Consulting

Areas of Expertise

My involvement in Information Security consulting projects started while I was pursuing my PhD in Information Security at Royal Holloway. Since then I have been involved in a number of Information Security and Smart Card related projects with a number of high profile clients. I also continue to act as a consultant on a variety of information security and smart card related topics:

  • Smart card physical security analysis
  • Multi-application smart card migration program planning
  • Project management for financial institutions and transport operators
  • Business case development for chip migration programs
  • Smart card application (Java card, SIM card, Multos) security review, design, development
  • Smart card security evaluations (Common Criteria) and Security Target, Protection Profile Development
  • Risk analysis on smart card technology, protocols and systems
  • Smart card security protocol design, review
  • Security of mobile phone platforms and secure elements
  • Contactless smart card/RFID security and Mifare card technology

Selected Projects

  • I was part of the team, along with colleagues from the Information Security Group/Smart Card Centre, which performed (2008) a counter expertise analysis of a report into the Dutch OV-Chipkaart transport system. This was in response to some recently published attacks on Mifare Classic smart cards. For more information please refer to the following links: ISG_Dutch and SCC_Dutch. This was a high profile piece of work, being reported extensively on the internet (see here).
  • Since then we were involved in more work relating to Mifare and chip migration issues/planning for the Dutch transport system.
  • I was also involved in preparing an evaluation paper for different options in which security controllers can exist in mobile devices. The document was also presented as an ETSI internal document and an early version can be found here.

  • I was also involved in the preparation and delivery of a smart card security training course for the Information Security department of a major financial institution.
  • Security Analysis of Public Key Cryptography in Smart cards and Devices/Tools with Restricted Processing Resources.
  • Security Analysis of a smart card system for the provision of wireless telecommunications services.

Books

Konstantinos Markantonakis, Keith Mayes
ISBN: 978-1-4614-7914-7 (Print) 978-1-4614-7915-4 (Online)

Keith E. Mayes, Konstantinos Markantonakis (eds.):
“Smart Cards, Tokens, Security and Applications”
ISBN: 978-0-387-72197-2 (Print) 978-0-387-72198-9 (Online)
Publisher: Springer US, 2008
DOI: 10.1007/978-0-387-72198-9

Second Edition: 2017

Editors
Keith Mayes
Konstantinos Markantonakis

Publisher: Springer International Publishing

Hardcover ISBN: 978-3-319-50498-8

DOI: 10.1007/978-3-319-50500-8

Book Editor

P. Samarati, M. Tunstall, J. Posegga, K. Markantonakis, D. Sauveron (Eds.). Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices. Fourth IFIP WG 11.2 International Workshop, WISTP 2010, Passau, Germany, April 12-14, 2010. Springer Lecture Notes in Computer Science Series, Vol. 6033, 2010, 386 p. ISBN: 978-3-642-12367-2.
J.A. Onieva, D. Sauveron, S. Chaumette, D. Gollmann, K. Markantonakis (Eds.). Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Second IFIP WG 11.2 International Workshop, WISTP 2008, Seville, Spain, May 13-16, 2008. Springer Lecture Notes in Computer Science Series, Vol. 5019, 2008, 151 p. ISBN: 978-3-540-79965-8.

D. Sauveron, K. Markantonakis, A. Bilas, A. J.-J. Quisquater (Eds.). Information Security Theory and Practices. Smart Cards, Mobile and Ubiquitous Computing Systems. First IFIP TC6 / WG 8.8 / WG 11.2 International Workshop, WISTP 2007, Heraklion, Crete, Greece, May 9-11, 2007. Springer Lecture Notes in Computer Science Series, Vol. 4462, 2007, 255p. ISBN: 978-3-540-72353-0.

S. Rho, D. Sauveron, K. Markantonakis (Eds.). Special Issue on Advanced Semantic and Social Multimedia Technologies for Future Computing Environment. Multimedia Tools and Applications, vol. 64, No. 2, 2013. Springer.

