Active Research

Mansor, H., Markantonakis, K., Mayes, K.: CAN Bus Risk Analysis Revisit. In: Naccache, D. and Sauveron, D. Information Security Theory and Practice. Securing the Internet of Things. p. 170–179. Springer (2014). WebsiteAbstract
In automotive design process, safety has always been the main concern. However, in modern days, security is also seen as an important aspect in vehicle communication especially where connectivity is very widely available. In this paper, we are going to discuss the threats and vulnerabilities of a CAN bus network. After we have considered a number of risk analysis methods, we decided to use FMEA. The analysis process allowed us to derive the security requirements of a CAN bus. Experimental setup of CAN bus communication network were implemented and analysed.
Tunstall, M., Markantonakis, K., Sauveron, D., Mayes, K.: Smart Cards. In: Bidgoli, H. Handbook of Technology Management. John Wiley & Sons (2009).
Jayasinghe, D., Markantonakis, K., Mayes, K.: Optimistic Fair-Exchange with Anonymity for Bitcoin Users. To appear in the 11th IEEE International Conference on e-Business Engineering (IEEE ICEBE-14). IEEE Computer Society, Guangzhou, China (2014).Abstract
Fair-exchange and anonymity are two important attributes in e-commerce. It is much more difficult to expect fairness in e-commerce transactions using Bitcoin due to anonymity and transaction irreversibility. Genuine consumers and merchants who would like to make and receive payments using Bitcoin may be reluctant to do so due to this uncertainty. The proposed protocol guarantees strong-fairness while preserving anonymity of the consumer and the merchant, using Bitcoin as a payment method which addresses the aforementioned concern. The involvement of the trusted third party (TTP) is kept to a minimum, which makes the protocol optimistic and the exchanged product is not revealed to TTP. It achieves dispute resolution within the protocol run without any intervention of an external judge. Finally we show how the protocol can be easily adapted to use other digital cash systems designed using public ledgers such as Zerocoin/Zerocash.
Abughazalah, S., Markantonakis, K., Mayes, K.: Secure Mobile Payment on NFC-Enabled Mobile Phones Formally Analysed Using CasperFDR. Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 13th IEEE International Conference on. IEEE Computer Society (2014).Abstract
Near Field Communication (NFC) mobile phones can be used as payment devices and can emulate credit cards. Although NFC mobile services promise a fruitful future, several issues have been raised by academics and researchers. Among the main concerns for the use and deployment of NFC-enabled mobile phones is the potential loss of security and privacy. More specifically, mobile phone users involved in a payment transaction conducted over a mobile handset require that such a system does not reveal their identity or any sensitive data. Furthermore, that all entities participating in the transaction are legitimate. To this end, we proposed a protocol that meets the mobile user' requirements. The proposed protocol attempts to address the main security concerns and protects the customer privacy from any third party involved in the transaction. We formally analysed the protocol using CasperFDR and did not find any feasible attacks.
Kyrillidis, L., Mayes, K., Markantonakis, K.: Web Server on a SIM Card. Lecture Notes in Engineering and Computer Science. 2183, (2010).Abstract
In this paper we discuss the integration of a web server on a SIM card and we attempt an analysis from a security, management, operation and personalization perspective. A brief representation of the Smart Card Web Server (SCWS) will take place, along with a use case that will help the reader to identify the way that a SCWS can be used in practice, before we reach to a final conclusion.
Trusted Platform Module for Smart Cards
Akram, R.N., Markantonakis, K., Mayes, K.: Trusted Platform Module for Smart Cards. In: Alfandi, O. 6th IFIP International Conference on New Technologies, Mobility and Security (NTMS). IEEE CS, Dubai, UAE (2014).Abstract
Near Field Communication (NFC)-based mobile phone services offer a lifeline to the under-appreciated multiapplication smart card initiative. The initiative could effectively replace heavy wallets full of smart cards for mundane tasks. However, the issue of the deployment model still lingers on. Possible approaches include, but are not restricted to, the User Centric Smart card Ownership Model (UCOM), GlobalPlatform Consumer Centric Model, and Trusted Service Manager (TSM). In addition, multiapplication smart card architecture can be a GlobalPlatform Trusted Execution Environment (TEE) and/or User Centric Tamper-Resistant Device (UCTD), which provide cross-device security and privacy preservation platforms to their users. In the multiapplication smart card environment, there might not be a prior off-card trusted relationship between a smart card and an application provider. Therefore, as a possible solution to overcome the absence of prior trusted relationships, this paper proposes the Trusted Platform Manager (TPM) concept for smart cards (embedded devices) that can act as a point of reference for establishing the necessary trust between the device and an application provider, and among applications.
