Dr Steven J. Murdoch

[ Portrait photographer Roland Eva | More photos ]

I am a researcher in the Security Group of the University of Cambridge, based in the Computer Laboratory, a fellow of Christ's College, and a member of the Tor project.

Some of my writings can be found on the Security Group blog: Light Blue Touchpaper.

Cambridge students may be interested in my Part II project proposals.

[ follow me on Identi.ca ]

News and Updates

05 March 2013
Added slides for my invited talk at OWASP Belgium: “Banking security: attacks and defences”.

17 January 2013
Added “How Certification Systems Fail: Lessons from the Ware Report”, which appeared in the Nov/Dec 2012 edition of IEEE Security & Privacy.

12 September 2012
Added slides for my invited talk at CHES 2012: “Banking security: attacks and defences”.

11 September 2012
Added “Chip and Skim: cloning EMV cards with the pre-play attack”, the paper accompanying my invited talk at CHES 2012.

22 September 2011
Added “Wall 2.0”, an article published in The European, in both German and the original English.

[ older news ]

Professional activities

Program committee member

CCS 2011

18th ACM Conference on Computer and Communications Security, 17–21 October 2011, Chicago, IL, US. Submission deadline: 6 May 2011 (see CFP for details).

ESORICS 2011

16th European Symposium on Research in Computer Security, 12–14 September 2011, Leuven, BE. Submission deadline: 21 March 2011.

PETS 2011

11th Privacy Enhancing Technologies Symposium (PETS), 27–29 July 2011, Waterloo, ON, Canada. Submission deadline: 28 February 2011 (see CFP for details).

General chair

Financial Cryptography 2011

Financial Cryptography and Data Security '11, 15th International Conference, 28 February–4 March 2011, St. Lucia. Organized by the International Financial Cryptography Association.

Previous programme committee membership

ACM Conference on Computer and Communications Security: 2007, 2008, 2010.

Privacy Enhancing Technologies Symposium (PETS): 2007, 2008, 2009.

Financial Cryptography and Data Security (FC): 2010.

Workshop on Privacy in the Electronic Society (WPES): 2006, 2007, 2009.

ACM Symposium on Applied Computing (Computer Security track): 2007.

Workshop on Foundations of Security and Privacy (FCS-PrivMod): 2010.

FIDIS/IFIP Internet Security & Privacy Summer School: 2008.

Journal reviewing

Includes IEEE Transactions on Dependable and Secure Computing (2009), ACM Transactions on Information and System Security (2008), IEEE Transactions on Software Engineering (2008), IEEE/ACM Transactions on Networking (2007), IEEE Security & Privacy (2007), The Triple Helix (2008), Identity in the Information Society (2008).

Consultancy

For information on my availability for consultancy or expert witness work, please contact me.

Research interests

• Side-channels, covert channels, watermarking and steganography
• Operating system and network security
• Data collection and visualisation techniques
• Software engineering, maintainability and reverse-engineering
• Cryptography and security protocols
• Distributed databases, filesystems and versioning
• Smartcards and financial security
• Privacy, anonymity and traffic analysis
• Structured information formats (XML, SGML, LDAP, etc.) and markup languages
• Physical security and optical document security

Projects

Currently, my most active research topics are on anonymous communications (specifically the Tor Project) and banking security. For other activities, see my project list.

Recent publications

A full list of my papers can be found on the publications page.

• How Certification Systems Fail: Lessons from the Ware Report
  Steven J. Murdoch, Mike Bond, Ross Anderson
  The heritage of most security certification standards in the banking industry can be traced back to a 1970 report by a task force operating under the auspices of the US Department of Defense. Since then, standards have changed, both in their approach and scope, but what lessons can we learn from the original work?
  IEEE Security and Privacy, Volume 10, Number 6, pages 40–44, November–December 2012. [ accepted version | DOI link to edited version ]
• Chip and Skim: cloning EMV cards with the pre-play attack
  Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, Ross Anderson
  EMV, also known as “Chip and PIN”, is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a “pre-play” attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, or monitoring customer complaints. Finally we discuss countermeasures.
  Accompanying invited talk at CHES 2012 (arXiv:1209.2531), Leuven, Belgium, 11 September 2012. [ paper ]
• Wall 2.0
  Steven J. Murdoch
  The “Great Firewall of China” inherited its name (and technology) from network firewall products, designed to protect a company from attackers on the Internet. Physical firewalls are designed to protect a building from the spread of fire, network firewalls are designed to protect the controlled corporate environment from the more the chaotic Internet, and the Great Wall of China was designed to protect from outside invaders. The analogy is clear, but can be misleading – Internet censorship is different in many ways to physical walls.
  The European, 13 August 2011. [ article (English and German) | original (German) ]
• Might Financial Cryptography Kill Financial Innovation? – The Curious Case of EMV
  Ross Anderson, Mike Bond, Omar Choudary, Steven J. Murdoch, Frank Stajano
  The credit card system has been one of the world’s great successes because of its adaptability. By the mid-1990s, a credit card had become a mechanism for authenticating a transaction by presenting a username (the card number) and a password (the expiry date, plus often a CVV) that was already used in mail order and could be adapted with little fuss to the Internet. Now banks in Europe, and increasingly elsewhere, have moved to the EMV “Chip and PIN” system which uses not just smart cards but also “trusted” hardware. The cryptography supported by this equipment has made some kinds of fraud much rarer – although other kinds have increased, and the jury is still out on the net effect. In the USA in particular, some banks and others oppose EMV on the grounds that it will damage innovation to move to a monolithic and inflexible system.
  We discuss the effects that cryptographic lock-down might have on competition and innovation. We predict that EMV will be adapted to use cards as keys; we have found, for example, that the DDA signature can be used by third parties and expect this to be used when customers use a card to retrieve already-purchased goods such as air tickets. This will stop forged credit cards being used to board airplanes.
  We also investigate whether EMV can be adapted to move towards a world in which people can use bank cards plus commodity consumer electronics to make and accept payments. Can the EMV payment ecology be made more open and competitive, or will it have to be replaced? We have already seen EMV adapted to the CAP system; this was possible because only one bank, the card issuer, had to change its software. It seems the key to innovation is whether its benefits can be made sufficiently local and incremental. We therefore explore whether EMV can be adapted to peer-to-peer payments by making changes solely to the acquirer systems. Finally, we discuss the broader issue of how cryptographic protocols can be made extensible. How can the protocol designer steer between the Scylla of the competition authorities and the Charybdis of the chosen protocol attack?
  Financial Cryptography and Data Security, St Lucia, 28 February–04 March 2011. [ paper ]
• Impact of Network Topology on Anonymity and Overhead in Low-Latency Anonymity Networks
  Claudia Diaz, Steven J. Murdoch, Carmela Troncoso
  Low-latency anonymous communication networks require padding to resist timing analysis attacks, and dependent link padding has been proven to prevent these attacks with minimal overhead. In this paper we consider low-latency anonymity networks that implement dependent link padding, and examine various network topologies. We find that the choice of the topology has an important influence on the padding overhead and the level of anonymity provided, and that Stratified networks offer the best trade-off between them. We show that fully connected network topologies (Free Routes) are impractical when dependent link padding is used, as they suffer from feedback effects that induce disproportionate amounts of padding; and that Cascade topologies have the lowest padding overhead at the cost of poor scalability with respect to anonymity. Furthermore, we propose an variant of dependent link padding that considerably reduces the overhead at no loss in anonymity with respect to external adversaries. Finally, we discuss how Tor, a deployed large-scale anonymity network, would need to be adapted to support dependent link padding.
  10th Privacy Enhancing Technologies Symposium (PETS 2010), Berlin, Germany, 21–23 July 2010. [ paper | slides ]

