T-110.5291 Seminar on Network Security P (5 cr)

Topics


Theme: Security and Privacy in Digital Services

The development of new digital services is changing our lives and, at the same time, making us more vulnerable to malicious activities. Online services, mobile devices, and ubiquitous computing are all connected to each other and the open communication networks. This exposes them to hackers, cyber criminals, terrorism and even warfare. The topic of this year’ seminar is security solutions that can make everyday services and infrastructure safer and more reliable.

Potential research topics for the seminar include, for example, the security of network infrastructure, cloud computing, mobile applications, ubiquitous computing platforms, and machine-to-machine communication. We invite the students and tutors to think about the new security threats created by our increasing dependence on technology in both work and personal life, as well as about how to increase the security of everyday technologies and protect the privacy of their users.

 

Topics:

  1. A Physical device for sharing security credentials. - Tutor Ahmed Abu Shohel
  2. ICN for mobile usage - Tutor Andrey Lukyanenko
  3. Generic TCP - Tutor Andrey Lukyanenko
  4. Reputation in Bittorrent - Tutor Andrey Lukyanenko
  5. Privacy issue of Internet interaction. - Tutor Yan Zheng
  6. Trust management in mobile cloud computing. - Tutor Yan Zheng
  7. Trust management in Internet of Things. - Tutor Yan Zheng
  8. Physical security weaknesses, hacking techniques and counter measures in computer-based devices. - Tutor Juha Sääskilahti
  9. What's Going on with Quantum Computation and Cryptography? - Tutor Miika Komu
  10. Tickets and Gossip - Tutor Jan-Erik Ekberg
  11. Assurance, Compliance and Certification - Tutor Jan-Erik Ekberg
  12. Possibility of using mobile phone as POS terminals. - Tutor Sandeep Tamrakar
  13. Future of Mobile wallet - Tutor Sandeep Tamrakar
  14. Mobile application security in a marketplace world - Tutor Mario Di Francesco
  15. Third-party authentication and social web applications: the OAuth case - Tutor Mario Di Francesco
  16. Security challenges of HTML5 in Mobile Devices. - Tutor Yrjö Raivio
  17. Communication security in HTML5 - Tutor Jukka K. Nurminen
  18. Access control in HTML5 - Tutor Jukka K. Nurminen / Tuomas Aura
  19. Electricity consumption of security - Tutor Jukka K. Nurminen
  20. Security analysis of Bitcoin - Tutor Tuomas Aura / Miika Komu
  21. Cryptographic protocols for Internet-of-Things (IoT) - Tutor N. Asokan
  22. Clique-sourcing for detecting inappropriate content/applications - Tutor N. Asokan
  23. Botnets in the wild - Tutor Aapo Kalliola
  24. Internet topology - Tutor Aapo Kalliola
  25. Strong mobile authentication and the threats related - Tutor Matias Seppovaara
  26. Can symmetric cyphers be safely used as hash functions - Tutor Andrei Gurtov
  27. Implicit ECQV certificates - Tutor Andrei Gurtov

Topic by Ahmed Abu Shohel

1. A Physical device for sharing security credentials

A sample scenario:
Think of a conference room or a coffee shop where access (credentials) to the WiFi is controlled so that only valid facility users can use the WiFi access point.

How it can work:
In our system, there is a physical device which is responsible for sharing credentials. The physical device (e.g., a device with NFC capability but not limited to) within the facility securely shares the information (e.g., credentials, SSID etc. for WiFi access) to another NFC (not limited to NFC technology) enabled device ( e.g., to a mobile phone of an attendee). When a person enters the area, he/she will touch (e.g., it can be other kind of gesture or technique) his mobile device with the physical device to receive credentials for WiFi access. The person may or may not be registered earlier with the system.

Expected output:
The goal of this paper is to identify vulnerabilities and define a threat model for such a system. An initial starting point can be a threat model of NFC technology. However the paper should focus on the situational context of a conference room or a Coffee shop.

References: provided after the topic is assigned.

