Ross Anderson

[Research] [Blog] [Politics] [My Book] [Music] [Contact Details]

Who controls the off switch? describes the strategic vulnerability created by the plan to replace 47m gas and electricity meters with ‘smart meters’ that can be switched off remotely; it will be presented at NIST this October. On the security economics of electricity metering looks more broadly at what's likely to go wrong with smart metering projects; it appeared at WEIS 2010 (coverage on CNET and Ecoseed). I'n next talking about critical infrastructure protection in September.

It's the Anthropology, Stupid! discusses how we might put context and emotion back in security decisions. I have put together a web page on psychology and security, which is a rapidly-growing research topic; see also the Workshop on Security and Human Behaviour which was held here in June.

Chip and Pin is Broken! We won a best-paper award at Oakland with a paper which shows how – a man-in-the-middle attack that allows a stolen card to be used with any pin. There was a TV piece on Newsnight; here's the trailer. Press: ZDnet, the Telegraph, the Mail, the Mirror and the Register; see also Bruce Schneier, the press release and our FAQ. This work follows several other recent papers on problems with bank systems, including one on Verified by VISA – the mechanism that asks for your card password when you shop online. We also have a tech report On the Security of Internet Banking in South Korea (see press coverage).

We won a vote to protect academic freedom in Cambridge. For more, see the recent lively Discussion in the Regent House; my article on the subject, and my Unauthorised History of Cambridge University.

2009 highlights included Database State, an influential report we wrote the failings of public-sector IT in Britain, and how to fix them (a number of its recommendations have been adopted as policy by the new government); The snooping dragon: social-malware surveillance of the Tibetan movement which explains how the Chinese intelligence services compromised many of the computers at the Dalai Lama's private office in the run-up to the Beijing Olympics; Eight Friends are Enough: Social Graph Approximation via Public Listings, which shows how little privacy you have on Facebook; and The Economics of Online Crime, which appeared in the Journal of Economic Perspectives. There are also videos of talks I gave on the dependability of socio-technical systems at the IET, Krakow and De Montfort, as well as a survey paper, the slides, and a podcast.

2008 highlights included a Workshop on Security and Human Behaviour at MIT that brought together psychologists with economists and security engineers; a major study of Security economics and European Policy for the European Commission; the second edition of my book "Security Engineering"; the discovery of serious vulnerabilities in Chip and PIN payment systems; an analysis of the failings of the Financial Ombudsman Service (see also a video from the World Economic Forum in November 2008); the FIPR submission to the Thomas-Walport Review; an editorial Patient confidentiality and central databases in the British Journal of General Practice; three videos on privacy made by ARCH; and a video on surveillance.

2007 highlights included technical papers on RFID and on New Strategies for Revocation in Ad-Hoc Networks (which explores when suicide attacks are a good strategy); a Google tech talk on searching for covert communities and villains online; a paper on fraud, risk and nonbank payment systems I wrote for the Fed; and a survey paper on Information Security Economics (of which a shortened version appeared in Science). I was a special adviser to House of Commons Health Committee for their Report on the Electronic Patient Record. Finally, following the HMRC data loss, I appeared in the debate on Newsnight.

2006 highlights included technical papers on topics from protecting power-line communications to the Man-in-the-Middle Defence, as well as a major report on the safety and privacy of children's databases for the UK Information Commissioner, which got a lot of publicity. I ended the year by debating health privacy on the Today programme with health minister Lord Warner, who resigned shortly aftewards.

2005 highlights included research papers on The topology of covert conflict, on combining cryptography with biometrics, on Sybil-resistant DHT routing, and on Robbing the bank with a theorem prover; and a big survey paper on cryptographic processors.

2004 highlights included papers on cipher composition, key establishment in ad-hoc networks and the economics of censorship resistance. I also lobbied for amendments to the EU IP Enforcement Directive and organised a workshop on copyright which led to a common position adopted by many European NGOs.

I am Professor of Security Engineering at the Computer Laboratory, and a Fellow of the Royal Society, the Royal Academy of Engineering, the Institution of Engineering and Technology, the Institute of Mathematics and its Applications, and the Institute of Physics.

My research students are Robert Watson, Joe Bonneau, Hyoungshick Kim, Shailendra Fuloria and Wei-Ming Khoo; Richard Clayton, Steven Murdoch and Sergei Skorobogatov are postdocs. Alumni include former postdocs Mike Bond, Vashek Matyas and Andrei Serjantov, while Jong-Hyeon Lee, Frank Stajano, Fabien Petitcolas, Harry Manifavas, Markus Kuhn, Ulrich Lang, Jeff Yan, Susan Pancho, Mike Bond, George Danezis, Sergei Skorobogatov, Hyun-Jin Choi, Richard Clayton, Jolyon Clulow, Hao Feng, Andy Ozment, Tyler Moore and Shishir Nagaraja have earned PhDs.

My research topics include:

• Economics and psychology of information security – including security and human behaviour
• Peer-to-Peer and social network systems – including the Eternity Service, cocaine auctions and suicide bombing
• Reliability of security systems – including bank fraud and hardware hacking
• Robustness of cryptographic protocols – including API attacks
• Analysis and design of cryptographic algorithms – including Tiger and Serpent
• Information hiding – including Soft Tempest and stego file systems
• Security of clinical information systems – including NHS databases
• Privacy and freedom issues – including FIPR

Most of my papers are available in html and/or pdf. By default, when I post a paper here I license it under the relevant Creative Commons license, so you may redistribute it with attribution but not modify it. I may subsequently assign the residual copyright to an academic publisher.

Economics and Psychology of information security

As systems scale globally and acquire millions of users who may be competitors or even in conflict, things often go wrong not for technical reasons but as a result of misplaced incentives. A common failing is that the people who could protect them are not the people who suffer the costs of failure. It's not enough for security engineers to understand ciphers; we have to understand game theory and microeconomics too. This has led to a rapidly growing interest in ‘security economics’, a discipline I helped to found. This discipline is not just limited to security, but is also starting to embrace dependability and software economics; at the other end, it's growing through bevaioural economics into the psychology of security. I maintain the Economics and Security Resource Page and a similar web page on Security Psychology. My research contributions include the following.

