I'm a cryptography researcher and engineer with 15 years of experience in software engineering and smart (IC) cards. I worked as a developer, researcher, and architect on various chip card and enterprise projects, including identification, payment, public key infrastructure, blockchain, and mobile solutions.

My interests are blockchain, cryptocurrency, and cryptography. Currently, I'm working on crypto wallet challenges, mobile authentication, and payment.

Like all other software engineers, I have experience with several programming languages and platforms. Currently, I code in JavaScript/TypeScript, NodeJS, React, ReactNative, NoSQL, and Firebase combinations for database, server, mobile, and IC chip programming.

Hossein Rezaei

hossein [dot] rezaei [dot] ghaleh [at] gmail [dot] com

It is intentionally long and complex ;-)

Education

PhD in Computer Science

University of Central Florida (Aug 2016 – Dec 2020, Orlando, US)
Thesis: Improving Security of Crypto Wallets in Blockchain Technologies

MSc in Computer Science

University of Central Florida (Aug 2016 – Dec 2017, Orlando, US)

MSc in Software Engineering

QIAU (Sep 2005 – Mar 2008, Iran)
Thesis: PC Secure Bootstrapping

BSc in Hardware Engineering

QIAU (Sep 2001 – Sep 2005, Iran)
Thesis: Efficient Implementation of RSA Cryptography Engine and PKCS#1

Experience

Personalization Script Engineer

CPI Card Group (remote), Mar 2020 – Present, Nashville, US
- Developed personalization system for production lines
- Developed perso scripts for smart (IC) cards
- Created documents and guides for key management and HSMs

Senior Software Engineer

Nuesoft Technologies (remote), May 2017 – Oct 2018, Atlanta, US
- Designed a smart card certificate-as-a-service for authentication

Co-Founder & Chief Technology Officer

PKI Co., Nov 2010 – Aug 2016, Iran
- Designed and implemented PKI (Public Key Infrastructure) systems
- Consulted in HSM for banks and financial institutes
- Designed a desktop card issuing and encoding system
- Designed web and mobile middleware for smart card

Senior Software Engineer

Matiran Co., Feb 2010 – Sep 2012, Iran
- Designed architecture of an ID card issuing system
- Programmed card production machines
- Performed acceptance test in different phases for card production machines

Software Engineer

SG Co., Jun 2005 – Feb 2010, Iran
- Developed a smart card scripting language compatible with ISO-7816 and PC/SC with cryptography libraries
- Programmed various HSM (Hardware Security Module)
- Programmed Java Card chips

Publication

Selected peer-reviewed papers

Projects

Gozar

Gozar is a multi-factor authentication solution on mobile phones. It can be used as the second factor, as the second and third factors, or for password-less biometric authentication. There are other solutions in the market, but Gozar is different. Gozar does not use one-time passwords (OTP) like others. It uses asymmetric cryptography (public key/private key and digital signatures) and employs the smartphone's secure element, a cryptography chip, to store keys and perform cryptographic operations. Gozar combines the secure element with biometric verification to authenticate users. In addition, Gozar provides a feature called "blind authentication," which does not send the usernames outside of the customer system. So, Gozar authenticates a user without knowing the username at all. I developed the Android and iOS apps of this product using ReactNative. I love serverless architecture, so Gozar is developed in NodeJS and served by Google Firebase and a NoSQL database. The dashboard is a React project.

Slap.n.Pay

Slap.n.Pay is a new way to shop online and pay securely and easily. Slap.n.Pay transforms your smartphone into a personal mobile PoS (Point-of-Sale) in your hand. You do not need to enter your credit card number, CVV, and billing address on online websites anymore. Just press the Slap.n.Pay button on the supported online website and pay on your smartphone by tapping your card to your phone. Slap.n.Pay uses NFC technology on your smartphone and credit card to create a convenient way for hassle-free payment. I developed this project with serverless architecture. We created a startup company to raise funds or establish a partnership with a well-known payment company. We also filed a family of patents for this product.

XebaWallet

It is a new secure hardware crypto wallet that supports cryptographic backup and super-wallet/sub-wallet. It was initially my Ph.D. project for 4 years, and you can find its published papers in the publication section. Then, I made it a product and started to create a startup company. I developed the cryptography code for smart (IC) chips using JavaCard technologies. Actually, I wrote micro-controller codes in a Java-like language and compiled them to run on Java Card Runtime Environment (JCRE). I did it on simulation and several real chips from various manufacturers. In this project, I also used ePaper technology as a secure, trusted display on the card. I used ReactNative to create the Android and iOS apps and my crafted native codes for the cryptography part. XebaWallet uses the smartphone NFC antenna to communicate with a smart (IC) chip on a credit card for cryptography. The backup procedure of this project is new and unique. You clone a hardware wallet to another hardware wallet with a crafted cryptography protocol, and no hacker can intercept it. It is very secure and user-friendly since the user does not need a complex paper backup with many words and potential risks to expose.

