Security/Privacy – Student Projects

[ TAKEN ] Propose a model for Public Key Infrastructure (PKI) enabling a Post-Quantum cryptographic transition without hybrid signatures

Stephen Farrell (email | all projects)

TAKEN The transition to a putative post-quantum PKI often leads people to propose hybrid signature schemes as a part of their transition model. PKI libraries however, are highly complex, and liable to be mis-used, leading to vulnerabilites, so adding significant complexity to such libraries is undesirable. The task here is to propose PKI transition schemes … Read more

[ TAKEN ] Develop a model for deployment of Encrypted Client Hello (ECH) enabling co-operating “front-ends”

Stephen Farrell (email | all projects)

[TAKEN] The ECH scheme is largely expected to be deployed by large-scale CDNs, which has some undesirable centralisation aspects. ECH also defines a “split-mode” where one server acts as a “front-end” for another. The task here is to model how a loose network of TLS servers could fairly act as front-ends for one another, yet … Read more

[ TAKEN ] Develop a “stealthy” Encrypted Client Hello (ECH) scheme

Stephen Farrell (email | all projects)

TAKEN The task is to develop and implement a partial equivalent to the ECH scheme, that could be adopted by co-operating TLS clients and servers but that does not “stand out” and hence could be deployed (albeit at limited scale) if the standard approach to ECH fails to be widely deployed due to blocking of … Read more

[ TAKEN] Continue development of (parts of) an Internet scanning infrastructure tailored to Ireland

Stephen Farrell (email | all projects)

TAKEN Scanning public-facing Internet services in order to detect security- and privacy-relevant patterns and problems is becomming well-trodden ground. Typical studies attempt Internet-scale IPv4 scans, e.g., to detect uses of outdated ciphers in uses of the Transport Layer Security (TLS) protocol. More local scans (e.g., https://eprint.iacr.org/2018/299) could however produce results that are easier to translate … Read more

[ TAKEN ] Compare censorship experienced in Ireland with another country

Stephen Farrell (email | all projects)

TAKEN The project is to survey censorship measurement tools and data sets (e.g. https://ooni.org/ and similar), to compare and contrast those, and then use some subset of the identified tooling and data to compare the censorship situation for Internet users based in Ireland against the position of users based in some other country, to be … Read more

[ TAKEN ] DNS Abuse Transparency

Stephen Farrell (email | all projects)

TAKEN. Bad actors abuse DNS names for various purposes, e.g. for phishing sites. DNS infrastructure providers (registrars and registries) handle abuse complaints in such cases and may “take down” a DNS name is abuse if proven. They may also proactively prevent registration of some names (e.g. those usable for “typosquatting”), or even (in theory) censor … Read more

[Taken] Generative models for biometrics authentication through physiological signals

Andrea Patane (email | all projects)

Biometric authentication refers to systems that verify the identity of a user by unique traits such us fingerprints, voices or particular physiological features (such as ECG which will be the focus of the project). After having developed such a system based on publicly available data, this project will investigate the possibility of bypassing it using … Read more

[ TAKEN ] Where’d those keys come from?

Stephen Farrell (email | all projects)

TAKEN Mobile COVID-tracking applications were deployed during the pandemic based on the Google/Apple Exposure Notification (GAEN) scheme. That scheme involved devices publishing a set of up to 14 cryptographic keys after a user tested positive. Those keys were then made available to other devices by services operated by national health authorities. We were downloading the … Read more

Finding Open Source Code Within Obfuscated Android Apps

Doug Leith (email | all projects)

It is generally easy to decompile java apps to recover the source code. To discourage reverse engineering etc, app developers therefore often obfuscate the code as part of their compilation pipeline. Obfuscation typically involves replacing all class, method and field names with random strings of characters. That makes it hard to find out whether an … Read more

How Private Are Android Apps Really

Doug Leith (email | all projects)

In this project we’ll look at the data shared by a set of similar apps on Android phones with a view to assessing their privacy. Typically there have been no measurements studies of the actual data shared by apps “in the wild”. Since network traffic is encrypted the project will involve some “white hat” hacking … Read more