Michael Roland

  • Dr.
  • PostDoc Position at Johannes Kepler University of Linz

About

74
Publications
78,655
Reads
611
Citations
Current institution
Johannes Kepler University of Linz
Current position
  • PostDoc Position
Additional affiliations
May 2018 - present
Johannes Kepler University of Linz
Position
  • PostDoc Position
September 2009 - April 2018
University of Applied Sciences Upper Austria
Position
  • PostDoc Position

Publications (74)
Chapter
While real-time face recognition has become increasingly popular, its use in decentralized systems and on embedded hardware presents numerous challenges. One challenge is the trade-off between accuracy and inference-time on constrained hardware resources. While achieving higher accuracy is desirable, it comes at the cost of longer inference-time. W...
Chapter
Current mobile app distribution systems use (asymmetric) digital signatures to ensure integrity and authenticity for their apps. However, there are realistic threat models under which trust in such signatures is compromised. One example is an unconsciously leaked signing key that allows an attacker to distribute malicious updates to an existing app...
Article
Full-text available
Abstract: Requirements for data protection and information security, but also for data currency and simplification, are driving a continuous trend toward cross-platform ID systems for the digital world. These are typically federated single sign-on solutions from large international corporations such as Apple, Facebook, and Google. The...
Article
Full-text available
Biometrics are one of the most privacy-sensitive data. Ubiquitous authentication systems with a focus on privacy favor decentralized approaches as they reduce potential attack vectors, both on a technical and organizational level. The gold standard is to let the user be in control of where their own data is stored, which consequently leads to a hig...
Preprint
Full-text available
Biometrics are one of the most privacy-sensitive data. Ubiquitous authentication systems with a focus on privacy favor decentralized approaches as they reduce potential attack vectors, both on a technical and organizational level. The gold standard is to let the user be in control of where their own data is stored, which consequently leads to a hig...
Conference Paper
Full-text available
This work proposes a modular automation toolchain to analyze current state and over-time changes of reproducibility of build artifacts derived from the Android Open Source Project (AOSP). While perfect bit-by-bit equality of binary artifacts would be a desirable goal to permit independent verification if binary build artifacts really are the result...
Article
Full-text available
Digital identity documents provide several key benefits over physical ones. They can be created more easily, incur less costs, improve usability and can be updated if necessary. However, the deployment of digital identity systems does come with several challenges regarding both security and privacy of personal information. In this paper, we highlig...
Chapter
Debiting money "in passing", reading out or copying cards by briefly placing a smartphone on them, eavesdropping on transactions from a distance: all of these are frequently cited attack scenarios in connection with Near Field Communication (NFC) payments. But do these scenarios pose a serious security risk? Are there further critical...
Article
Full-text available
In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future access to services and applications. This type of interaction can make authentication schemes challenging in terms of secur...
Conference Paper
Full-text available
Every distributed system needs some way to list its current participants. The Tor network’s consensus is one way of tackling this challenge. But creating a shared list of participants and their properties without a central authority is a challenging task, especially if the system is constantly targeted by state level attackers. This work carefully...
Conference Paper
Full-text available
Tor onion services are a challenging research topic because they were designed to reveal as little metadata as possible which makes it difficult to collect information about them. In order to improve and extend privacy protecting technologies, it is important to understand how they are used in real world scenarios. We discuss the difficulties assoc...
Conference Paper
Full-text available
Most state-of-the-art face detection algorithms are usually trained with full-face pictures, without any occlusions. The first novel contribution of this paper is an analysis of the accuracy of three off-the-shelf face detection algorithms (MTCNN, Retinaface, and DLIB) on occluded faces. In order to determine the importance of different facial part...
Conference Paper
Full-text available
Tor onion services utilize the Tor network to enable incoming connections on a device without disclosing its network location. Decentralized systems with extended privacy requirements like metadata-avoiding messengers typically rely on onion services. However, a long-lived onion service address can itself be abused as identifying metadata. Replacin...
Conference Paper
Full-text available
Token-based authentication is usually applied to enable single-sign-on on the web. In current authentication schemes, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future accesses to various services and applications. This type of intera...
Article
Full-text available
Providing methods to anonymously validate user identity is essential in many applications of electronic identity (eID) systems. A feasible approach to realize such a privacy-preserving eID is the usage of group signature protocols or pseudonym-based signatures. However, providing a revocation mechanism that preserves privacy is often the bottleneck...
Technical Report
Full-text available
Contact tracing is one of the main approaches widely proposed for dealing with the current, global SARS-CoV-2 crisis. As manual contact tracing is error-prone and doesn't scale, tools for automated contact tracing, mainly through smart phones, are being developed and tested. While their effectiveness – also in terms of potentially replacing other, mo...
