Raja Naeem Akram | Royal Holloway, University of London (original) (raw)

Papers by Raja Naeem Akram

Research paper thumbnail of Binding Hardware and Software to Prevent Firmware Modification and Device Counterfeiting

Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security - CPSS '16, 2016

Research paper thumbnail of Challenges of security and trust of mobile devices as digital avionics component

2016 Integrated Communications Navigation and Surveillance (ICNS), 2016

Research paper thumbnail of Remote attestation mechanism for embedded devices based on physical unclonable functions

Research paper thumbnail of Enhancing Java Runtime Environment for Smart Cards Against Runtime Attacks

Lecture Notes in Computer Science, 2015

Research paper thumbnail of A Set of Efficient Privacy Protection Enforcing Lightweight Authentication Protocols for Low-Cost RFID Tags

2015 IEEE Trustcom/BigDataSE/ISPA, 2015

Research paper thumbnail of Let’s Get Mobile: Secure FOTA for Automotive System

Lecture Notes in Computer Science, 2015

Research paper thumbnail of Don't Brick Your Car: Firmware Confidentiality and Rollback for Vehicles

2015 10th International Conference on Availability, Reliability and Security, 2015

Research paper thumbnail of Enhancing EMV Online PIN Verification

2015 IEEE Trustcom/BigDataSE/ISPA, 2015

Research paper thumbnail of Challenges of security and trust in Avionics Wireless Networks

2015 IEEE/AIAA 34th Digital Avionics Systems Conference (DASC), 2015

Research paper thumbnail of Recovering from a lost digital wallet: A smart cards perspective extended abstract

Pervasive and Mobile Computing, 2015

Research paper thumbnail of A Novel Consumer-Centric Card Management Architecture and Potential Security Issues

Multi-application smart card technology has gained momentum due to the Near Field Communication (... more Multi-application smart card technology has gained momentum due to the Near Field Communication (NFC) and smart phone revolution. Enabling multiple applications from different application providers on a single smart card is not a new concept. Multi-application smart cards have been around since the late 1990s; however, uptake was severely limited. NFC has recently reinvigorated the multi-application initiative and this time around a number of innovative deployment models are proposed. Such models include Trusted Service Manager (TSM), User Centric Smart Card Ownership Model (UCOM) and GlobalPlatform Consumer-Centric Model (GP-CCM). In this paper, we discuss two of the most widely accepted and deployed smart card management architectures in the smart card industry: GlobalPlatform and Multos. We explain how these architectures do not fully comply with the UCOM and GP-CCM. We then describe our novel flexible consumer-centric card management architecture designed specifically for the UCOM and GP-CCM frameworks, along with ways of integrating the TSM model into the proposed card management architecture. Finally, we discuss four new security issues inherent to any architecture in this context along with the countermeasures for our proposed architecture.

Research paper thumbnail of Collaborative and Ubiquitous Consumer Oriented Trusted Service Manager

Near Field Communication (NFC) enables a mobile phone to emulate a contactless smart card. This ... more Near Field Communication (NFC) enables a mobile phone to emulate a contactless smart card. This has reinvigorated the multiapplication smart card initiative. Trusted Service Manager (TSM) is an entity that is trusted by all stakeholders in the proposed and trialled NFC-based smart card ecosystem. However, TSM-based models have the potential to create market segregation that might lead to limited or slow adoption. In addition, all major stakeholders (e.g. Telecom and banks) are pushing for their own TSM models and this might hinder deployment. In this paper we present a Collaborative and Ubiquitous Consumer Oriented Trusted Service Manager (CO-TSM)-based model that combines different TSM models while providing scalability to the overall architecture. In addition, our proposal also provides flexibility to both consumers and application providers. To support our proposal, we present a core architecture based on two contrasting approaches: the Issuer Centric Smart Card Ownership Model (ICOM) and the User Centric Smart Card Ownership Model (UCOM). Based on the core architecture, we then describe our proposal for an application download framework and a secure channel protocol. Finally, the implementation experience and performance measurements for the secure channel protocol are discussed.

