Secure brokerage mechanisms for mobile electronic commerce

The possibility of making the Internet accessible via mobile devices has generated an important opportunity for electronic commerce. Nevertheless, some deficiencies deter a massive use of m-commerce applications. Security and easiness of use are unavoidable conditions. The use of brokerage systems constitutes an interesting solution to speed up the information delivery to the users. Moreover, brokers can use mobile agents to efficiently and easily perform the search and retrieval of commercial information in the Internet. Although the mobile agent technology is a very suitable choice for the m-commerce scenario, there are security issues that hinder its use. In particular, an important aspect that must be solved for the m-commerce scenario is the mobile agent protection from manipulation attacks performed by malicious hosts. The first part of this paper describes a mechanism to reach this protection. We describe how to use software watermarking techniques in the mobile agent to detect manipulation attacks, and how the broker can be used to punish the malicious hosts. Once an m-commerce site is selected by the user, an end-to-end secure transaction must be established. The transaction can use several protocols, from a simple secure TLS channel to send a credit card number until a sophisticated payment protocol. In any case, Public Key Certificates (PKCs) are required for these protocols. It must be stressed that certificates management is a heavy process and that clients in the brokerage scenario are usually resource-limited. For this reason, the best option is that clients delegate this task to the broker. Notice that the broker is a Trusted Third Party (TTP) and, in general, it is not resource-limited. Therefore, the broker is appropriate for storing and managing PKCs. The second part of this paper addresses this issue, with a particular emphasis in the certificate status management which is the most complex task of certificate management.