Security & Trust

Legal Compliance

The security-by-design techniques developed by S&T take into account the legal constraints imposed by regulations (e.g., the use of a second factor authentication to access healthcare data) to develop identity solutions that offer the best trade-off between security, privacy, and usability.

S&T works on assessing legal compliance regulations of IT systems with emphasis on privacy restrictions. In this context, S&T has developed automated techniques for checking compliance with respect to the privacy regulations imposed by the EU. This is a first substantial step towards the development of techniques for aligning security (from a technological point of view) and privacy (from a legal point of view) to improve the governance of data and services in the system.

Our focus:

  • Automated compliance checking of legal provisions for privacy
  • Compliance of high-level designs against EU Data Protection Directive (DPD)
  • Porting it to General Data Protection Regulation (GDPR)
  • Data Protection Impact Assessment
  • eIDAS, electronic IDentification, Authentication and trust Services

Related Publications

  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
    In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, complementary material, news)
    Awards: Best paper award
  • Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
    Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
    In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021) (news)
  • Majid Mollaeefar, Alberto Siena, Silvio Ranise
    Multi-Stakeholder Cybersecurity Risk Assessment for Data Protection
    In: 17th International Conference on Security and Cryptography (SECRYPT 2020) (DOI)
  • Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Nicola Zannone
    A Survey on Multi-Factor Authentication for Online Banking in the Wild
    In: Computers & Security Journal (COSE) (DOI, complementary material, news)
  • Salimeh Dashti, Silvio Ranise
    A Tool-assisted Methodology for the Data Protection Impact Assessment
    In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, news)
  • Paolo Guarda, Silvio Ranise, Hari Siswantoro
    Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information Systems
    In: 22nd ACM Symposium on Access Control Models And Technologies (SACMAT 2017) (DOI)
  • Silvio Ranise, Hari Siswantoro
    Automated Legal Compliance Checking by Security Policy Analysis
    In: International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2017) (DOI)
  • Federico Sinigaglia, Gabriele Costa, Roberto Carbone
    Strong Authentication for e-Banking: a Survey on European Regulations and Implementations
    In: 14th International Conference on Security and Cryptography (SECRYPT 2017) (DOI, news)

Related Theses

  • Alessandro Pegoraro (Bachelor's Thesis, University of Trento, 2021)
    Payment Services Directive 2 in the Wild - A comparison between Open Banking UK and NextGenPSD2
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Salvatore Manfredi
  • Salimeh Dashti (PhD Thesis, University of Genoa, 2021)
    An Assisted Methodology to Conduct Data Protection Impact Assessment (link)
    Supervisor: Silvio Ranise
  • Alessio Valenza (Bachelor's Thesis, University of Trento, 2020)
    Autenticazione bancaria post-PSD2: siamo al sicuro? Analisi automatica del rischio di protocolli di autenticazione
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
  • Nadia Metoui (PhD Thesis, University of Trento, 2018)
    Privacy-Aware Risk-Based Access Control Systems (link)
    Supervisor: Alessandro Armando | Co-supervisor: Michele Bezzi
  • Hari Siswantoro (PhD Thesis, 2018)
    Automated Analysis and Synthesis for the Compliance of Privacy and Other Legal Provisions (link)
    Supervisor: Silvio Ranise | Co-supervisor: Alessandro Armando