Book Chapters

Smart Cards
Konstantinos Markantonakis, Keith Mayes, Damien Sauveron, and Michael Tunstall
Chapter in H. Bidgoli, Ed., Handbook of Technology Management, vol. 2, Supply Chain Management, Marketing and Advertising, and Global Management, pp. 248–264, Wiley, 2010.
[ Ordering Information ]
Smart Cards: Communication Protocols and Applications
Konstantinos Markantonakis, Keith Mayes, Damien Sauveron, and Michael Tunstall
Chapter in H. Bidgoli, Ed., Handbook of Computer Networks, vol. 3, pp. 251–268, Wiley, 2007.
[ Ordering Information ]
Smart Card Security
Konstantinos Markantonakis, Keith Mayes, Michael Tunstall, Damien Sauveron, and Fred Piper
Chapter in N. Nedjah, A. Abraham, and L. M. Mourelle, Eds., Computational Intelligence in Information Assurance and Security,  vol. 57 of Studies in Computational Intelligence, pp. 201–233, Springer-Verlag, 2007.
[ Springerlink ]

Presentations

8a. Invited keynote to a major international conference

Delivered

  • 2017, Bucharest, Romania, “Ambient Sensing Based Relay Attack Detection in Smartphone Contactless Transactions”, International Conference on Security for Information Technology and Communications (SECITC) 2017.

  • 2015, Bucharest, Romania, Keynote Talk, 8th International Conference on Security for Information Technology and Communications, SECITC 2015, “Secure and Trusted Application Execution on Embedded Devices”

  • 2012, Nijmegen, The Netherlands, Keynote Talk, The 8th Workshop on RFID Security and Privacy, “Interplay of Business Objectives and Academic Research – Holders of NFC Mobile Service Destiny”

  • 2012, London, UK, Keynote Talk, The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), “Smart cards, Secure Elements and NFC Security – The Status Quo”

  • 2012, Hangzhou, China, Keynote Talk, 8th International Conference on Information Security Practice and Experience (ISPEC 2012), “Are smart cards the weakest link? Is ‘practical information security research’ still significant?”


8b. An invited symposium/workshop/summer school presentation

  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Corfu, Greece, July 2017

  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Leuven, Belgium, July 2016

  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Mytilene, Greece, July 2015

  • “Secure Application Execution on Cyber Physical Devices”, Summer School on “Design and security of cryptographic algorithms and devices for real-world applications”, Šibenik, Croatia, 01 June – 06 June 2014

  • “Embedded System Security Lesson Learned”, Intensive Programme on Information and Communications Security (IPICS), Mytilene, Greece, July 2014

  • “Smart Cards: State-of-the-Art to Future Directions”, Invited Paper, IEEE International Symposium on Signal Processing and Information Technology, December 12-15, 2013, Athens, Greece.

  • “Cyber Physical Systems”, Intensive Programme on Information and Communications Security (IPICS), Samos, Greece, August 2013.

  • “Smart card Security”, ICareNet 2013, 3rd of December 2012, Network of Excellence – Winter School, Imperial College, London.

  • “Embedded System Security”, Intensive Programme on Information and Communications Security (IPICS), Vienna, Austria, August 2012

  • “Embedded System Security”, Intensive Programme on Information and Communications Security (IPICS), Corfu, Greece, August 2011

  • “Hardware Token Security”, Intensive Programme on Information and Communications Security (IPICS), Samos, Greece, August 2010

  • “Smart card Security”, Intensive Programme on Information and Communications Security (IPICS), Vienna, Austria, August 2009

8c. An invited presentation to another academic department (UK or international)

  • “Embedded Devices, Platforms and Applications”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 18 January 2017

  • “Embedded Devices, Platforms and Applications”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 1st December 2015

  • “Embedded Devices, Platforms and Applications”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 13th January 2015

  • “Embedded Systems Security”, Invited Day Course, KTH, Stockholm, Sweden, April 2015.

  • “Multi-Application Smart card Operating Systems”, Invited Lecture in the BSc Programme in Computer Science, University of Bordeaux and University of Limoges, February and March 2015

  • “Embedded System Security”, Khalifa University, April 2014.

  • “Multi-application Smart Embedded Devices”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 13th November 2013

  • University of Athens, MSc in Computer Science, Invited talk on “Embedded System Security”, April 2013.

