Security & Trust

Secure and Usable Mobile Identity Management Solutions: a Methodology for their Design and Assessment

Tutorial at ITASEC 2018

Abstract

Context. The widespread use of digital identities in our everyday life, along with the release of our sensitive data on many online transactions, calls for Identity Management (IdM) solutions that are secure, usable, privacy-aware, and compatible with new technologies, such as mobile and cloud. In general, IdM refers to different aspects of the digital identity lifecycle (e.g., the creation and the provision of identities, password management, multi-factor authentication, and so on). In this tutorial, we use IdM to indicate the aspects related to the authentication (such as 2nd factors and a Single Sign-On experience) and authorization processes in the mobile context.

Tutorial Objectives. We describe a novel methodology for the design and security assessment of mobile IdM solutions. The main goal is to enable the audience to:

  • acquire the basic notions underlying IdM;
  • provide an overview of national (e.g., SPID for Italy) and European (e.g., eIDAS) laws, regulations and guideline principles that are particularly relevant to digital identity and privacy;
  • learn functional and usability requirements that are related to IdM solutions;
  • discover the main implementation features that are related to IdM on mobile devices;
  • be updated on the state-of-the-art of IdM protocols for mobile apps;
  • have an overview of the semi-formal and formal techniques commonly used to analyze a security protocol.

Real Use-Case Scenarios. We will illustrate our methodology on two use-case scenarios:

  • TreC (acronym for “Cartella Clinica del Cittadino”) is an ecosystem of services that supports doctors and patients in the health-care management, by enabling all citizens living in the Italian Trentino Region to access, manage and share their own health and wellbeing information through a secure access. Besides the web solution (used by more than 79.000 patients), they are currently developing mobile applications. In this context, we have designed and analyzed the security of a strong authentication mechanism with a single sign-on experience.
  • IPZS (acronym for “Istituto Poligrafico e Zecca dello Stato”) is the Italian State Printing Office and Mint. We are involved in a joint lab with IPZS, among various activities, one is to design a strong authentication mechanism that uses the Italian electronic card (CIE 3.0) as second factor.

Outline

  • IdM Mobile Context
  • Problem Statement and Methodology Description
  • TreC Scenario
  • IPZS Scenario
  • Conclusions
  • References

Intended audience and assumed background of attendees

The tutorial is oriented to academic researchers, (PhD) students, security experts and industries that work on or want to approach the field of Identity Management (IdM). The attendees do not require a specific background on IdM to follow the main part of our tutorial, as our step-by-step teaching approach will enable them to grasp the information presented even if some of the concepts are new or not consolidated. Only a short part about security analysis, to be fully understood, requires a basic knowledge on formal model for security protocol verification.

Duration & Speakers

The tutorial will be presented in 1.5 hours by:

  • Silvio Ranise (Security & Trust, FBK-ICT, Trento, Italy - ranise@fbk.eu )
  • Roberto Carbone (Security & Trust, FBK-ICT, Trento, Italy - carbone@fbk.eu )
  • Giada Sciarretta (Security & Trust, FBK-ICT, University of Trento, Italy - giada.sciarretta@fbk.eu )
  • Andrea De Maria (Istituto Poligrafico e Zecca dello Stato)

Slides

Related Publications

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
    Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
    In: Principles of Security and Trust (POST 2018) (DOI, news)
  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Alessandro Armando
    Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
    In: Computers & Security Journal (COSE), Volume 71, November 2017, Pages 71-86 (DOI)
  • Giada Sciarretta, Roberto Carbone, Silvio Ranise
    A delegated authorization solution for smart-city mobile applications
    In: 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016) (DOI)
  • Giada Sciarretta, Alessandro Armando, Roberto Carbone, Silvio Ranise
    Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution
    In: 13th International Conference on Security and Cryptography (SECRYPT 2016) (DOI, news)

Involved People

Giada Sciarretta

Giada Sciarretta

Roberto Carbone

Roberto Carbone

Silvio Ranise

Silvio Ranise