Tutor: Ahmed Abu Shohel

Topics by Andrey Lukyanenko

2. ICN for mobile usage

Information centric networking is a new vision for the future internet. There were some discussions on the technology and it was considered to be safer, more secure and more mobile. The studies of these however are always limited and different aspects of the technology are not well understood. While leading scientists in the field, discuss the problems of defining good identifiers (human readable, self-certifying and/or hierarchical). The topic is to understand and conduct study on usage of ICN in everyday environments (at home connecting different devices together, in public place receiving data from the environment, delay-tolerant network communications). The topic is primary focuses mobile usage and security.

References: provided after the topic is assigned

Tutor: Andrey Lukyanenko

3. Generic TCP

TCP is a standard. It is used every day on almost every machine (except some restricted sensors, RFIDS, etc). While it is standard, there are plenty versions of TCP in the wild – each optimized for own environment (e.g. TCP New Reno, Vegas, Cubic, DCTCP). However, now as we have such a big scope of TCP to use, the question is what exactly form of TCP to use, and based on what conditions. Here we assume we use some generic TCP protocol that may adapt to environment conditions in order to form a best version of TCP in the environment. The question here is how this theoretical protocol can be misused in order to achieve higher throughput, or any other benefits. For example we may use more aggressive versions of the protocol in Wireless environment, and receive higher share of the medium to us. (This work can also be done together with some coding if the student is interested).

References: provided after the topic is assigned

Tutor: Andrey Lukyanenko

4. Reputation in Bittorrent

There are a few forms of reputations for P2P infrastructure exists. One of them is very famous EigenTrust algorithm. This however provides a global unique reputation, which does not make any sense for individuals in P2P system. For example in network can come 2 nodes and locally give high reputation to each another (Sybil attack) while they do not have high reputation for any other node. This mutual increase in local reputation will increase their global reputation in EigenTrust mechanism, and thus breaks the whole idea of reputation. During this summer we developed a local reputation mechanism with globalizing view which provides for each peer in network unique reputation for any other node, however those are local, meaning that two different peers may easily have different reputation of common third peer. The task here depends on the student skills and will to study. It is either literature survey, where the student has to take a look on different reputation systems (EigenTrust, web-of-trust, etc) and find similar mechanism to ours and try to understand security aspects of those studies. Or if the student is willing to program, then the student should take our code in C++ written on OmNet++) and simulate Sybil attacks (or any other attack) and test/modify the suggested solution.

References: provided after the topic is assigned

Tutor: Andrey Lukyanenko

Topics by Yan Zheng

5. Privacy issue of Internet interaction

Google's business model is collecting internet users' usage information (e.g., through search behaviors and web usage behaviors) in order to grasp their preference, habits, willingness, etc., thus it can provide suitable advertisements. By losing somehow their private information (e.g., disclosing "what I want to find"), the users gain free Google services.

In addition, when an internet user interacts/access internet (e.g., social networking, VoIP, Blogging, instant messaging), his/her activities or personal information can be automatically collected by the third party, how to enhance the future internet user' privacy as his/her preference is an interesting topic worth our study.

I hope the candidate can discuss the privacy issue of future internet, how serious it is, how do users think about it (especially the Google and Facebook's business model). What kind of solution could be needed and expected by future internet users. What are innovated ideas related to this?

References: provided after the topic is assigned

Tutor: Yan Zheng

6. Trust management in mobile cloud computing

Cloud computing offers a new way of IT services by re-arranging various resources (e.g., storage, computing and services) and providing them to users based on their demand. Cloud computing provide a big resource pool by linking network resources together. It has desirable properties, such as scalability, elasticity, fault-tolerance, and pay-per-use. Thus, it becomes a promising service platform, rearranging the structure of Information Technology (IT). Meanwhile, with the rapid growth of mobile communications networking, and computing, as well as wide usage of mobile devices, cloud computing is moved to mobile domain. People nowadays use their mobile devices to perform various activities. Cloud computing provides a most rational way for mobile devices to access services and resources. The same as the Internet based cloud computing, one important issue in mobile cloud computing is trust, security and privacy. For example, personal data should be securely accessed at the data center of the cloud service provider (CSP). Personal access of some data should not be tracked by unauthorized users. Furthermore, whether it is reasonable to provide cloud services in a pervasive manner in mobile domain? What is the concern and challenges with regard to trust management in mobile cloud computing, focusing on security assurance, privacy preservation and trust establishment.

