Fall 2001, CSE 597E: Lecture 1

Security Protocols

Aka Cryptographic Protocols


To provide various security services accross a distributed system

How they work

Hostile environment

Agents deliberately trying to undermine the protocol. In literature such hostile agents are also referred to as intruders, spies, enemies, attackers, evesdroppers, penetrators.

We will illustrate the various issues involved with secury protocols by using a concrete example

Example: The Needham-Schroeder Secret-Key (NSSK) protocol

We assume that Anne and Bob share private, long-term keys with Jeeves so each of them is able to communicate securely with Jeeves


  1. Why do we want a direct secure channel between Anne and Bob?
  2. Why don't we provide upfront a private long-term key for every pair of agents which may wish to communicate?


  1. Jeeves would become a bottleneck and a possible point of failure
  2. Several reasons:


The NSSK protocol

Message 1   a -> J  :  a.b.na
Message 2   J -> a  :  {na.b.kab.{kab.a}ServerKey(b)}ServerKey(a)
Message 3   a -> b  :  {kab.a}ServerKey(b)
Message 4   b -> a  :  {nb}kab
Message 5   a -> b  :  {nb - 1}kab

At the end a and b share the new key kab generated by J.

Security Properties

To say that it a protocol is "secure" or "correct" does not mean anything. It is always necessary to define exactly what are the properties that a security protocol is supposed to satisfy. We can speak of correctness only wrt these properties, and even then, only under precise assumptions on the possible treaths.


Secrecy properties can have various degrees of strength. E.g. Weaker properties are usually easier to implement and to analyze


What secrecy properties does the NSSK protocol satisfy?

Autentication of origin

If Bob receives a message that claims to be originated by Anne, then Anne should have sent it.

There may be various additional requirements

Entity authentication

Bob and Anne are sure of each other identities