Research paper thumbnail of Digital Trust - Trusted Computing and Beyond A Position Paper

The 7th IEEE International Symposium on Security, Privacy and Anonymity in Internet of Things (IEEE SpaIoT 2014) in conjunction with The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), Sep 2014

Along with the invention of computers and interconnected networks, physical societal notions like... more Along with the invention of computers and interconnected networks, physical societal notions like security, trust, and privacy entered the digital environment. The concept of digital environments begins with the trust (established in the real world) in the organisation/individual that manages the digital resources. This concept evolved to deal with the rapid growth of the Internet, where it became impractical for entities to have prior offline (real world) trust. The evolution of digital trust took diverse approaches and now trust is defined and understood differently across heterogeneous domains. This paper looks at digital trust from the point of view of security and examines how valid trust approaches from other domains are now making their way into secure computing. The paper also revisits and analyses the Trusted Platform Module (TPM) along with associated technologies and their relevance in the changing landscape. We especially focus on the domains of cloud computing, mobile computing and cyber-physical systems. In addition, the paper also explores our proposals that are competing with and extending the traditional functionality of TPM specifications.

Research paper thumbnail of Unified Model for Data Security - A Position Paper

The 1st International Workshop on the Emerging Future Internet and Network Security (IEEE EFINS 2014) in conjunction with The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), Sep 2014

One of the most crucial components of modern Information Technology (IT) systems is data. It can ... more One of the most crucial components of modern Information Technology (IT) systems is data. It can be argued that the majority of IT systems are built to collect, store, modify, communicate and use data, enabling different data stakeholders to access and use it to achieve different business objectives. The confidentiality, integrity, availability, auditability, privacy, and quality of the data is of paramount concern for end-users ranging from ordinary consumers to multi-national companies. Over the course of time, different frameworks have been proposed and deployed to provide data security. Many of these previous paradigms were specific to particular domains such as military or media content providers, while in other cases they were generic to different verticals within an industry. There is a much needed push for a holistic approach to data security instead of the current bespoke approaches. The age of the Internet has witnessed an increased ease of sharing data with or without authorisation. These scenarios have created new challenges for traditional data security. In this paper, we study the evolution of data security from the perspective of past proposed frameworks, and present a novel Unified Model for Data Security (UMDS). The discussed UMDS reduces the friction from several cross-domain challenges, and has the functionality to possibly provide comprehensive data security to data owners and privileged users.

Research paper thumbnail of Consumer-Centric Protection for Online Social Networks

1st Workshop on Social Network Security (SocialSec 2014) in conjunction with 15th IEEE International Conference on Information Reuse and Integration (IEEE IRI 2014), Aug 11, 2014

Online Social Networks (OSNs) are a unique construct that is shaped by the advancement and availa... more Online Social Networks (OSNs) are a unique construct that is shaped by the advancement and availability of Internet technologies. A large portion of internet users make use of OSN services to share and celebrate their personal lives with friends and family. A substantial proportion of these shared experiences revolve around privacy-sensitive information. The OSN services handling privacy-sensitive information deploy state-of-the-art security and privacy-preserving mechanisms. However, these protections are, to a great extent, not consumer-centric: this is the main focus of this study. In this paper, we define the notion of Consumer-Centric Protection (CCP) for OSNs. In this proposal, the individual user controls how her data can be accessed by her contacts (e.g. friends and family members) and others, thus giving control of user data back to the rightful owner --- the user. This work is still in progress and in this paper we present our preliminary results.

