Luca Spalazzi

2 Papers

CR, Oct 10, 2019
Security analysis of a blockchain-based protocol for the certification of academic credentials

Marco Baldi, Franco Chiaraluce, Migelan Kodra et al.

We consider a blockchain-based protocol for the certification of academic credentials named Blockcerts, which is currently used worldwide for validating digital certificates of competence compliant with the Open Badges standard. We study the certification steps that are performed by the Blockcerts protocol to validate a certificate, and find that they are vulnerable to a certain type of impersonation attack. In more detail, authentication of the issuing institution is performed by retrieving an unauthenticated issuer profile online, and comparing some data reported there with those included in the issued certificate. We show that, by fabricating a fake issuer profile and generating a suitably altered certificate, an attacker is able to impersonate a legitimate issuer and can produce certificates that cannot be distinguished from originals by the Blockcerts validation procedure. We also propose some possible countermeasures against an attack of this type, which require the use of a classic public key infrastructure or a decentralized identity system integrated with the Blockcerts protocol.

CR, May 19, 2016
Parametric and Probabilistic Model Checking of Confidentiality in Data Dispersal Algorithms (Extended Version)

Marco Baldi, Alessandro Cucchiarelli, Linda Senigagliesi et al.

Recent developments in cloud storage architectures have originated new models of online storage as cooperative storage systems and interconnected clouds. Such distributed environments involve many organizations, thus ensuring confidentiality becomes crucial: only legitimate clients should recover the information they distribute among storage nodes. In this work we present a unified framework for verifying confidentiality of dispersal algorithms against probabilistic models of intruders. Two models of intruders are given, corresponding to different types of attackers: one aiming at intercepting as many slices of information as possible, and the other aiming at attacking the storage providers in the network. Both try to recover the original information, given the intercepted slices. By using probabilistic model checking, we can measure the degree of confidentiality of the system exploring exhaustively all possible behaviors. Our experiments suggest that dispersal algorithms ensure a high degree of confidentiality against the slice intruder, no matter the number of storage providers in the system. On the contrary, they show a low level of confidentiality against the provider intruder in networks with few storage providers (e.g. interconnected cloud storage solutions).