Recent talks

A full list of my talks can be found on the talks page. Talks accompanying papers can be found in the publications section.

• Banking security: attacks and defences
  Steven J. Murdoch
  Designers of banking security systems are faced with a difficult challenge of developing technology within a tightly constrained budget, yet which must be capable of defeating attacks by determined, well-equipped criminals. This talk will summarise banking security technologies for protecting Chip and PIN/EMV card payments, online shopping, and online banking. The effectiveness of the security measures will be discussed, along with vulnerabilities discovered in them both by academics and by criminals. These vulnerabilities include cryptographic flaws, failures of tamper resistance, and poor implementation decisions, and have led not only to significant financial losses, but in some cases unfair allocation of liability. Proposed improvements will also be described, not only to the technical failures but also to the legal and regulatory regimes which are the underlying reason for some of these problems not being properly addressed.
  Invited talk at OWASP Belgium, Leuven, Belgium, 05 March 2013. [ slides ]
• Banking security: attacks and defences
  Steven J. Murdoch
  Designers of banking security systems are faced with a difficult challenge of developing technology within a tightly constrained budget, yet which must be capable of defeating attacks by determined, well-equipped criminals. This talk will summarise banking security technologies for protecting Chip and PIN/EMV card payments, online shopping, and online banking. The effectiveness of the security measures will be discussed, along with vulnerabilities discovered in them both by academics and by criminals. These vulnerabilities include cryptographic flaws, failures of tamper resistance, and poor implementation decisions, and have led not only to significant financial losses, but in some cases unfair allocation of liability. Proposed improvements will also be described, not only to the technical failures but also to the legal and regulatory regimes which are the underlying reason for some of these problems not being properly addressed.
  Invited talk at CHES 2012, Leuven, Belgium, 11 September 2012. [ slides ]
• Chip & PIN is Broken: What Next?
  Steven J. Murdoch
  The EMV protocol, its flaws, and their impact on Chip & PIN security.
  MAS Information Technology Supervision Workshop 3 for Financial Regulators, Singapore, 14–18 March 2011. [ slides | slides (PDF) ]
• The Economics of Payment Card Security and Shifting Fraud Liability
  Steven J. Murdoch
  Introduction to security economics and its relevance to payment card security.
  MAS Cybercrime, eBanking and Payment Card Security Seminar, Singapore, 17 March 2011. [ slides | slides (PDF) ]
• Chip & PIN: 5 Years On
  Steven J. Murdoch
  Chip & PIN has now been deployed in the UK for 5 years. This talk will describe the experiences learned. Vulnerabilities discovered in the system will be discussed including PED tampering, YES-cards, and the recently published no-PIN attack. An introduction to the Chip & PIN (EMV) protocol is given, and the talk concludes with a discussion of its affect on fraud and whether Chip & PIN was a worthwhile investment.
  BCS Hertfordshire Branch, Hemel Hempstead, UK, 26 January 2011. [ slides | slides (PDF) | audio part 1 | audio part 2 | audio part 3 ]

Miscellaneous

• OpenID protocol diagram
  Steven J. Murdoch
  I found that the OpenID specifications did not give a clear overview of the protocol message flow. So I produced a protocol diagram, which summarises the roles of the various parties, messages sent between them and their important components. Not all details are covered, and only the normal protocol traces are considered so it certainly should not be considered as an alternative to the specification, but I hope it will provide some clarification.
  [ protocol diagram (PDF 68K) ]

Contact Details

email (preferred):

post:

phone:

mobile:

fax:

Last modified 2012-11-15 16:08:16 +0000