Abughazalah, S., Markantonakis, K., Mayes, K.: A Mutual Authentication Protocol for Low-Cost RFID Tags Formally Verified Using CasperFDR and AVISPA. The 5th International Workshop on RFID Security and Cryptography 2013 (RISC'13), Internet Technology and Secured Transactions. 50-55 (2013).Abstract
Although Radio Frequency IDentification (RFID) systems offer many remarkable characteristics, security and privacy concerns are not easy to address. In this paper, we aim to overcome some of the significant privacy and security concerns by proposing a simple and lightweight RFID mutual authentication protocol. Our protocol is utilising hash functions and simple bitwise operations in an attempt to extract the strengths found in previous protocols and avoid their deficiencies. We found that the majority of the proposed protocols fail to resist DoS attacks when the attacker blocks the messages exchanged between the reader and tag more than once. Moreover, recent research focused on the security side and ignored performance. Our proposed protocol aims to solve these issues. We provide an informal analysis along with automated formal analysis using CasperFDR and AVISPA. The results show that the proposed protocol guarantees secret data secrecy and authentication under the presence of a passive adversary.
Abughazalah, S., Markantonakis, K., Mayes, K.: A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags. In: Janczewski, L.J., Wolfe, H.B., and Shenoi, S. The 25th IFIP International Information Security Conference (SEC 2013). p. 102-110. Springer Berlin Heidelberg, Auckland, New Zealand (2013).Abstract
In this paper, we describe a vulnerability against one of the most efficient authentication protocols for low-cost RFID tags proposed by Song. The protocol defines a weak attacker as an intruder which can manipulate the communication between a reader and tag without accessing the internal data of a tag. It has been claimed that the Song protocol is able to resist weak attacks, such as denial of service (DoS) attack. However, we found that a weak attacker is able to desynchronise a tag, which is one kind of DoS attack. Moreover, the database in the Song protocol must use a brute force search to retrieve the tag's records affecting the operational performance of the server. Finally, we propose an improved protocol which can prevent the security problems in Song protocol and enhance the server's scalability performance.
Msgna, M., Markantonakis, K., Naccache, D., Mayes, K.: Verifying Software Integrity in Embedded Systems: A Side Channel Approach. To appear in Constructive Side Channel Analysis and Secure Design (COSADE 2014). Springer, Paris, France (2014).Abstract
In the last few decades embedded processors have invaded the modern lifestyle. Embedded systems have hardware and software components. Assuring the integrity of the software is very important as it is the component that controls what the hardware does through its instructions. Although there exist a number of software integrity verification techniques, they often fail to work in embedded environment. One main reason is, the memory read protection, frequently implemented in today's microprocessors, that prevent the verifier from reading out the necessary software parts. In this paper we show that side channel leakage (power consumption) can be used to verify the integrity of the software component without prior knowledge of the software code. Our approach uses instruction-level power consumption templates to extract information about executed instructions by the processor. Then this information together with pre-computed signatures are used to verify the integrity of the executed application using RSA signature screening algorithm. The instruction-level templates are constructed ahead of time using few authentic reference processors.
Msgna, M., Markantonakis, K., Mayes, K.: Precise Instruction-Level Side Channel Profiling of Embedded Processors. To appear in 10th Information Security Practice and Experience Conference (ISPEC 2014). Springer, Fuzhou, China (2014).Abstract
Since the first publication, side channel leakage has been widely used for the purposes of extracting secret information, such as cryptographic keys, from embedded devices. However, in a few instances it has been utilised for extracting other information about the internal state of a computing device. In this paper, we show how to create a precise instruction-level side channel leakage profile of an embedded processor. Using the profile we show how to extract executed instructions from the device's leakage with high accuracy. In addition, we provide a comparison between several performance and recognition enhancement tools. Further, we also provide details of our lab setup and noise minimisation techniques, and suggest possible applications