The course introduces the basic notions underlying the various aspects of digital identity management, with a focus on a security-by-design approach complemented by automated formal analysis techniques for security. First, it explains why identity is the building block of any security strategy for current and future applications and services. Then, the phases of the digital identity life cycle are explained and the main security issues are highlighted. The interdependencies among the design and implementation choices made in the various phases are also discussed. Finally, solutions for enrollment and authentication are described together with their threat models and the most important mitigation techniques. Throughout the topics, the security goals and the security analysis problems are formalized so that automated analysis techniques based on constraint solving and model checking can assist designers in the various phases of development. Real-world digital identity management solutions are used to illustrate the notions and techniques.
Period: July 12th – July 16th, 2021
Duration: 20 hours (5 half-days)
Location: online course (the link will be communicated to the registered students)
Schools: University of Trento - Mathematics Doctoral Programme, University of Genova - PhD Program in Security, Risk and Vulnerability
Assessment Method: small project or oral presentation of relevant literature
Syllabus
The course is divided into two parts. Part 1 introduces the basic notions underlying the various aspects of digital identity management, while Part 2 describes the methodology developed in our unit for the automated security analysis of identity management solutions.
Part 1: Introduction to Identity Management
- Overview of the course
- Basics on Identity Management
  - Digital identity lifecycle (enrollment, authentication, authorization)
  - Assurance levels
  - Passwordless authentication
  - Multi-factor authentication
  - Single Sign-On (SAML, OIDC)
- Focus on two Identity Management standards
  - A standard for SSO and Access Delegation: OAuth 2.0/OIDC
  - A standard for passwordless authentication: FIDO2
- Security issues of SSO protocols at design and implementation level (security-by-design examples, wrong implementation choices)
- Digital identity solutions for legal provisioning (eIDAS, SPID, CIE 3.0, PSD2)
- Digital identity solutions for (legal) contract signing (electronic signatures, attribute provisioning)
- Distributed identity (self-sovereign identity - DID)
Part 2: Our methodology and tools
- Our methodology for the design, development, and maintenance of IdM solutions
- Use case scenarios level (MuFASA - a tool for high-level specification and analysis of multi-factor authentication)
- Cryptographic protocol level - part 1
- Cryptographic protocol level - part 2 (SATMC - a SAT-based Model-Checker for security protocols)
- Implementations level - part 1 (MicroID Gym - an identity management workout with container-based microservices)
- Implementations level - part 2 (TLSAssistant - a tool for the analysis of TLS configuration with a report system that suggests appropriate mitigations)
Related Publications
- Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
  Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
  In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020)
- Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
  Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
  In: ACM Transactions on Privacy and Security (TOPS)
- Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
  The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
  In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020)
- Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Silvio Ranise
  MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols
  In: Emerging Technologies for Authorization and Authentication (ETAA 2019)