You are here

Tutorial ITASEC 18

Secure and Usable Mobile Identity Management Solutions: a Methodology for their Design and Assessment

Abstract

Context. The widespread use of digital identities in our everyday life, along with the release of our sensitive data on many online transactions, calls for Identity Management (IdM) solutions that are secure, usable, privacy-aware, and compatible with new technologies, such as mobile and cloud. In general, IdM refers to different aspects of the digital identity lifecycle (e.g., the creation and the provision of identities, password management, multi-factor authentication, and so on). In this tutorial, we use IdM to indicate the aspects related to the authentication (such as 2nd factors and a Single Sign-On experience) and authorization processes in the mobile context.

Tutorial Objectives. We describe a novel methodology for the design and security assessment of mobile IdM solutions. The main goal is to enable the audience to:

  • acquire the basic notions underlying IdM;
  • provide an overview of national (e.g., SPID for Italy) and European (e.g., eIDAS) laws, regulations and guideline principles that are particularly relevant to digital identity and privacy;
  • learn functional and usability requirements that are related to IdM solutions;
  • discover the main implementation features that are related to IdM on mobile devices;
  • be updated on the state-of-the-art of IdM protocols for mobile apps;
  • have an overview of the semi-formal and formal techniques commonly used to analyze a security protocol.

Real Use-Case Scenarios. We will illustrate our methodology on two use-case scenarios:

  • TreC (acronym for “Cartella Clinica del Cittadino”) is an ecosystem of services that supports doctors and patients in the health-care management, by enabling all citizens living in the Italian Trentino Region to access, manage and share their own health and wellbeing information through a secure access. Besides the web solution (used by more than 79.000 patients), they are currently developing mobile applications. In this context, we have designed and analyzed the security of a strong authentication mechanism with a single sign-on experience.
  • IPZS (acronym for “Istituto Poligrafico Zecca dello Stato”) is the Italian State Printing Office and Mint. We are involved in a joint lab with IPSZ, among various activities, one is to design a strong authentication mechanism that uses the Italian electronic card (CIE 3.0) as second factor.

Outline

  • IdM Mobile Context and Problem statement
  • TreC Scenario
  • Methodology Description
  • Design of TreC Solution: requirements, protocol flow, implementation, security assessment
  • TreC Demo
  • IPZS: scenario and demo

Intended audience and assumed background of attendees

The tutorial is oriented to academic researchers, (PhD) students, security experts and industries that work on or want to approach the field of Identity Management (IdM). The attendees do not require a specific background on IdM to follow the main part of our tutorial, as our step-by-step teaching approach will enable them to grasp the information presented even if some of the concepts are new or not consolidated. Only a short part about security analysis, to be fully understood, requires a basic knowledge on formal model for security protocol verification.

 


Duration & Speakers

The tutorial will be presented in 1.5 hours by:

  • Silvio Ranise (Security & Trust, FBK-ICT, Trento, Italy -
  • Roberto Carbone (Security & Trust, FBK-ICT, Trento, Italy -
  • Giada Sciarretta (Security & Trust, FBK-ICT, University of Trento, Italy -
  • A member of IPZS