Security Analysis of the CIE Middleware: Fuzz Testing and Simulated Card Attacks
SUKA, ARDI
2024/2025
Abstract
The Italian Electronic Identity Card (CIE) plays a pivotal role in national digital identity frameworks and secure electronic signature systems. This thesis provides an in-depth examination of the security aspects of the CIE middleware through advanced fuzz testing methodologies, static analysis techniques, and dynamic simulations of APDU card communications.

A major flaw was discovered in the Dynamic Active Authentication Protocol (DAPP) implementation framework through the course of the investigation. The flaw allows potential attackers to simulate the CIE card without having access to the original authentic chip's private key. Exhaustive analysis uncovered large memory management gaps, poor APDU command checking, and other issues that would lead to the unauthorized release of confidential information. This work explains how flaws in the handling of cryptographic protocols and trust chain verification procedures can strongly undermine the security of single digital identities using extensive empirical experiments and thorough theoretical analyses.

Finally, the dissertation provides detailed and realistic recommendations for reducing and minimizing the identified vulnerabilities. It highlights the imperative need for the adoption of proactive testing approaches in protecting essential middleware elements, especially in government and digital public service infrastructure application environments.

File | Size | Format |
---|---|---|
tesi_879439.pdf (embargoed until 16/07/2026) | 2.23 MB | Adobe PDF |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14247/25801