• The Security and Human Behaviour workshop brings security engineers together with psychologists, behavioral economists and others. This is great fun and hugely productive. See the papers, liveblog and audio for 2009; and the papers, liveblog and audio for the first meeting in 2008.
• Here is our big survey paper, Information Security Economics – and Beyond. There's a video of me giving a survey talk at De Montfort, and a journal version in Phil Trans Roy Soc A (Aug 2009). Earlier versions appeared in August 2007 at Crypto (here are the slides), in January 2007 at Softint, and as a book chapter. A shorter survey was published in Science in late 2006.
• The Economics of Online Crime appeared in the Journal of Economic Perspectives; it looks at the econometrics of fraud and phishing, and makes a number of suggestions for improving the responses of banks and law-enforcement agencies.
• We have two papers on security economics in banking. The first is on Verified by VISA – the mechanism that asks for your card password when you shop online. This is an example of how a poor design can win out if it has strong deployment (see also blog post and slides). The second is On the Security of Internet Banking in South Korea; it analyses the effects of Korea's decision ten years ago to use national cryptography standards for Internet banking rather than just using the same protocols as the rest of the world.
• On the security economics of electricity metering appeared at WEIS 2010 and warns that the government's smart meter programme probably won't work. Other papers on security economics and control systems include Security Economics and Critical National Infrastructure, which appeared at WEIS 2009; Certification and Evaluation at IEEE ETFA 2009; and The Protection of Substation Communications, SCADA Security Scientific Symposium, 2010.
• We did a study of security economics in the Single Market for the European Network and Information Security Agency. We looked at the market failures underlying spam, phishing and other online problems, and made concrete policy proposals. A shorter version (62 pages) appeared at WEIS 2008 and an even shorter version (25 pages), at ISSE.
• Closing the Phishing Hole – Fraud, Risk and Nonbanks reports research on payment regulation commissioned by the US Federal Reserve. This paper identified speedy asset recovery as the best way to deter online fraud; fraud is made easy by systems like Western Union that make it hard to recover stolen funds.
• The topology of covert conflict asks how the police can best target an underground organisation given some knowledge of its patterns of communication, and how might they in turn might react to various law-enforcement strategies. We present a framework combining ideas from network analysis and evolutionary game theory to explore the interaction of attack and defence strategies in networks. Although we started out thinking about computer viruses, our work suggests explanations of a number of aspects of modern conflict generally.
• Why Information Security is Hard – An Economic Perspective was the paper that got information security people thinking about economics. It applies microeconomic analysis to explain many phenomena that security folks had found to be pervasive but perplexing. Why do mass-market software products such as Windows contain so many security bugs? Why are their security mechanisms so difficult to manage? Why are government evaluation schemes, such as the Orange Book and the Common Criteria, so bad?
• My `Trusted Computing' FAQ undermined the Trusted Computing Group's initiative to install DRM hardware in every computer, PDA and mobile phone. `TC' was designed to please Hollywood by making it hard to pirate music and videos – and to please the software industry by locking in customers more tightly. But it could have damaged privacy, censorship, and innovation. Cryptography and Competition Policy – Issues with `Trusted Computing' is an economic analysis I gave at WEIS2003 and also as an invited talk at PODC 2003. A shortened version of the paper appeared in a special issue of Upgrade (there's also a French translation). I spoke about TC at the "Trusted Computing Group" Symposium, which helped drive German government policy. The row about `Trusted Computing' was ignited by a paper on the security of free and open source software I gave at Softint 2002 in Toulouse; see coverage in the New York Times and The Register.
• In the first part of my Toulouse paper, I show that the usual argument about open source security – whether source access makes it easier for the defenders to find and fix bugs, or makes it easier for the attackers to find and exploit them – is misdirected. Under standard assumptions used by the reliability growth modelling community, the two will exactly cancel each other out. That means that whether open or closed systems are more secure in a given situation will depend on whether, and how, the application deviates from the standard assumptions. These ideas aare developed in a later paper, Open and Closed Systems are Equivalent (that is, in an ideal world) which appeared as a chapter in Perspectives on Free and Open Source Software. See press coverage in slashdot, news.com and The Register.
• On Dealing with Adversaries Fairly applies election theory (also known as social choice theory) to the problem of shared control in distributed systems. It shows how a number of reputation systems proposed for use in peer-to-peer applications might be improved. It appeared at WEIS 2004.
• The Economics of Censorship Resistance examines when it is better for defenders to aggregate or disperse. Should file-sharers build one huge system like gnutella and hope for safety in numbers, or would a loose federation of fan clubs for different bands work better? More generally, what are the tradeoffs between diversity and solidarity when conflict threatens? (This is a live topic in social policy - see David Goodhart's essay, a response in the Economist, and a post by Clay Shirkey.) This paper also appeared at WEIS 2004.
• Here are papers on The Initial Costs and Maintenance Costs of Protocols, which I gave at Security Protocols 2005, and How Much is Location Privacy Worth? which I gave at WEIS 05.

Our annual bash is the Workshop on Economics and Information Security. My Economics and Security Resource Page provides a guide to the literature and to what else is on. There is also a web page on the economics of privacy, maintained by Alessandro Acquisti.

Since about 2000, there has been an explosion of interest in peer-to-peer networking &ndash the business of building useful systems out of large numbers of intermittently connected machines. One of the seminal papers was The Eternity Service, which I presented at Pragocrypt 96. I had been alarmed by the Scientologists' success at closing down the penet remailer in Finland, and have more than once been threatened by lawyers who did not want me to comment on the security of their clients' systems. Yet the modern era only started once the printing press enabled seditious thoughts to be spread too quickly and widely to ban. What would it mean when books no longer existed as tens of thousands of paper copies, but as a single file on a single server? Might this return us to government control of information? So I invented the Eternity Service as a means of putting electronic documents beyond the censor's grasp. The Eternity Service inspired second-generation censorship-resistant systems such as Publius and Freenet; the current descendant of these early systems is wikileaks. Our contribution to that is in helping to maintain Tor, the anonymity service used by wikileaks and by many others.

