Roberto Carbone - Academia.edu (original) (raw)
Papers by Roberto Carbone
ACM transactions on privacy and security, Jun 6, 2020
Lecture Notes in Computer Science, 2020
In recent years, the usage of online services (e.g., banking) has considerably increased. To prot... more In recent years, the usage of online services (e.g., banking) has considerably increased. To protect the sensitive resources managed by these services against attackers, Multi-Factor Authentication (MFA) has been widely adopted. To date, a variety of MFA protocols have been implemented, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA protocols, but their influence on existing MFA implementations remains unclear.
Applied Sciences
The eIDAS regulation aims to provide an interoperable European framework to enable EU citizens to... more The eIDAS regulation aims to provide an interoperable European framework to enable EU citizens to authenticate and communicate with services of other Member States by using their national electronic identity. While a number of high-level requirements (e.g., related to privacy and security) are established to make interoperability among Member States possible, the eIDAS regulation does not explicitly specify the technologies that can be adopted during the development phase to meet the requirements as mentioned earlier. To the best of our knowledge, there is no work available in the literature investigating the technological trends within the notified eIDAS electronic identity schemes used by Member States. To fill this gap, this paper analyzes how the different technological trends of notified schemes satisfy the requirements of the eIDAS regulation. To do this, we define a set of research questions that allow us to investigate the correlations between different design dimensions suc...
ACM Transactions on Privacy and Security, 2020
Over the last few years, there has been an almost exponential increase in the number of mobile ap... more Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and th...
ACM Transactions on Privacy and Security, 2020
Over the last few years, there has been an almost exponential increase in the number of mobile ap... more Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and th...
Proceedings of the 17th International Conference on Availability, Reliability and Security
Journal of Information Security and Applications
Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures, 2020
Over the last few years, there has been an almost exponential increase of the number of mobile ap... more Over the last few years, there has been an almost exponential increase of the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many different such solutions are available, but they usually cover the scenario of a user accessing web applications on their laptops, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis th...
2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017
International Journal of Information Security and Cybercrime, 2019
Identity Management (IdM) solutions are increasingly important for building trust in current and ... more Identity Management (IdM) solutions are increasingly important for building trust in current and future digital ecosystems. Unfortunately, not only their secure deployment but even their usage are non-trivial activities that require a good level of security awareness. For this, we introduce Micro-Id-Gym, an easy to configure training environment in which users can develop hands-on experiences on how IdM solutions work and better understand the underlying security issues.
Lecture Notes in Computer Science, 2017
In this paper we present PolEnA, an extension of the Android Security Framework (ASF). PolEnA ena... more In this paper we present PolEnA, an extension of the Android Security Framework (ASF). PolEnA enables a number of features that are not currently provided by the ASF. Among them, PolEnA allows for the definition of fine-grained security policies and their dynamic verification. The runtime enforcement of the policies is supported by a state-of-the-art SAT solver. One of the main features of our approach is the low invasiveness as it does not require modifications to the operating system.
Data and Applications Security and Privacy XXXV, 2021
Together with the electrification of vehicles, the provision of cooperative, connected, and autom... more Together with the electrification of vehicles, the provision of cooperative, connected, and automated mobility (CCAM) services is a prominent recent trend in the automotive sector. Upcoming car models will be able to exchange messages between themselves and with road traffic authorities by means of vehicle-to-everything (V2X) communication – in particular, leveraging mobile network technologies for the so-called cellular V2X (C-V2X) paradigm [1]. Moreover, (part of) such exchanged messages will be processed as a whole in, e.g., edge computing servers, in order to generate a global vision of the state of a given road stretch. CCAM services will exploit vehicular information transport and processing to implement complex maneuvers in a (semi)automatic manner by interacting with the in-car network. The undeniable benefits of CCAM services should be coupled with their security, though. Proper protection mechanisms of V2X communication as well as of edge processing must be put in place wi...