Poster
Full-text available
How can we use digital identity for authentication in the physical world without compromising user privacy? Enabling individuals to – for example – use public transport and other payment/ticketing applications, access computing resources on public terminals, or even cross country borders without carrying any form of physical identity document or tr...
Chapter
Full-text available
There is a broad range of existing electronic identity (eID) systems which provide methods to sign documents or authenticate to online services (e.g. governmental eIDs, FIDO). However, these solutions mainly focus on the validation of an identity to a web page. That is, they often miss proper techniques to use them as regular ID cards to digitally...
Conference Paper
Full-text available
Providing methods to anonymously validate the user's identity is essential in many applications of electronic identity (eID) systems. A feasible approach to realize such a privacy-preserving eID is the usage of group signature protocols or pseudonym-based signatures. However, providing a revocation mechanism that preserves privacy is often the bott...
Conference Paper
Full-text available
There is a broad range of existing electronic identity (eID) systems which provide methods to sign documents or authenticate to online services (e.g. governmental eIDs, FIDO). However, these solutions mainly focus on the validation of an identity to a web page. That is, they often miss proper techniques to use them as regular ID cards to digitally...
Article
Full-text available
Traditional authentication methods (e.g., password, PIN) often do not scale well to the context of mobile devices in terms of security and usability. However, the adoption of Near Field Communication (NFC) on a broad range of smartphones enables the use of NFC-enabled tokens as an additional authentication factor. This additional factor can help to...
Conference Paper
Full-text available
There are many systems that provide users with an electronic identity (eID) to sign documents or authenticate to online services (e.g. governmental eIDs, OpenID). However, current solutions lack in providing proper techniques to use them as regular ID cards that digitally authenticate their holders to another physical person in the real world. We e...
Technical Report
Full-text available
This report summarizes our findings regarding a severe weakness in implementations of the Open Mobile API deployed on several Android devices. The vulnerability allows arbitrary code coming from a specially crafted Android application package (APK) to be injected into and executed by the smartcard system service component (the middleware component...
Technical Report
Full-text available
This report gives an overview of secure element integration into Android devices. It focuses on the Open Mobile API as an open interface to access secure elements from Android applications. The overall architecture of the Open Mobile API is described and current Android devices are analyzed with regard to the availability of this API. Moreover, thi...
Article
Full-text available
Purpose – The usage of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing, or mobile digital identities, has continuously risen in recent years. This development makes the protection of personal and security sensitive data on mobile devices more important than ever. Design/methodol...
Technical Report
Full-text available
This report summarizes the results of our evaluation of antennas of contactless and dual interface smartcards and our ideas for user-switchable NFC antennas. We show how to disassemble smartcards with contactless capabilities in order to obtain the bare chip module and the bare antenna wire. We examine the design of various smartcard antennas and p...
Chapter
One of the major application scenarios of Near Field Communication (NFC) is tagging, where simply tapping an object with an NFC device immediately triggers an action. In the case of out-of-band pairing, for example, after scanning a connection handover tag with an NFC-enabled mobile phone, the phone immediately establishes a link based on the infor...
Chapter
This chapter introduces various practical use-case scenarios of Near Field Communication (NFC). These use-cases are then transformed into more general scenarios. Based on the generalized use-cases, security aspects of NFC applications are identified.
Chapter
This chapter provides an analysis of Google Wallet and shows how the software-based relay attack scenario can be applied to it.
Chapter
While tagging is the most widely supported application scenario of Near Field Communication (NFC), card emulation is the mode that is expected to have the highest commercial impact. The reason is that, in card emulation mode, an NFC device can interact with existing contactless smartcard readers as if it were a contactless smartcard. Contactless sm...
Chapter
This chapter summarizes basic concepts of smartcards, Near Field Communication (NFC) and payment cards. Moreover, it gives an overview of various protocols and standards that are necessary to understand the operational details of NFC applications.
Chapter
There have been several research activities focused on the security and privacy of Near Field Communication (NFC) and its underlying Radio Frequency Identification (RFID) technologies during the last couple of years. As a first step towards assessing the current status of NFC security and privacy, this chapter collects preceding research results an...
Book
This work provides an assessment of the current state of near field communication (NFC) security, it reports on new attack scenarios, and offers concepts and solutions to overcome any unresolved issues. The work describes application-specific security aspects of NFC based on exemplary use-case scenarios and uses these to focus on the interaction wi...
