Digital Identity Management is a key enabler for the adoption of innovative digital and physical services. It creates identity ecosystem across organization/company boundaries and injects trust (added value for citizens and public and private sectors).
Our focus:
- Formal specification and analysis of IdM protocols covering the entire digital identity lifecycle (enrollment, authentication and authorization)
- Design and risk assessment of access delegation and single sign-on protocols (e.g., OAuth 2.0 and OpenID Connect), multi-factor authentication (e.g., eID cards and FIDO) and remote enrollment procedures
- Automated synthesis of enforcement mechanisms from high-level access control policies
- Pentesting of IdM protocols
- Cryptographic access control
- Security protocols (e.g., TLS)
- Innovative scenarios: e-voting, dematerialization of documents, wallet
Related Publications
-
Amir Sharif, Zahra Ebadi Ansaroudi, Giada Sciarretta, Daniela Pöhn, Majid Mollaeefar, Wolfgang Hommel, Silvio Ranise
Protecting Digital Identity Wallet: A Threat Model in the Age of eIDAS 2.0
In: 19th International Conference on Risks and Security of Internet and Systems (CRiSIS 2024) (news) -
Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Silvio Ranise
Enhancing Security Testing for Identity Management Implementations: Introducing Micro-Id-Gym Language and Micro-Id-Gym Testing Tool
In: IEEE Security & Privacy (DOI, news) -
Marco Pernpruner, Cecilia Pasquini, Giada Sciarretta, Silvio Ranise
Beyond Screens: Investigating Identity Proofing for the Metaverse Through Cross-Device Flows
In: 2nd International Conference on Intelligent Metaverse Technologies & Applications (iMETA2024) (news) -
Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Luca Compagna, Silvio Ranise, Avinash Sudhodanan
CSRFing the SSO Waves: Security Testing of SSO-Based Account Linking Process
In: 9th IEEE European Symposium on Security and Privacy (EUROS&P 2024) (DOI, complementary material) -
Marco Pernpruner, Roberto Carbone, Giada Sciarretta, Silvio Ranise
An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols
In: IEEE Transactions on Dependable and Secure Computing (TDSC), Volume 21, Issue 4, July/August 2024, Pages 1935-1950 (DOI, complementary material, news) -
Luca Verderame, Luca Caviglione, Roberto Carbone, Alessio Merlo
SecCo: Automated Services to Secure Containers in the DevOps Paradigm
In: 2023 International Conference on Research in Adaptive and Convergent Systems (RACS 2023) (DOI) -
Amir Sharif, Francesco Antonio Marino, Giada Sciarretta, Giuseppe De Marco, Roberto Carbone, Silvio Ranise
Cross-Domain Sharing of User Claims: A Design Proposal for OpenID Connect Attribute Authorities
In: 18th International Conference on Availability, Reliability and Security (ARES 2023) (DOI, news) -
Stefano Berlato, Roberto Carbone, Umberto Morelli, Silvio Ranise
End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies
In: Proceedings of the 36th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2022) (DOI, complementary material) -
Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Francesco Antonio Marino, Silvio Ranise
The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes
In: MDPI Journal of Applied Science (APPLSCI) (DOI, complementary material, news) -
Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, complementary material, news)
Awards: Best paper award -
Stefano Berlato, Marco Centenaro, Silvio Ranise
Smart Card-Based Identity Management Protocols for V2V and V2I Communications in CCAM: a Systematic Literature Review
In: IEEE Transactions on Intelligent Transportation Systems (T-ITS) (DOI, news) -
Stefano Berlato, Roberto Carbone, Silvio Ranise
Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment
In: 18th International Conference on Security and Cryptography (SECRYPT 2021) (complementary material, news) -
Andrea Bisegna, Roberto Carbone, Silvio Ranise
Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2021) (DOI) -
Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
In: Journal of Information Security and Applications (JISA) (DOI, news) -
Marco Pernpruner, Giada Sciarretta, Silvio Ranise
A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-Remote Solutions Based on eDocuments
In: 18th International Conference on Security and Cryptography (SECRYPT 2021) (DOI, complementary material) -
Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021) (news) -
Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
Formal Modelling and Automated Trade-Off Analysis of Enforcement Architectures for Cryptographic Access Control in the Cloud
In: ACM Transactions on Privacy and Security (TOPS) (complementary material) -
Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
Exploring Architectures for Cryptographic Access Control Enforcement in the Cloud for Fun and Optimization