Lecture Notes in Computer Science, 2021
Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, 2017
IEEE Vehicular Technology Magazine, 2021
2020 IEEE 3rd 5G World Forum (5GWF), 2020
The increasing demand for cooperative, connected, and automated mobility (CCAM) services should p... more The increasing demand for cooperative, connected, and automated mobility (CCAM) services should proceed at the same pace with the enforcement of security mechanisms that would make CCAM services secure. The first contribution of this paper resides in a review of the ongoing regulatory and standardization activities related to cybersecurity of autonomous vehicles. Then, referring to the ongoing piloting activities funded by the European Union, we focus on the security threats for back-situation awareness (BSA), i.e., a safety-related CCAM service dealing with emergency scenarios. We propose a practical strong authentication method for BSA, and extensively discuss how existing standards can mitigate the security threats of this prominent CCAM service.
2021 IEEE International Conference on Smart Data Services (SMDS), 2021
Providing seamless connectivity and services across national borders are intricate challenges wit... more Providing seamless connectivity and services across national borders are intricate challenges with multifarious underlying aspects, ranging from the network management to business and political considerations. Since the cross-border inter-Public Land Mobile Network (PLMN) network handover is currently not available in European cellular networks, we present a complementary approach, diminishing the connectivity gap to a minimum. By leveraging Distributed Ledger Technology (DLT), we establish a dynamic, secure data exchange and management solution between several Mobile Network Operators (MNOs) of different countries. Systematically integrating foreign cell and base station parameter (i.e., Radio Access Network (RAN) data) of border regions into the internal network management systems permits their usage in standardized Mobility Management procedures. We demonstrate that this type of collaboration on the inter-MNO network governance considerably improves the network quality and customer experience when crossing national borders. Since foreign RAN data is also required for the inter-PLMN network handover (and can serve many additional purposes) and provided that our solution is not relying on any specific mobile network technology generation (e.g., 4G or 5G), we conclude that it is a fundamental step towards an inter-MNO ecosystem beyond 5G.
ACM transactions on privacy and security, Jun 6, 2020
Lecture Notes in Computer Science, 2020
In recent years, the usage of online services (e.g., banking) has considerably increased. To prot... more In recent years, the usage of online services (e.g., banking) has considerably increased. To protect the sensitive resources managed by these services against attackers, Multi-Factor Authentication (MFA) has been widely adopted. To date, a variety of MFA protocols have been implemented, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA protocols, but their influence on existing MFA implementations remains unclear.
Applied Sciences
The eIDAS regulation aims to provide an interoperable European framework to enable EU citizens to... more The eIDAS regulation aims to provide an interoperable European framework to enable EU citizens to authenticate and communicate with services of other Member States by using their national electronic identity. While a number of high-level requirements (e.g., related to privacy and security) are established to make interoperability among Member States possible, the eIDAS regulation does not explicitly specify the technologies that can be adopted during the development phase to meet the requirements as mentioned earlier. To the best of our knowledge, there is no work available in the literature investigating the technological trends within the notified eIDAS electronic identity schemes used by Member States. To fill this gap, this paper analyzes how the different technological trends of notified schemes satisfy the requirements of the eIDAS regulation. To do this, we define a set of research questions that allow us to investigate the correlations between different design dimensions suc...
ACM Transactions on Privacy and Security, 2020
Over the last few years, there has been an almost exponential increase in the number of mobile ap... more Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and th...
ACM Transactions on Privacy and Security, 2020
Over the last few years, there has been an almost exponential increase in the number of mobile ap... more Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and th...
Proceedings of the 17th International Conference on Availability, Reliability and Security
Journal of Information Security and Applications
Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures, 2020
Over the last few years, there has been an almost exponential increase of the number of mobile ap... more Over the last few years, there has been an almost exponential increase of the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many different such solutions are available, but they usually cover the scenario of a user accessing web applications on their laptops, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis th...