  • “Smart card Security Theory and Practice”, PRActical aspeCts on SEcurity (PRACSE 09), organised by the Athens Institute of Technology (AIT), June 2009.

  • “From Smart card to Smart card system security”, PRActical aspeCts on SEcurity (PRACSE’08), organised by the Athens Institute of Technology (AIT), May 2008.

  • “Smart card Security”, Institute of Computer Science (ICS) Foundation for Research and Technology – Hellas (FORTH), Heraklion, Greece, February 2008.

Publications

Conference contribution

2017

CC105 Mtita, C, Laurent, M, Sauveron, D, Akram, RN, Markantonakis, K & Chaumette, S 2017, Serverless Protocols for Inventory and Tracking with a UAV. in Digital Avionics Systems Conference (DASC), 2017 IEEE/AIAA 36th. IEEE Computer Society Press, St. Petersburg, Florida, USA, pp. 1-11, The 36th IEEE/AIAA Digital Avionics Systems Conference, St. Petersburg, United States, 17-21 September. DOI: 10.1109/DASC.2017.8102113

CC104 Gurulian, I, Markantonakis, K, Shepherd, C, Frank, E & Akram, R 2017, Proximity Assurances Based on Natural and Artificial Ambient Environments. in 10th International Conference, SecITC 2017, Bucharest, Romania, June 8–9, 2017, Revised Selected Papers. Security and Cryptology, vol. 10543, Springer, 10th International Conference on Security for Information Technology and Communications, Bucharest, Romania, 8 July. DOI: 10.1007/978-3-319-69284-5

CC103 Shepherd, C, Akram, RN & Markantonakis, K 2017, EmLog: Tamper-Resistant System Logging for Constrained Devices with TEEs. in 11th IFIP International Conference on Information Security Theory and Practice (WISTP’17). Springer.

CC102 Gurulian, I, Shepherd, C, Markantonakis, K, Frank, E, Akram, R & Mayes, K 2017, On the Effectiveness of Ambient Sensing for Detecting NFC Relay Attacks. in Trustcom/BigDataSE/ICESS, 2017 IEEE. 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Sydney, Australia, 1-4 August. DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.218

CC101 Gurulian, I, Markantonakis, K, Akram, R & Mayes, K 2017, Artificial Ambient Environments for Proximity Critical Applications. in ARES ’17: Proceedings of the 12th International Conference on Availability, Reliability and Security. ACM. DOI: 10.1145/3098954.3098964

CC100 Shepherd, C, Akram, R & Markantonakis, K 2017, Establishing Mutually Trusted Channels for Remote Sensing Devices with Trusted Execution Environments. in 12th International Conference on Availability, Reliability and Security (ARES ’17). ACM, pp. 1-10, 12th International Conference on Availability, Reliability and Security, Reggio Calabria, Italy, 29-31 August. DOI: 10.1145/3098954.3098971

CC99 Lee, R, Markantonakis, K & Akram, R 2017, Provisioning Software with Hardware-Software Binding. in FARES ’17 Proceedings of the 12th International Workshop on Frontiers in Availability, Reliability and Security. ACM. DOI: 10.1145/3098954.3103158

CC98 Kyrillidis, L, Cobourne, S, Mayes, K & Markantonakis, K 2017, A Smart Card Web Server in the Web of Things. in SAI Intelligent Systems Conference 2016 (IntelliSys 2016). Lecture Notes in Networks and Systems, vol. 16, Springer, pp. 769-784. DOI: 10.1007/978-3-319-56991-8_55

CC97 Shepherd, C, Petitcolas, F, Akram, R & Markantonakis, K 2017, An Exploratory Analysis of the Security Risks of the Internet of Things in Finance. in J Lopez, S Fischer-Hübner & C Lambrinoudakis (eds), Trust, Privacy and Security in Digital Business: 14th International Conference, TrustBus 2017, Lyon, France, August 30-31, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10442, Springer-Verlag, pp. 164-179, 14th International Conference on Trust, Privacy & Security in Digital Business, Lyon, France, 28-31 August. DOI: 10.1007/978-3-319-64483-7_11

