VVZ API is not affiliated with ETH Zurich. Data might be outdated or incorrect. Please view the official ETHZ Vorlesungsverzeichnis for binding information.

263-4600-00L 5 Credits MSC , NDS , WBZ D-INFK

Formal Methods for Information Security

Lecturers: Dr. Christoph Sprenger, Dr. Ralf Sasse, Dr. Michael Reichle
Examiners: Dr. Christoph Sprenger, Dr. Ralf Sasse, Dr. Srdan Krstic, Dr. Michael Reichle
VVZ CR 3.6

Last Updated: 2026-06-03 00:14:09

Abstract

The course focuses on formal methods for the modeling and analysis of security protocols for critical systems, ranging from key establishment protocols for secure communication to RFID protocols for identification. In addition, we discuss cryptographic modeling and analysis of security properties of protocols.

Objective

The students will learn the key ideas and theoretical foundations of formal modeling and analysis of security protocols. The students will complement their theoretical knowledge by solving practical exercises, completing a small project, and using state-of-the-art tools. The students also learn the fundamentals of cryptographic modeling and analysis of security properties.

Content

The course treats formal methods mainly for the modeling and analysis of security protocols. Cryptographic protocols (such as SSL/TLS, SSH, Kerberos, SAML single-sign on, and IPSec) form the basis for secure communication and business processes. Numerous attacks on published protocols show that the design of cryptographic protocols is extremely error-prone. A rigorous analysis of these protocols is therefore indispensable, and manual analysis is insufficient. The lectures cover the theoretical basis for the (tool-supported) formal modeling and analysis of such protocols. Specifically, we discuss their operational semantics, the formalization of security properties, and techniques and algorithms for their verification. The second part of this course will cover a selection of advanced topics in security protocols such as secure communication with humans and RFID protocols (a staple of the Internet of Things) including the relevant privacy properties. In the third part, we will give an introduction to cryptographic modeling and analysis. First, we will look at key-dependent messaging for encryption schemes and discuss how cryptographic analysis complements formal methods. Second, we will look at cryptographic modeling of interactive protocols using the example of multi-signatures.

Resources

Learning Materials (Links)

General Information

Language
English
Levels
MSC , NDS , WBZ
Frequency
Yearly recurring

Examination

Type
session examination
Mode
oral 25 minutes
The grade is determined by a project [25%] and the final oral exam [75%]. The compulsory project will be worked on by teams of two students.

Course Components

Type Title Time & Place Hours
lecture Formal Methods for Information Security
  • Tue 10:15-12:00 (CAB G 59)
2 h weekly
exercise Formal Methods for Information Security
  • Tue 12:15-13:00 (CAB G 59)
1 h weekly
independent project Formal Methods for Information Security No time listed 1 h weekly

Offered In