I hope the candidate studies the background and principle of MCC, characteristics, recent research work, and future research trends, then analyses the features and infrastructure of mobile cloud computing. It is expected that the candidate analyses the challenges of mobile cloud computing with regard to trust management, summary of some research projects related to this area, and points out promising future research directions.

References: provided after the topic is assigned

Tutor: Yan Zheng

7. Trust management in Internet of Things

Internet of Things is uniquely identifiable objects (things) and their virtual representations in an Internet-like structure. Equipping all objects in the world with minuscule identifying devices could be transformative of daily life. The smart objects in IoT are most likely human-carried or human-operated devices. The Internet of Things (IoT) integrates a large amount of everyday life devices from heterogeneous network environments, bringing a great challenge into security and reliability management. I hope the candidate studies the trust, security and privacy issue of IoT, the current research status in this area, and points out promising future research trends.

References: provided after the topic is assigned

Tutor: Yan Zheng

Topic by Juha Sääskilahti

8. Physical security weaknesses, hacking techniques and counter measures in computer-based devices.

Many computer –based devices have nowadays good level of protection on the network (IP) interfaces. For example home-based devices such as PC computers, set-top boxes for TV viewing, ADSL modems, digi boxes etc., as well as public infrastructure components, such as web servers, WLAN APs etc. typically have a properly protected IP interface with firewalls and encryption. However, the devices might have some physical weaknesses, such as local serial cable connection, which could be used for bypassing logical protection. ATM machines, public ticketing machines etc. that are exposed to the public typically have heavy set of physical protection applied – in addition to guarding surveillance cameras and other external protection. Devices at home, however, are fully exposed to persistent hackers – who have unlimited time and depending on motivation varying resources to hack the device.

The goal of this assignment is to survey typical physical security weaknesses and related hacking techniques in home devices, as well as consider countermeasures for these.

References: provided after the topic is assigned

Tutor: Juha Sääskilahti

Topic by Miika Komu

9. What's Going on with Quantum Computation and Cryptography?

Quantum computation has been touted as the holy grail for security as it comes with a promise to replace traditional cryptography [1]. For this reason, it might replace VPNs [2] or be used to improve privacy in cloud networking [3,4,5] that is troubled by multi-tenancy issues.

In this topic, the student learns how quantum cryptography works in practice [6] at least superficially. The main goal of this work is to separate the realistic networking-related applications from the hype [7,8,9] instead of deep analysis of the underlying physics [10]. The students surveys also other references and writes a high-level overview of the present state and especially applications of quantum computation and cryptography.

References:

  1. Post-quantum cryptography
  2. http://conferences.sigcomm.org/sigcomm/2003/papers/p227-elliott.pdf
  3. http://www.sciencemag.org/content/335/6066/303.abstract
  4. http://www.techweekeurope.co.uk/news/boffins-propose-secure-method-for-quantum-computing-in-the-cloud-55509
  5. http://medienportal.univie.ac.at/presse/aktuelle-pressemeldungen/detailansicht/artikel/quantum-physics-enables-perfectly-secure-cloud-computing/
  6. http://michaelnielsen.org/blog/quantum-computing-for-the-determined/
  7. http://nextbigfuture.com/2010/09/quantum-computing-separating-hope-from.html
  8. http://www.networkworld.com/news/2011/092611-quantum-computing-250825.html
  9. http://www.computerworld.com/s/article/9224670/IBM_touts_quantum_computing_breakthrough
  10. http://arstechnica.com/science/2012/04/decision-to-entangle-effects-results-of-measurements-taken-beforehand/

Tutor: Miika Komu

Topics by Jan-Erik Ekberg

10. Tickets and Gossip

High-speed proximity radios are constantly evolving - NFC [1] is an established technology for pairing, bootstrapping and (with NFC smart cards - payment). Similar radios are emerging [2] that enable several decades of improvement for the speed of the radio communication between a Reader/Mobile phone/PC and a passive tag or another active device.

Based on internal user studies, one of the more promising use cases of these radio technologies going forward is one where a payment - like transaction is combined with a rights-protected data transaction. E.g. when you board a bus and pay with your bus card (or mobile phone), you may have the option to receive rights-protected data - say an afternoon tabloid e.g. for consumption during the bus ride.