In: 15th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2020) (DOI, complementary material, news) -
Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI) -
Sergio Manuel Nóbrega Gonçalves, Alessandro Tomasi, Andrea Bisegna, Giulio Pellizzari, Silvio Ranise
Verifiable Contracting: A Use Case for Onboarding and Contract Offering in Financial Services with eIDAS and Verifiable Credentials
In: 25th European Symposium on Research in Computer Security (DETIPS2020) (DOI) -
Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI, complementary material) -
Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
In: ACM Transactions on Privacy and Security (TOPS) (DOI, complementary material, news) -
Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020) (DOI, complementary material, news) -
Umberto Morelli, Silvio Ranise, Damiano Sartori, Giada Sciarretta, Alessandro Tomasi
Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations
In: 15th International Workshop on Security and Trust Management (STM 2019) (DOI, news) -
Silvio Ranise, Giada Sciarretta, Alessandro Tomasi
Enroll, and authentication will follow: eID-based enrollment for a customized, secure, and frictionless authentication experience
In: 12th International Symposium on Foundations & Practice of Security (FPS 2019) (DOI, news) -
Andrea Bisegna, Roberto Carbone, Ivan Martini, Valentina Odorizzi, Giulio Pellizzari, Silvio Ranise
Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
In: International Journal of Information Security and Cybercrime (IJISP), Volume 8, Issue 1 (DOI) -
Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, complementary material, news) -
Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
In: Principles of Security and Trust (POST 2018) (DOI, news)
Related Theses
-
Marco Pernpruner (PhD Thesis, University of Genoa, 2024)
Integrating Security by Design and Automated Security Analysis for Digital Identity Management (link)
Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta -
Matteo Bitussi (Bachelor's Thesis, University of Trento, 2022)
Declarative Specification of Pentesting Strategies for Browser-based Security Protocols: the Case Studies of SAML and OAuth/OIDC
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Nicola Casagrande (Bachelor's Thesis, University of Trento, 2022)
Dematerialized Documents: The Italian Driving License Use Case
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Tahir Ahmad -
Alessandro Colombo (Bachelor's Thesis, University of Trento, 2022)
Attribute Based Encryption for Advanced Data Protection in IoT with MQTT
Supervisor: Silvio Ranise | Co-supervisors: Stefano Berlato, Roberto Carbone -
Rupert Gobber (Master's Thesis, University of Trento, 2022)
Design and implementation of a verifiable credentials service for a data marketplace
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Alessandro Tomasi -
Martina Vecellio Reane (Bachelor's Thesis, University of Trento, 2022)
Automated Security and Risk Analysis of Remote Identity Proofing Procedures
Supervisor: Silvio Ranise | Co-supervisors: Marco Pernpruner, Giada Sciarretta -
Wendy Barreto (Bachelor's Thesis, University of Trento, 2021)
Design and implementation of an attack pattern language for the automated pentesting of OAuth/OIDC deployments
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Francesco Defilippo (Bachelor's Thesis, University of Trento, 2021)
Attack Patterns for Pentesting SAML 2.0 Web Browser Single Sign-On deployments
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Veronica Cristiano (Master's Thesis, University of Trento, 2021)
Key Management for Cryptographic Enforcement of Access Control Policies in the Cloud: The CryptoAC use case
Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato -
Giuseppe Lamorgese (Bachelor's Thesis, University of Trento, 2021)
Autenticazione password-less con FIDO2: Descrizione del flusso e considerazioni sulla sicurezza
Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta -
Amir Sharif (PhD Thesis, University of Genoa, 2021)
Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations (link)
Supervisor: Roberto Carbone | Co-supervisors: Silvio Ranise, Giada Sciarretta -
Giuseppe Lamorgese (Bachelor's Thesis, University of Trento, 2021)
Autenticazione password-less con FIDO2: Descrizione del flusso e considerazioni sulla sicurezza
Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta -
Leonardo Xompero (Bachelor's Thesis, University of Trento, 2021)
A Survey of Risk-Based Authentication: How features and security actions can be used to mitigate attackers
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner -
Giacomo Zanolli (Bachelor's Thesis, University of Trento, 2021)
FIDO2 Passwordless Authentication: From the basics to an implementation in the context of an authorization system