Conference Paper
Full-text available
With the increasing popularity of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing, or mobile digital identities, challenges for the protection of personal and security sensitive data of these use cases emerged. A common approach for the protection of sensitive data is to use ad...
Article
Full-text available
Purpose – The purpose of this paper is to address the design, implementation, performance and limitations of an environment that emulates a secure element for rapid prototyping and debugging. Today, it is difficult for developers to get access to a near field communication (NFC)-secure element in current smartphones. Moreover, the security constrai...
Conference Paper
Full-text available
Creating Java Card applications for Near Field Communication's card emulation mode requires access to a secure smartcard chip (the secure element). Today, even for development purposes, it is difficult to get access to the secure element in most current smart phones. Therefore, it would be useful to have an environment that emulates a secure elemen...
Conference Paper
Full-text available
Insufficient security and privacy on mobile devices have made it difficult to utilize sensitive systems like mobile banking, mobile credit cards, mobile ticketing or mobile passports. Solving these challenges in security and privacy could result in better mobility and a higher level of confidence for the end-user services in such systems. Our appr...
Conference Paper
Full-text available
The ecosystem behind secure elements is complex and prevents average developers from creating secure element applications. In this paper we introduce concepts to overcome these issues. We develop two scenarios for open platforms emulating a secure element for the Android platform. Such an open emulator can be used for debugging and rapid prototypin...
Article
Full-text available
This paper highlights the benefits and drawbacks of NFC's different operating modes with regard to their usability and security. Based on an analysis of both traditional and new communication concepts for mobile NFC devices, their current availability and, specifically, the features to provide security are evaluated. The result of this evaluation i...
Conference Paper
Full-text available
Recent roll-outs of contactless payment infrastructures – particularly in Austria and Germany – have raised concerns about the security of contactless payment cards and Near Field Communication (NFC). There are well-known attack scenarios like relay attacks and skimming of credit card numbers. However, banks and credit card schemes often mitigate the...
Conference Paper
Full-text available
The recent emergence of Near Field Communication (NFC) enabled smart phones resulted in an increasing interest in NFC security. Several new attack scenarios, using NFC devices either as attack platform or as device under attack, have been discovered. One of them is the software-based relay attack. In this paper we evaluate the feasibility of the so...
Thesis
The recent emergence of Near Field Communication (NFC) enabled smart phones led to an increasing interest in NFC technology and its applications by equipment manufacturers, service providers, developers, and end-users. Nevertheless, frequent media reports about security and privacy issues of electronic passports, contactless credit cards, asset tr...
Technical Report
Full-text available
This report explains recent developments in relay attacks on contactless smartcards and secure elements. It further reveals how these relay attacks can be applied to the Google Wallet. Finally, it gives an overview of the components and results of a successful attempt to relay an EMV Mag-Stripe transaction between a Google Wallet device and an exte...
Conference Paper
Full-text available
Software card emulation is a new approach to advance the interoperability of NFC with legacy contactless smartcard systems. It has been first introduced to NFC-enabled mobile phones by Research In Motion (RIM) on their BlackBerry platform. Software card emulation aims at opening and simplifying the complex and tightly controlled card emulation func...
Conference Paper
Full-text available
Near Field Communication's card emulation mode is a way to combine smartcards with a mobile phone. Relay attack scenarios are well-known for contactless smartcards. In the past, relay attacks have only been considered for the case, where an attacker has physical proximity to an NFC-enabled mobile phone. However, a mobile phone introduces a signific...
Conference Paper
Full-text available
Near Field Communication's card emulation mode is a way to put virtual smart cards into mobile phones. A recently launched application is Google Wallet. Google Wallet turns a phone into a credit card, a prepaid card and a tool to collect gift certificates and discounts. Card emulation mode uses dedicated smart card chips, which are considered to fu...
Conference Paper
Full-text available
The NFC Forum has released a first candidate for their Signature Record Type Definition. This specification adds digital signatures to the NFC Data Exchange Format (NDEF), which is a standardized format for storing formatted data on NFC (Near Field Communication) tags and for transporting data across peer-to-peer links between NFC devices. With a...
Chapter
Full-text available
Motivation: Motor vehicle use is continuously increasing. While this has a positive effect on the economy and the mobility of the population, the increased operation of motor vehicles leads to rising energy and raw material consumption and to increasing environmental pollution. These problems are being addressed by technologi...
Chapter
Full-text available
NFC – Near Field Communication – is a contactless transmission technology that is to be integrated into mobile phones in the future. The transmission distances are a few centimeters. With an NFC phone, contactless smartcards can be read and written. At the same time, the NFC device can also emulate contactless smartcards in order to...
