Application development

Projects (Research & Development)

On this page I keep a list of projects which might be interesting for the R&D courses or for a Bachelor or Master project. If you are interested in one of these projects, or want some references concerning these topics, please contact me.

On the thesis projects page of the Digital Security group you can find more security-related student projects offered by other members of the Digital Security group.

Security analysis of pinpad cardreaders

The company ReinerSCT offers cardreaders with a pinpad for secure entry of the PIN code. Furthermore, these devices provide a small text-based screen to show some messages to the user. These readers are certified for use with the new German ID card, and we are looking into them to improve the security of some of our applications. But the question is whether these devices (which allow software updates) are really secure.

The goal of this project is to find out whether these devices are really secure or whether we can tamper with them (for example, show different messages on the display or learn the PIN code of the user). For more information and ideas on how to attack these readers you can contact me or Roel Verdult.

OV-chipkaart on an NFC-enabled mobile phone

The current OV-chipkaart is broken, and a new card is being developed based on Java Card on a SmartMX chip. The benefit of Java Card is that it is (or should be) platform independent. This means that it should not matter whether it is installed on a chip from NXP or, for example, one from Gemalto. To go even further, it should not even matter whether this chip is embedded in a smart card or in any other device. Near Field Communication (NFC) is a technology which allows mobile phones to interact with a smart card, but also to act like one. This means that you should be able to use your mobile phone as your OV-chipkaart.

The goal of this project is to find out if the OV-chipkaart applet (the Java Card application) can also be used on an NFC-enabled mobile phone and to investigate which benefits and/or drawbacks this has over the normal smart card approach. We already have an implementation of the OV-chipkaart applet which can be used as a starting point for developing the NFC application.

Privacy-friendly OV-chipkaart using attributes

The current OV-chipkaart is not privacy-friendly: it contains an identifier (on both the personal and the anonymous cards) which is used to track all transactions of a card. We believe that this can be done better by using attributes instead of identities as much as possible. For example, you should be able to get on a train by just showing that you have an NS- or OV-jaarkaart.

The goal of this project is to find out how attribute-based credentials can be used to create a more privacy-friendly OV-chipkaart. We have already done a lot of research into attribute-based credential systems, and we even have implementations of them. The focus of this project is to investigate how these technologies can be used and to adapt the implementations to a working demonstrator for the OV-chipkaart scenario.

Web-based smart card interaction

Smart cards are becoming more and more ubiquitous. Currently they are mainly used for payment, transport or authorisation at special terminals. They can, however, also be used at home. Using a card reader connected to your computer you are able to interact with a smart card. This opens up a whole new set of scenarios which involve reading out card information, like the balance on your card, or interaction with other applications. Most interesting is interaction with web pages, where a smart card can, for example, be used to log in or authorise a transaction. At this moment a few applications and browser plugins are available which allow you to use an electronic ID card or bank card with a website. The drawback is that these tools are card-specific: they can only be used in combination with a specific type of card.

The goal of this project is to design and develop a generic framework which will allow web interaction with any kind of smart card (to avoid the need for a separate plugin for each new web application). We already have a demo application, currently using an unstable ad-hoc implementation, which can be used as a test scenario for the new framework.