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner -
Adrien Beaugendre (Master's Thesis, University of Rennes 1 and University of Trento, 2021)
A Flexible Risk Analysis on MuFASA Tool
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner -
Matteo Leonelli (Bachelor's Thesis, University of Trento, 2021)
Open and Cross-platform Ecosystem for Enterprise Services: Secure and Authenticated Access with the use of Italian Identity Cards and FIDO
Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli -
Lorenzo Bellesso (Postgraduate Thesis, University of Genoa, 2021)
Implementazione di una soluzione di generazione e rilascio credenziali in ambito IoT fondata sull'uso della Carta d'Identità Elettronica (CIE)
Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli -
Stefano Facchini (Bachelor's Thesis, University of Trento, 2020)
Design and implementation of an automated tool for checking SAML SSO vulnerabilities and SPID compliance
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Giulio Pellizzari (Master's Thesis, University of Trento, 2020)
Micro-Id-Gym: A Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
A pentesting tool for OAuth and OIDC deployments
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Alessio Valenza (Bachelor's Thesis, University of Trento, 2020)
Autenticazione bancaria post-PSD2: siamo al sicuro? Analisi automatica del rischio di protocolli di autenticazione
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner -
Lorenzo Tait (Bachelor's Thesis, University of Trento, 2019)
A Customized Threat Modeling for Secure Deployment And Pentesting of SAML SSO Solutions
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Stefano Berlato (Master's Thesis, University of Trento, 2019)
A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies
Supervisor: Silvio Ranise | Co-supervisor: Roberto Carbone
Awards: 3rd place at thesis award "Innovare la sicurezza delle informazioni 2020", sponsored by CLUSIT -
Marta Toniolli (Bachelor's Thesis, University of Trento, 2019)
Developing an Android client for user enrollment with CIE 3.0 and distributed ledger interaction: An application to electronic health record access control
Supervisor: Silvio Ranise | Co-supervisor: Alessandro Tomasi -
Luca Morgese (Bachelor's Thesis, University of Trento, 2019)
Designing and Implementing a DLT Based Access Control Mechanism for Healthcare Data - A Proof of Concept
Supervisor: Silvio Ranise | Co-supervisor: Alessandro Tomasi -
Davide Piva (Bachelor's Thesis, University of Trento, 2019)
Assisting Developers in Securing OAuth 2.0 Deployment: Demystifying Threats and Protection Techniques for Bearer Credentials
Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta -
Marco Pernpruner (Master's Thesis, University of Verona, 2019)
A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis
Supervisor: Massimo Merro | Co-supervisors: Giada Sciarretta, Roberto Carbone -
Nadia Metoui (PhD Thesis, University of Trento, 2018)
Privacy-Aware Risk-Based Access Control Systems (link)
Supervisor: Alessandro Armando | Co-supervisor: Michele Bezzi -
Valentina Odorizzi (Bachelor's Thesis, University of Trento, 2018)
Progettazione e sviluppo di uno strumento per l'analisi automatica di vulnerabilità "Missing XML Validation" in SAML SSO
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Ivan Martini (Bachelor's Thesis, University of Trento, 2018)
An automated security testing framework for SAML SSO deployments
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Giulio Pellizzari (Bachelor's Thesis, University of Trento, 2018)
Design and implementation of a tool to detect Login Cross-Site Request Forgery in SAML SSO: G Suite case study
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Giada Sciarretta (PhD Thesis, University of Trento, 2018)
A Methodology for the Design and Security Assessment of Mobile Identity Management: Applications to real-world scenarios (link)
Supervisor: Silvio Ranise | Co-supervisors: Alessandro Armando, Roberto Carbone -
Daniele Del Sale (Bachelor's Thesis, University of Trento, 2018)
Procedure di autenticazione multi-fattore basate su push notification: Analisi dello stato dell'arte e specifica delle best-practice per un'implementazione sicura
Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta -
Damiano Sartori (Bachelor's Thesis, University of Trento, 2018)
Attribute Based Access Control over a Hyperledger Fabric Network: An application for Electronic Health Records
Supervisor: Silvio Ranise | Co-supervisors: Umberto Morelli, Alessandro Tomasi -
Avinash Sudhodanan (PhD Thesis, University of Trento, 2017)
Black-Box Security Testing of Browser-Based Security Protocols (link)
Supervisor: Alessandro Armando | Co-supervisors: Roberto Carbone, Luca Compagna