But history never repeats itself exactly, and the biggest deal turned out to be not sedition, or vulnerability disclosure, or even pornography, but copyright. Hollywood's action against Napster led to our ideas being adopted in peer-to-peer filesharing systems. Many of these developments were described here, and discussed at conferences like this one. See also Richard Stallman's classic, The Right to Read.

Many of the ideas in early peer-to-peer systems reemerged in the study of ad-hoc and sensor networks and are now spilling over into social networking systems. My contributions since the Eternity paper include the following.

• Eight Friends are Enough: Social Graph Approximation via Public Listings shows how easy it is for an outsider to work out the structure of friendships on Facebook. (For more, see our blog on Facebook's technical privacy and its democracy theatre.)
• New Strategies for Revocation in Ad-Hoc Networks won the best paper award at ESAS07. In it we show how to use suicide bombing for revocation in networks. Suicide attacks are found widely in nature, from bees to helper T-cells; this model may help explain why (press coverage here and here). The idea was developed further in Fast exclusion of errant devices from vehicular networks at SECON 08.
• I worked on the security of Homeplug, an industry standard for broadband communication over the power mains. A paper on what we did and why appeared at SOUPS 2006. This is a good worked example of how to do key establishment in a real peer-to-peer system. The core problem is this: how can you be sure you're recruiting the right device to your network, rather than a similar one nearby?
• Sybil-resistant DHT routing appeared at ESORICS 2005 and showed how we can make peer-to-peer systems more robust against disrutpive attacks if we know which nodes introduced which other nodes. The convergence of computer science and social network theory is an interesting recent phenomenon, and not limited to search and recommender systems.
• Key Infection - Smart trust for Smart Dust appeared at ICNP 2004 and presents a radically new approach to key management in sensor and peer-to-peer networks. Peers establish keys opportunistically and use resilience mechanisms against later node compromise. This work challenges the assumption that authentication is largely about bootstrapping.
• The Economics of Censorship Resistance examines when it is better for defenders to aggregate or disperse. Should file-sharers build one huge system like gnutella and hope for safety in numbers, or would a loose federation of fan clubs for different bands work better?
• A New Family of Authentication Protocols presented our "Guy Fawkes Protocol", which lets users sign messages using only two computations of a hash function and one reference to a timestamping service. It led to many protocols for signing digital streams and also raised foundational questions about the nature of a digital signature.
• The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks was very influential. It describes how to do key management between low-cost devices without either the costs or privacy problems of central servers. (There's also a journal version of the paper here.)
• The Cocaine Auction Protocol explored how transactions can be conducted between mutually mistrustful principals with no trusted arbitrator, while giving a high degree of privacy against traffic analysis.
• The Eternal Resource Locator: An Alternative Means of Establishing Trust on the World Wide Web investigated how to protect naming and indexing information and showed how to embed trust mechanisms in html documents. It was motivated by a medical school project to protect the electronic version of the British National Formulary: see Secure Books: Protecting the Distribution of Knowledge. Later work included some thinking on how to secure a digital repository; and Jikzi, an authentication framework for electronic publishing, on which there are both general and technical papers. (Jikzi also led to a startup.)
• The XenoService - A Distributed Defeat for Distributed Denial of Service described defeating DDoS attacks using a network of web hosts that can respond to an attack on a site by replicating it rapidly and widely. It used Xen, a hypervisor developed at Cambridge for distributed hosting, which led to another startup.

• The snooping dragon: social-malware surveillance of the Tibetan movement explains how the Chinese intelligence services compromised many of the computers at the Dalai Lama's private office, and what this means for information security (also slides).
• Optimised to Fail: Card Readers for Online Banking documents the shortcomings of the CAP card readers used for online banking; see also our blog, press coverage and the later journal version.
• Thinking inside the box: system-level failures of tamper proofing documented serious vulnerabilities in Chip and PIN payment terminals and won the Best Practical Paper award at the 2008 Oakland conference. It was also featured on Newsnight; see the video and the viewers' comments. Here are some frequently asked questions, our press release, and coverage in the Register, the Newsnight blog and the Telegraph. My paper Failures on Fraud appeared in a central bankers' magazine and argued that all this is yet another symptom of the failure of bank regulation.
• Why Cryptosystems Fail may have been cited more than anything else I've written. This version appeared at ACMCCS 93 and explains how ATM fraud was done in the early 1990s. Liability and Computer Security - Nine Principles took this work further, and examines the problems with relying on cryptographic evidence. The recent introduction of EMV ('chip and PIN') was supposed to fix the problem, but hasn't: Phish and Chips documents protocol weaknesses in EMV, and A Note on EMV Secure Messaging in the IBM 4758 CCA documents even more. The Man-in-the-Middle Defence shows how to turn protocol weaknesses to advantage. See my paper RFID and the Middleman for the likely next wave of frauds.
• On a New Way to Read Data from Memory describes techniques we developed that use lasers to read out memory contents directly from a chip, without using the read-out circuits provided by the vendor. The work builds on methods described in Optical Fault Induction Attacks, which showed how laser pulses could be used to induce faults in smartcards that would leak secret information. That paper appeared at CHES 2002; it made the front page of the New York Times and also got covered by slashdot.
• After we discovered the above attacks, we developed a CPU technology that uses redundant failure-evident logic to thwart attacks based on fault induction or power analysis. Our first paper on this technology won the best presentation award in April at Async 2002. Our journal paper, Balanced Self-Checking Asynchronous Logic for Smart Card Applications, has details and test results.
• Our classic paper on hardware security, Tamper Resistance – A Cautionary Note, describes how to penetrate the smartcards and secure microcontrollers of the mid-1990s. It kicked off the modern academic study of hardware security and won a Best Paper award. Our second paper on the subject was Low Cost Attacks on Tamper Resistant Devices, which describes a number of further tricks. See also the home page of our hardware security laboratory, and Markus Kuhn's page of links to hardware attack resources.
• On the Reliability of Electronic Payment Systems describes work I did to help develop prepayment utility metering, which made possible the electrification of millions of homes in Africa. It appeared in the May 1996 issue of the IEEE Transactions on Software Engineering. An ealier version, entitled Cryptographic Credit Control in Pre-Payment Metering Systems, appeared at Oakland 95. A later paper on this subject discussed how we could apply what we'd learned to support utility meter interworking in the UK after deregulation.
• On the Security of Digital Tachographs successfully predicted how the introduction of smartcard-based digital tachographs throughout Europe from 2005 would affect fraud and tampering.
• How to Cheat at the Lottery reports a novel and, I hope, entertaining experiment in software requirements engineering.
• The Grenade Timer describes a novel way to protect low-cost processors against denial-of-service attacks, by limiting the number of cycles an application can consume.
• The Millennium Bug – Reasons Not to Panic describes our experience in coping with the bug at Cambridge University and elsewhere. This paper correctly predicted that the bug wouldn't bite very hard. Journalists were not interested, despite a major press release by the University: I later discussed what we could learn from the incident in a radio interview with Stephen Fry.
• The Memorability and Security of Passwords -- Some Empirical Results tackles an old problem - how do you train users to choose passwords that are easy to remember but hard to guess? We did a randomized controlled trial with a few hundred first year science students which confirmed some folk beliefs, but debunked some others. This became one of the classic papers on security usability.
• Murphy's law, the fitness of evolving species, and the limits of software reliability applies the techniques of statistical thermodynamics to the failure modes of any complex system that evolves under testing. It provides a common mathematical model for the reliability growth of complex computer systems and for biological evolution. Its findings are in close agreement with empirical data, and it inspired later work in security economics.
• Security Policies play a central role in secure systems engineering. They provide a concise statement of the kind of protection a system is supposed to achieve. This article is a security policy tutorial.
• Combining cryptography with biometrics shows that in those applications where you can benefit from biometrics, you often don't need a large central database (as proposed for Britain's ID card). There are smarter and less privacy-invasive ways to arrange things.

