OpenHaven: an Open Hardware Authentication Token
Challenge
OpenHaven starts from today's reality, in which most general-purpose computers and mobile devices are infected with malware, and aims to develop techniques to mitigate or tolerate it. It is a considerable challenge. Malware on your computer means that everything you ever type or store in your computer is, in the worst case, immediately given to the adversary. The challenge in malware mitigation is to be able to perform secure computations under such stringent assumptions.

Several attempts at malware mitigation have been proposed for the restricted case of user authentication to remote services. These proposals include two-factor authentication, where the user performs some computation on another device, such as a smartphone, and then types the response into the browser of the authenticating computer. As smartphones and computers become more integrated and synchronised, this solution is vulnerable to coordinated malware that infects both the phone and the computer.

Existing secure tokens are limited to user authentication and very simple data-signing scenarios. They don't solve the more general data authentication problems found in contract and document signing, e-voting, e-commerce, and decryption. They are proprietary and closed-source, making their security hard to evaluate. They have significant usability obstacles, and they are prohibitively costly for individuals and small companies.
Technical Approach
The aim of OpenHaven is to design, develop, and produce an open-design, open-source, cost-effective, usable, re-programmable, verified, dedicated hardware authentication token. The OpenHaven token can be used for authenticating users to web services, but also for authenticating data in applications like signing documents, signing mandates and instructions, e-commerce, and electronic voting. The OpenHaven token will open up a range of possibilities for SMEs and individuals to develop cheap and immediately deployable solutions for a wide variety of user- and data-authentication problems. The workplan is to:
- Develop the hardware architecture and the basic software.
- Implement more complex protocols and build a basic prototype.
- Perform formal analysis in a rigorously defined attacker model.
- Implement countermeasures against side-channel attacks and perform rigorous testing.
Vacancy: Fully funded PhD studentship in Cyber Security
The School of Computer Science at Birmingham is one of the UK's leading computer science departments (ranked as the best UK Comp. Sci. department by the Guardian for 2014). We have a very active security research group and are a GCHQ/EPSRC centre of excellence in cyber security. The project will provide a tax-free stipend of £22,000 per annum for 3.5 years. The project will additionally cover the college fees, provision for a laptop, equipment, software and travel to attend conferences and summer schools.
- The candidate MUST be a UK citizen. The studentship is sponsored by the Government Communications Headquarters (GCHQ) and the student may be invited to spend 2-4 weeks per year visiting GCHQ. Therefore, to be considered for this studentship, the candidate must be able to apply for UK security clearance.
- The ideal candidate will have a strong background in computer science, computer security, low-level programming and/or formal methods. Experience in embedded programming, Arduino development, etc. will be a plus.
How to Apply:
To apply in the first instance you should send:
- your CV;
- a transcript with a list of all your courses and grades; and
- a description of your research interests and motivation.