Faculty of Engineering, Built Environment and Information Technology
School of Information Technology
Department of Computer Science
Selected Highlights from Research Findings
The project aims to create an architecture that allows a single smart card to be used as an authentication token for multiple applications, as opposed to a single application in the way smart cards are currently used. Specifically, an architecture and a protocol were created that allow the smart card to be used dynamically with multiple applications, in conjunction with a trusted third party (TTP), without requiring the smart card to be previously enrolled for use with a new application. However, for the authentication to be successful, the person using the smart card must already have been registered with the application. For example, the TTP issues the smart card to the user. The smart card can be used as a digital ID document as well as for any commercial transactions. In a commercial transaction, the user can, say, visit any store to buy goods from the merchant. The protocol makes use of secure transactions to allow the user to transact with an entity, e.g. a bank, to make a payment to the merchant, provided the bank is also registered with the TTP. The great advantage is that the smart card need not be registered at the entity (bank), saving immensely on additional administration and overhead. A prototype has been developed to show that it is possible to access any application using the person's ID number as identification and a PIN as authentication. The architecture makes it impossible to perform replay and other traditional attacks that are possible with credit cards and other current electronic transactions. Furthermore, it protects the person's privacy while accessing the various applications. In order to render any transaction safe, the architecture also allows for robustness in the event of communication failures.
Contact person: Prof JHP Eloff.
Secure transfer of information to and from mobile devices is a vital part of our daily lives. However, the cryptography solutions on offer today are too complex to understand, or non-existent on certain mobile platforms due to resource constraints. We developed the Linca cryptography framework, which can be used to ensure effective and simple application of cryptography within the resource constraints of mobile devices. The overall design of Linca was shown to be superior to that of two well-known cryptography packages, namely Bouncy Castle and the Security and Trust Services API. On top of Linca, we developed an SMS message encryption service, SMSSec. SMSSec is secure, easy to implement, has low computation needs, and does not store secret cryptographic keys. SMSSec has a two-phase protocol, with the nth handshake being completed in two handshakes, making SMSSec one of the security protocols requiring the fewest handshakes in the world. Performance analysis showed that the encryption speed on the mobile device is faster than the duration of the transmission. To achieve security in the mobile enterprise environment, this is deemed a very acceptable overhead. Linca and SMSSec are implemented in Java and C# and have been successfully executed on J2ME/MIDP-enabled smartphones and Windows Mobile 5 Pocket PCs. SMSSec can also be used to secure data transferred over TCP/IP.
For this work, Johnny Lo received the 2007 S2A3 Bronze Medal for the best MSc thesis at the University of Pretoria.
Contact person: Prof JM Bishop.
The South African address standard development started in June 2006, and the working draft of the standard is now ready to be distributed to the standards committee for comments. Support from AfriGis and Thrip is gratefully acknowledged. The work on the standard contributes to the understanding of what an address is in SA; it shows the value of an address to society, the economy and governance; and, on a technical level, it provides for the first time a data model to store all types of South African addresses. This is relevant to any organization that stores an address for a customer or client in a database, and if an organization implements this data model, the quality of the customer address data can be improved considerably. Some information (albeit a bit technical) about the standard is at http://www.cs.up.ac.za/~scoetzee/sans1883/.
Contact person: Ms SM Coetzee.