About me

I'm an external Ph.D. student in the Digital Security group at the Institute for Computing and Information Sciences of the Radboud University Nijmegen.

When I'm not working on my research I am Team Lead Security, Privacy and Trust at SURFnet, the National Research and Education Network (NREN) in The Netherlands. In my job I'm responsible for Internet innovation, mainly dealing with security, authentication and identity management.

Students: I have student assignments available, see below


My main interests in research are Trusted Execution Environments (TEE) and identity management, in particular anything dealing with two-factor authentication and privacy, such as for instance the IRMA project, which I am participating in on behalf of SURFnet.

I'm actively exploring the options for using Trusted Execution Environments as a means to improve the security and trust of user interaction in two-factor authentication systems. I'm currently working on building a small system called the 'Pivacy', which I hope to use to explore the possibilities of trusted user interaction in two-factor systems.

My work is supervised by Erik Poll.


Current research

Other academic work




Student assignments

Please contact me () if you are interested in one of the assignments listed below.

In Apps we trust: using your smart phone for strong authentication

Analyse and compare the security of mobile phone apps for strong (or at least, stronger) authentication, including tiqr (, Google Authenticator, and other OTP apps such as VASCO's Digipass for Mobile. A possible follow-up would be to consider possibilities of using security features of mobile phone platforms, such as Secure Elements or Trusted Execution Environments. This is a topic that could be investigated in collaboration with SURFnet and/or the Dutch banks. Interested students, please contact me, Eric Verheul, or Erik Poll.

(Note for Kerckhoffs students: also possible as Research A/B project)

Social login 4.0 - Using the privacy-friendly IRMA technology online with OpenID Connect

It is becoming more and more common to see web sites where you can log in using your social identity (e.g. your Facebook, Google or Twitter account). Most of these login scenarios are based on OAuth, OAuth2 and - in the near future - Open ID Connect. The problem with many of these logins is that relying parties (the site you log in to) often request a lot of personal data. From a privacy perspective that is undesirable.

The IRMA project on the other hand is "privacy-by-design". We differentiate between identifying and non-identifying information about a user (attributes) and put the user at the centre of all interactions. No data is revealed without the user's consent and the system is built to facilitate selective and minimal disclosure of personal information.

The goal of this student assignment is to investigate how we can marry IRMA's privacy friendly approach with OpenID Connect. Students are challenged to analyse how IRMA fits in the OpenID architecture and to build a prototype that demonstrates the use of IRMA credentials in an OpenID Connect identity provider.

Knowledge of OAuth2 and federated identity management helps, as well as good programming skills. We have OAuth2 software available in several programming languages (e.g. PHP and Java) that can be used as a starting point.

This research project may be performed in Nijmegen or at SURFnet in Utrecht.

Students interested in this project should contact me or Gergely Alpár.

Advancing detection of DNS(SEC) amplification and reflection attacks

The global DNS infrastructure has a long of history of being abused for "(Distributed) Denial of Service (DDoS)" attacks. DNS reflection and amplification attacks have the potential to paralyse entire institutions or networks. Although disruptive, these attacks took place on a relatively modest scale. In recent times, however, we see a worrying escalation in the application of this kind of attack. We see (attempts of) abuse of our DNS servers to facilitate these kinds of attacks. SURFnet and its connected institutions are also victims.

The goal of the thesis work will be to investigate whether, and if so how, it is possible to detect these kinds of attacks based on the characteristics of incoming DNS queries. Not only the query itself is of interest but also aspects like the query rate, parameters used in subsequent queries and the datagrams containing the queries and other protocol parameters in different network layers (DNS(SEC), UDP, TCP, IP, etc.).

Besides detection of (potential) attack attempts the research should also address how such attempts can (or cannot) be automatically blocked without hindering legitimate use of DNS(SEC).

Research on this assignment will be located at SURFnet's offices in Utrecht

Interested students please contact me or Aiko Pras (University of Twente)


+31-30-2305305 (SURFnet)
+31-24-3652298 (secretariat)
+31-30-2305329 (SURFnet)
E-mail (preferred)
Social media
Roland van Rijswijk on LinkedIn
@reseauxsansfil on Twitter
Visiting address (RU)
Room HG02.071
Faculty of Science (Huyghens Building)
Heijendaalseweg 135
6525 AJ Nijmegen
The Netherlands
General directions to the university
Visiting address (SURFnet)
SURFnet bv
Radboudburcht 273
3511 CK Utrecht
The Netherlands
Directions to SURFnet
Mail address
Roland van Rijswijk-Deij
Radboud University Nijmegen
FNWI, Digital Security, Mailbox 47
P.O. Box 9010
6500 GL Nijmegen
The Netherlands