HyperReader

HyperReader is a new way to use smart cards anytime and anywhere. It transforms the smartphone into an NFC card reader to use ISO/IEC 7816 and 14443 compatible chips. So, a company can use HyperReader to read smart cards like credit cards, ID cards, or travel documents remotely. I developed this product using ReactNative and my native modules to communicate with the NFC antenna and perform cryptographic operations. It provides APIs that a customer uses to run smart (IC) card commands remotely. It gets a JavaScript-like code and runs it as a smart card script on the user's mobile phone! If you know the smart card industry, you know there are a lot of applications for it. ;-)

SmartcardPage

This is a tool to connect web pages to smart cards via JavaScript. This tool works with all ISO7816/14443 and NFC smart cards. smartcardPage is a demo page to demonstrate how to use smartcardBridge. With this utility, you can send APDU commands and receive APDU responses to/from all ISO7816/14443 and NFC smart cards. It also supports jCardSim as a Java Card simulator with a simple REST server. You may use smartcardBridge to share smart cards between different virtual machines (VM) and share a smart card on a network. Since developing a smart (IC) card program is challenging and takes a lot of time and knowledge, many Ph.D. students do not try it. It is very cool and valuable for cryptography researchers studying cryptography, blockchain, payment systems, security dongles, security elements, etc. So, I developed SmartcardPage to make smart card testing easy for Ph.D. students and academic research labs. A student just needs to have a card reader and open this page to communicate with a smart card: https://hosseinpro.github.io/smartcardPage/

TspSign

This is a Java Card Applet implementation as a proof-of-concept of my proposed technique to secure the digital signing process in a smart card. You can find project details in the attached paper in PDF format. I used a proposed method called "one-time scanning" to decode DER and TLV format inside the smart card with limited resources and performance. My test results demonstrate that this new technique works well for a smart card. In this project, you can find decoders for digital certificates, timestamp tokens, and certificate revocation lists (CRL). Actually, you can use the TLV engine to decode every DER-encoded content inside the smart card. You must define a template for your content, and then you can decode it in the card. There are two different versions of the TLV decoder in the source code: TLV and TLV2. The file "TLV.java" is the classic version of the TLV decoder, which is fully dynamic and can decode all DER-encoded content but is slow in the smart card. The file "TLV2.java" is the faster version that uses a one-time scanning technique. I used hard-coded 1024 and 2048 RSA keys to test the proposed protocol, and if you would like real-world keys, you must replace the hard-coded keys with new commands that generate RSA keys on the card.

LedgerNanoS Hack

It is an attempt to reverse engineer the Ledger Nano S, which is the best existing Bitcoin (and other cryptocurrencies) Hardware Wallet in the market. Ledger Live.exe is the desktop application to manage Ledger Nano S. It is an Electron application based on NodeJs. It uses the "node-hid" library to access HID devices. On the other hand, Ledger Nano S has a Secure Element to store the master seed and private keys. This secure element is a smart card chip that communicates using APDU messages. For reverse engineering, Wireshark is enough to monitor USB messages and extract transferred APDUs. Still, if I want to modify them and make a Man-In-The-Middle attack, I need to develop some hacking code, and this project is that! This code uses EasyHook to inject two fake functions into LedgerLive.exe address space, including CreateFileA and WriteFile. CreateFileA opens the HID device, and WriteFile sends USB messages that include APDU to the device. In this hack, I get the HID device handle by injecting my code into the CreateFileA function and modify transferred APDUs by injecting my code into the WriteFile function. As a result, I could intercept APDUs between LedgerLive.exe and Ledger Nano S device and alter them as a Man-In-The-Middle attack. Because LedgerLive.exe is a NodeJs app, it runs inside NodeJs and creates four processes. So, "injectorApp" finds all of them and injects the hack code into them. Still, only the correct one is hacked, by checking the FilePath in the CreateFileA call. You can use this project to experiment with Ledger Nano S and maybe other USB Hardware Wallets.

MinidriverSpy

It is a spyware tool for sniffing a user's PIN and altering its digital signature in a PIV smart card on Microsoft Windows. After compiling the project, you must replace Windows' original 'msclmd.dll' with the compiled DLL of this project with the same name. To test the DLL, you must have a PIV smart card like PIV Key or YubiKey. Use your smart card or token to log in to your Windows or run a program that uses your YubiKey or PIV smart card. When you enter your token's password (PIN), a popup window displays your PIN, which is sniffed by the DLL. A hacker can use the same technique to steal your YubiKey or PIV smart card password. Obviously, I used C++ and low-level Windows operating system functions to develop this project.

Public Key Appliance (PKA)

I developed Public Key Appliance (PKA) in 2010. At that time, running a public key infrastructure was so hard to do. A customer needed multiple servers, Hardware Security Modules (HSM), backup solutions, database servers, special enterprise applications for Certificate Authority, Registration Authority, OCSP Responders, CRL Publishers, etc. So, I created an "appliance" that integrates all required software and hardware parts in one module. Since I used a custom-built Linux operating system with an internal HSM from SafeNet, it was secure and fast. We established a startup company (PKI Co.) based on this product and sold many of them. I also patented PKA in Iran (our target market), winning prizes and startup festivals. My co-founders and I created a talented engineering team, and I left them in 2016 to immigrate to the US. :-|


Thanks to Vasilios Mavroudis for the website template.