wireless
security protocol is an effective technique for preventing
unauthorized access to such networks. A major weakness in
the security of wireless networks is the use of a shared
medium or free air. This has made it impossible to use
physical security controls to restrict access to the network. As
a result, strong access control and authentication becomes very
important for providing effective security for the next
generation wireless networks.
Unfortunately, the IEEE 802.1x authentication and key
management has some flaws in the composition of the
protocol. In this paper, we explore the feasibility of
introducing MAs to secure authentication for next generation
wireless infrastructure networks. The inherent secure features
of MAs provide an attractive means to enhance access control
in a wireless environment. To achieve this we propose the
MA3 to eliminate eavesdropping and man-in-the-middle attack
by hackers within the range of the wireless network.
However, there are still other security issues to be addressed
in the future. This includes:
• Confidentiality
Internet
• Availability and
• Anonymity
Future research should give consideration to all of the above
in the context of the MA technology. Further, since MAs have
strengths in a distributed and heterogeneous environment, the
proposed MA architecture may be consider in mobile ad hoc
networks in further work.
REFERENCES
[1] J. Zhu, and J. Ma, "A new authentication scheme with anonymity for
wireless environments,” IEEE Transactions on Consumer Electronics,
vol. 50, no 1, pp. 231–235, February 2004.
[2] W. A. Arbaugh, "Wireless security is different,” Magazine of IEEE
Computer Society, Computer, vol. 36, no 8, pp. 99–101, August 2003.
[3] H. Yang, F. Ricciato, L. Songwu, and L. Zhang, “Securing a wireless
world”, Proc of IEEE vol. 94, no 2, pp. 442–454, February 2006.
[4] L. Xia, and J. Slay, “Securing wireless ad hoc networks: towards a
mobile agent security architecture,” [online]. Available:
http://esm.cis.unisa.edu.au/new_esml/resources/publications/ 2004.
[5] S.P. Alampalayam, and A. Kumar, “An adaptive security model for
mobile agents in wireless networks,” in Proc. IEEE Global
Telecommunications Conference, 2003 (GLOBECOM '03), vol. 3. pp.
1516–1521, December 2003.
[6] L. Vasiu, and Q. H. Mahmoud, “Mobile agents in wireless devices,”
Magazine of IEEE Computer Society, Computer, vol. 37, no 2, pp. 104–
105, February 2004.
[7] W. Jansen, T. Karygiannis. NIST Special Publication 800-19 – “Mobile
Agent Security,” [online]. Available
http://csrc.nist.gov/publications/nistpubs/800-19/sp800-19.pdf
[8] N. Borselius, ”Mobile agent security,” Electronics and Communication
Engineering Journal, vol. 4, no 5, pp. 211–218, October 2002.
[9] H. Aouadi, and M. B. Ahamed, “Modile agents security,” in Proc. 2nd
International conference on Mobile Technology, Applications and
Systems, pp. 1–6, November 2005.
[10] Y. Wang, C. Wang, and L. Cheng-Horng, “Mobile agent protection and
verification in the internet environment,” in Proc. 4th International
Conference on Computer and Information Technology (CIT’04), pp.
482–487, September 2004.
[11] N. Aboudagga, M.T. Refaei, M. Eltoweissy, L.A. Dasilva and J.
Quisquater, “Authentication protocols for ad hoc networks: taxonomy
and research issues,” in Proc. 1st ACM International Workshop on QoS
and Security in Wireless and Mobile Networks, Montreal Quebec,
Canada, pp. 96–104, October 2005.
1080