Advanced Authentication Techniques Not available
Description: Standard authentication methods, frequently relying only on passwords, are extremely vulnerable to many attacks that can compromise the overall security of the infrastructure. For this reason, innovative technologies are being studied and gradually adopted to strengthen authentication processes, especially in sensitive contexts such as Public Administration, online banking and eHealth. Among these new techniques, step-up authentication and risk-based authentication are extremely important, since they manage to adjust the strength of the authentication process according to the sensitivity of the requested resources and the risks connected with behavioral or contextual aspects, respectively. The main goal of this internship is to study these advanced authentication techniques both from a theoretical and practical perspective.
Supervisors: Marco Pernpruner (mpernpruner@fbk.eu), Giada Sciarretta (giada.sciarretta@fbk.eu)
Prerequisites: No prerequisites needed.
Attack patterns for Identity Management protocols Available
Description: Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Facebook and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose to define attack patterns for assessing the security of IdM implementations. This activity can include the implementation of a plugin.
Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Level: The core task should be achievable by a BSc student; additional goals are available for MSc students.
Prerequisites: Preferably basic knowledge of Java.
Attribute Provisioning and Verifiable Credentials Available
Description: The most widespread identity management solutions are based on a centralized identity and federated ecosystem (e.g., SAML 2.0 and OpenID Connect). We are interested in exploring the viability for alternative systems that let users generate on-demand identities containing strictly necessary information, by aggregating validated identity attributes from different attribute authorities via the use of Verifiable Credentials. The main goal of this internship is to study the functionalities of different Verifiable Credential libraries to develop a prototype solution.
Supervisors: Giada Sciarretta (giada.sciarretta@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)
Prerequisites: Experience of Android development.
Design and Development of Automated Test Cases for Java Program Available
Description: Software testing is a crucial step in the software engineering process. The automation of the execution of test cases enhances the effectiveness of software testing and the quality of the code. In this internship, the System Under Test is a Java program developed in the context of secure data storage in the Cloud. The program, named CryptoAC, implements a state-of-the-art Access Control enforcement that combines cryptography and access control to protect sensitive data stored in the Cloud. CryptoAC is accessible through a web interface and RESTful APIs. The goal of this internship is to design and develop a suite of test cases for CryptoAC.
Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Prerequisites: Experience of Java development, English proficiency.
Enhancing TLSAssistant analysis capabilities Available
Description: TLSAssistant is an open-source testing tool designed to help administrators in securing and verifying their TLS deployment. By combining state-of-the-art analysis tools with a report system able to provide actionable security hints (e.g., guiding the mitigation process), it can drastically decrease the amount of time required to resolve a wide set of issues. Being in the process of refactoring its code, the main goal of this internship is to extend its capabilities by implementing additional modules able to increase the amount of available checks or to provide new ways to aggregate and share its results.
Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Giada Sciarretta (giada.sciarretta@fbk.eu)
Time frame: Starting from March 2021
Prerequisites: Experience of Python development and knowledge of the TLS protocol.
Exploring security compliance in FinTech scenarios Not available
Description: FinTech (contraction for financial technology) is a label that applies to all the financial services provided using digital technologies, it ranges from mobile payments to insurance, from crowd-funding to cryptocurrencies. Due to the highly sensitive nature of the FinTec transactions, it is mandatory to provide and abide by standards that can keep the entire ecosystem secure; two of them are PSD2 and PCI-DSS. The PSD2 requires Account Servicing Payment Service Providers (i.e. banks) to allow third parties to access the customer payment account. PCI-DSS is an industry standard created to ensure that all companies that process credit card information maintain a secure environment. While the currently used version (v3.2.1) has been published in 2018, PCI-DSS 4 will be completed in Q2 2021 and will bring several changes to an already existing and widely deployed standard. The main goal of this internship is to review the related documentation and to identify TLS-related checks, (eventually) leading to their implementation.
Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Giada Sciarretta (giada.sciarretta@fbk.eu)
Prerequisites: No prerequisites needed.
FIDO2 Authentication Infrastructure Not available
Description: FIDO2 is a cutting-edge standard providing a strong and passwordless authentication experience, by letting users leverage both physical authenticators (such as USB, NFC or BLE security keys) and platform authenticators (such as PINs or fingerprints registered on a smartphone) to properly authenticate. The most important feature of the FIDO2 standard is its reliance on a public-key infrastructure, so that no secret information is ever sent through the network. The main goal of this internship is to develop an infrastructure (composed of both an Android application and Java servlets) that implements the FIDO2 standard, thus investigating the security aspects needed to build a strong authentication environment.
Supervisors: Marco Pernpruner (mpernpruner@fbk.eu), Giada Sciarretta (giada.sciarretta@fbk.eu)
Prerequisites: Experience of Android and Java development.
Improving TLSAssistant webserver coverage Available
Description: TLSAssistant is an open-source testing tool designed to help administrators in securing and verifying their TLS deployment. By combining state-of-the-art analysis tools with a report system able to provide actionable security hints (e.g., guiding the mitigation process), it can drastically decrease the amount of time required to resolve a wide set of issues when using Apache or nginx HTTP server. The main goal of this internship is to increase the set of supported webservers by replicating the vulnerable systems and writing the set of mitigations that will guide the users.
Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Giada Sciarretta (giada.sciarretta@fbk.eu)
Level: BSc
Prerequisites: Experience of OS virtualization, experience of Unix shell usage (Bash suggested) and knowledge of the TLS protocol.
Innovative Scenarios for the Electronic Identity Card Available
Description: The Italian electronic identity card (CIE 3.0) can be exploited as an authentication mean, thanks to its capability to communicate via NFC (Near Field Communication) protocols and the cryptographic capabilities it is equipped with. We are interested in exploring further scenarios, such as the use of CIE 3.0 as an advanced electronic signature (FEA), pursuant to Article 64 and 65 of the Codice d’Amministrazione Digitale (CAD) legislation or the evolution of the authentication scheme by integrating innovative protocols (e.g., OpenID Connect and FIDO2).
Supervisors: Giada Sciarretta (giada.sciarretta@fbk.eu)
Time frame: Starting from July 2021
Prerequisites: Experience of Android development.
Training challenges for Capture-the-Flag Available
Description: Capture the Flag (CtF) competitions are fun competitions for cybersecurity learners and enthusiasts, regularly run for participants to test their skills. Many write-ups and samples are available in public archives (https://ctftime.org/). Much effort is expended by experts to train participants, both to work individually and as a team. We would like to offer some cryptographic challenges for our local node trainees, by setting up challenge containers (docker) and preparing training material. The implementation would also be very good practice for prospective participants.
Supervisors: Alessandro Tomasi (altomasi@fbk.eu)
Time frame: January - March 2021, preferably.
Level: The core task should be achievable by a BSc student; additional goals are available for MSc students.
Prerequisites: Basic notions of cybersecurity are necessary. Expertise in cryptography would be very useful, as would familiarity with web servers and docker.