We use cookies on this site. By browsing our site you agree to our use of cookies. Close this message Find out more

More in this section Prospective PhD Students

Potential PhD Projects

The Information Security Group welcomes applications from prospective PhD students wishing to propose their own research projects or who wish to develop a detailed project in conjunction with their supervisor. This is the "normal" mode of application for PhD students.

However, we also welcome applications from prospective students wishing to work on specific topics or projects of particular interest to members of the ISG faculty.  A list of such projects and suggested research topics is provided below.  Prospective applicants with interest in any of these projects are encouraged to contact the listed supervisor directly, either before or in parallel with making a formal application to the college admissions office.

Note: these projects are provided as guidance for applicants who wish to enter the PhD programme with a developed project plan. In particular, unless explicitly stated in their description, the projects below do not necessarily include funding for the corresponding successful candidates.

1. Group-based cryptography

Supervisor: Professor Simon Blackburn

Over the past 10 years, various proposals have attempted to use group theory to construct secure cryptosystems. Most of these proposals have either been broken or are currently impractical, but there are many interesting combinatorial and computational problems that remain.

The project would aim to understand and then break one or more group-based cryptosystems, or to explore some of the pure combinatorial and computational problems motivated by the cryptographic applications. To be successful on this project, a good undergraduate mathematics degree is essential, including a sound knowledge of undergraduate group theory and general algebra. Some knowledge of Mathematica, Maple, Sage or a similar system, and a knowledge of combinatorics, is desirable but not essential.

References: S.R. Blackburn, C. Cid and C. Mullan, 'Group theory in cryptography', Groups St Andrews 2009 in Bath, Volume 1, C.M. Campbell, M.R. Quick, E.F. Robertson, C.M. Roney-Dougal, G.C. Smith and G. Traustason (Eds) (Cambridge University Press, Cambridge, 2011) 133-149. See http://arxiv.org/abs/0906.5545.

2. Authorization in workflow systems

Supervisor: Professor Jason Crampton

Many modern business processes are automated and can be modeled as workflows in which each business process is decomposed into a number of different tasks.  A variety of constraints may be imposed on those tasks: we may restrict the order in which those tasks are performed; we may specify which users are authorized to perform particular tasks; and we may encode business rules as constraints on the users who execute particular subsets of tasks.  

The existence of such constraints gives rise to many interesting modelling and computational questions.  To what extent can we encode business rules and statutory requirements on business information processing as constraints on workflow tasks?  What are the most appropriate ways of representing workflows in order to capture real-world requirements?  What questions can we now ask about the resulting representations?  What algorithms can be developed for solving these problems?  What are the computational complexities of those algorithms and do efficient approximate algorithms exist for those questions that are computationally hard to answer?  

3. Cryptographic enforcement of authorization policies

Supervisor: Professor Jason Crampton

An essential part of computer security is the specification and enforcement of authorization policies, which define which interactions between (authenticated) users and (protected) resources are permitted (and which are prohibited).  The enforcement of authorization policies typically relies on the implementation of a trusted software component that intercepts all attempted interactions and determines whether they are authorized before releasing the target resource to the requesting user.  

An alternative approach - which requires fewer assumptions about the security of the storage environment - is to encrypt resources and to restrict access to those resources by providing users with the appropriate cryptographic keys.  This approach gives rise to several questions.  Which application areas are suitable for cryptographically-enforced access control?  What authorization policies can be enforced efficiently using cryptographic techniques?  What security properties and security models are appropriate and what cryptographic primitives can achieve the desired properties?

4. Relationship-based access control

Supervisor: Professor Jason Crampton

An authorization policy is used to determine whether an interaction between a user and a resource is permitted.  There are very few generic models for authorization policies, the most important being those based on a protection matrix, information flow and roles.  Recent research, partly inspired by the extremely rapid growth in the use of social networks and peer-to-peer networks, has suggested that the relationship between the user and the resource is the most relevant criterion for deciding whether an interaction should be permitted.  In some ways, this can be regarded as a natural generalization of the owner-group-world permission model familiar to Unix users.  So called relationship-based access control is an emerging area of research with many potential lines of enquiry, both at the theoretical and practical level, and has many possible applications.

5. Identity management

Supervisor: Professor Chris Mitchell

Recent years have seen a significant number of proposals for identity management systems capable of greatly simplifying the task of user authentication to, and user authorisation at, web service providers.

Examples of such systems include OAuth 2.0, OpenID Connect, CardSpace, Liberty/Kantara, OpenID, SAML and Shibboleth. Apart from OAuth, OpenID Connect and OpenID, all of which have relatively limited support for privacy, for a variety of reasons such systems have not had the expected practical impact, despite their obvious security and privacy advantages.

This issue has been addressed in work by three recent research students at Royal Holloway, namely Waleed Alrodhan, Haitham Al-Sinani and Wanpeng Li, who have focussed on removing some of the obstacles to greater adoption of identity management systems (including such issues as interoperability and system scope), and looking at real world vulnerabilities in deployed systems. A previous PhD student, Andreas Pashalidis, also examined practical identity management issues, in his case focussing on supporting Internet single sign-on. There is scope for a wide range of further research in this area, which remains a highly important topic in both academia and in practice.

