About
For more than 15 years, I've immersed myself in the world of security research and…
Experience
Education
-
Politecnico di Torino
-
My PhD thesis was focused on Usable Security. In particular, I focused my research on providing an Internet Integrated Support System for Public-Key based security. The envisioned Public Key System (or PKS) combined different research areas like Peer-to-Peer networking with strong identities (e.g., Cryptographic Keys and/or Certificates) to provide a usable, self-organizing, and cooperative system to support and simplify the achievement of Trust throughout the whole Internet.
-
-
Research in PKIs that led to the development of several proposals for PKI service discovery and usability studies of browsers' user interfaces for trust management.
-
-
Licenses & Certifications
Volunteer Experience
-
Support Engineer
ThriveProjectKenya
- Present 14 years 9 months
Health
Providing help with setting up computing and power infrastructure in the newly built clinic in Ilmotiak, Kenya.
Publications
-
K-threshold Composite Signatures for the Internet PKI
IETF - LAMPS WG
With the need to evolve the cryptography used in today's applications, devices, and networks, there might be many scenarios where the use of a single-key certificate is not sufficient. For example, there might be the need for migrating between two existing algorithms (e.g., from classic to post-quantum) or there might be the need to test the capabilities of devices via test drivers and/or non-standard algorithms.
Differently from the situation where algorithms are not yet (or no longer) trusted to be used by themselves, this document addresses the use of multiple keys and signatures that can be individually trusted to implement generic 1-threshold and K-threshold signature validation procedures.
This document provides the definition of a new type of multi-algorithm public key and relies on the definition of CompositePrivateKey and CompositeSignature, which are sequences of the respective structure for each component algorithm as defined in [I-D.ounsworth-pq-composite-sigs] and [I-D.ounsworth-pq-composite-sigs].
-
Composite Public and Private Keys For Use In Internet PKI
IETF - LAMPS WG
The migration to post-quantum cryptography is unique in the history of modern digital cryptography in that neither the old outgoing nor the new incoming algorithms are fully trusted to protect data for the required data lifetimes. The outgoing algorithms, such as RSA and elliptic curve, may fall to quantum cryptanalysis, while the incoming post-quantum algorithms face uncertainty about both the underlying mathematics as well as hardware and software implementations that have not had sufficient maturing time to rule out classical cryptanalytic attacks and implementation bugs.
Cautious implementors may wish to layer cryptographic algorithms such that an attacker would need to break all of them in order to compromise the data being protected using either a Post-Quantum / Traditional Hybrid, Post-Quantum / Post-Quantum Hybrid, or combinations thereof. This document, and its companions, define a specific instantiation of the hybrid paradigm called "composite" where multiple cryptographic algorithms are combined to form a single key, signature, or key encapsulation mechanism (KEM) such that they can be treated as a single atomic object at the protocol level.
This document defines the structures CompositePublicKey and CompositePrivateKey, which are sequences of the respective structure for each component algorithm. The generic composite variant is defined, which allows arbitrary combinations of key types to be placed in the CompositePublicKey and CompositePrivateKey structures without needing the combination to be pre-registered or pre-agreed. The explicit variant is also defined, which allows for a set of algorithm identifier OIDs to be registered together as an explicit composite algorithm and assigned an OID.
-
OCSP over DNS
IETF
One of the most strategic problems for Internet Certification Authorities (ICAs) is the provisioning of revocation information in an efficient way. Current approaches for the distribution of OCSP responses over HTTP do not provide efficient solutions for the high volume of traffic that Internet CAs face when providing services for highly utilized websites. This document describes a new transport protocol for OCSP responses to efficiently provide revocation information about digital certificates. In particular, this specification defines how to distribute OCSP responses over DNS and how to define OCSP-over-DNS URLs in certificates. The use of the DNS system to distribute such information is meant to lower the costs of providing revocation services and increase the availability of revocation information by using the distributed nature of the DNS infrastructure.
-
A Proposal for Collaborative Internet-scale trust infrastructures deployment: the Public Key System
IDTrust / NIST
Public Key technology is about multiple parties across different domains making assertions that can be chained together to make trust judgments. Today, the need for more interoperable and usable trust infrastructures is urgent in order to fulfill the security needs of computer and mobile devices. Developing, deploying, and maintaining information technology that provides effective and usable solutions has yet to be achieved. In this paper, we propose a new framework for a distributed support system for trust infrastructure deployment: the Public Key System (PKS). We describe the general architecture based on Distributed Hash Tables (DHTs), how it simplifies the deployment and usability of federated identities, and how existing infrastructures can be integrated into our system. This paper lays down the basis for the deployment of collaborative Internet-scale trust infrastructures.
