Sheila Cobourne

Distributed e-voting using the Smart Card Web Server

Voting in elections is the basis of democracy, but citizens may not be able or willing to go to polling stations to vote on election days. Remote e-voting via the Internet provides the convenience of voting on the voters own computer or mobile device, but Internet voting systems are vulnerable to many common attacks, affecting the integrity of an election. Distributing the processing of votes over many web servers installed in tamper-resistant, secure environments can improve security: this is possible by using the Smart Card Web Server (SCWS) on a mobile phone Subscriber Identity Module (SIM). This paper proposes a generic model for a voting application installed in the SIM/SCWS, which uses standardised Mobile Network Operator (MNO) management procedures to communicate (via HTTPs) with a voting authority to vote. The generic SCWS voting model is then used with the e-voting system Prêt à Voter. A preliminary security analysis of the proposal is carried out, and further research areas are identified. As the SCWS voting application is used in a distributed processing architecture, e-voting security is enhanced because to compromise an election, an attacker must target many individual mobile devices rather than a centralised web server.

Using the Smart Card Web Server in Secure Branchless Banking

In remote areas of developing countries, the mobile phone network may be the only connection with outside organizations such as banks. SMS messages are used in branchless banking schemes such as M-PESA in Kenya, but can be vulnerable to SMS spoofing exploits. This paper proposes a branchless banking system for withdrawal, deposit and transfer transactions, using an application on the phone’s tamper-resistant Subscriber Identity Module (SIM) equipped with a Smart Card Web Server (SCWS) and public key cryptography capabilities.

Authentication based on a changeable biometric using gesture recognition with the Kinect

Biometric systems either use physiological or behavioural characteristics to identify an individual. However, if a biometric is compromised it could be difficult or impossible to change it. This paper proposes a biometric authentication system based on gesture recognition, where gestures can be easily changed by the user. The system uses a Kinect™ device to capture and extract features, as it provides 20 skeleton tracking points: we use just six of these in our system. The Dynamic Time Warping (DTW) algorithm is used to find an optimal alignment between gestures which are time-bound sequences. We tested the system on a sample of 38 volunteers. Ten volunteers provided reference gestures of their own design and 28 volunteers attempted to attack these reference gestures by both guessing and copying. Guessing the gesture was unsuccessful in all cases, but when the attacker had previously seen a video of the reference gesture the experiment gave us an estimation of the True Positive Rate (TPR) of 0.93, False Positive Rate (FPR) of 0.017 and Equal Error Rate (EER) of 0.028.

Remote E-Voting Using the Smart Card Web Server

Voting in elections is the basis of democracy, but voting at polling stations may not be possible for all citizens. Remote Internet e-voting uses the voters own equipment to cast votes, but is potentially vulnerable to many common attacks, which affect the elections integrity. Security can be improved by distributing vote processing over many web servers installed in tamper-resistant, secure environments, using the Smart Card Web Server SCWS on a mobile phone Subscriber Identity Module SIM. A generic voting model is proposed, using a SIM/SCWS voting application with standardised Mobile Network Operator MNO management procedures to process the votes cast. E-voting systems Pret i Voter and Estonian I-voting are used to illustrate the generic model. As the SCWS voting application is used in a distributed processing architecture, e-voting security is enhanced: to compromise an election, an attacker must target many individual mobile devices, rather than a centralised web server.

Virtual World Authentication Using the Smart Card Web Server

Virtual Worlds (VWs) are persistent, immersive digital environments, in which people utilise digital representation of themselves. Current management of VW identity is very limited, and security issues arise, such as identity theft. This paper proposes a two-factor user authentication scheme based on One Time Passwords (OTPs), exploiting a Smart Card Web Server (SCWS) hosted on the tamper-resistant Subscriber Identity Module (SIM) within the user’s mobile phone. Additionally, geolocation attributes are used to compare phone and PC locations, introducing another obstacle for an attacker. A preliminary security analysis is done on the protocol, and future work is identified.