2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017
International Journal of Information Security and Cybercrime, 2019
Identity Management (IdM) solutions are increasingly important for building trust in current and ... more Identity Management (IdM) solutions are increasingly important for building trust in current and future digital ecosystems. Unfortunately, not only their secure deployment but even their usage are non-trivial activities that require a good level of security awareness. For this, we introduce Micro-Id-Gym, an easy to configure training environment in which users can develop hands-on experiences on how IdM solutions work and better understand the underlying security issues.
Lecture Notes in Computer Science, 2017
In this paper we present PolEnA, an extension of the Android Security Framework (ASF). PolEnA ena... more In this paper we present PolEnA, an extension of the Android Security Framework (ASF). PolEnA enables a number of features that are not currently provided by the ASF. Among them, PolEnA allows for the definition of fine-grained security policies and their dynamic verification. The runtime enforcement of the policies is supported by a state-of-the-art SAT solver. One of the main features of our approach is the low invasiveness as it does not require modifications to the operating system.
Data and Applications Security and Privacy XXXV, 2021
Together with the electrification of vehicles, the provision of cooperative, connected, and autom... more Together with the electrification of vehicles, the provision of cooperative, connected, and automated mobility (CCAM) services is a prominent recent trend in the automotive sector. Upcoming car models will be able to exchange messages between themselves and with road traffic authorities by means of vehicle-to-everything (V2X) communication – in particular, leveraging mobile network technologies for the so-called cellular V2X (C-V2X) paradigm [1]. Moreover, (part of) such exchanged messages will be processed as a whole in, e.g., edge computing servers, in order to generate a global vision of the state of a given road stretch. CCAM services will exploit vehicular information transport and processing to implement complex maneuvers in a (semi)automatic manner by interacting with the in-car network. The undeniable benefits of CCAM services should be coupled with their security, though. Proper protection mechanisms of V2X communication as well as of edge processing must be put in place wi...
Lecture Notes in Computer Science, 2021
Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, 2017
IEEE Vehicular Technology Magazine, 2021
2020 IEEE 3rd 5G World Forum (5GWF), 2020
The increasing demand for cooperative, connected, and automated mobility (CCAM) services should p... more The increasing demand for cooperative, connected, and automated mobility (CCAM) services should proceed at the same pace with the enforcement of security mechanisms that would make CCAM services secure. The first contribution of this paper resides in a review of the ongoing regulatory and standardization activities related to cybersecurity of autonomous vehicles. Then, referring to the ongoing piloting activities funded by the European Union, we focus on the security threats for back-situation awareness (BSA), i.e., a safety-related CCAM service dealing with emergency scenarios. We propose a practical strong authentication method for BSA, and extensively discuss how existing standards can mitigate the security threats of this prominent CCAM service.
2021 IEEE International Conference on Smart Data Services (SMDS), 2021
Providing seamless connectivity and services across national borders are intricate challenges wit... more Providing seamless connectivity and services across national borders are intricate challenges with multifarious underlying aspects, ranging from the network management to business and political considerations. Since the cross-border inter-Public Land Mobile Network (PLMN) network handover is currently not available in European cellular networks, we present a complementary approach, diminishing the connectivity gap to a minimum. By leveraging Distributed Ledger Technology (DLT), we establish a dynamic, secure data exchange and management solution between several Mobile Network Operators (MNOs) of different countries. Systematically integrating foreign cell and base station parameter (i.e., Radio Access Network (RAN) data) of border regions into the internal network management systems permits their usage in standardized Mobility Management procedures. We demonstrate that this type of collaboration on the inter-MNO network governance considerably improves the network quality and customer experience when crossing national borders. Since foreign RAN data is also required for the inter-PLMN network handover (and can serve many additional purposes) and provided that our solution is not relying on any specific mobile network technology generation (e.g., 4G or 5G), we conclude that it is a fundamental step towards an inter-MNO ecosystem beyond 5G.