The assignment targets this use case but can take many forms. The student may explore security protocols that combine payment/ticketing-like transactions with DRM to enable business models like discounts (if both services are consumed in parallel). Another alternative is to design DRM systems that could be applicable to a passive wireless tag with access control but limited computation capabilites. A third could be a system design around this use case - possibly replacing the high-speed proximity transfer with a localized WLAN service constrained to the moving vehicle (as the high-speed radios are not yet readily available).

References:

  1. http://www.nfc-forum.org/home/
  2. Pelissier, Jantunen & al: A 112 Mb/s Full Duplex Remotely-Powered Impulse-UWB RFID Transceiver for Wireless NV-Memory Applications, IEEE Journal of Solid-State Circuits, April 2011

Tutor: Jan-Erik Ekberg

11. Assurance, Compliance and Certification

In order for smart cards and security devices to be used for services with high risk - like smart cards used as credit cards, network routers used in military installations or mobile phones used in government networks there typically is a requirement by the receiving business entity for third-party certification. The traditional setting for this is Common Criteria certification (Europe) and NIST accreditation for U.S. government use. These system validate a device consisting of hardware and software against a (security) profile to a certain "level of assurance", e.g. smart cards are typically certified to CC EAL 4+. The level accounts for the depth of testing and process validation deployed. Certification is as a rule carried out by independent third-party laboratories at a cost to the certifier. Higher levels of certification typically also require process validation, i.e. the certification work must be conducted in parallel with the development work.

Common criticism against the current certification process is that it is costly, slow and does not apply well to updates during the lifecycle of the device - e.g. a software patch might even require a completely new certification round. All of these properties are starkly in conflict with "the internet way of thinking" i.e. release early - release often".

As a response to this, The National Technical Authority for Information Assurance - i.e. the British authority responsible for nationial information security has introduced a completely new assurance scheme, the Commercial Product Assurance (CPA).

The student assigment is to review well-established compliance methodologies, public evidence about their success in the marketplace and e.g. trends of usage / deployment, and from this background especially evaluate the relative strengths of the new CPA process.

References:

  1. http://www.commoncriteriaportal.org/
  2. http://www.nist.gov/manuscript-publication-search.cfm?pub_id=904985
  3. http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA.aspx

Tutor: Jan-Erik Ekberg

Topics by Sandeep Tamrakar

12. Possibility of using mobile phone as POS terminals.

Traditionally, individuals who sells handfull of goods ocasionally accepts cash or cheques in exchanges of the goods they sell. For example, Sunday market sellers, food sellers during restaurant days. Today, cash and cheques are disappearing from major cities around the world and the use of electronic payment system such as Debit card and Credit cards are becoming popular. The point-of-sales terminals used to accept these debit / credit cards requires a dedicated card reader hardwares and these devices comes at a price. Also, these terminals requires subscription fees and service charges for its use. Therefore, POS terminals are not an attractive solution for occasional sellers.

Now with the ubiquitously available wireless Internet and Internet-enabled person devices such as mobile phones, new methods of mobile based payments systems are emerging. For example, square service provides a small magnetic card reader that can be attached to a smart phone and use the phone as a POS terminal that accepts payments from magnetic cards [1]. Similarly Paypal is bringing mobile payment solutions [2]. The goal of this work is to survey different mobile based payment solutions and study the possibility of using mobile phone as POS terminals which could be easy to use and cost effective.

References:

  1. Square
  2. Paypal brings mobile payments to UK stores
  3. Might Financial Cryptography Kill Financial Innovation? - The curious case of EMVR. Anderson, M. Bond, O. Choudary, S. J. Murdoch, and F. Stajano. Financial cryptography kill financial innovation? - the curious case of emv.

Tutor: Sandeep Tamrakar

13. Future of Mobile wallet

The concept of mobile phone based payment and mobile wallet is not new. However, the widespread integration of Near Field Communication (NFC) on a mobile phone has once again brought the concept into the highlight. Different companies are proposing their own solutions to this concept. For example Google wallet: In short, the second version of the Google Wallet allows user to store different types of payment card information on the cloud which can be then linked to a virtual card ID stored on the embedded secure element on the mobile phone for the NFC payment [1]. Similarly, Nokia has completed trials on NFC phone based public transport ticketing system in Long Island Railway Road New York [2]. Also HTC has announced NFC and microSD card based mobile banking [3].