The papers on physical security by Roger Johnston's team are also definitely worth a look, and there's an old leaked copy of the NSA Security Manual that you can download (also as latex).

• API Level Attacks on Embedded Systems are a novel and powerful way to attack cryptographic processors, and indeed any systems where more trusted systems talk to less trusted ones. The idea is that a "secure" device can often be defeated by sending it some sequence of transactions which its designer did not expect. We've defeated pretty well every security processor we've looked at, at least once. This line of research originated at Protocols 2000 with my paper The Correctness of Crypto Transaction Sets; more followed in yje first edition of my book. Robbing the bank with a theorem prover, shows how to apply advanced tools to the problem, and ideas for future research can be found in Protocol Analysis, Composability and Computation. For a snapshot of how this interacts with physical security, see our survey of cryptographic processors, a shortened version of which appeared in the February 2006 Proceedings of the IEEE. An up-to-date survey of API attacks can be found in the second edition of my my book.
• Programming Satan's Computer is a phrase Roger Needham and I coined to express the difficulty of designing cryptographic protocols; it has recently been popularised by Bruce Schneier (see, for example, his foreword to my book). The problem of designing programs which run robustly on a network containing a malicious adversary is rather like trying to program a computer which gives subtly wrong answers at the worst possible moment.
• Robustness principles for public key protocols gives a number of attacks on protocols based on public key primitives. It also puts forward some principles which can help us to design robust protocols, and to find attacks on other people's designs. It appeared at Crypto 95.
• The Cocaine Auction Protocol explores how transactions can be conducted between mutually mistrustful principals with no trusted arbitrator, even in environments where anonymous communications make most of the principals untraceable.
• The Initial Costs and Maintenance Costs of Protocols appeared at the 2005 Protocols Workshop and shows how economics can enter into protocol design.
• NetCard - A Practical Electronic Cash Scheme presents research on micropayment protocols for use in electronic commerce. We invented tick payments simultaneously with Torben Pedersen and with Ron Rivest and Adi Shamir; we all presented our work at Protocols 96.
• The GCHQ Protocol and its Problems pointed out a number of flaws in a key management protocol promoted by GCHQ as a European alternative to Clipper, until we shot it down with this paper at Eurocrypt 97. Many of the criticisms we developed here also apply to the more recent, pairing-based cryptosystems.
• The Formal Verification of a Payment System describes the first use of formal methods to verify an actual payment protocol, which was (and still is) used in an electronic purse product (VISA's COPAC card). This is a teaching example I use to get the ideas of the BAN logic across to undergraduates. There is further detailed information in a technical report, which combines papers given at ESORICS 92 and Cardis 94.
• An Attack on Server Assisted Authentication Protocols appeared in Electronics Letters in 1992. It breaks a digital signature protocol.
• On Fortifying Key Negotiation Schemes with Poorly Chosen Passwords presents a simple way of achieving the same result as protocols such as EKE, namely preventing middleperson attacks on Diffie-Hellman key exchange between two people whose shared secret could be guessed by the enemy.

Protocols have been the stuff of high drama. Citibank asked the High Court to gag the disclosure of certain crypto API vulnerabilities that affect a number of systems used in banking. I wrote to the judge opposing this; a gagging order was still imposed, although in slightly less severe terms than Citibank had requested. The trial was in camera, the banks' witnesses didn't have to answer questions about vulnerabilities, and new information revealed about these vulnerabilities in the course of the trial may not be disclosed in England or Wales. Information already in the public domain was unaffected. The vulnerabilities were discovered by Mike Bond and me while acting as the defence experts in a phantom withdrawal court case, and independently discovered by the other side's expert, Jolyon Clulow, who later joined us as a research student. They are of significant scientific interest, as well as being relevant to the rights of the growing number of people who suffer phantom withdrawals from their bank accounts worldwide. Undermining the fairness of trials and forbidding discussion of vulnerabilities isn't the way forward. See press coverage by the Register, Slashdot, news.com, and Zdnet.

Reports of an attack on the hash function SHA have made Tiger, which Eli Biham and I designed in 1995, a popular choice of cryptographic hash function. I also worked with Eli, and with Lars Knudsen, to develop Serpent – a candidate block cipher for the Advanced Encryption Standard. Serpent won through to the final of the competition and got the second largest number of votes. Another of my contributions was founding the series of workshops on Fast Software Encryption.

