[ TAKEN ] Propose a model for Public Key Infrastructure (PKI) enabling a Post-Quantum cryptographic transition without hybrid signatures

TAKEN The transition to a putative post-quantum PKI often leads people to propose hybrid signature schemes as a part of their transition model. PKI libraries however, are highly complex, and liable to be mis-used, leading to vulnerabilites, so adding significant complexity to such libraries is undesirable. The task here is to propose PKI transition schemes … Read more

[ TAKEN ] Develop a model for deployment of Encrypted Client Hello (ECH) enabling co-operating “front-ends”

[TAKEN] The ECH scheme is largely expected to be deployed by large-scale CDNs, which has some undesirable centralisation aspects. ECH also defines a “split-mode” where one server acts as a “front-end” for another. The task here is to model how a loose network of TLS servers could fairly act as front-ends for one another, yet … Read more

[ TAKEN] Continue development of (parts of) an Internet scanning infrastructure tailored to Ireland

TAKEN Scanning public-facing Internet services in order to detect security- and privacy-relevant patterns and problems is becomming well-trodden ground. Typical studies attempt Internet-scale IPv4 scans, e.g., to detect uses of outdated ciphers in uses of the Transport Layer Security (TLS) protocol. More local scans (e.g., https://eprint.iacr.org/2018/299) could however produce results that are easier to translate … Read more

[ TAKEN ] DNS Abuse Transparency

TAKEN. Bad actors abuse DNS names for various purposes, e.g. for phishing sites. DNS infrastructure providers (registrars and registries) handle abuse complaints in such cases and may “take down” a DNS name is abuse if proven. They may also proactively prevent registration of some names (e.g. those usable for “typosquatting”), or even (in theory) censor … Read more

[ TAKEN ] Where’d those keys come from?

TAKEN Mobile COVID-tracking applications were deployed during the pandemic based on the Google/Apple Exposure Notification (GAEN) scheme. That scheme involved devices publishing a set of up to 14 cryptographic keys after a user tested positive. Those keys were then made available to other devices by services operated by national health authorities. We were downloading the … Read more

Finding Open Source Code Within Obfuscated Android Apps

It is generally easy to decompile java apps to recover the source code. To discourage reverse engineering etc, app developers therefore often obfuscate the code as part of their compilation pipeline. Obfuscation typically involves replacing all class, method and field names with random strings of characters. That makes it hard to find out whether an … Read more

How Private Are Android Apps Really

In this project we’ll look at the data shared by a set of similar apps on Android phones with a view to assessing their privacy. Typically there have been no measurements studies of the actual data shared by apps “in the wild”. Since network traffic is encrypted the project will involve some “white hat” hacking … Read more