Digital Identity Management is a key enabler for the adoption of innovative digital and physical services. It creates an identity ecosystem that spans organization and company boundaries and injects trust into it, adding value for citizens and for the public and private sectors.
Our focus:
- Formal specification and analysis of IdM protocols covering the entire digital identity lifecycle (enrollment, authentication and authorization)
- Design and risk assessment of access delegation and single sign-on protocols (e.g., OAuth 2.0 and OpenID Connect), multi-factor authentication (e.g., eID cards and FIDO) and remote enrollment procedures
- Automated synthesis of enforcement mechanisms from high-level access control policies
- Pentesting of IdM protocols
- Cryptographic access control
- Security protocols (e.g., TLS)
- Innovative scenarios: e-voting, dematerialization of documents, digital identity wallets
Related Publications
- Amir Sharif, Zahra Ebadi Ansaroudi, Giada Sciarretta, Daniela Pöhn, Majid Mollaeefar, Wolfgang Hommel, Silvio Ranise
  Protecting Digital Identity Wallet: A Threat Model in the Age of eIDAS 2.0
  In: 19th International Conference on Risks and Security of Internet and Systems (CRiSIS 2024) (news)
- Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Silvio Ranise
  Enhancing Security Testing for Identity Management Implementations: Introducing Micro-Id-Gym Language and Micro-Id-Gym Testing Tool
  In: IEEE Security & Privacy (DOI, news)
- Marco Pernpruner, Cecilia Pasquini, Giada Sciarretta, Silvio Ranise
  Beyond Screens: Investigating Identity Proofing for the Metaverse Through Cross-Device Flows
  In: 2nd International Conference on Intelligent Metaverse Technologies & Applications (iMETA 2024) (news)
- Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Luca Compagna, Silvio Ranise, Avinash Sudhodanan
  CSRFing the SSO Waves: Security Testing of SSO-Based Account Linking Process
  In: 9th IEEE European Symposium on Security and Privacy (EuroS&P 2024) (DOI, complementary material)
- Marco Pernpruner, Roberto Carbone, Giada Sciarretta, Silvio Ranise
  An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols
  In: IEEE Transactions on Dependable and Secure Computing (TDSC), Volume 21, Issue 4, July/August 2024, Pages 1935-1950 (DOI, complementary material, news)
- Luca Verderame, Luca Caviglione, Roberto Carbone, Alessio Merlo
  SecCo: Automated Services to Secure Containers in the DevOps Paradigm
  In: 2023 International Conference on Research in Adaptive and Convergent Systems (RACS 2023) (DOI)
- Amir Sharif, Francesco Antonio Marino, Giada Sciarretta, Giuseppe De Marco, Roberto Carbone, Silvio Ranise
  Cross-Domain Sharing of User Claims: A Design Proposal for OpenID Connect Attribute Authorities
  In: 18th International Conference on Availability, Reliability and Security (ARES 2023) (DOI, news)
- Stefano Berlato, Roberto Carbone, Umberto Morelli, Silvio Ranise
  End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies
  In: Proceedings of the 36th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2022) (DOI, complementary material)
- Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Francesco Antonio Marino, Silvio Ranise
  The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes
  In: MDPI Applied Sciences (APPLSCI) (DOI, complementary material, news)
- Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
  SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
  In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2022) (DOI, complementary material, news)
- Stefano Berlato, Marco Centenaro, Silvio Ranise
  Smart Card-Based Identity Management Protocols for V2V and V2I Communications in CCAM: a Systematic Literature Review
  In: IEEE Transactions on Intelligent Transportation Systems (T-ITS) (DOI, news)
- Stefano Berlato, Roberto Carbone, Silvio Ranise
  Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment
  In: 18th International Conference on Security and Cryptography (SECRYPT 2021) (complementary material, news)
- Andrea Bisegna, Roberto Carbone, Silvio Ranise
  Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
  In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2021) (DOI)
- Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
  Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
  In: Journal of Information Security and Applications (JISA) (DOI, news)
- Marco Pernpruner, Giada Sciarretta, Silvio Ranise
  A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-Remote Solutions Based on eDocuments
  In: 18th International Conference on Security and Cryptography (SECRYPT 2021) (DOI, complementary material)
- Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
  Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
  In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021) (news)
- Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
  Formal Modelling and Automated Trade-Off Analysis of Enforcement Architectures for Cryptographic Access Control in the Cloud
  In: ACM Transactions on Privacy and Security (TOPS) (complementary material)
- Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
  Exploring Architectures for Cryptographic Access Control Enforcement in the Cloud for Fun and Optimization
  In: 15th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2020) (DOI, complementary material, news)
- Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
  Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
  In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2020) (DOI)
- Sergio Manuel Nóbrega Gonçalves, Alessandro Tomasi, Andrea Bisegna, Giulio Pellizzari, Silvio Ranise
  Verifiable Contracting: A Use Case for Onboarding and Contract Offering in Financial Services with eIDAS and Verifiable Credentials
  In: 25th European Symposium on Research in Computer Security (DETIPS 2020) (DOI)
- Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
  Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
  In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2020) (DOI, complementary material)
- Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
  Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
  In: ACM Transactions on Privacy and Security (TOPS) (DOI, complementary material, news)
- Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
  The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
  In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020) (DOI, complementary material, news)
- Umberto Morelli, Silvio Ranise, Damiano Sartori, Giada Sciarretta, Alessandro Tomasi
  Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations
  In: 15th International Workshop on Security and Trust Management (STM 2019) (DOI, news)
- Silvio Ranise, Giada Sciarretta, Alessandro Tomasi
  Enroll, and authentication will follow: eID-based enrollment for a customized, secure, and frictionless authentication experience
  In: 12th International Symposium on Foundations & Practice of Security (FPS 2019) (DOI, news)
- Andrea Bisegna, Roberto Carbone, Ivan Martini, Valentina Odorizzi, Giulio Pellizzari, Silvio Ranise
  Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
  In: International Journal of Information Security and Cybercrime (IJISP), Volume 8, Issue 1 (DOI)
- Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
  A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
  In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, complementary material, news)
- Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
  Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
  In: Principles of Security and Trust (POST 2018) (DOI, news)
Related Theses
- Marco Pernpruner (PhD Thesis, University of Genoa, 2024)
  Integrating Security by Design and Automated Security Analysis for Digital Identity Management (link)
  Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
- Matteo Bitussi (Bachelor's Thesis, University of Trento, 2022)
  Declarative Specification of Pentesting Strategies for Browser-based Security Protocols: the Case Studies of SAML and OAuth/OIDC
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Nicola Casagrande (Bachelor's Thesis, University of Trento, 2022)
  Dematerialized Documents: The Italian Driving License Use Case
  Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Tahir Ahmad
- Alessandro Colombo (Bachelor's Thesis, University of Trento, 2022)
  Attribute Based Encryption for Advanced Data Protection in IoT with MQTT
  Supervisor: Silvio Ranise | Co-supervisors: Stefano Berlato, Roberto Carbone
- Rupert Gobber (Master's Thesis, University of Trento, 2022)
  Design and implementation of a verifiable credentials service for a data marketplace
  Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Alessandro Tomasi
- Martina Vecellio Reane (Bachelor's Thesis, University of Trento, 2022)
  Automated Security and Risk Analysis of Remote Identity Proofing Procedures
  Supervisor: Silvio Ranise | Co-supervisors: Marco Pernpruner, Giada Sciarretta
- Wendy Barreto (Bachelor's Thesis, University of Trento, 2021)
  Design and implementation of an attack pattern language for the automated pentesting of OAuth/OIDC deployments
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Francesco Defilippo (Bachelor's Thesis, University of Trento, 2021)
  Attack Patterns for Pentesting SAML 2.0 Web Browser Single Sign-On deployments
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Veronica Cristiano (Master's Thesis, University of Trento, 2021)
  Key Management for Cryptographic Enforcement of Access Control Policies in the Cloud: The CryptoAC use case
  Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
- Giuseppe Lamorgese (Bachelor's Thesis, University of Trento, 2021)
  Password-less Authentication with FIDO2: Flow Description and Security Considerations (original title: Autenticazione password-less con FIDO2: Descrizione del flusso e considerazioni sulla sicurezza)
  Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
- Amir Sharif (PhD Thesis, University of Genoa, 2021)
  Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations (link)
  Supervisor: Roberto Carbone | Co-supervisors: Silvio Ranise, Giada Sciarretta
- Leonardo Xompero (Bachelor's Thesis, University of Trento, 2021)
  A Survey of Risk-Based Authentication: How features and security actions can be used to mitigate attackers
  Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
- Giacomo Zanolli (Bachelor's Thesis, University of Trento, 2021)
  FIDO2 Passwordless Authentication: From the basics to an implementation in the context of an authorization system
  Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