Research paper thumbnail of End-to-End Secure and Privacy Preserving Mobile Chat Application

Eighth Workshop in Information Security Theory and Practice (WISTP 2014), Jun 2014

Since the 1990s, two technologies have reshaped how we see and experience the world around us. Th... more Since the 1990s, two technologies have reshaped how we see and experience the world around us. These technologies are the Internet and mobile communication, especially smartphones. The Internet provides a cheap and convenient way to explore and communicate with distant people. A multitude of services have converged on the smartphone platform, and potentially the most notable is social networking. With increased interconnectivity and use of online services, concerns about consumers' security and privacy are growing. In this paper, we evaluate the security- and privacy-preserving features provided by existing mobile chat services. This paper also puts forwards a basic framework for an End-to-End (E2E) security and privacy-preserving mobile chat service and associated requirements. We implemented the proposal to provide proof-of-concept and evaluate the technical difficulty of satisfying the stipulated security and privacy requirements.

Research paper thumbnail of Rethinking the Smart Card Technology

16th International Conference on Human-Computer Interaction, Jun 2014

Creating security architectures and processes that directly interact with consumers, especially i... more Creating security architectures and processes that directly interact with consumers, especially in consumer electronics, has to take into account usability, user-experience and skill level. Smart cards provide secure services, even in malicious environments, to end-users with a fairly straightforward limited usage pattern that even an ordinary user can easily deal with. The way the smart card industry achieves this is by limiting users' interactions and privileges on the smart cards they carry around and use to access different services. This centralised control has been the key to providing secure and reliable services through smart cards, while keeping the smart cards fairly useable for end-users. However, as smart cards have permeated into every aspect of modern life, users have ended up carrying multiple cards to perform mundane tasks, making smart card-based services a cumbersome experience. User Centric Smart Cards (UCSC) enable users to have all the services they might be accessing using traditional smart cards on a single device that is under their control. Giving "freedom of choice" to users increases their privileges, but the design requirement is to maintain the same level of security and reliability as traditional architectures while giving better user experience. In this paper, we will discuss the challenges faced by the UCSC proposal in balancing security with usability and "freedom of choice", and how it has resolved them.

Research paper thumbnail of Trusted Platform Module for Smart Cards

6th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Mar 2014

Near Field Communication (NFC)-based mobile phone services offer a lifeline to the under-apprecia... more Near Field Communication (NFC)-based mobile phone services offer a lifeline to the under-appreciated multiapplication smart card initiative. The initiative could effectively replace heavy wallets full of smart cards for mundane tasks. However, the issue of the deployment model still lingers on. Possible approaches include, but are not restricted to, the User Centric Smart card Ownership Model (UCOM), GlobalPlatform Consumer Centric Model, and Trusted Service Manager (TSM). In addition, multiapplication smart card architecture can be a GlobalPlatform Trusted Execution Environment (TEE) and/or User Centric Tamper-Resistant Device (UCTD), which provide cross-device security and privacy preservation platforms to their users. In the multiapplication smart card environment, there might not be a prior off-card trusted relationship between a smart card and an application provider. Therefore, as a possible solution to overcome the absence of prior trusted relationships, this paper proposes the Trusted Platform Manager (TPM) concept for smart cards (embedded devices) that can act as a point of reference for establishing the necessary trust between the device and an application provider, and among applications.

Research paper thumbnail of Smart Cards: State-of-the-Art to Future Research Directions

IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2013), Dec 14, 2013

The evolution of smart card technology provides an interesting case study of the relationship and... more The evolution of smart card technology provides an interesting case study of the relationship and interactions between security and business requirements. This paper maps out the milestones for smart card technology, discussing at each step the opportunities and challenges. The paper reviews recently proposed innovative ownership/management models and the security challenges associated with them. The paper concludes with a discussion of possible future directions for the technology, and the challenges these present.

Research paper thumbnail of An Introduction to Java Card Programming

Springer, Sep 2013

Java Cards support a Java virtual machine that interprets code written in a subset of Java langua... more Java Cards support a Java virtual machine that interprets code written in a subset of Java language. This may help programmers with prior knowledge of Java language to program smart cards. However, the programming paradigm of Java Card can be articulated as somewhat different than traditional Java programming. In this chapter, we will provide an introduction to smart card programming using Java Card and the subtleties of a restricted environment on application design.