Other papers on cryptography and cryptanalysis include the following.

• The Dancing Bear – A New Way of Composing Ciphers presents a new way to combine crypto primitives. Previously, to decrypt using (say) any three out of five keys, the keys all had to be of the same type (such as RSA keys). With my new construction, you can mix and match - RSA, AES, even one-time pad. The paper appeared at the 2004 Protocols Workshop; an earlier version came out at the FSE 2004 rump session.
• Two Remarks on Public Key Cryptology is a note on two ideas I floated at talks I gave in 1997-98, concerning forward-secure signatures and compatible weak keys. The first of these has inspired later research by others; the second gives a new attack on public key encryption.
• Two Practical and Provably Secure Block Ciphers: BEAR and LION shows how to construct a block cipher from a stream cipher and a hash function. We had already known how to construct stream ciphers and hash functions from block ciphers, and hash functions from stream ciphers; so this paper completed the set of elementary reductions. It also led to the "Dancing Bear" above.
• Tiger – A Fast New Hash Function defines a new hash function, which we designed following Hans Dobbertin's attack on MD4. This was designed to run extremely fast on the new 64-bit processors such as DEC Alpha and IA64, while still running reasonably quickly on existing hardware such as Intel 80486 and Pentium (the above link is to the Tiger home page, maintained in Haifa by Eli Biham; if the network is slow, see my UK mirrors of the Tiger paper, new and old reference implementations (the change fixes a padding bug) and S-box generation documents. There are also third-party crypto toolkits supporting Tiger, such as that from Bouncy Castle).
• Minding your p's and q's points out a number of things that can go wrong with the choice of modulus and generator in public key systems based on discrete log. It elucidated some of the previously classified reasoning behind the design of the US Digital Signature Algorithm, and appeared at Asiacrypt 96.
• Chameleon – A New Kind of Stream Cipher shows how to do traitor tracing using symmetric rather than public-key cryptology. The idea is to turn a stream cipher into one with reduced key diffusion, but without compromising security. A single broadcast ciphertext is decrypted to slightly different plaintexts by users with slightly different keys. This paper appeared at Fast Software Encryption in Haifa in January 1997.
• Searching for the Optimum Correlation Attack shows that nonlinear combining functions used in nonlinear filter generators can react with shifted copies of themselves in a way that opens up a new and powerful attack on many cipher systems. It appeared at the second workshop on fast software encryption.
• The Classification of Hash Functions showed that correlation freedom is strictly stronger than collision freedom, and shows that there are many pseudorandomness properties other than collision freedom which hash functions may need. It appeared at Cryptography and Coding 93.
• A Faster Attack on Certain Stream Ciphers shows how to break the multiplex shift register generator, which is used in satellite TV systems. I found a simple divide-and-conquer attack on this system in the mid 1980's, a discovery that got me "hooked" on cryptology. This paper is a refinement of that work.
• On Fibonacci Keystream Generators appeared at FSE3, and shows how to break "FISH", a stream cipher proposed by Siemens. It also proposes an improved cipher, "PIKE", based on the same general mechanisms.

• Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations must be one of the more unexpected and newsworthy papers I've published. It is well known that eavesdroppers can reconstruct video screen content from radio frequency emanations; up till now, such `Tempest attacks' were prevented by shielding, jammers and so on. Our innovation was a set of techniques that enable the software on a computer to control the electromagnetic radiation it emanates. This can be used for both attack and defence. To attack a system, malicious code can hide stolen information in the machine's Tempest emanations and optimise them for some combination of reception range, receiver cost and covertness. To defend a system, a screen driver can display sensitive information using fonts which minimise the energy of RF emanations. This technology is now fielded in PGP and eslewhere. You can download Tempest fonts from here.
• There is a followup paper on the costs and benefits of Soft Tempest in military environments, which appeared at NATO's 1999 RTO meeting on infosec, while an earlier version of our main paper, which received considerable publicity, is available here. Finally, there's some software you can use to play your MP3s over the radio here, a press article here and information on more recent optical tempest attacks here.
• Hollywood once hoped that copyright-marking systems would help control the copying of videos, music and computer games. This became high drama when a paper that showed how to break the DVD/SDMI copyright marking scheme was pulled by its authors from the Information Hiding 2001 workshop, following legal threats from Hollywood. In fact, the basic scheme – echo hiding – was among a number that we broke in 1997. The attack was reported in our paper Attacks on Copyright Marking Systems, which we published at Info Hiding 1998. We also wrote Information Hiding – A Survey, which appeared in Proc IEEE and is a good place to start if you're new to the field. For the policy aspects, you might read Pam Samuelson. There is much more about the technology on the web page of my former student Fabien Petitcolas.
• Another novel application of information hiding is the Steganographic File System. It will give you any file whose name and password you know, but if you do not know the correct password, you cannot even tell that a file of that name exists in the system! This is much stronger than conventional multilevel security, and its main function is to protect users against coercion. Two of our students implemented SFS for Linux: a paper describing the details is here, while the code is available here. This functionality has since appeared in a number of crypto products.
• The threat by some governments to ban cryptography has led to a surge of interest in steganography - the art of hiding messages in other messages. Our paper On The Limits of Steganography explores what can and can't be done; it appeared in a special issue of IEEE JSAC. It developed from an earlier paper, Stretching the Limits of Steganography, which appeared at the first international workshop on Information Hiding in 1996. I also started a bibliography of the subject which is now maintained by Fabien Petitcolas.
• The Newton Channel settles a conjecture of Simmons by exhibiting a high bandwidth subliminal channel in the ElGamal signature scheme. It appeared at Info Hiding 96.

Here are my most recent papers on the subject.

