Spring 2020

Note: Cybersecurity Masters students should carefully consider themselves if projects will meet the requirements of their course, and must clearly indicate that they are in the Cybersecurity program when contacting the project advisor. In some cases, the advisor may be open to adapting the project to meet the requirements of your program, but you will need to propose these adaptations yourself. Thank you for your understanding.

Implementation of an intuitive and insightful blockchain explorer (Bachelor/Master Semester)

Abstract

Using a blockchain often comes with a claim that everything is suddenly transparent and verifiable forever. While this statement remains true, it is in practice rare for users to actually verify the content of a blockchain and assert that a claimed state is true. It is also hard to see how the intrinseque mechanism of the blockchain works, ie. what is the content of each cryptographically linked block and how they participate in evolving the state of the blockchain. We think that part of this problem can be solved by offering the adequate tool, which comes as a “blockchain explorer”.

In this project you will implement a tool that can parse and display insightful information about a blockchain. This tool should provide an easy way for users to see and understand what’s inside a blockchain by offering an intuitive and powerful user interface. This tool would be implemented for the cothority blockchain (Byzcoin), which is a variant of a traditional blockchain developed by the DEDIS lab. A good example of a blockchain visualizer can be found at http://ethviewer.live.
This project request a strong interest in front-end development and usability/UX.

Contact: Noémien Kocher

Traffic Analysis of Encrypted Video and Audio Streaming (Master Semester)

Abstract

Most of video and audio streaming services that people use nowadays, such as Netflix, Hulu or Spotify, encrypt their streaming traffic. The two main reasons are DRM and privacy of their users’ choices. However, it turns out that sole encryption is often insufficient to provide privacy protection. An attacker might be able to identify what horror movies a user watches or what songs from 80s she listens to, by observing patterns of the encrypted traffic.

In this project, you will study techniques for analyzing encrypted media traffic, replicate existing attacks, implement novel defenses and then evaluate the efficiency of these defenses.

The requirements are basic knowledge of some scripting language, e.g., Python, and of networking. Familiarity with machine learning is preferable.

Contact: Kirill Nikitin

Browser Plugin for Anonymous and Secure Email Communication (Bachelor / Master Semester)

Abstract

Emails are still one of the most dominant ways for business and academic communication nowadays, but the email protocols do not provide any data protection by default. While OpenPGP is currently a de-facto standard for encrypting email content, it leaks important metadata in plain text, such as identities of recipients,  encryption algorithms used and an actual length of the content. In addition to deanonymizing the communicating parties, it can lead to various problems, as breaking archived-for-years emails due to a discovered vulnerability in an encryption algorithm or inferring the results of an email exchange by the content length.

In DEDIS, we have designed a novel technique that enables encoding encrypted data and its related metadata as a uniform random string, only comprehensible by the intended recipient. The goal of this master project is to develop a browser plugin for anonymous and secure email communication using the designed technique. The starting point can be an open-source PGP plugin, like Mailvelope or E2Email, where the PGP part will be substituted.

Substantial knowledge of JavaScript is required for this project.

Contact: Kirill Nikitin

Decentralised witnessing for safely working around app censorship (Bachelor Semester)

Abstract

Centralised app stores and source code repositories create a risk of censorship for publishers of tools that enable populations to coordinate their resistance to government policies. A simplistic citizen response to such censorship might be to side-load the censored app, but that opens them up to serious risks, not least that the censoring government might be motivated to circulate compromised versions of the app in order to target protesters.

A good long-term goal would be to decentralise app stores, but perhaps a useful immediate step would be to use decentralised witnessing to make it safer for citizens to opt-in to side-loading apps which have recently been censored by an app store.

Your task will be to propose and implement a proof of concept of a way that someone who wants to side-load a censored app can be protected from the risk that the side-loaded app has been modified from the last known good version, before it was censored.

Contact: Jeff Allen

Hacking sovereign identity (Bachelor Semester, Master Semester)

Abstract

Sovereign identity systems are a useful component of distributed and decentralised systems. Leveraging an existing digital identity ecosystem could make systems easier to use. But at what cost to the security of the system?

You will analyse an existing production-quality sovereign identity system in order to identify the components, and the claimed threat model that each need to withstand. Then you will target one or more of them, using industry standard auditing, fuzzing, and other hacking techniques. You will report your findings in accordance with industry standard responsible disclosure procedures.

Contact: Jeff Allen

Implementing a Decentralised Identity mobile wallet (Bachelor Semester)

Abstract

Existing wallet apps for decentralised identity (DID) technologies have problems with build stability, language choice, and debug-ability. Your task will be to prove that the various standards in development by the W3C and the Hyperledger Aries working group can be implemented in modern languages well adapted to native mobile development like Swift, Kotlin or Dart.

You will insure that TPMs are used to hold secret key material, and that other best practices from your chosen platform are followed. You will demonstrate your work with a series of checkpoints, showing how modern software is built via iterative development.

Previous experience with iOS or Android development will be necessary to undertake this project. No experience with DIDs is required.

Contact: Jeff Allen