Research paper thumbnail of Binding Hardware and Software to Prevent Firmware Modification and Device Counterfeiting

Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security - CPSS '16, 2016

Research paper thumbnail of Challenges of security and trust of mobile devices as digital avionics component

2016 Integrated Communications Navigation and Surveillance (ICNS), 2016

Research paper thumbnail of Remote attestation mechanism for embedded devices based on physical unclonable functions

Research paper thumbnail of Enhancing Java Runtime Environment for Smart Cards Against Runtime Attacks

Lecture Notes in Computer Science, 2015

Research paper thumbnail of A Set of Efficient Privacy Protection Enforcing Lightweight Authentication Protocols for Low-Cost RFID Tags

2015 IEEE Trustcom/BigDataSE/ISPA, 2015

Research paper thumbnail of Let’s Get Mobile: Secure FOTA for Automotive System

Lecture Notes in Computer Science, 2015

Research paper thumbnail of Don't Brick Your Car: Firmware Confidentiality and Rollback for Vehicles

2015 10th International Conference on Availability, Reliability and Security, 2015

Research paper thumbnail of Enhancing EMV Online PIN Verification

2015 IEEE Trustcom/BigDataSE/ISPA, 2015

Research paper thumbnail of Challenges of security and trust in Avionics Wireless Networks

2015 IEEE/AIAA 34th Digital Avionics Systems Conference (DASC), 2015

Research paper thumbnail of Recovering from a lost digital wallet: A smart cards perspective extended abstract

Pervasive and Mobile Computing, 2015

Research paper thumbnail of A Novel Consumer-Centric Card Management Architecture and Potential Security Issues

Multi-application smart card technology has gained momentum due to the Near Field Communication (... more Multi-application smart card technology has gained momentum due to the Near Field Communication (NFC) and smart phone revolution. Enabling multiple applications from different application providers on a single smart card is not a new concept. Multi-application smart cards have been around since the late 1990s; however, uptake was severely limited. NFC has recently reinvigorated the multi-application initiative and this time around a number of innovative deployment models are proposed. Such models include Trusted Service Manager (TSM), User Centric Smart Card Ownership Model (UCOM) and GlobalPlatform Consumer-Centric Model (GP-CCM). In this paper, we discuss two of the most widely accepted and deployed smart card management architectures in the smart card industry: GlobalPlatform and Multos. We explain how these architectures do not fully comply with the UCOM and GP-CCM. We then describe our novel flexible consumer-centric card management architecture designed specifically for the UCOM and GP-CCM frameworks, along with ways of integrating the TSM model into the proposed card management architecture. Finally, we discuss four new security issues inherent to any architecture in this context along with the countermeasures for our proposed architecture.

Research paper thumbnail of Collaborative and Ubiquitous Consumer Oriented Trusted Service Manager

Near Field Communication (NFC) enables a mobile phone to emulate a contactless smart card. This ... more Near Field Communication (NFC) enables a mobile phone to emulate a contactless smart card. This has reinvigorated the multiapplication smart card initiative. Trusted Service Manager (TSM) is an entity that is trusted by all stakeholders in the proposed and trialled NFC-based smart card ecosystem. However, TSM-based models have the potential to create market segregation that might lead to limited or slow adoption. In addition, all major stakeholders (e.g. Telecom and banks) are pushing for their own TSM models and this might hinder deployment. In this paper we present a Collaborative and Ubiquitous Consumer Oriented Trusted Service Manager (CO-TSM)-based model that combines different TSM models while providing scalability to the overall architecture. In addition, our proposal also provides flexibility to both consumers and application providers. To support our proposal, we present a core architecture based on two contrasting approaches: the Issuer Centric Smart Card Ownership Model (ICOM) and the User Centric Smart Card Ownership Model (UCOM). Based on the core architecture, we then describe our proposal for an application download framework and a secure channel protocol. Finally, the implementation experience and performance measurements for the secure channel protocol are discussed.