- Adrien Beaugendre (Master's Thesis, University of Rennes 1 and University of Trento, 2021)
  A Flexible Risk Analysis on MuFASA Tool
  Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
- Matteo Leonelli (Bachelor's Thesis, University of Trento, 2021)
  Open and Cross-platform Ecosystem for Enterprise Services: Secure and Authenticated Access with the use of Italian Identity Cards and FIDO
  Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli
- Lorenzo Bellesso (Postgraduate Thesis, University of Genoa, 2021)
  Implementation of a Credential Generation and Issuance Solution for IoT Based on the Italian Electronic Identity Card (CIE) (original title: Implementazione di una soluzione di generazione e rilascio credenziali in ambito IoT fondata sull'uso della Carta d'Identità Elettronica (CIE))
  Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli
- Stefano Facchini (Bachelor's Thesis, University of Trento, 2020)
  Design and implementation of an automated tool for checking SAML SSO vulnerabilities and SPID compliance
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Giulio Pellizzari (Master's Thesis, University of Trento, 2020)
  Micro-Id-Gym: A Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
  A pentesting tool for OAuth and OIDC deployments
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Alessio Valenza (Bachelor's Thesis, University of Trento, 2020)
  Post-PSD2 Banking Authentication: Are We Safe? Automated Risk Analysis of Authentication Protocols (original title: Autenticazione bancaria post-PSD2: siamo al sicuro? Analisi automatica del rischio di protocolli di autenticazione)
  Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
- Lorenzo Tait (Bachelor's Thesis, University of Trento, 2019)
  A Customized Threat Modeling for Secure Deployment and Pentesting of SAML SSO Solutions
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Stefano Berlato (Master's Thesis, University of Trento, 2019)
  A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies
  Supervisor: Silvio Ranise | Co-supervisor: Roberto Carbone
  Awards: 3rd place at the thesis award "Innovare la sicurezza delle informazioni 2020", sponsored by CLUSIT
- Marta Toniolli (Bachelor's Thesis, University of Trento, 2019)
  Developing an Android client for user enrollment with CIE 3.0 and distributed ledger interaction: An application to electronic health record access control
  Supervisor: Silvio Ranise | Co-supervisor: Alessandro Tomasi
- Luca Morgese (Bachelor's Thesis, University of Trento, 2019)
  Designing and Implementing a DLT Based Access Control Mechanism for Healthcare Data - A Proof of Concept
  Supervisor: Silvio Ranise | Co-supervisor: Alessandro Tomasi
- Davide Piva (Bachelor's Thesis, University of Trento, 2019)
  Assisting Developers in Securing OAuth 2.0 Deployment: Demystifying Threats and Protection Techniques for Bearer Credentials
  Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
- Marco Pernpruner (Master's Thesis, University of Verona, 2019)
  A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis
  Supervisor: Massimo Merro | Co-supervisors: Giada Sciarretta, Roberto Carbone
- Nadia Metoui (PhD Thesis, University of Trento, 2018)
  Privacy-Aware Risk-Based Access Control Systems (link)
  Supervisor: Alessandro Armando | Co-supervisor: Michele Bezzi
- Valentina Odorizzi (Bachelor's Thesis, University of Trento, 2018)
  Design and Development of a Tool for the Automated Analysis of "Missing XML Validation" Vulnerabilities in SAML SSO (original title: Progettazione e sviluppo di uno strumento per l'analisi automatica di vulnerabilità "Missing XML Validation" in SAML SSO)
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Ivan Martini (Bachelor's Thesis, University of Trento, 2018)
  An automated security testing framework for SAML SSO deployments
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Giulio Pellizzari (Bachelor's Thesis, University of Trento, 2018)
  Design and implementation of a tool to detect Login Cross-Site Request Forgery in SAML SSO: G Suite case study
  Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
- Giada Sciarretta (PhD Thesis, University of Trento, 2018)
  A Methodology for the Design and Security Assessment of Mobile Identity Management: Applications to real-world scenarios (link)
  Supervisor: Silvio Ranise | Co-supervisors: Alessandro Armando, Roberto Carbone
- Daniele Del Sale (Bachelor's Thesis, University of Trento, 2018)
  Push Notification-Based Multi-Factor Authentication Procedures: State-of-the-Art Analysis and Best-Practice Specification for a Secure Implementation (original title: Procedure di autenticazione multi-fattore basate su push notification: Analisi dello stato dell'arte e specifica delle best-practice per un'implementazione sicura)
  Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
- Damiano Sartori (Bachelor's Thesis, University of Trento, 2018)
  Attribute Based Access Control over a Hyperledger Fabric Network: An application for Electronic Health Records
  Supervisor: Silvio Ranise | Co-supervisors: Umberto Morelli, Alessandro Tomasi
- Avinash Sudhodanan (PhD Thesis, University of Trento, 2017)
  Black-Box Security Testing of Browser-Based Security Protocols (link)
  Supervisor: Alessandro Armando | Co-supervisors: Roberto Carbone, Luca Compagna