CC96 Jayasinghe, D, Markantonakis, K, Akram, R & Mayes, K 2017, Enhancing EMV Tokenisation with Dynamic Transaction Tokens. in G Hancke & K Markantonakis (eds), Radio Frequency Identification and IoT Security: RFIDSec 2016. Lecture Notes in Computer Science, vol. 10155, Springer, pp. 107-122. DOI: 10.1007/978-3-319-62024-4_8

CC95 Umar, A, Gurulian, I, Mayes, K & Markantonakis, K 2017, Tokenisation Blacklisting using Linkable Group Signatures. in Security and Privacy in Communication Networks: 12th EAI International Conference on Security and Privacy in Communication Networks. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. DOI: 10.1007/978-3-319-59608-2_10

CC94 Shepherd, C, Akram, R & Markantonakis, K 2017, Towards Trusted Execution of Multi-modal Continuous Authentication Schemes. in Proceedings of the 32nd ACM SIGAPP Symposium On Applied Computing (SAC ’17). ACM, Marrakech, Morocco, pp. 1444-1451. DOI: 10.1145/3019612.3019652

CC93 Haken, G, Markantonakis, K, Gurulian, I, Shepherd, C & Akram, R 2017, Evaluation of Apple iDevice Sensors as a Potential Relay Attack Countermeasure for Apple Pay. in Proceedings of the 3rd ACM International Workshop on Cyber-Physical System Security: CPSS ’17. ACM, New York, pp. 21-32, 3rd ACM Cyber-Physical System Security Workshop (CPSS 2017), Abu Dhabi, United Arab Emirates, 2 April. DOI: 10.1145/3055186.3055201

CC92 Umar, A, Akram, RN, Mayes, K & Markantonakis, K 2017, Ecosystems of Trusted Execution Environment on Smartphones – A Potentially Bumpy Road. in P Urien & S Piramuthu (eds), Mobile and Secure Services (MobiSecServ), 2017 Third International Conference on. IEEE, 3rd International Conference on Mobile and Secure Services (MobiSecServ), Miami Beach, 11-12 February. DOI: 10.1109/MOBISECSERV.2017.7886559

CC91 Jayasinghe, D, Cobourne, S, Markantonakis, K, Akram, RN & Mayes, K 2017, Philanthropy On The Blockchain. in The 11th WISTP International Conference on Information Security Theory and Practice (WISTP’2017). Lecture Notes in Computer Science (LNCS), Springer.

CC90 Gurulian, I, Akram, R, Markantonakis, K & Mayes, K 2017, Preventing Relay Attacks in Mobile Transactions Using Infrared Light. in SAC ’17: Proceedings of the 32nd Annual ACM Symposium on Applied Computing. ACM, pp. 1724-1731, The 32nd ACM Symposium on Applied Computing, Marrakesh, Morocco, 3-6 April. DOI: 10.1145/3019612.3019794

CC89 Shepherd, C, Gurulian, I, Frank, E, Markantonakis, K, Akram, R, Mayes, K & Panaousis, E 2017, The Applicability of Ambient Sensors as Proximity Evidence for NFC Transactions. in Mobile Security Technologies (MoST ’17), IEEE Security & Privacy Workshops. IEEE, IEEE Mobile Security Technologies (MOST) 2017, San Jose, United States, 25 May.

CC88 Jayasinghe, D, Markantonakis, K, Gurulian, I, Akram, R & Mayes, K 2017, Extending EMV Tokenised Payments To Offline-Environments. in The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-16). IEEE Computer Society, pp. 1-8. DOI: 10.1109/TrustCom.2016.0095

CC87 Mansor, H, Markantonakis, K, Akram, R, Mayes, K & Gurulian, I 2017, Log your car: The non-invasive vehicle forensics. in Y Xiang, K Ren & D Feng (eds), The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-16). TrustCom Paper 147, IEEE Computer Society, pp. 1-9. DOI: 10.1109/TrustCom.2016.0164

