Trusted computing and systems

We can use hardware to make systems more secure; however, adding extra hardware is costly and can make the system inflexible. Since security is an evolving problem – where attackers compete to find flaws and vulnerabilities in defensive mechanisms – inflexibility can be a real issue. We are working to design security mechanisms that provide some flexibility and can still be cheaply implemented in hardware.

Projects

TimeTrust (Robust Timing via Hardware Roots of Trust and Non-standard Hardware)

In our TimeTrust project, we are using and building on the cryptographic functionalities of hardware roots of trust, such as Trusted Platform Modules, to create more secure real-life protocols, including contactless payments and timing/distance-dependent authentication.

For instance, in contactless payments, fraud can take the form of payments made when the payee and payment terminal are not in proximity. This project examines these issues and proposes solutions based on hardware roots of trust, accompanied by formal treatments of security and practical assessments. The TimeTrust solutions are designed to be easy to re-deploy in existing infrastructures, and developed in collaboration with major players in the electronic-payment market.

In the same area, a GCHQ-funded PhD studentship is currently being undertaken to investigate the cryptographic design and provable security of contactless Europay, Mastercard and Visa (EMV) payment systems.

ASTRID (AddreSsing ThReats for virtualIseD services)

Cloud-based services often follow the same logical structure as private networks, with the lack of physical boundaries and dependence on a third party’s infrastructural security mechanisms often undermining confidence in the overall security level of virtualised applications.

Prompted by this growing trend, the ASTRID project aims to build situational awareness for virtualised services to facilitate the detection of sophisticated cyber-attacks and prompt an automated response. This would effectively shift the responsibility for security, privacy and trustworthiness from developers or end users to service providers. It would foster the transition to novel microservices architectures that can support unified access and encryption management, correlation of events and information among different services/applications, and support for legal interception and forensics investigation.

In this project, the focus is on detecting vulnerabilities and threats in individual applications as well as across the entire service graph, and also establishing trusted microservices. The novelty lies in decoupling detection algorithms from monitoring and inspection tasks, seeking better integration with virtualisation frameworks.

  • Budget: €3m
  • Funding body: EU H2020
  • Centre lead: Dr Mark Manulis
  • Co-investigator: Professor Steve Schneider
  • Partners: Ericsson, Consorzio Nazionale Interuniversitario per le Telecomunicazioni, Infocom, Politecnico di Torino, Technische Universitaet Berlin, Danmarks Tekniske Universitet (DK), Agentscape and GIOUMPITEK MELETI SCHEDIASMOS YLOPOIISI KAI POLISI ERGON PLIROFORIKIS ETAIREIA PERIORISMENIS EFTHYNIS
  • Timeframe: 2018 - 2021.

FUTURE TPM (Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module)

Under the technical lead of the University of Surrey, a consortium of 15 academic and industry partners from across Europe are researching a Quantum-Resistant (QR) TPM - a hardware chip which is used as a ‘root of trust’ for a computing system.

The aim is to develop QR crypto algorithms that can be used in a new generation of TPM-based solutions to enable security when quantum computers become reality – which could be as little as 15 years away.

Three use cases are being developed to test the algorithms in sectors where privacy and security are crucial: online banking, activity tracking in healthcare, and device management.

  • Budget: €5m
  • Funding: EU H2020
  • Centre lead: Professor Liqun Chen
  • Co-investigators: Dr Kaitai Liang
  • Consortium partners: TECHNIKON, UBITECH, IBM Research, Infineon Technologies, Suite5 Data Intelligence Solutions, INESC-ID, Huawei Technologies, VIVA Payment Services SA, Royal Holloway, University of London, University of Birmingham, Universite du Luxembourg, University of Piraeus Research Center, Technical University of Denmark
  • Timeframe: 2018 - 2021.