Chapter
This chapter gives an overview of the most important applications of NFC technology. The integration of contactless technology into mobile devices enables a multitude of novel applications. All of these applications stand out for being particularly easy to use. For paying, ordering, and retrieving information, the user must...
Chapter
This chapter explains the methods and specifications for over-the-air (OTA) management of Near Field Communication technology. Through OTA management, applications (applets) in the secure element, as well as applications on the NFC device, are installed, personalized, and deleted. Through the OTA manager, service providers can ... their applications...
Chapter
This chapter gives an overview of the Near Field Communication (NFC) transmission standard. It begins with an introduction to the standardization activities. It then considers the interplay of existing standards and protocols with the further specifications of the NFC Forum. The individual communication modes, as well as the...
Chapter
Through the further specification work in the NFC Forum, Near Field Communication today is much more than just a transmission technology. Uniform formats for data exchange between two NFC devices and between NFC devices and other RFID components enable cross-vendor compatibility of the various NFC applications.
Chapter
This chapter presents the two contactless smartcard systems MIFARE and FeliCa.
Chapter
Chapter 7 (Architecture of Mobile NFC Devices) already gave a brief overview of Java ME and the programming interfaces for NFC. This chapter gives a deeper insight into programming with the Java ME APIs for NFC devices. In particular, JSR 177 (for access to secure elements), JSR 257 (for contactless comm...
Chapter
Smartcard technology is a central component of Near Field Communication. On the one hand, contactless smartcard systems form the basis of Near Field Communication. On the other hand, especially in GSM mobile phones, many security-critical tasks are handled with the help of smartcards, e.g. the SIM card (Subscriber Identity Module).
Chapter
In combination with mobile phones and other mobile devices, Near Field Communication is taking on an increasingly important role. NFC simplifies various tasks, such as setting up Bluetooth and WLAN connections, entering Internet URLs, and purchasing tickets. NFC mobile phones can also, for a variety...
Chapter
This chapter gives an overview of the physical and technical fundamentals of Near Field Communication. It describes the transmission mechanisms via the magnetic field, the different types of modulation and coding, and the transmission of data.
Chapter
This book is aimed at students, engineers, the technically interested, and anyone who would like to learn more about NFC and NFC applications. It gives a comprehensive overview of the fundamentals, technology, and applications of this new technology. We have tried to present the subject matter as practically as possible through examples. In this way we want to...
Conference Paper
Full-text available
The NFC Data Exchange Format (NDEF) is a standardized format for storing formatted data on NFC (Near Field Communication) tags and for transporting data across a peer-to-peer NFC link. Through NDEF and its various record types, events can be triggered on an NFC device by simply touching an NFC-enabled object. The number of use cases and real applic...
Article
Full-text available
The underlying paper and investigations deal with the main functionality and physical parameters of contactless smartcard and NFC (Near Field Communication) devices. The specific need of impedance matching for reader devices is pointed out in particular, as the correct matching represents a major performance indicator of the system. Therefore, in a...
Thesis
Full-text available
RFID (Radio Frequency Identification) and NFC (Near Field Communication) are wireless data transmission technologies. They are used for the communication with smart cards and mobile devices. Smart cards, NFC devices and their applications are subject to continuous development. The improvement of these technologies and the development of new applica...
Conference Paper
Full-text available
The Single Wire Protocol (SWP, ETSI TS 102 613) is intended as direct interface between a mobile phone's SIM card (UICC) and the mobile phone's contactless front-end (CLF). The SWP's final technical specification has just been released. The first devices implementing this communication protocol, mainly in its draft versions, are already in producti...
Conference Paper
Full-text available
This paper deals with the concept, the implementation and the verification of an automatic impedance matching circuit for NFC antennas with a frequency of 13.56 MHz. Besides an introduction to manual tuning and its issues, the fundamental components of an automatic tuning system are outlined. A lab-scaled prototype is built and demonstrated. In the...
Thesis
Full-text available
This essay deals with the work during my internship at NXP Semiconductors. At first this essay gives an insight into the company, Radio Frequency Identification (RFID) and Near Field Communication (NFC). After an introduction to manual impedance matching of antennas to NFC-ICs it finally shows how the hardware and the software of an Automatic-Tuni...
Thesis
Full-text available
This bachelor's thesis deals with the structure and the usage of the USB Mass Storage Class. Moreover it introduces drafts for using the USB Mass Storage Class with Atmel's AVR AT90USB1287 microcontroller. At first this document gives a brief overview of the structure and the functionality of the Universal Serial Bus. Secondly the USB Mass Storage...