Curricular Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK). Please note that these are curricular internship projects (which do not include financial compensation) intended specifically for bachelor’s and master’s university students, and not employment contracts. Please refer to jobs.fbk.eu/ for job offers and open positions.

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

Security and Privacy Analysis of Remote HSM Architectures for European Digital Identity Wallets ST

ID: p-2026-cs-001

Published on: Wednesday, 1 July 2026

Deadline for Applications: Wednesday, 5 August 2026 at 23:59

Description:

Digital Identity Wallets rely on strong cryptographic protection to bind credentials to a legitimate wallet instance. In the European Digital Identity (EUDI) Wallet ecosystem, this protection is closely connected to what is called the Wallet Secure Cryptographic Device (WSCD), where cryptographic keys used for Personal Identification Data (PID) and other sensitive credentials must be protected at an appropriate high assurance or security level. The EUDI Wallet Architecture and Reference Framework (ARF) allows different WSCD architectures, including remote architectures commonly implemented through remote Hardware Security Modules (HSMs) hosted by the wallet provider or a trusted backend service. In such cases, the provider remains responsible for ensuring that the overall architecture meets Level of Assurance High where required, and that proper user authentication, secure key management, and access control mechanisms are in place so that only legitimate wallet instances can use the protected cryptographic assets.

Compared to purely local wallet architectures, where cryptographic keys must be protected by secure hardware on the user device, remote HSM architectures can support inclusiveness and scalability by providing high-assurance key protection through certified backend infrastructure, especially when user devices cannot provide secure hardware capable of supporting that level of assurance. However, they also introduce new security and privacy questions. Moving cryptographic operations from user devices to a backend changes the trust boundaries of the wallet architecture and may create risks related to centralized key control, backend compromise, observability of user activity, metadata leakage, insider abuse, and availability. This makes it necessary to assess remote HSM architectures not only in terms of technical security, but also against ARF principles related to security and privacy, such as privacy by design, data minimization, selective disclosure, user control, transparency, and security by design.

Building on this, the project aims to define a structured set of security and privacy requirements for remote HSM-based European Digital Identity Wallet architectures, starting from the ARF high-level requirements and relevant EUDI Wallet security assumptions. It will then compare how selected national solutions for which sufficient information is available, with a focus on Germany, Italy, and the Netherlands, address these requirements in their design.

The final outcome of the project will be a comparative security and privacy analysis of remote HSM architectures for European Digital Identity Wallets, including a requirements catalogue, a country-by-country evaluation matrix, and a reusable threat model applicable to the analyzed architectures.

Type: Internship + Thesis

Level: MSc

Supervisors: Amir Sharif (asharif@fbk.eu), Zahra Ebadi Ansaroudi (zebadiansaroudi@fbk.eu)

Prerequisites:

  • Good knowledge of cybersecurity
  • Knowledge of OAuth, OpenID Connect, and digital identity wallets is a plus, but not required
  • Basic understanding of cryptographic concepts such as digital signatures, public/private keys, hardware security modules, attestations, and key binding
  • Strong analytical and problem-solving skills

Objectives:

  • Study the ARF high-level requirements and related EUDI Wallet architectural assumptions relevant to WSCD, Wallet Secure Cryptographic Application (WSCA), Wallet Instance Attestation, Key Attestation, device binding, user authentication, and credential presentation.
  • Define a structured catalogue of security and privacy requirements for remote HSM-based EUDI Wallet architectures, including requirements for key protection, authentication, access control, logging, unlinkability, backend trust, availability, revocation, and recovery.
  • Analyze the German, Italian, and Dutch Digital Identity Wallet solutions to understand how their architecture handles remote or backend-supported cryptographic operations.
  • Evaluate how each analyzed national solution satisfies, partially satisfies, or leaves open the identified security and privacy requirements.
  • Develop a reusable threat model for remote HSM architectures in Digital Identity Wallets, covering assets, actors, trust boundaries, data flows, attacker capabilities, and architecture-specific threats.

Topics: Digital Identity, EUDI Wallet, Remote HSM, Threat Modeling