Description:

Standard authentication methods, frequently relying only on passwords, are extremely vulnerable to many attacks that can compromise the overall security of the infrastructure. For this reason, innovative technologies are being studied and gradually adopted to strengthen authentication processes, especially in sensitive contexts such as Public Administration, online banking and eHealth. Among these new techniques, step-up authentication and risk-based authentication are extremely important, since they manage to adjust the strength of the authentication process according to the sensitivity of the requested resources and the risks connected with behavioral or contextual aspects, respectively. The main goal of this internship is to study these advanced authentication techniques both from a theoretical and practical perspective.

Description:

Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Facebook and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose to define attack patterns for assessing the security of IdM implementations. This activity can include the implementation of a plugin.

Description:

The most widespread identity management solutions are based on a centralized identity and federated ecosystem (e.g., SAML 2.0 and OpenID Connect). We are interested in exploring the viability for alternative systems that let users generate on-demand identities containing strictly necessary information, by aggregating validated identity attributes from different attribute authorities via the use of Verifiable Credentials. The main goal of this internship is to study the functionalities of different Verifiable Credential libraries to develop a prototype solution.

Description:

Software testing is a crucial step in the software engineering process. The automation of the execution of test cases enhances the effectiveness of software testing and the quality of the code. In this internship, the System Under Test is a Java program developed in the context of secure data storage in the Cloud. The program, named CryptoAC, implements a state-of-the-art Access Control enforcement that combines cryptography and access control to protect sensitive data stored in the Cloud. CryptoAC is accessible through a web interface and RESTful APIs. The goal of this internship is to design and develop a suite of test cases for CryptoAC.

Description:

TLSAssistant is an open-source testing tool designed to help administrators in securing and verifying their TLS deployment. By combining state-of-the-art analysis tools with a report system able to provide actionable security hints (e.g., guiding the mitigation process), it can drastically decrease the amount of time required to resolve a wide set of issues. Being in the process of refactoring its code, the main goal of this internship is to extend its capabilities by implementing additional modules able to increase the amount of available checks or to provide new ways to aggregate and share its results.

Description:

FinTech (contraction for financial technology) is a label that applies to all the financial services provided using digital technologies, it ranges from mobile payments to insurance, from crowd-funding to cryptocurrencies. Due to the highly sensitive nature of the FinTec transactions, it is mandatory to provide and abide by standards that can keep the entire ecosystem secure; two of them are PSD2 and PCI-DSS. The PSD2 requires Account Servicing Payment Service Providers (i.e. banks) to allow third parties to access the customer payment account. PCI-DSS is an industry standard created to ensure that all companies that process credit card information maintain a secure environment. While the currently used version (v3.2.1) has been published in 2018, PCI-DSS 4 will be completed in Q2 2021 and will bring several changes to an already existing and widely deployed standard. The main goal of this internship is to review the related documentation and to identify TLS-related checks, (eventually) leading to their implementation.

Description:

FIDO2 is a cutting-edge standard providing a strong and passwordless authentication experience, by letting users leverage both physical authenticators (such as USB, NFC or BLE security keys) and platform authenticators (such as PINs or fingerprints registered on a smartphone) to properly authenticate. The most important feature of the FIDO2 standard is its reliance on a public-key infrastructure, so that no secret information is ever sent through the network. The main goal of this internship is to develop an infrastructure (composed of both an Android application and Java servlets) that implements the FIDO2 standard, thus investigating the security aspects needed to build a strong authentication environment.

Description:

TLSAssistant is an open-source testing tool designed to help administrators in securing and verifying their TLS deployment. By combining state-of-the-art analysis tools with a report system able to provide actionable security hints (e.g., guiding the mitigation process), it can drastically decrease the amount of time required to resolve a wide set of issues when using Apache or nginx HTTP server. The main goal of this internship is to increase the set of supported webservers by replicating the vulnerable systems and writing the set of mitigations that will guide the users.

Description:

The Italian electronic identity card (CIE 3.0) can be exploited as an authentication mean, thanks to its capability to communicate via NFC (Near Field Communication) protocols and the cryptographic capabilities it is equipped with. We are interested in exploring further scenarios, such as the use of CIE 3.0 as an advanced electronic signature (FEA), pursuant to Article 64 and 65 of the Codice d’Amministrazione Digitale (CAD) legislation or the evolution of the authentication scheme by integrating innovative protocols (e.g., OpenID Connect and FIDO2).

Description:

Capture the Flag (CtF) competitions are fun competitions for cybersecurity learners and enthusiasts, regularly run for participants to test their skills. Many write-ups and samples are available in public archives (https://ctftime.org/). Much effort is expended by experts to train participants, both to work individually and as a team. We would like to offer some cryptographic challenges for our local node trainees, by setting up challenge containers (docker) and preparing training material. The implementation would also be very good practice for prospective participants.