CC86 Shepherd, C, Arfaoui, G, Gurulian, I, Lee, R, Markantonakis, K, Akram, R, Sauveron, D & Conchon, E 2017, Secure and Trusted Execution: Past, Present and Future — A Critical Review in the Context of the Internet of Things and Cyber-Physical Systems. in Y Xiang, K Ren & D Feng (eds), The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-16). TrustCom Paper 342, IEEE Computer Society, pp. 1-10. DOI: 10.1109/TrustCom.2016.0060

CC85 Akram, R, Bonnefoi, P-F, Chaumette, S, Markantonakis, K & Sauveron, D 2017, Secure Autonomous UAVs Fleets by Using New Specific Embedded Secure Elements. in Y Xiang, K Ren & D Feng (eds), The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-16). TrustCom Paper 297, IEEE Computer Society. DOI: 10.1109/TrustCom.2016.0116

CC84 Hassan, M, Markantonakis, K & Akram, R 2017, Can you call the software in your device firmware? in e-Business Engineering (ICEBE), 2016 IEEE 13th International Conference on. IEEE Computer Society Press, Macau, China, pp. 1-8, The 13th IEEE International Conference on e-Business Engineering (ICEBE 2016), Macau, China, 4-6 November. DOI: 10.1109/ICEBE.2016.040

CC83 Mansor, H, Markantonakis, K, Akram, R, Mayes, K & Gurulian, I 2017, Log Your Car: Reliable Maintenance Services Record. in Information Security and Cryptology: 12th International Conference, Inscrypt 2016, Beijing, China, November 4-6, 2016, Revised Selected Papers. Lecture Notes in Computer Science, vol. 10143, Springer, pp. 484-504, 12th International Conference on Information Security and Cryptology (Inscrypt), Beijing, China, 4-6 November. DOI: 10.1007/978-3-319-54705-3_30

Chapter

2017

CH20 Markantonakis, K & Akram, RN 2017, Multi-Application Smart Card Platforms and Operating Systems. in K Mayes & K Markantonakis (eds), Smart Cards, Tokens, Security and Applications. Springer International Publishing, Cham, pp. 59-92. DOI: 10.1007/978-3-319-50500-8_3

CH19 Sauveron, D, Akram, RN & Markantonakis, K 2017, Smart Card Reader and Mobile APIs. in K Mayes & K Markantonakis (eds), Smart Cards, Tokens, Security and Applications. Springer International Publishing, Cham, pp. 305-349. DOI: 10.1007/978-3-319-50500-8_12

Paper

2017

PA12 Akram, RN, Markantonakis, K, Mayes, K, Habachi, O, Sauveron, D, Steyven, A & Chaumette, S 2017, ‘Security, Privacy and Safety Evaluation of Dynamic and Static Fleets of Drones’, Paper presented at The 36th IEEE/AIAA Digital Avionics Systems Conference, St. Petersburg, United States, 17/09/17 – 21/09/17, pp. 1-12. DOI: 10.1109/DASC.2017.8101984

PA11 Gurulian, I, Hancke, G, Markantonakis, K & Akram, RN 2017, ‘May The Force Be With You: Force-Based Relay Attack Detection’, Paper presented at 17th Smart Card Research and Advanced Application Conference, Lugano, Switzerland, 13/11/17 – 15/11/17.

PA10 Ducray, B, Cobourne, S, Mayes, K & Markantonakis, K 2017, ‘Comparison of Dynamic Biometric Security Characteristics against other Biometrics’, Paper presented at IEEE International Conference on Communications, Paris, France, 21/05/17 – 25/05/17. DOI: 10.1109/ICC.2017.7996938

PA9 Ducray, B, Cobourne, S, Mayes, K & Markantonakis, K 2017, ‘Gesture Recognition Implemented on a Personal Limited Device’, Paper presented at International Conference on Information and Communication Systems, Irbid, Jordan, 4/04/17 – 6/04/17. DOI: 10.1109/IACS.2017.7921966

Umar, A., Mayes, K., Markantonakis, K.: Performance variation in host-based card emulation compared to a hardware security element. Mobile and Secure Services (MOBISECSERV), 2015 First Conference on, pp. 1-6 (2015).