Research paper thumbnail of Digital Trust - Trusted Computing and Beyond A Position Paper

The 7th IEEE International Symposium on Security, Privacy and Anonymity in Internet of Things (IEEE SpaIoT 2014) in conjunction with The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), Sep 2014

Along with the invention of computers and interconnected networks, physical societal notions like... more Along with the invention of computers and interconnected networks, physical societal notions like security, trust, and privacy entered the digital environment. The concept of digital environments begins with the trust (established in the real world) in the organisation/individual that manages the digital resources. This concept evolved to deal with the rapid growth of the Internet, where it became impractical for entities to have prior offline (real world) trust. The evolution of digital trust took diverse approaches and now trust is defined and understood differently across heterogeneous domains. This paper looks at digital trust from the point of view of security and examines how valid trust approaches from other domains are now making their way into secure computing. The paper also revisits and analyses the Trusted Platform Module (TPM) along with associated technologies and their relevance in the changing landscape. We especially focus on the domains of cloud computing, mobile computing and cyber-physical systems. In addition, the paper also explores our proposals that are competing with and extending the traditional functionality of TPM specifications.

Research paper thumbnail of Unified Model for Data Security - A Position Paper

The 1st International Workshop on the Emerging Future Internet and Network Security (IEEE EFINS 2014) in conjunction with The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), Sep 2014

One of the most crucial components of modern Information Technology (IT) systems is data. It can ... more One of the most crucial components of modern Information Technology (IT) systems is data. It can be argued that the majority of IT systems are built to collect, store, modify, communicate and use data, enabling different data stakeholders to access and use it to achieve different business objectives. The confidentiality, integrity, availability, auditability, privacy, and quality of the data is of paramount concern for end-users ranging from ordinary consumers to multi-national companies. Over the course of time, different frameworks have been proposed and deployed to provide data security. Many of these previous paradigms were specific to particular domains such as military or media content providers, while in other cases they were generic to different verticals within an industry. There is a much needed push for a holistic approach to data security instead of the current bespoke approaches. The age of the Internet has witnessed an increased ease of sharing data with or without authorisation. These scenarios have created new challenges for traditional data security. In this paper, we study the evolution of data security from the perspective of past proposed frameworks, and present a novel Unified Model for Data Security (UMDS). The discussed UMDS reduces the friction from several cross-domain challenges, and has the functionality to possibly provide comprehensive data security to data owners and privileged users.

Research paper thumbnail of Consumer-Centric Protection for Online Social Networks

1st Workshop on Social Network Security (SocialSec 2014) in conjunction with 15th IEEE International Conference on Information Reuse and Integration (IEEE IRI 2014), Aug 11, 2014

Online Social Networks (OSNs) are a unique construct that is shaped by the advancement and availa... more Online Social Networks (OSNs) are a unique construct that is shaped by the advancement and availability of Internet technologies. A large portion of internet users make use of OSN services to share and celebrate their personal lives with friends and family. A substantial proportion of these shared experiences revolve around privacy-sensitive information. The OSN services handling privacy-sensitive information deploy state-of-the-art security and privacy-preserving mechanisms. However, these protections are, to a great extent, not consumer-centric: this is the main focus of this study. In this paper, we define the notion of Consumer-Centric Protection (CCP) for OSNs. In this proposal, the individual user controls how her data can be accessed by her contacts (e.g. friends and family members) and others, thus giving control of user data back to the rightful owner --- the user. This work is still in progress and in this paper we present our preliminary results.