The goal of this work is to study different mobile wallet system that are being trialed, identify and understand the important issues such as key constrains, maturity of the systems, user acceptance, interoperability, standardization and the future of the mobile wallet.

References:

  1. google wallet
  2. Nokia to bring NFC to New York Commuters
  3. MicroSD Vendor Announces Taiwanese M-Payment Trial Using HTC NFC Phones

Tutor: Sandeep Tamrakar

Topics by Mario Di Francesco

14. Mobile application security in a marketplace world

In the last few years, the explosive growth in the number of mobile devices, including smartphones and tablets, has been followed by a tremendous increase in the number of mobile applications. Most of current systems adopts a marketplace model for the delivery of applications to mobile devices. They include Apple's App Store, Google Play, and Windows Phone Marketplace. Each solution offers some security features to protect users from malicious applications. However, this has not prevented malware to spread on mobile devices with a very high rate.

The student involved in this topic is expected to: learn the basic security mechanisms provided by the major mobile device platforms; review the approaches for mobile application security from a marketplace perspective; characterize the pitfalls of current systems and propose solutions to improve their security.

References:

  1. Kaspersky Lab, "Mobile Threats Double in Number"
  2. The Next Web, "Apple's app store, filled with 'App farms' being used to steal"
  3. Google Mobile Blog, "An Update on Android Market Security"

Tutor: Mario Di Francesco

15. Third-party authentication and social web applications: the OAuth case

Online social networks (OSNs) have recently become extremely popular. As a consequence, several web applications are exploiting social features made available by OSNs. Among those features, delegated authorization is the most widely used, wherein a third-party website exploits OSN user credentials to provide its own services. Currently, most of OSNs use OAuth for authorization purposes. However, delegated authorization poses some risks to security and privacy. Specifically, the original version (1.0) of OAuth had a security flaw, and there is still ongoing debate about the security of the most recent (2.0) version of the specifications.

The student involved in this topic is expected to: learn about authentication and authorization mechanisms used by OSNs; understand the security features of the OAuth specifications; review the weaknesses of the OAuth delegate authorization mechanism and propose solutions to overcome them.

References:

  1. Moo Nam Ko, G.P. Cheek, M. Shehab, and R. Sandhu, "Social-Networks Connect Services", IEEE Computer, 43(8):37-43, August 2010
  2. OAuth, "Security Advisories"
  3. R. Paul, "Compromising Twitter's OAuth security system", Ars Technica, September 10, 2010

Tutor: Mario Di Francesco

Topic by Yrjö Raivio

16. Security challenges of HTML5 in Mobile Devices

Summary:
HTML5 is a new set of standards that brings exciting new features to web programming. Also mobile browsers will support HTML5 and this will bring new opportunities for innovations. For example, HTML5 supports multimedia (audio and video) without 3rd party plug-ins, data storage to browser in offline-mode, networking features enabling push and efficient data transfer capabilities.

Research target:
HTML5 security is a huge research area. You should select a subtopic that is relevant in the mobile space. For example, you may research Push-technologies, Web Socket, data storage or Device APIs in security wise. Review the existing literature, summarize the challenges and highlight the main concerns and possible solutions.

References:

  1. ENISA, A Security Analysis of Next Generation Web Standards, 2011
  2. Michael Schmidt, Compass Security, HTML5 web security, v. 1.0, Dec 6, 2011
  3. Steve Hanna, Eui Chul Richard Shin, Devdatta Akhawe, Arman Boehm, Prateek Saxena and Dawn Song, The Emperor’s New APIs: On the (In)Secure Usage of New Client-side Primitives, 2010
  4. Robert McArdle, HTML5 Overview: A Look at HTML5 Attack Scenarios, 2011
  5. Shreeraj Shah, HTML5 Top 10 Threats Stealth Attacks and Silent Exploits, 2012

Tutor: Yrjö Raivio

Topics by Jukka K. Nurminen

17. Communication security in HTML5

One of the key new features in HTML5 is the Web Sockets protocol. In comparison to the current http requests, We Sockets enables bidirectional real-time communication between a web client and server, or any two nodes. For example, it can be used for streaming and asynchronous messaging to a web client. One exciting possibility is direct communication between clients. The goal of this seminar project is to understand the security policies and authentication and confidentiality mechanisms related to web sockets.

