1. NS.

Take the ns.scm file and the Makefile from http://web.cs.wpi.edu/~guttman/cs564/exercise/ns.scm and http://web.cs.wpi.edu/~guttman/cs564/exercise/Makefile. It has a protocol definition and a single defskeleton to make just one query.

• Run make ns_shapes.xhtml and inspect the result using a browser.
• Write a two line comment in your file describing what you found out.
• Add a new defskeleton form with a deflistener in it to find out whether the initiator’s nonce can be disclosed to the adversary. Write a two line comment in your file describing what you found out.
• Add another defskeleton form with the same deflistener, but also with stronger origination assumptions. Find a version that guarantees the initiator’s nonce remains secret. Write a two line comment in your file describing what you found out.
• Make a new defskeleton form to check whether the responder gets any authentication guarantee about the initiator. Write a two line comment in your file describing what you found out.

2. NSL.

Create a new file nsl.scm, editing the NS protocol definition to define NSL and fix the authentication problem.

• Run make ns_shapes.xhtml and inspect the result using a browser.
• Write a two line comment in your file for each defskeleton so far, describing what you found out.
• Add a new defskeleton form with a deflistener in it to find out whether the responder’s nonce can be disclosed to the adversary. Write a two line comment in your file describing what you found out.

3. PS.

Retrieve the file http://web.cs.wpi.edu/~guttman/cs564/exercise/ps.scm, with the Perrig-Song example.

• Run make ps_shapes.xhtml and inspect the result using a browser. Write a two line comment in your file describing what you found out.
• Create a modified protocol ps_sym that allows initiator to run their role using the key (ltk my_init_id yr_resp_id) or the key
  (ltk yr_resp_id my_init_id). Make a symmetrical version of the responder role too.
• Now test for authentication for initiator and responder. Write a two line comment in your file describing what you found out.
• Write a third protocol definition that adds information to the protocol so that it correctly achieves authentication for initiator and responder. Write a two line comment in your file describing what you found out for each party to the protocol.

4. Otway-Rees.

Work with the file http://web.cs.wpi.edu/~guttman/cs564/exercise/or.scm.

• Run cpsa on the file and write a brief comment in each defskeleton form stating what it tells you.
• Modify the file so that each encrypted message portion has a tag, "tag_name". Give the initiator’s request, the responder’s request, and the two replies containing the keys different tags.
• Run cpsa on the tagged version. For each defskeleton, write a brief summary of what you find out.

5. Abadi-Needham’s Otway-Rees.

Look at p. 13 of the Abadi-Needham paper. It describes an alternate form of Otway-Rees with much less encryption. (More or less the same protocol was also proposed by Ulf Carlsen.)

• Create a file with a defprotocol form defining the AN version.
• Use cpsa to discover what authentication and confidentiality properties it proves. Record your results in two-line comments.
• Is the AN OR protocol just as good as the original?
• Create a new protocol with a tagged version of AN OR. Determine and record its authentication properties.

6. Woo-Lam.

Work with the file http://web.cs.wpi.edu/~guttman/cs564/exercise/woo_lam.scm.

• What does this protocol try to achieve? What goes wrong?
• on pp. 6–7, Abadi and Needham discuss this protocol. Implement their modified protocol in cpsa. Determine whether it achieves the goal it is intended to. Record your answer.

This document was translated from L^AT_EX by H^EV^EA.