Comparison of dynamic biometrie security characteristics against other biometrics

Biometrie data can be used as “something you are” in authentication systems, but if a biometrie is compromised by a malicious entity, the genuine user can no longer use it because it cannot be easily changed. Dynamic biometrics may offer a practical alternative, as they capture both an inherence factor along with a changeable knowledge factor in a single step. This paper investigates dynamic biometrics and whether they offer useful security authentication properties compared to conventional biometrics. In particular the paper focuses on one type of dynamic biometry, authentication based on Gesture Recognition, and presents a proof of concept experiment. Security characteristics of examples from three classes of dynamic biometrics are compared to a selection of common physiological (“fixed”) biometrics, leading to the conclusion that in addition to providing one-step, two factor authentication, dynamic biometry may provide privacy benefits in some circumstances.

Philanthropy on the Blockchain

One of the significant innovations that came out of Bitcoin is the blockchain technology. This paper explores how the blockchain can be leveraged in the philanthropic sector, through charitable donation services in fiat currency or Bitcoin via a web-based donor platform. The philanthropic model is then used for a case study providing humanitarian aid for a community living in a challenging geographical environment with limited internet availability. An SMS based mobile payment system is proposed for provisioning the received donations using the existing GSM network, very basic mobile phones and One Time Password (OTP) security tokens. The proposed scheme is finally evaluated for security while discussing the impact it has on charities and donors.

Gesture recognition implemented on a personal limited device

For a biometrics system, one of the principal challenges is to protect the biometric reference template, as if a malicious individual is able to obtain this template, the genuine user would not be able to reuse the biometric for any application. A solution may be to use a new form of authentication based on gesture recognition. This type of authentication has the added advantage that in the case of compromise, the gesture can be changed yet still retain the advantages of the biometric input. In this paper, we investigate whether it is feasible to implement a Gesture Recognition system on a personal limited device such as a smart card. To do this, we set out an experiment using sample gestures based on practical results of gesture authentication trials and an optimised version of Dynamic Time Warping (DTW) algorithm to analyse the data captured. We implemented them on both a contact Smart Card (SC) and the more powerful Samsung Galaxy S4 mobile phone, using Host Card Emulation (HCE). The result of this experiment was that it would take around a minute for the SC and a second for HCE.

A Smart Card Web Server in the Web of Things

The establishment of the Internet of Things (IoT) is gathering pace. The “things” will be counted in their billions, however interoperability problems may compromise the interconnectivity aspect. Isolated “things” are common and often make use of proprietary communication and security protocols that have not been subject to public scrutiny. By contrast the World Wide Web has well established technology and protocols and so there is interest in the so-called Web of Things (WoT) that would allow the “things” to communicate using standard web protocols. However, with so many readily accessible nodes we considered that the WoT should be underpinned by attack/tamper-resistant security modules that are compatible with the WoT protocols. This paper considers the use of the Smart Card Web Server (SCWS) capability to practically secure the WoT. Finally, the use of a SCWS is extended to provide a means of secure, local Single Sign-On (SSO).

Practical Attacks on Virtual Worlds

Virtual Worlds (VWs) are immensely popular online environments, where users interact in real-time via digital beings (avatars). However, a number of security issues affect VWs, and they are vulnerable to a range of attacks on their infrastructure and communications channels. Their powerful architecture can also be used to mount attacks against live Real World servers, by using malicious VW objects. Researching these attacks in commercial VWs would not be acceptable, as it would be contrary to the terms of conditions which govern acceptable behaviour in a particular VW. So in this paper, attacks were conducted/analysed in a laboratory-based test bed VW implementation developed specifically for the research, with custom built attack and analysis tools: commercial VWs were used for data gathering only. Results of these experiments are presented, and appropriate countermeasures proposed which could reduce the likelihood of the attacks succeeding in live VWs.