References:

  1. http://tools.ietf.org/html/rfc6455
  2. http://www.w3.org/TR/2009/WD-websockets-20091029/

Tutor: Jukka K. Nurminen

18. Access control in HTML5

Security of web browsers and applications is traditionally based on session identifiers and the same-origin policy. Attackers have found ways around these protection measures, for example the CSRF and XSS attacks, and additional security features have consequently been implemented in the web browsers. Confusion has also arisen from subtle differences between the ways in which the protection mechanisms are implemented in different browsers and web application frameworks. HTML5 promises to standardize many of the advanced HTML features so that it is easier to build rich, interoperable web applications. But what about the security model; has it been standardized? The goal of this seminar project is to write an up-to-date overview of the web browser and application security at the time of HTML5.

References:

  1. https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet http://www.w3.org/Security/wiki/Same_Origin_Policy
  2. http://tools.ietf.org/html/rfc6454

Tutor: Jukka K. Nurminen / Tuomas Aura

19. Electricity consumption of security

Recently the environmental impact of ICT sector has received a lot of attention. It is estimated that the environmental footprint of the whole ICT sector is at the same level as the airline industry. This is both an environmental concern and a major cost for many players in the ICT sector that spend a lot of electricity. Another new trend is that electricity pricing will be increasingly dynamic. In this way it might be possible to create major savings by delaying activities to time points when cheap and plentiful energy is available. In this task the goal is to understand the electricity consumption of the security solutions. How much of an average PC power is spent on antivirus, firewall and other similar software? How much a typical enterprise with dedicated boxes for firewalls, intrusion detection, etc. is spending? On the other hand it could also be studied how much electricity could be saved by a proper timing of the activities. Which security tasks can be delayed without major harm? In addition to performing a literature review, a simple calculation could be done to derive a rough estimate of electricity consumption of security solutions in some sample environment.

References:

  1. G. P. Fettweis and E. Zimmermann, "ICT energy consumption - trends and challenges, " in Proceedings of the 11th International Symposium on Wireless Personal Multimedia Communications, Lapland, Finland, September 2008.
  2. Potlapally, N.R.; Ravi, S.; Raghunathan, A.; Jha, N.K.; , "A study of the energy consumption characteristics of cryptographic algorithms and security protocols," Mobile Computing, IEEE Transactions on , vol.5, no.2, pp. 128- 143, Feb. 2006
  3. Goran Strbac, Demand side management: Benefits and challenges, Energy Policy, Volume 36, Issue 12, December 2008, Pages 4419-4426, ISSN 0301-4215, 10.1016/j.enpol.2008.09.030. http://www.sciencedirect.com/science/article/pii/S0301421508004606

Tutor: Jukka K. Nurminen

Topics by Tuomas Aura

20. Security analysis of Bitcoin

Bitcoin is an anonymous electronic currency that is independent of national banks and, in fact, has no single issuer. Instead, its security is based on distributed bookkeeping in a P2P network. A limited number of coins is issued over time as rewards for solving brute-force computing puzzles. The current size of the Bitcoint economy is in tens or hundreds of thousands dollars, and coins can be exchanged for other currencies.

Bitcoin topic A: The goal of this seminar project is to provide a technical introduction to Bitcoin and to its technical design principles and weaknesses.

Bitcoin topic B: The goal of this seminar project is to perform a high-level analysis of the economic and social aspects of Bitcoin. The analysis will require understanding of the technology but should be kept as independent of the technical implementation of Bitcoin as possible.

