You are here
Tutorial ITASEC 18
Title: Secure and Usable Mobile Identity Management Solutions: a Methodology for their Design and Assessment
Context. The widespread use of digital identities in our everyday life, along with the release of our sensitive data on many online transactions, calls for Identity Management (IdM) solutions that are secure, usable, privacy-aware, and compatible with new technologies, such as mobile and cloud. In general, IdM refers to different aspects of the digital identity lifecycle (e.g., the creation and the provision of identities, password management, multi-factor authentication, and so on). In this tutorial, we use IdM to indicate the aspects related to the authentication (such as 2nd factors and a Single Sign-On experience) and authorization processes in the mobile context.
Tutorial Objectives. We describe a novel methodology for the design and security assessment of mobile IdM solutions. The main goal is to enable the audience to:
- acquire the basic notions underlying IdM;
- provide an overview of national (e.g., SPID for Italy) and European (e.g., eIDAS) laws, regulations and guideline principles that are particularly relevant to digital identity and privacy;
- learn functional and usability requirements that are related to IdM solutions;
- discover the main implementation features that are related to IdM on mobile devices;
- be updated on the state-of-the-art of IdM protocols for mobile apps;
- have an overview of the semi-formal and formal techniques commonly used to analyze a security protocol.
Real Use-Case Scenarios. We will illustrate our methodology on two use-case scenarios:
- TreC (acronym for “Cartella Clinica del Cittadino”) is an ecosystem of services that supports doctors and patients in the health-care management, by enabling all citizens living in the Italian Trentino Region to access, manage and share their own health and wellbeing information through a secure access. Besides the web solution (used by more than 79.000 patients), they are currently developing mobile applications. In this context, we have designed and analyzed the security of a strong authentication mechanism with a single sign-on experience.
- IPZS (acronym for “Istituto Poligrafico e Zecca dello Stato”) is the Italian State Printing Office and Mint. We are involved in a joint lab with IPZS, among various activities, one is to design a strong authentication mechanism that uses the Italian electronic card (CIE 3.0) as second factor.
- IdM Mobile Context
- Problem Statement and Methodology Description
- TreC Scenario
- IPZS Scenario
Intended audience and assumed background of attendees
The tutorial is oriented to academic researchers, (PhD) students, security experts and industries that work on or want to approach the field of Identity Management (IdM). The attendees do not require a specific background on IdM to follow the main part of our tutorial, as our step-by-step teaching approach will enable them to grasp the information presented even if some of the concepts are new or not consolidated. Only a short part about security analysis, to be fully understood, requires a basic knowledge on formal model for security protocol verification.
Duration & Speakers
The tutorial will be presented in 1.5 hours by:
- Silvio Ranise (Security & Trust, FBK-ICT, Trento, Italy - )
- Roberto Carbone (Security & Trust, FBK-ICT, Trento, Italy - )
- Giada Sciarretta (Security & Trust, FBK-ICT, University of Trento, Italy - )
- Andrea De Maria (Istituto Poligrafico e Zecca dello Stato)
G. Sciarretta and A. Armando and R. Carbone and S. Ranise. Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution. Proceedings of the 13th International Joint Conference on e-Business and Telecommunications (ICETE 2016) - Volume 4: SECRYPT, pages 147-158.
G. Sciarretta, R. Carbone and S. Ranise. A delegated authorization solution for smart-city mobile applications. Proceedings of the 2nd International Forum on Research and Technologies for Society and Industry leveraging a better tomorrow (RTSI 2016).
G. Sciarretta, R. Carbone, S. Ranise and A. Armando. Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements. Journal of Computers & Security (COSE 2017).
G. Sciarretta, R. Carbone, S. Ranise and L. Viganò. Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience. To appear in Proceedings of the 7th International Conference on Principles of Security and Trust (POST 2018).