Traditionally, card emulation mode in Near Field Communication devices makes use of a hardware Secure Element (SE) as a secure storage and execution environment for applications. However, a different way of card emulation that bypasses the SE has emerged, referred to as Host-based Card Emulation (HCE). HCE relies on the phone CPU for processing power, sharing it with other running processes. This produces variable readings in terms of response times from the phone. This paper investigates this variability in HCE implementation as compared to an SE implementation. We also discuss how our findings may call into question the use of HCE in time critical scenarios.


Akram, R.N., Markantonakis, K., Sauveron, D.: A novel consumer-centric card management architecture and potential security issues. Information Sciences (2015).

Multi-application smart card technology has gained momentum due to the Near Field Communication (NFC) and smart phone revolution. Enabling multiple applications from different application providers on a single smart card is not a new concept. Multi-application smart cards have been around since the late 1990s; however, uptake was severely limited. NFC has recently reinvigorated the multi-application initiative and this time around a number of innovative deployment models are proposed. Such models include Trusted Service Manager (TSM), User Centric Smart Card Ownership Model (UCOM) and GlobalPlatform Consumer-Centric Model (GP-CCM). In this paper, we discuss two of the most widely accepted and deployed smart card management architectures in the smart card industry: GlobalPlatform and Multos. We explain how these architectures do not fully comply with the UCOM and GP-CCM. We then describe our novel flexible consumer-centric card management architecture designed specifically for the UCOM and GP-CCM frameworks, along with ways of integrating the TSM model into the proposed card management architecture. Finally, we discuss four new security issues inherent to any architecture in this context along with the countermeasures for our proposed architecture.


Hili, G., Cobourne, S., Mayes, K., Markantonakis, K.: Practical Attacks on Virtual Worlds. In: Lopez, J., Ray, I., and Crispo, B., Risks and Security of Internet and Systems, pp. 180-195. Springer International Publishing (2015).


Mansor, H., Markantonakis, K., Mayes, K.: CAN Bus Risk Analysis Revisit. In: Naccache, D. and Sauveron, D., Information Security Theory and Practice. Securing the Internet of Things, pp. 170–179. Springer (2014).

In the automotive design process, safety has always been the main concern. However, in modern days, security is also seen as an important aspect of vehicle communication, especially where connectivity is very widely available. In this paper, we discuss the threats and vulnerabilities of a CAN bus network. After considering a number of risk analysis methods, we decided to use FMEA. The analysis process allowed us to derive the security requirements of a CAN bus. An experimental CAN bus communication network was implemented and analysed.


Jayasinghe, D., Markantonakis, K., Mayes, K.: Optimistic Fair-Exchange with Anonymity for Bitcoin Users. To appear in the 11th IEEE International Conference on e-Business Engineering (IEEE ICEBE-14). IEEE Computer Society, Guangzhou, China (2014).

Fair-exchange and anonymity are two important attributes in e-commerce. It is much more difficult to expect fairness in e-commerce transactions using Bitcoin due to anonymity and transaction irreversibility. Genuine consumers and merchants who would like to make and receive payments using Bitcoin may be reluctant to do so due to this uncertainty. The proposed protocol guarantees strong-fairness while preserving anonymity of the consumer and the merchant, using Bitcoin as a payment method, which addresses the aforementioned concern. The involvement of the trusted third party (TTP) is kept to a minimum, which makes the protocol optimistic, and the exchanged product is not revealed to the TTP. It achieves dispute resolution within the protocol run without any intervention of an external judge. Finally, we show how the protocol can be easily adapted to use other digital cash systems designed using public ledgers such as Zerocoin/Zerocash.


Abughazalah, S., Markantonakis, K., Mayes, K.: Secure Improved Cloud-Based RFID Authentication Protocol. To be published in the 9th DPM International Workshop on Data Privacy Management. Springer, Berlin Heidelberg (2014).