References:

  1. http://bitcoin.org/bitcoin.pdf
  2. https://bittiraha.fi/
  3. http://research.microsoft.com/pubs/156072/bitcoin.pdf
  4. http://www.techweekeurope.co.uk/news/bitinstant-bitcoin-paycard-details-mastercard-90204
  5. http://yro.slashdot.org/story/12/08/29/0349226/large-bitcoin-ponzi-scheme-collapses-with-a-loss-of-56-million
  6. http://www.cio.com.au/article/380394/open_source_identity_bitcoin_technical_lead_gavin_andresen/
  7. http://www.launch.co/blog/l019-bitcoin-p2p-currency-the-most-dangerous-project-weve-ev.html
  8. http://www.pcworld.com/article/230377/worlds_first_virtual_heist_bitcoin_user_loses_500000.html
  9. http://www.symantec.com/connect/blogs/all-your-bitcoins-are-ours

Tutor: Tuomas Aura / Miika Komu

Topics by N. Asokan

21. Cryptographic protocols for Internet-of-Things (IoT)

Connecting billions of sensors and actuators to the Internet is an exciting prospect which would make many new applications possible but first has to overcome several challenges. One of them is finding suitable security and privacy mechanisms whose computational and energy consumption requirements are not excessive for IoT devices -- not all IoT devices will be able to run full-fledged, standard cryptographic protocols that are widely used today. The goal of this topic is to survey the problem area and currently proposed solutions. An advanced and motivated student could also try to develop new techniques or adapt existing ones.

Pre-requisites: the student must have taken a basic course in cryptography and data security; familiarity with cryptographic algorithms and protocols.

References: provided after the topic is assigned.

Tutor: N. Asokan

22. Clique-sourcing for detecting inappropriate content/applications.

Social networks thrive on user-generated content and applications. Mobile device platforms are designed to encourage ordinary users to become "developers". While this triggers creativity and expands end user choice, it comes with the problem of how to enable ordinary users to detect and prevent running into inappropriate content/applications. There have been two ways to address this issue: one is to have centralized screening by experts and the other is to rely on crowd-sourcing, which is also, in effect centralized. In some cases, like deciding what is potentially "offensive", centralized vetting is not the best choice. A middle-ground is to investigate "clique-sourcing": i.e., gathering and accumulating feedback about an object from a user's own social graph (rather than from the entire social network). The goal of this topic is to quickly survey current proposals and to complete the implementation of a Facebook application that would let Facebook users to learn what their social network has to say about an app or any other piece of content before trying to use them.

Pre-requisites:the student must be familiar with and eager to do software development (Facebook app, backend server); familiarity with basic concepts of security and interest in data analytics would be useful.

References: provided after the topic is assigned.

Tutor: N. Asokan

Topics by Aapo Kalliola

23. Botnets in the wild

Botnets are currently the main source of spam, DDoS attacks and other malicious activity. There are (at least) hundreds of botnets with varying number of bots, with largest botnets having hundreds of thousand or millions of bots. Still, gaining information about real-life botnets is difficult, as they typically seek to avoid detection.

The partial purpose of this topic is to survey the current global botnet situation, form a view of the botnet capabilities and methods/expenses of gaining access to botnet capabilities. In addition to analysing the end-user point of view to botnets the topic also looks into means of defeating botnets. For this purpose the takedown mechanisms and the surrounding legal issues need to be covered. Perhaps a generalized mechanism for botnet detection and takedown can be derived from the analysis.

References: provided after the topic is assigned.

Tutor: Aapo Kalliola

24. Internet topology

While huge amounts of data travel through the internet every second our understanding of the topology of the internet is quite limited and not always up to date.

The purpose of this topic is to analyse existing research concerning the structure of the internet and available network topology datasets. A successful analysis could result in an understanding of what blind spots our current understanding may still contain, and observe the skewing limitations of available datasets.

In addition the security implications of increased interconnectivity have not been exhaustively discussed. New routing attack problems may have risen while the increased redundancy should improve the network.

References: provided after the topic is assigned.

Tutor: Aapo Kalliola

Topic by Matias Seppovaara

25. Strong mobile authentication and the threats related

Strong authentication can be integrated to mobile devices. In the seminar work you should outline few mobile authentication solutions and describe and evaluate what kinds of new threat scenarios emerge when authentication is integrated in the mobile device where the service requiring authentication is running on. You can assume that the strong authentication is used mainly for banking services.

References: provided after the topic is assigned.

Tutor: Matias Seppovaara

Topic by Andrei Gurtov

26. Can symmetric cyphers be safely used as hash functions

Will be provided after the topic is assigned.

References: provided after the topic is assigned.

Tutor: Andrei Gurtov

27. Implicit ECQV certificates

Will be provided after the topic is assigned.

References: provided after the topic is assigned.

Tutor: Andrei Gurtov