Formal Methods for Information Security
Spring Semester 2024 (263-4600-00L)
Overview
Lecturers and Tutors:
Dr. Ralf Sasse, Dr. Christoph Sprenger and Dr. Srdan Krstic
Lectures:
Tuesday 10-12 CAB G 59
Exercises:
Tuesday 12-13 CAB G 59
Credits: 5 ECTS (2V + 1U + 1A)
Project:
25% of the grade
Homework:
optional, but strongly recommended
Exams:
Oral exam (session examination - mid-to-late August), date individually communicated by examination planning office (Prüfungsplanstelle), usually in late June.
Language: English
Announcements
- Welcome the the course. First lecture starts on Tue, 20 Feb at 10h.
Description
The course treats formal methods mainly for the modeling and analysis of security protocols. Cryptographic protocols (such as SSL/TLS, SSH, Kerberos, SAML single-sign on, and IPSec) form the basis for secure communication and business processes. Numerous attacks on published protocols show that the design of cryptographic protocols is extremely error-prone. A rigorous analysis of these protocols is therefore indispensable, and manual analysis is insufficient. The lectures cover the theoretical basis for the (tool-supported) formal modeling and analysis of such protocols. Specifically, we discuss their operational semantics, the formalization of security properties, and techniques and algorithms for their verification.
The second part of this course will cover a selection of advanced topics in security protocols such as abstraction techniques for efficient verification, secure communication with humans, the link between symbolic protocol models and cryptographic models as well as RFID protocols (a staple of the Internet of Things) and electronic voting protocols, including the relevant privacy properties. Moreover, we will give an introduction to two additional topics: non-interference as a general notion of secure systems, both from a semantic and a programming language perspective (type system), and runtime verification/monitoring to detect violations of security policies expressed as trace properties.
Resources
Literature
The lecture is based mainly on various journal/conference papers, but see also (all available at the library):
- Benedikt Schmidt, "external pageFormal analysis of key exchange protocols and physical protocolscall_made", 2012
- Baader and Nipkow, external pageTerm Rewriting and All Thatcall_made, 1998.
- Cremers and Mauw, "external pageOperational semantics and verification of security protocolscall_made", 2013
- Boyd and Mathuria, "external pageProtocols for authentication and key establishmentcall_made", 2003
- Bella, "external pageFormal correctness of security protocolscall_made", 2007
- Ryan and Schneider, "external pageThe modeling and analysis of security protocolscall_made", 2001
- Menezes, van Oorschot, and Vanstone, "external pageHandbook of applied cryptographycall_made", 1997
- Basin et al., "external pageAlmost event-rate independent monitoringcall_made", 2019
- Basin et al., "external pageMonitoring Metric First-order Temporal Propertiescall_made", 2015
- John Rushby, "external pageNoninterference, transitivity, and channel-control security policiescall_made", 1992.
Course Material
The important links, lecture notes, exercises, slides, and other resources are available on Moodle.