Although Radio Frequency IDentification (RFID) systems promise a fruitful future, security and privacy concerns have affected the adoption of the RFID technology. Several studies have been proposed to tackle the RFID security and privacy concerns under the assumption that the server is secure. In this paper, we assume that the server resides in the cloud, which might be insecure. Hence, the tag’s data might be prone to privacy invasion and attacks. Xie et al. proposed a new scheme called cloud-based RFID authentication, which aimed to address the security and privacy concerns of RFID tag’s data in the cloud. In this paper, we show that the Xie et al. protocol is vulnerable to reader impersonation attacks, location tracking and tag’s data privacy invasion. Therefore, we propose a new protocol that guarantees that the tag’s data in the cloud are anonymous, and cannot be compromised. Furthermore, the proposed protocol achieves mutual authentication between all the entities participating in a communication session, such as a cloud server, a reader and a tag. Finally, we analysed the proposed protocol informally and formally using a privacy model and CasperFDR. The results indicate that the proposed protocol achieves data secrecy and authentication for RFID tags.


Abughazalah, S., Markantonakis, K., Mayes, K.: Secure Mobile Payment on NFC-Enabled Mobile Phones Formally Analysed Using CasperFDR. Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 13th IEEE International Conference on. IEEE Computer Society (2014).

Near Field Communication (NFC) mobile phones can be used as payment devices and can emulate credit cards. Although NFC mobile services promise a fruitful future, several issues have been raised by academics and researchers. Among the main concerns for the use and deployment of NFC-enabled mobile phones is the potential loss of security and privacy. More specifically, mobile phone users involved in a payment transaction conducted over a mobile handset require that such a system does not reveal their identity or any sensitive data, and that all entities participating in the transaction are legitimate. To this end, we propose a protocol that meets the mobile user’s requirements. The proposed protocol addresses the main security concerns and protects the customer’s privacy from any third party involved in the transaction. We formally analysed the protocol using CasperFDR and did not find any feasible attacks.


Akram, R.N., Markantonakis, K., Sauveron, D.: Collaborative and Ubiquitous Consumer Oriented Trusted Service Manager. In: Liu, Y., The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14). IEEE CS (2014).

Near Field Communication (NFC) enables a mobile phone to emulate a contactless smart card. This has reinvigorated the multiapplication smart card initiative. Trusted Service Manager (TSM) is an entity that is trusted by all stakeholders in the proposed and trialled NFC-based smart card ecosystem. However, TSM-based models have the potential to create market segregation that might lead to limited or slow adoption. In addition, all major stakeholders (e.g. Telecom and banks) are pushing for their own TSM models and this might hinder deployment. In this paper we present a Collaborative and Ubiquitous Consumer Oriented Trusted Service Manager (CO-TSM)-based model that combines different TSM models while providing scalability to the overall architecture. In addition, our proposal also provides flexibility to both consumers and application providers. To support our proposal, we present a core architecture based on two contrasting approaches: the Issuer Centric Smart Card Ownership Model (ICOM) and the User Centric Smart Card Ownership Model (UCOM). Based on the core architecture, we then describe our proposal for an application download framework and a secure channel protocol. Finally, the implementation experience and performance measurements for the secure channel protocol are discussed.


Akram, R.N., Markantonakis, K., Mayes, K.: Rethinking the Smart Card Technology, Invited Paper. In: Tryfonas, T. and Askoxylakis, I., 16th International Conference on Human-Computer Interaction. Springer (2014).

Creating security architectures and processes that directly interact with consumers, especially in consumer electronics, has to take into account usability, user-experience and skill level. Smart cards provide secure services, even in malicious environments, to end-users with a fairly straightforward limited usage pattern that even an ordinary user can easily deal with. The way the smart card industry achieves this is by limiting users’ interactions and privileges on the smart cards they carry around and use to access different services. This centralised control has been the key to providing secure and reliable services through smart cards, while keeping the smart cards fairly useable for end-users. However, as smart cards have permeated into every aspect of modern life, users have ended up carrying multiple cards to perform mundane tasks, making smart card-based services a cumbersome experience. User Centric Smart Cards (UCSC) enable users to have all the services they might be accessing using traditional smart cards on a single device that is under their control. Giving “freedom of choice” to users increases their privileges, but the design requirement is to maintain the same level of security and reliability as traditional architectures while giving better user experience. In this paper, we will discuss the challenges faced by the UCSC proposal in balancing security with usability and “freedom of choice”, and how it has resolved them.