-
On the Usability of User Interfaces for Secure Website Authentication in Browsers
Proceedings of the 6th European PKI Workshop: Theory and Practice
Public Key cryptography has become, in many environments, a fundamental building block for authentication purposes. Although many applications already support the usage of Public Key Certificates (PKCs), the usability of the many security features and their understanding by users is still not fully addressed. Moreover, with the increasing number of services offered via Internet and their impact on many aspects of everyday life of millions of users, the need to address usability of security is compelling. In our work we provide a usability study that highlights the status of the current User Interfaces (UIs) in browsers. In particular we focus our attention on the effectiveness of the messages related to website authentication. We also provide a set of guidelines aimed at improving the user experience and the incisiveness of security-related warnings. A prototype of a user interface is provided and analyzed.
-
PKI Resource Query Protocol (PRQP)
IETF - PKIX WG - Experimental Track
An increasing number of services and protocols are being defined to address different needs of users and administrators of PKIs. With the deployment of new applications and services, the need to access information and services provided by Certificate Service Providers (CSPs) is critical. Currently, Certification Authorities (CAs) barely publish access details on their official web sites; this includes URLs of provided services and repositories. Using the PRQP, resources provided by a CA can be automatically and securely discovered by an application.
Patents
-
Systems and methods for network access granting (NAGS)
Filed US US20190058713A1
A server is provided for managing access of an electronic entity to a communications network. The server includes a contact point in operable communication with the electronic entity. The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators, and transmit a response message to the electronic entity indicating a level of access to the network that has been authorized.
-
Event-Driven Lightweight Cloned Devices Detection and Sharing System
Filed US US20190089739A1
-
ONLINE CERTIFICATE STATUS PROTOCOL VERSION 2
Filed US 16/254,259
-
QRCODE WIFI AUTHENTICATION FOR ENTERPRISE GRADE SECURITY
Filed US 16/202,659
-
SYSTEMS AND METHODS FOR INTEGRATING CRYPTOCURRENCY WALLET IDENTIFIERS IN CERTIFICATES
Filed US 16/359,571
-
Systems and methods for establishing scalable credential creation and access.
Filed US US20190042302A1
A client access network includes a cluster of servers. The cluster of servers includes a boot node, an administrator node, a computing node, and a storage node. The client access network further includes a plurality of segregated subnetworks. The plurality of segregated subnetworks includes a boot subnetwork, an administration subnetwork, a public subnetwork, and a private subnetwork. The client access network further includes at least one hardware security module, a dedicated subnet in operable communication with the at least one hardware security module and each of the plurality of segregated subnetworks, and a router in operable communication with the at least one hardware security module and each of the cluster of servers. The router is further configured to route traffic among the plurality of segregated subnetworks and the dedicated subnet.
-
Systems and methods for secure element registration and provisioning
Filed US US20190042708A1
A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a remote server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the remote server, the electronic device credentials. The method further includes a step of registering, by the remote server, the electronic device. The method further includes a step of transmitting, from the remote server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.
-
Touchless IoT Provisioning System
Filed US 16/145,172
Projects
-
LibPKI
The libPKI project aims to provide an easy-to-use PKI library for PKI-enabled application development. The library provides the developer with all the needed functionalities to manage certificates, from generation to validation. The current version provides support for quantum-safe crypto and hybrid certificates.
-
OpenCA-OCSPD
The OpenCA OCSPD project aims to develop a robust and easy-to-install OCSP daemon. The server is developed as a stand-alone application and can be integrated into many different PKI solutions, as it does not depend on a specific database scheme. Furthermore, it can be configured to serve as a server for different CAs.
-
OpenCA
OpenCA comprises a large set of different tools and packages to create and manage your own Certification Authority: free, open-source, and easy!
-
Post-Quantum and Hybrid Certificates
-
Prototyping and Investigating deployment of Post-Quantum and Composite Crypto certificates and identities in collaboration with large companies such as Entrust, DigiCert, and CISCO, together with #opensource projects like OpenCA’s LibPKI, PyCrypto, Rust, and OpenPGP.
The project investigates different options for PQC deployments and addresses usability issues such as how to handle the hash-n-sign paradigm for post-quantum and hybrid (Composite Crypto) algorithms.
Come and Join us!
Languages
-
Italian
Native or bilingual proficiency
-
English
Native or bilingual proficiency
-
Spanish
Limited working proficiency
Organizations
-
ACM
Member
- Present -
Association for Computing Machinery
Member
- Present
Dr. Massimiliano Pala, having fulfilled the requirements for Professional Membership, has been admitted as a member of the Association for Computing Machinery. Member Since September 2009. ACM: Advancing Computing as a Science & Profession.