Curricular Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK). Please note that these are curricular internship projects (which does not include financial compensation) intended specifically for bachelor’s and master’s university students, and not employment contracts. Please refer to jobs.fbk.eu/ for job offers and open positions.

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

Security and Privacy Analysis of Remote HSM Architectures for European Digital Identity Wallets ST

ID: p-2026-cs-001

Published on: Wednesday, 1 July 2026

Deadline for Applications: Wednesday, 5 August 2026 at 23:59

Description:

Digital Identity Wallets rely on strong cryptographic protection to bind credentials to a legitimate wallet instance. In the European Digital Identity (EUDI) Wallet ecosystem, this protection is closely connected to what is called Wallet Secure Cryptographic Device (WSCD), where cryptographic keys used for Personal Identification Data (PID) and other sensitive credentials must be protected at an appropriate high assurance or security level. The EUDI Wallet Architecture and Reference Framework (ARF) allows different WSCD architectures, including remote architectures commonly implemented through remote Hardware Security Modules (HSMs) hosted by the wallet provider or a trusted backend service. In such cases, the provider remains responsible for ensuring that the overall architecture meets Level of Assurance High where required, and that proper user authentication, secure key management, and access control mechanisms are in place so that only legitimate wallet instances can use the protected cryptographic assets.

Compared to purely local wallet architectures, where cryptographic keys must be protected by secure hardware on the user device, remote HSM architectures can support inclusiveness and scalability by providing high-assurance key protection through certified backend infrastructure, especially when user devices cannot provide secure hardware capable of supporting that level of assurance. However, they also introduce new security and privacy questions. Moving cryptographic operations from user devices to a backend changes the trust boundaries of the wallet architecture and may create risks related to centralized key control, backend compromise, observability of user activity, metadata leakage, insider abuse, and availability. This makes it necessary to assess remote HSM architectures not only in terms of technical security, but also against ARF principles related to security, privacy such as privacy by design, data minimization, selective disclosure, user control, transparency, and security by design.

Building on this, this project aims to define a structured set of security and privacy requirements for remote HSM-based European Digital Identity Wallet architectures, starting from the ARF high-level requirements, and relevant EUDI Wallet security assumptions. It will then compare how selected national solutions for which sufficient information is available, with a focus on Germany, Italy, and the Netherlands, address these requirements in their design.

The final outcome of the project will be a comparative security and privacy analysis of remote HSM architectures for European Digital Identity Wallets, including a requirements catalogue, a country-by-country evaluation matrix, and a reusable threat model applicable to the analyzed architectures.

Type: Internship + Thesis

Level: MSc

Supervisors: Amir Sharif (asharif@fbk.eu), Zahra Ebadi Ansaroudi (zebadiansaroudi@fbk.eu)

Prerequisites:

  • Good knowledge of cybersecurity
  • Knowledge of OAuth, OpenID Connect, and digital identity wallet is a plus, but not required
  • Basic understanding of cryptographic concepts such as digital signatures, public/private keys, hardware security modules, attestations, and key binding
  • Strong analytical and problem-solving skills

Objectives:

  • Study the ARF high-level requirements, and related EUDI Wallet architectural assumptions relevant to WSCD, Wallet Secure Cryptographic Application (WSCA), Wallet Instance Attestation, Key Attestation, device binding, user authentication, and credential presentation.
  • Define a structured catalogue of security and privacy requirements for remote HSM-based EUDI Wallet architectures, including requirements for key protection, authentication, access control, logging, unlinkability, backend trust, availability, revocation, and recovery.
  • Analyze the German, Italian, and Dutch Digital Identity Wallet solutions to understand how their architecture handles remote or backend-supported cryptographic operations.
  • Evaluate how each analyzed national solution satisfies, partially satisfies, or leaves open the identified security and privacy requirements.
  • Develop a reusable threat model for remote HSM architectures in Digital Identity Wallets, covering assets, actors, trust boundaries, data flows, attacker capabilities, and architecture-specific threats.

Topics: Digital Identity, EUDI Wallet, Remote HSM, Threat Modeling

Automated Cross-Regulation Compliance for Digital Regulations via Requirements Engineering

ID: p-2026-cs-002

Published on: Friday, 17 July 2026

Deadline for Applications: Tuesday, 1 September 2026 at 23:59

Description:

Organizations operating in the digital space must simultaneously comply with multiple legal frameworks: data protection laws, AI-specific legislation, platform regulations, cybersecurity directives, and more. These regulations are developed independently, use inconsistent and not fully comparable terminology, and overlap in scope, creating a compliance landscape that is fragmented, contradictory, and costly to navigate. In practice, compliance is largely a manual, expert-driven process that does not scale.

This project investigates how Requirements Engineering (RE) methods can be leveraged to automate cross-regulation compliance in the digital domain. The central research question is: how can legal obligations drawn from heterogeneous regulatory sources be extracted, formally represented, aligned, and reasoned over in a unified framework to be comprehensible for different stakeholders?

Applicants will contribute to one or more of the following activities: 1) extraction and formalization of requirements from selected EU digital regulations into a unified goal model representation; 2) design of cross-regulation alignment and conflict detection mechanisms; 3) development and evaluation of a context-aware compliance navigation framework with users from heterogeneous backgrounds.

This project offers the opportunity to engage with research at the intersection of legal analysis, requirements engineering, and knowledge representation, contributing to tools and methods with direct applicability across industry and policy contexts.

Type: Internship + Thesis

Level: BSc

Supervisors: Livia Marini (lmarini@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu), Magdalena Maria Solitro (msolitro@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites:

  • Ability to read, interpret, and critically analyze legal texts in English and Italian.
  • Familiarity with EU digital regulation (e.g. GDPR, AI Act, DSA, or similar) is strongly advantageous.
  • Proficiency in digital tools for research and a good understanding of knowledge representation fundamentals and methodologies (semantic networks, ontologies, logic-based systems, graph databases) to manage complex project data.
  • Curiosity for interdisciplinary work at the boundary between law and computer science is essential.

Objectives:

  • Familiarization with the state of the art in regulatory requirements engineering and cross-regulation compliance.
  • Extraction and formalization of requirements from one or more EU digital regulations.
  • Design and evaluation of mechanisms for cross-regulation alignment, conflict detection, and context-aware compliance navigation.

Topics: EU Digital Regulations, Requirements Engineering