• I was one of the authors of a 2006 report on the safety and privacy of children's databases, done for the UK Information Commissioner. It concluded that government plans to link up most of the public-sector databases that hold information on children were misguided: the proposed systems will be both unsafe and illegal. This report got a lot of publicity. I spoke on these issues on three videos made by Action on Rights for Children.
• I wrote a report for the National Audit Office on the health IT expenditure, strategies and goals of the UK and a number of other developed countries. This showed that the NHS National Program for IT is in many ways an outlier, and high-risk.
• Here is an article I wrote for Drugs and Alcohol Today analysing the likely effects of the NHS computing project on patient privacy, particularly in the rehabilitation field.
• In 2007 I acted as a Special Adviser to the House of Commons Health Select Committee's Report on the Electronic Patient Record. This concluded that the NHS computerisation project is failing to meet its core objectives, and that patient privacy is at risk as well as operational effectiveness. I was a Special Adviser to the Committee. (See the parliamentary debate on the report, press comment, and an article on the implications for HIV treatment.)
• Patient confidentiality and central databases appeared in the February 2008 British Journal of General Practice, calling on GPs to encourage patients to opt out of the NHS care records service.
• Database State is a report we wrote for the Joseph Rowntree Reform Trust on the failings of public-sector IT in Britain, and how to fix them. It pointed out that a number of health systems almost certainly break European law. There's coverage on the BBC, in the Guardian (also here), the Mail (also here), the Independent, the Telegraph, E-Health Insider and Liberty Central. This report had a lot of impact; the coalition government has promised to abolish (or at least significantly change) a number of the systems we fingered as unlawful.
• System security for cyborgs discusses technical, ethical and security-economics issues to do with implantable medical devices.

Civil servants started pushing for online access to everyone's records in 1992 and I got involved in 1995, when I started consulting for the British Medical Association on the safety and privacy of clinical information systems. Back then, the police were given access to all drug prescriptions in the UK, after the government argued that they needed it to catch the occasional doctor who misprescribed heroin. The police got their data, but they didn't catch Harold Shipman, and no-one was held accountable.

The NHS slogan in 1995 was `a unified electronic patient record, accessible to all in the NHS'. The slogan has changed several times, but the goal remains the same. The BMA campaigned against this in 1995-6, arguing that it would destroy patient privacy, and the government set up the Caldicott Committee to study the matter. Their report made clear that the NHS was already breaking confidentiality law by sharing data without consent; rather than cleaning up the mess, the Government legislated (and regulated, and again) to give itself the power to share health data as the Secretary of State saw fit. (We objected and pointed out the problems the bill could cause for researchers; similar sentiments were expressed in a BMJ editorial, and a Nuffield Trust impact analysis, and BMJ letters here and here. Ministers claimed the records were needed for cancer registries: yet cancer researchers work with anonymised data in other countries – see papers here and here.) There was a storm of protest in the press: see the Observer, the New Statesman, and The Register. But that died down; the measure has now been consolidated as sections 251 and 252 of the NHS Act 2006, the disgraceful Thomas-Walport review blessed nonconsensual access to health records (despite the FIPR submission, which pointed out that this was illegal) and a government committee called NHS Information Government Board now oversees this illegality.

We concluded at the time (correctly, as it turned out) that only a European law challenge could halt the slide toward surveillance. The NHS centralisation programme was in breach of the Declaration of Helsinki on ethical principles for medical research, and contravene the Council of Europe recommendation no R(97)5 on the protection of medical data, as well as the basic European privacy law used to decide the Helsinki case.

Here are some historical, but still relevant, papers that I mostly wrote in 1995-6, when the government last tried to centralise all medical records – and we saw them off.

• Security in Clinical Information Systems was published by the BMA in January 1996. It sets out rules that uphold the principle of patient consent independently of the details of specific systems. It was the medical profession's initial response to the safety and privacy problems posed by centralised NHS computer systems.
• An Update on the BMA Security Policy appeared in June 1996 and tells the story of the struggle between the BMA and the government, including the origins and development of the BMA security policy and guidelines.
• There are comments made at NISSC 98 on the healthcare protection profiles being developed by NIST for the DHHS to use in regulating health information systems privacy, which made a number of mistaken assumptions about threats and protection mechanisms.
• Remarks on the Caldicott Report raises a number of issues about the report of the Caldicott Committee, which was set up by the Major government to kick the medical privacy issue into touch until after the 1997 election. Its members failed to understand that medical records from which the names have been removed, but where NHS numbers remain, are not anonymous &ndash as large numbers of NHS staff need to map names to numbers in order to do their jobs.
• Information technology in medical practice: safety and privacy lessons from the United Kingdom provided an overview of the safety and privacy problems we encountered in UK healthcare computing in the mid-90s for readers of the Australian Medical Journal.
• The DeCODE Proposal for an Icelandic Health Database analyses a proposal to collect all Icelanders' medical records into a single database. I evaluated this for the Icelandic Medical Association and concluded that the proposed security wouldn't work. The company running it soon hit financial problems and has now filed for bankruptcy. The ethical issues were a factor: Iceland's Supreme Court allowed a woman to block access to her father's records because of the information they may reveal about her (see analysis. This effectively killed the vision of having the whole population on a database. I also wrote an analysis of security targets prepared under the Common Criteria for the evaluation of this database. See also BMJ correspondence and an article by Einar Arnason.
• Clinical System Security – Interim Guidelines appeared in the British Medical Journal on 13th January 1996. It advises healthcare professionals on prudent security measures for clinical data. The most common threat is that private investigators use false-pretext telephone calls to elicit personal health information from assistant staff.
• A Security Policy Model for Clinical Information Systems appeared at the 1996 IEEE Symposium on Security and Privacy. It presents the BMA policy model to the computer security community in a format comparable to policies such as Bell-LaPadula and Clark-Wilson. It had some influence on later US health privacy legislation (the Kennedy-Kassebaum Bill, now HIPAA).
• NHS Wide Networking and Patient Confidentiality appeared in the British Medical Journal in July 1995 and set out some early objections to the government's health network proposals.
• Patient Confidentiality &ndash At Risk from NHS Wide Networking went into somewhat more detail, particularly on the security policy aspects. It was presented at Health Care 96.
• Problems with the NHS Cryptography Strategy points out a number of errors in, and ethically unacceptable consequences of, a report on cryptography produced for the Department of Health. These comments formed the BMA's response to that report.

