Transporting mobile code with internal authentication and tamper detection

Mobile code opens a world of possibilities for Battlespace digitization. However, due to security issues associated with transporting code over such networks, mobile code in the battlefield may present serious risks. Attackers may attempt to thwart the end-user's mission by manipulating or destroying code prior to its final destination. To combat such acts, we propose an authentication method that can reside on any Internet server/client without the typical constraints that exist for firewalls and certificates. Our method consists of the construction of a digital signature at the server based on the characteristics of the mobile code itself. This signature, or mark, is then embedded within the code in a hidden manner using steganographic methods. Upon receipt of the mobile code, the client can use the key to extract the embedded mark and regenerate a mark from the received code. The two marks are compared to verify the integrity of the code and the authenticity of the sender. This technique is implemented for HTML code and the effectiveness of tamper detection is demonstrated. Mobile code authentication techniques, such as this, can provide the security necessary to permit the exploitation of this powerful computing medium on the networked battlefield.