Relevant joint publications on identity management by the above-referenced students can be found here.

6. Trusted computing

Supervisors: Dr Allan Tomlinson and Professor Chris Mitchell

We are interested in new research projects in a broad range of areas relating to trusted computing and its applications. We have an established record of research in trusted computing, dating back to 2003, and in the summer of 2010 we hosted the European Trusted Infrastructure Summer School (ETISS 2010). We are particularly interested in the following research areas:

  • trusted computing and virtualization;
  • trusted computing and mobile devices - use and application of MTMs;
  • new directions for trusted computing, focussing on the new application possibilities supported by TPM v2.0
  • trusted computing as a universal security infrastructure, i.e. considering ways in which the ubiquitous deployment of trusted computing can help bootstrap new possibilities for personal and enterprise security.

We are also happy to take on research students looking at other aspects of trusted computing.

7. MACs: theory and practice

Supervisor: Professor Chris Mitchell

Message Authentication Codes (MACs) have been a fundamentally important cryptographic primitive in commercial applications for 30 years, and they remain of vital importance today. Despite their wide use, it is interesting to observe that practice and theory have diverged widely in recent years. For example, whilst a well-developed theory for MACs constructed from block ciphers exists (notably for so called CBC-MACs), schemes favoured by theory have by no means replaced previously used schemes such as the ANSI retail MAC. This latter scheme appears to offer a reasonable level of security (which explains its continued use) but lacks any formal security proof. This project seeks to reconcile this and other differences between theory and practice by developing the theory and also considering practical cryptanalysis.

Relevant publications on MAC security by Chris Mitchell can be found here.

Smart Card Centre (SCC) PhD projects.

The SCC supervises PhD projects in the area of applied security and systems. Most of the projects are industry inspired and in some cases supported by funding from our Industry Members. A small selection of proposed SCC PhD projects is found below: for full list of projects, please visit the SCC project page.

Note that for the projects below, there is limited funding, mainly in the form of full-time PhD EU/Home fees, to be offered. Please request more information when you contact the potential supervisor Professor Konstantinos Markantonakis.

1. Mobile Devices

Supervisor: Professor Konstantinos Markantonakis

We are interested in a broad range of new research projects relating to mobile devices, their security and applications. The spread and use of mobile devices, including mobile phones and tablets, has proliferated over the last few years. Although these devices offer powerful execution and communication capabilities, at the same time, it is one of their greatest advantages, i.e. portability, which poses significant risks. This thread of research effort involves the identification of these critical challenges in an attempt to propose efficient solutions. In particular, we are interested in the following areas:

  • Mobile device malware and botnets. Modern mobile devices present close resemblance to traditional computing environments. It is evident that traditional challenges (e.g. viruses, root-kits and malware) will attempt to find their place into these “new” and more-or-less always connected to the internet devices. The project should investigate ways in which mobile devices can be infected with malware and propose adequate countermeasures. The work should extend into the design and implementation of desired functionality, based on the above principles of root-kits and mobile agents that will improve the overall security of these devices.
  • Investigate whether applications and services fulfill their pre-download claims after they are downloaded in these devices. For example, a number of applications state their requirements in terms of access to services and personal data (e.g. call lists, contacts, sms, diary) when they are about to be downloaded. This should form a “contract” between the application and the underlying platform. This work should examine how this notion of “contracts” can be formalised, enforced and extended to cover other cases as well.

2. Financial Systems and Payment Cards

Supervisor: Professor Konstantinos Markantonakis

The Europay-MasterCard-Visa (EMV) standard has played a crucial role in the provision of a unified, relatively secure and robust infrastructure for chip based payment transactions. EMV is widely adopted across the globe as the interoperable standard for card based payments. Since its adoption (in the so called Chip-and-PIN programme) in the UK, there has been a dramatic fall in card present transaction fraud levels. However, over the last few years, a number of EMV protocol weaknesses have come into light which, if exploited, may have the effect of undermining consumer confidence in the payment technology. At the same time new payment vehicles, e.g. contactless cards, mobile phones, Near Field Communications (NFC), peer-to-peer payment protocols have reached maturity and they have been deployed in a number of real world environments. This project will investigate the critical aspects of “card” based payment standards including:

  • EMV payment specifications against known, assumed vulnerabilities.
  • The use of contactless, mobile/NFC devices as the underlying payment platform.
  • Explore countermeasures against a number of practical and theoretical attacks, including relay attacks.
  • Identify new innovative ways in which payments can be linked with delivery of physical and digital products.

Funding: The offer is for a full time student and UK/EU fees will be paid by the ISG Smart Card Centre (SCC). Additionally, an assistantship (value £7,000 per annum) will be offered.


Comment on this page

Did you find the information you were looking for? Is there a broken link or content that needs updating? Let us know so we can improve the page.

Note: If you need further information or have a question that cannot be satisfied by this page, please call our switchboard on +44 (0)1784 434455.

This window will close when you submit your comment.

Add Your Feedback