Course description

Lecture notes








CS 395T - Design and Analysis of Security Protocols (54302)

Fall 2004

Course description

This is a project-oriented course intended to give students hands-on experience in using a variety of analysis techniques to evaluate cryptographic protocols and other security mechanisms. A network protocol such as SSL (Secure Sockets Layer) may fail in three ways: the protocol design may be flawed, the cryptography may be inadequate, or the implementation may be buggy. This course is primarily concerned with techniques for identifying design flaws, but we will also talk about cryptography and secure implementation to the extent that they affect protocol design.

The first part of the course will survey contemporary security protocols and their properties, including confidentiality, authentication, secure group communication, privacy, and anonymity. We will also cover cryptographic primitives, as well as standard formal models and tools used for mechanized verification of secure systems, including model checking, constraint solving, process algebras, protocol logics, and game theory.

The second part of the course will focus primarily on student projects, carried out individually or in small teams. A typical project may involve:

  • Coming up with a security specification for a particular system and performing a detailed analysis of its properties; or
  • Extending an existing tool or method to support analysis of a new class of security properties; or
  • Conducting a theoretical study of the relationship between several models.
A selection of candidate projects will be provided, but students may propose their own.


There are no prerequisites for this course. Some prior familiarity with cryptography or formal methods may be helpful, but all necessary background will be covered in class.

Tentative syllabus

This syllabus is only a rough draft. It may change as the course progresses. The subjects will not necessarily be covered in the order they are listed below. Some topics may be presented by students as part of the paper-reading assignment. The last part of the course will be devoted to project presentations.

Security protocols and their properties

  • Cryptographic background
  • Authentication
  • Key establishment and IP security (IKE, JFK)
  • Denial of service
  • Anonymity and MIX networks
  • Fairness and contract signing
  • Privacy and protection of individual information
  • Wireless security (mobile phones, WiFi)

Protocol analysis tools

  • Finite-state checking (Murphi)
  • Infinite-state symbolic analysis (SRI constraint solver)
  • Probabilistic model checking (PRISM)
  • Game-based verification (MOCHA)
  • Process algebras (spi-calculus and applied pi-calculus)
  • Protocol logics (BAN, DDMP, Isabelle)
  • Probabilistic polynomial-time calculus
  • Relating cryptographic and formal models