Two health IT papers by colleagues deserve special mention. Privacy in clinical information systems in secondary care describes a hospital system implementing something close to the BMA security policy (it is described in more detail in a special issue of the Health Informatics Journal, v 4 nos 3-4, Dec 1998, which I edited). Second, Protecting Doctors' Identity in Drug Prescription Analysis describes a system designed to de-identify prescription data for commercial use; although de-identification usually does not protect patient privacy very well, there are exceptions, such as here. This system led to a court case, in which the government tried to stop its owner promoting it &ndash as it would have competed with their (less privacy-friendly) offerings. The government lost: the Court of Appeal decided that personal health information can be used for research without patient consent, so long as the de-identification is done competently.

Resources on what's happening in the USA – where the stimulus bill has made medical privacy a very live issue &ndash include many NGOs: Patient Privacy Rights may have been the most influential, but see also EPIC, the Privacy Rights Clearinghouse, the Citizens' Council on Health Care, the Institute for Health Freedom. and CDT. Older resources include an NAS report entitled For the Record: Protecting Electronic Health Information, a report by the Office of Technology Assessment, a survey of the uses of de-identified records for the DHHS, and a GAO report on their use in Medicare. For information on what's happening in the German-speaking world, see Gerrit Bleumer's web page. As for the basic science, the American Statistical Association has a good collection of links to papers on inference control, also known as statistical security &ndash the protection of de-identified data.

I chair the Foundation for Information Policy Research, the UK's leading Internet policy think tank, which I helped set up in 1998. We are not a lobby group; our enemy is ignorance rather than the government of the day, and our mission is to understand IT policy issues and explain them to policy makers and the press. Here's an overview of the issues as we saw them in 1999, and a video of how we saw them ten years later in 2008. Some highlights of our work follow.

• Privacy has become a big theme recently thanks to our Database State report on the failings of public-sector IT in Britain, and how to fix them. There was massive press coverage: the BBC, the Guardian (also here), the Mail (also here), the Independent, the Telegraph, E-Health Insider and Liberty Central. This followed an earlier report on children's databases, and the many other activities described above. Both main opposition parties promised to kill or change at least some of these systems if they win power in the 2010 election. The coalition agreement spelled the end of the ContactPoint children's database, and of ID cards.
• Identity Cards were a clever move by Blair; they divided the Conservatives in 2004-5, setting the authoritarian leader Michael Howard against the libertarian majority in his shadow cabinet. I testified to the Home Affairs committee in 2004 that they would not work as advertised, and contributed to the LSE Report that spelled this out in detail. I'd produced numerous previous pieces in response to government identity consultations, on aspects such as smartcards and PKI. There's more in my book (ch. 6).
• Internet Censorship is a growing problem, and not just in developing countries. In 1995, I tried to forestall it by invneting the Eternity Service (a precursor of later file-sharing systems &ndash see above), and we've also written on the economics of censorship resistance. But despite the technical difficulties and collateral costs of content filtering, governments aren't giving up. From 2006 to 2008, I was a principal investgator for the OpenNet Initiative which monitors Internet filtering worldwide. Shifting Borders reviewed the state of play in late 2007, and appeared in Index on Censorship; Tools and Technology of Internet Filtering goes into more technical detail and appeared in Access Denied. The political action now is about Internet blocking.
• Consumer Protection: FIPR also brought together legal and computing experts to deconstruct the fashionable late-1990s notion that ‘digital certificates’ would solve all the problems of e-commerce and e-government. Anyone inclined to believe such nonsence should read Electronic Commerce – Who Carries the Risk of Fraud?. Other work in this thread include FIPR's responses to consultations on smartcards, the electronic signature directive and the ecommerce bill.
• More recently we have been alarmed at the erosion of consumer rights as a result of the introduction of chip and PIN cards. The technical sections above describe how frauds happen; the flip side of the story is how the banks escape liability. Our analysis of the failings of the Financial Ombudsman Service remains unanswered; see also FIPR's submission on Personal Internet Security (with which the House of Lords basically agreed) and the National Payments Plan. FIPR now takes the view that the only way to fix consumer protection is to replace public action with private action, by changing the rules on costs so that consumers can enforce their rights in court without risking horrendous costs orders if they lose.
• The RIP Act, the Crypto Wars and Key Escrow: I got engaged in technology policy thanks to attempts in the 1990s by governments (led by the USA) to control the use of cryptography. In 1995, I wrote Crypto in Europe – Markets, Law and Policy. This surveyed the uses of cryptography in Europe and discussed the shortcomings of crypto policy; I pointed out that law enforcement communications intelligence was mostly about traffic analysis and criminal communications security was mostly traffic security. This view was heretical at the time but is now orthodoxy. The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption became the most widely-cited publication on key escrow. It examines the technical risks, costs, and implications of deploying systems that would satisfy government wishes. It was originally presented as testimony to the US Senate, and then also to the Trade and Industry Committee of the UK House of Commons, together with a further piece I wrote, The Risks and Costs of UK Escrow Policy.
• The GCHQ Protocol and its Problems pointed out a number of serious defects in the protocol that the British government used to secure its electronic mail, and which it wanted everyone else to use too. This paper appeared at Eurocrypt 97 and it replies to GCHQ's response to an earlier version of our paper. Our analysis stopped the protocol being widely adopted. The Global Trust Register is a book of the fingerprints of the world's most important public keys. It thus implements a top-level certification authority, but using paper and ink rather than electronics. DTI proposals for mandatory licensing of cryptographic services would have banned this book; that fact enabled me to visit Culture Secretary Chris Smith at a critical point in the crypto wars and get crypto policy referred to Cabinet when otherwise it would have remained the province of the civil servants.
• This was all part of a campaign that FIPR ran to limit the scope of the Regulation of Investigatory Powers Act. Originally this would have allowed the police to obtain, without warrant, a complete history of everyone's web browsing activity (as this would have been ‘communications data’); FIPR got the House of Lords to limit this to the identity of the machines involved in a communication, rather than the URLs of the web pages. But the RIP Act still made it into law and has had a number of the bad effects we predicted at the time. See for example an op-ed I wrote on the history of the Act following the unfortunate imprisonment of a mentally-ill man under the Act for refusing to hand over his PGP passphrase when the Met's terror squad told him to.
• These issues have come round once more with GCHQ's Interception Modernisation Programme, a plan to centralise all traffic data first in a central database and more recently in a system of federated databases maintained by communications service providers. FIPR wrote a response to a Home Office consultation on this, and another response to one on the orders and codes of practice for interception. We also commented on the Cabinet Office's (actually GCHQ's) inappropriate proposals to secure government systems.
• Terrorism: A page with Comments on Terrorism explains why many of the measures that various people have been trying to sell since the 11th September attacks are unlikely to work as promised. Much subsequent policy work has been made harder by assorted salesmen, centralisers, rent-seekers and chancers talking about terror; I testified against police attempts to increase pre-charge detention to ninety days with the implausible claim that they needed more time to decrypt seized data. We must constantly push back on the scaremongers; here for example is a video I did on the effects of 9/11.
• Export Control: In 2001-02, FIPR persuaded the Lords to amend the Export Control Bill. This bill was designed to give ministers the power to license intangible exports. It was the result of US lobbying of Tony Blair in 1997; back then, UK crypto researchers could put source code on our web pages while our US colleagues weren't allowed to. In its original form, its provisions were so broad that it would have given ministers the power of pre-publication review of scientific papers. We defeated the Government in the House of Lords by 150-108, following a hard campaign &ndash see press coverage in the BBC, the New Scientist, the Guardian and the Economist, and an article on free speech I wrote for IEEE Computing. But the best quote I have is also the earliest. The first book written on cryptology in English, by Bishop John Wilkins in 1641, remarked that ‘If all those useful Inventions that are liable to abuse, should therefore be concealed, there is not any Art or Science which might be lawfully profest’
• This issue revived in 2003, with a government attempt to wrest back using regulations much of what they conceded in parliament. FIPR fought back and extracted assurances from Lord Sainsbury about the interpretation of regulations made under the Act. This may seem technical, but is important for British science and academic freedom. Without our campaign, much scientific collaboration would have become technically illegal, leaving scientists open to arbitrary harrassment. Much credit goes to the Conservative frontbencher Doreen Miller, Liberal Democrat frontbencher Margaret Sharp, and the then President of the Royal Society Bob May, who made his maiden speech in the Lords on the issue and marshalled the crossbenchers. We are very grateful for their efforts.
• Trusted Computing was a focus in 2002-03. I wrote a Trusted Computing FAQ that was very widely read, followed by a study of the competition policy aspects of this technology. This led inter alia to a symposium organised by the German government which in turn pushed the Trusted Computing Group into incorporating, admitting small companies, and issuing implementation guidelines. Trusted Computing appears to have fizzled out because Microsoft couldn't get remote attestation to work; the only thing the TPM is used for in Windows Vista is hard disk encryption.
• IP Enforcement: Our top priority in 2003-04 was the EU IPR enforcement directive, which has been succinctly described as DMCA on steroids and criticised by distinguished lawyers. Our lobbying got it amended to remove criminal sanctions for patent infringement and legal protection for devices such as RFID tags. This law was supported by the music industry, the luxury brands, and (initially) Microsoft, while the coalition that we put together to oppose it included the phone companies, the supermarkets, the generic drugmakers, the car parts industry, smaller software firms and the free software community. The press was sceptical &ndash in Britain, France and even America. The issue was even linked to a boycott of Gillette. There is more on my blog.
• This was a watershed in copyright history: the IP lobby was never going to be stopped by fine words, only by another lobby pushing in the other direction, and the Enforcement Directive was when that first came together. It also led to the birth of EDRI, European Digital Rights, a confederation of European digital-rights NGOs, whose establishment was one of FIPR's significant achievements. EDRI's first campaign was against the IP Enforcement Directive; afterwards FIPR and EDRI established a common position on intellectual property. Since then I have given evidence to the Gowers Review of IP and a parliamentary committee on DRM; however the lead UK NGO on IP nowadays is the Open Rights Group.

