In the last decade, digital identity has become central to many security-related solutions and use-case scenarios in which users need to prove their identity (along with some related data), or in which it must be established which specific device(s) have been used in a particular context. Historically speaking, digital identity is not (so) new: organizations, governments, and enterprises have long used custom solutions to perform user identification and authentication, so digital identity initially evolved in isolated environments. In the last decade, with the increasing need to make frameworks interoperable or even to build digital identity systems for entire nations from scratch, the term has come into wide use, sometimes in various forms, like electronic identity, identity management, or (simply) eID. Nowadays, centralized or decentralized frameworks are deployed in federated environments to ease users’ access to national-level services or in cross-country scenarios. In Europe, several government-backed national eID systems are already in place to support citizens’ authentication and identification with national eID credentials, like smart cards or mobile solutions. These eID systems are even interconnected through higher-level infrastructures and follow well-defined regulations, like the eIDAS regulation in Europe. At the same time, widely used platforms like Google, Microsoft, Amazon, or Facebook implement digital identity technologies to support access to their own products or to incorporate them into federated services. Lastly, the so-called self-sovereign identity or decentralized identity model, leveraging blockchain and distributed ledger technology, aims to provide better privacy features and put users in control of their identities via digital wallets. This identity model would allow identity holders to create and control their attributes through verifiable credentials without the intervention of an intermediate or centralized administrative authority.
This course will present the main concepts and terms related to digital identities, the types of digital identity architectures in use across the globe, and the protocols used, such as SAML or OpenID Connect/OAuth 2.0. Next, it will discuss the security features of such architectures, including the identifiers used and the protocols adopted for data protection. In particular, privacy is one of the main concerns when deploying or operating a digital identity infrastructure, especially in countries where strict regulations exist for data protection, like the GDPR. Specific lectures will thus address not only the technical issues but also the rules and technologies adopted for privacy protection.
Digital identity concerns not only humans (persons) but, increasingly, objects, embedded systems, or (generally) “things”. In critical scenarios, like military, financial, or critical infrastructures, it is important to identify the systems involved in the operational flows while protecting the data. Many devices carry some form of identification provided by the manufacturer. However, additional cryptographic devices, keys, and techniques, such as Trusted Platform Modules (TPMs) together with trusted computing and remote attestation techniques, are needed to build a useful identity. Specific lectures will cover the basics of trusted computing, confidential computing, and specifications useful for device identity in embedded systems or network nodes equipped with crypto devices capable of protecting sensitive data (like cryptographic keys).
Lectures will be supported with slides and demonstrations of real cases supporting eID technologies and regulations, related research papers, and relevant standards and specifications defined in this area.
Basic knowledge of computer networks and protocols, e.g. HTTP and DNS protocols
Background on computer and network security concepts:
- main cryptography definitions and their applications, e.g., digital signatures
- digital certificates, Public Key Infrastructures (PKIs), common security protocols (TLS protocol)
- authentication and authorization
• Electronic/digital identities, identifiers, and identity models
• Trust models in digital identity infrastructures
• Analysis of protocols and architectures in the area of digital identities, such as OAuth, OpenID Connect, and zero trust
• Decentralized identity: concepts and implementations
• Privacy issues in digital identity infrastructures
• Interoperability and user experience related to digital identities
• Authentication methods, such as passwordless (including FIDO2 passkeys)
• Mobile aspects of digital identity and smartphone identity wallets
• Privacy-enhancing technologies for identity management
• Case studies in secure implementation of identity management solutions
• Trusted computing techniques, confidential computing
• Specifications supporting secure electronic identities on small platforms, like MARS (Measurement and Attestation RootS) or DICE (Device Identifier Composition Engine)
Mixed mode
Oral presentation - Multiple choice test - Written report presentation - Team project work development