Research paper thumbnail of End-to-End Secure and Privacy Preserving Mobile Chat Application

Eighth Workshop in Information Security Theory and Practice (WISTP 2014), Jun 2014

Since the 1990s, two technologies have reshaped how we see and experience the world around us. Th... more Since the 1990s, two technologies have reshaped how we see and experience the world around us. These technologies are the Internet and mobile communication, especially smartphones. The Internet provides a cheap and convenient way to explore and communicate with distant people. A multitude of services have converged on the smartphone platform, and potentially the most notable is social networking. With increased interconnectivity and use of online services, concerns about consumers' security and privacy are growing. In this paper, we evaluate the security- and privacy-preserving features provided by existing mobile chat services. This paper also puts forwards a basic framework for an End-to-End (E2E) security and privacy-preserving mobile chat service and associated requirements. We implemented the proposal to provide proof-of-concept and evaluate the technical difficulty of satisfying the stipulated security and privacy requirements.

Research paper thumbnail of Rethinking the Smart Card Technology

16th International Conference on Human-Computer Interaction, Jun 2014

Creating security architectures and processes that directly interact with consumers, especially i... more Creating security architectures and processes that directly interact with consumers, especially in consumer electronics, has to take into account usability, user-experience and skill level. Smart cards provide secure services, even in malicious environments, to end-users with a fairly straightforward limited usage pattern that even an ordinary user can easily deal with. The way the smart card industry achieves this is by limiting users' interactions and privileges on the smart cards they carry around and use to access different services. This centralised control has been the key to providing secure and reliable services through smart cards, while keeping the smart cards fairly useable for end-users. However, as smart cards have permeated into every aspect of modern life, users have ended up carrying multiple cards to perform mundane tasks, making smart card-based services a cumbersome experience. User Centric Smart Cards (UCSC) enable users to have all the services they might be accessing using traditional smart cards on a single device that is under their control. Giving "freedom of choice" to users increases their privileges, but the design requirement is to maintain the same level of security and reliability as traditional architectures while giving better user experience. In this paper, we will discuss the challenges faced by the UCSC proposal in balancing security with usability and "freedom of choice", and how it has resolved them.

Research paper thumbnail of Trusted Platform Module for Smart Cards

6th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Mar 2014

Near Field Communication (NFC)-based mobile phone services offer a lifeline to the under-apprecia... more Near Field Communication (NFC)-based mobile phone services offer a lifeline to the under-appreciated multiapplication smart card initiative. The initiative could effectively replace heavy wallets full of smart cards for mundane tasks. However, the issue of the deployment model still lingers on. Possible approaches include, but are not restricted to, the User Centric Smart card Ownership Model (UCOM), GlobalPlatform Consumer Centric Model, and Trusted Service Manager (TSM). In addition, multiapplication smart card architecture can be a GlobalPlatform Trusted Execution Environment (TEE) and/or User Centric Tamper-Resistant Device (UCTD), which provide cross-device security and privacy preservation platforms to their users. In the multiapplication smart card environment, there might not be a prior off-card trusted relationship between a smart card and an application provider. Therefore, as a possible solution to overcome the absence of prior trusted relationships, this paper proposes the Trusted Platform Manager (TPM) concept for smart cards (embedded devices) that can act as a point of reference for establishing the necessary trust between the device and an application provider, and among applications.

Research paper thumbnail of Smart Cards: State-of-the-Art to Future Research Directions

IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2013), Dec 14, 2013

The evolution of smart card technology provides an interesting case study of the relationship and... more The evolution of smart card technology provides an interesting case study of the relationship and interactions between security and business requirements. This paper maps out the milestones for smart card technology, discussing at each step the opportunities and challenges. The paper reviews recently proposed innovative ownership/management models and the security challenges associated with them. The paper concludes with a discussion of possible future directions for the technology, and the challenges these present.

Research paper thumbnail of An Introduction to Java Card Programming

Springer, Sep 2013

Java Cards support a Java virtual machine that interprets code written in a subset of Java langua... more Java Cards support a Java virtual machine that interprets code written in a subset of Java language. This may help programmers with prior knowledge of Java language to program smart cards. However, the programming paradigm of Java Card can be articulated as somewhat different than traditional Java programming. In this chapter, we will provide an introduction to smart card programming using Java Card and the subtleties of a restricted environment on application design.