The course introduces the basic notions underlying the various aspects of digital identity management, with a focus on a security-by-design approach complemented by automated formal analysis techniques for security. First, it is explained why identity is the building block of any security strategy for current and future applications and services. Then, the phases of the life cycle of digital identities are explained and the main security issues of each phase are highlighted, together with the interdependencies among the design and implementation choices made in the various phases. Finally, solutions for enrollment and authentication are described together with their threat models and the most important mitigation techniques. Throughout the course, the security goals and the security analysis problems are formalized so that automated analysis techniques based on constraint solving and model checking can be used to assist designers in the various phases of development. Digital identity management solutions taken from the real world are used to illustrate the notions and techniques.
Period:
- March 20, 22, 24, 27, 29, 31 (from 10:00 to 12:00 and from 14:00 to 16:00, CEST)
- April 3 (from 10:00 to 12:00, CEST)
- June 15, 22 (from 10:00 to 12:00, CEST)
Duration: 30 hours
Location: University of Trento and remotely (the link will be communicated to the registered students)
Schools: University of Trento - Mathematics Doctoral Programme, University of Trento - IECS Doctoral School, University of Genova - PhD Program in Security, Risk and Vulnerability
Assessment Method: small project or seminar about relevant literature
Seminars and Hands-on
- Marco Pernpruner
  Hands-on on MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols
- Andrea Bisegna, Eleonora Marchesini
  Hands-on on MicroID-Gym: A Flexible Tool for Pentesting Identity Management Protocols
- Alessandro Tomasi
  Selective Disclosure and Revocation Mechanisms
- Andrea Flamini
  Zero Knowledge Proof and Signature-based Selective Disclosure Signatures
- Stefano Berlato
  CryptoAC: Cryptographic Access Control Scheme
- Salvatore Manfredi, Matteo Rizzi
  Hands-on on TLSAssistant: TLS analyzers with a report system that suggests mitigations
- Cecilia Pasquini
  Security in Artificial Intelligence
Related Publications
- Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
  Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
  In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2020) (DOI)
- Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
  Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
  In: ACM Transactions on Privacy and Security (TOPS) (DOI, complementary material, news)
- Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
  The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
  In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020) (DOI, complementary material, news)
- Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Silvio Ranise
  MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols
  In: Emerging Technologies for Authorization and Authentication (ETAA 2019) (DOI, complementary material, news)