My pro-bono work also includes sitting on Council, our University's governing body. I stood for election in 2002 because I was concerned about the erosion of academic freedom. See, for example a truly shocking speech by Mike Clark, who tells how our administration promised a research sponsor that he would submit all his relevant papers to them for prior review - without even asking him! To prevent abuses like this, we founded the Campaign for Cambridge Freedoms, and campaigned to defeat a proposal that most of the intellectual property generated by faculty members - from patents on bright ideas to books written up from lecture notes - would belong to the university rather than to its creator. Over almost four years of campaigning we drew many of its teeth. The final vote approved a policy in which academics keep copyright but the University gets 15% of patent royalties.

I got re-elected to Council in 2006, when I topped the poll.

My CV is here.

Finally, here is my PGP key. If I revoke this key, I will always be willing to explain why I have done so provided that the giving of such an explanation is lawful. (For more, see FIPR.)

Security engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves. My book has become the standard textbook and reference since it was published in 2001. You can download the first edition without charge here.

Security engineering is not just concerned with infrastructure matters such as firewalls and PKI. It's also about specific applications, such as banking and medical record-keeping, and about embedded systems such as automatic teller machines and burglar alarms. It's usually done badly: it often takes several attempts to get a design right. It is also hard to learn: although there were good books on a number of the component technologies, such as cryptography and operating systems, there was little about how to use them effectively, and even less about how to make them work together. Most systems don't fail because the mechanisms are weak, but because they're used wrong.

My book was an attempt to help the working engineer to do better. As well as the basic science, it contains details of many applications - and lot of case histories of how their protection failed. It contains a fair amount of new material, as well as accounts of a number of technologies which aren't well described in the accessible literature. Writing it was also pivotal in founding the now-flourishing field of information security economics: I realised that the narrative had to do with incentives and organisation at least as often as with the technology. The second edition incoporates the economic perspectives we've developed over the past six years, and new perspectives from the psychology of security, as well as updating the technological side of things.

More ...

I don't execute programs sent by strangers without good reason. So I don't read attachments in formats such as Word, unless by prior arrangement. I also discard html-only emails, as most of them are spam; and emails asking for "summer research positions" or "internships", which we don't do.

If you're contacting me about coming up to do a PhD, please read the relevant web pages first.