Research & Development – Security

The Research & Development unit, in the Security sector, is working on “Spidasec – SPID Advanced Security”, which was awarded a “POR CALABRIA FESR-FSE 2014-2020” loan.

Spidasec is a system that aims to improve the security of SPID. SPID allows users and companies to log in to the online services of the public administration and of companies with a unique digital identity, using different devices. Spidasec also aims to improve the “trust” between the parties involved.

Consulthink is not alone in this adventure: its partners are the University of Calabria, the companies Catenate and Coremuniti, the “Istituto di Calcolo e Reti ad Alte Prestazioni del Consiglio Nazionale delle Ricerche (ICAR-CNR)” and Poste Italiane.

The objective of Spidasec, then, is to improve the security of SPID, the Italian public digital identity system. SPID is intended to simplify the relationship between citizens and the services offered by the public administration. Thanks to SPID, every user has their own digital identity and can log in to the online services of the public administration and of the companies that have joined SPID. The advantage of a digital identity is that people no longer need to remember and use many usernames and passwords to access the various services; they only need to remember those of their digital identity.

To obtain a digital identity, the user must request it from one of the 8 currently accredited providers, among them Poste Italiane S.p.A. The provider verifies the user’s identity and issues the credentials.

The SPID system has many advantages for both the user and the service provider. The user can access numerous online services with a single set of identification credentials. The service provider, for its part, does not have to conduct a census of its users: it receives only the user data that is strictly necessary to complete the specific transaction, it has no burden related to the conservation of personal data, and it does not have to worry about possible cyberattacks aimed at stealing credentials. In addition, Service Providers will have profiles with a sure identity, eliminating the so-called “false profiles”, and unique profiles, eliminating duplicates.

What are Spidasec’s goals? SPID has some limits, especially on the security side, and Spidasec aims to overcome them. In SPID, identity theft is simple because of the mechanism used to identify the user: by exhibiting a false document, a citizen can get access to all the information and services of another citizen. For this reason, Spidasec introduces “Social Trust” algorithms to deal with this vulnerability. These systems can use open sources, such as social channels. The collected data may contain information about the user to be identified, such as images and position. By correlating this information, a level of trust in the identity of the user can be obtained. Using the concepts of Trust and Reputation, it is possible to define appropriate security policies based on increasing levels of risk.

Two other security problems concern the use of SAML (Security Assertion Markup Language) and the certificates of the SSL protocol. Regarding SAML, the protocol makes assertions and, once these are verified, it does not repeat the check for some time. The problem is that if a browser is infected, improper requests could start from the browser and these requests would be satisfied all the same. Regarding the certificates used in the SSL protocol, these may be outdated or badly configured, in which case the security of data transmission is not guaranteed.
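The SAML point above can be checked on the service provider side by measuring how long an assertion stays acceptable. The following is an added example, not code from the Spidasec project: the sample assertion is constructed, and the function name and the 5-minute and 1-hour thresholds are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not taken from a real SPID identity provider).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2024-01-01T10:00:00Z" Version="2.0">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z"
                   NotOnOrAfter="2024-01-01T18:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z"
                       SessionNotOnOrAfter="2024-01-02T10:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values, e.g. 2024-01-01T10:00:00Z.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_assertion(xml_text, now, max_window=timedelta(minutes=5),
                    max_session=timedelta(hours=1)):
    """Return findings on how long an assertion is accepted without a new check.

    Hypothetical helper: thresholds are illustrative, and signature validation
    (which must happen before any of this) is out of scope here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        findings.append("no-expiry")  # the assertion never stops being valid
    else:
        start = _ts(cond.get("NotBefore", root.get("IssueInstant")))
        end = _ts(cond.get("NotOnOrAfter"))
        if not (start <= now < end):
            findings.append("outside-validity-window")
        if end - start > max_window:
            findings.append("long-validity-window")
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        session = _ts(stmt.get("SessionNotOnOrAfter")) - _ts(stmt.get("AuthnInstant"))
        if session > max_session:
            findings.append("long-session")
    return findings

if __name__ == "__main__":
    print(audit_assertion(SAMPLE, datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)))
```

A long validity window or session is exactly the period in which requests from a compromised browser would still be honoured without a fresh identity check.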

Another objective of Spidasec is to promote the diffusion of the service: few public administrations use SPID and few private companies offer their services online. Currently, the online services that public administrations offer are: payment of Tasi and car tax, health services, the INPS file, redemption of the degree, application for family allowances, and payment via web of regional taxes and of the school canteen. However, integrating these services and making them communicate in a single environment is not simple and can lead to mediocre usability of the platform. Therefore, Spidasec is the solution to the limits of SPID!

For more information about the project, you can visit the Italian Spidasec website.

 

In the picture: the Spidasec logo, the Consulthink project to improve the security of the SPID system.