International Journal of Information Security, Volume 15, Issue 6, pp 575–596

Measuring protocol strength with security goals

  • Paul D. Rowe
  • Joshua D. Guttman
  • Moses D. Liskov
Special Issue Paper


Flaws in published standards for security protocols are found regularly, often after systems implementing those standards have been deployed. Because of deployment constraints and disagreements among stakeholders, different fixes may be proposed and debated. In this process, security improvements must be balanced with issues of functionality and compatibility. This paper provides a family of rigorous metrics for protocol security improvements. These metrics are sets of first-order formulas in a goal language \(\mathcal {GL}(\varPi )\) associated with a protocol \(\varPi \). The semantics of \(\mathcal {GL}(\varPi )\) is compatible with many ways to analyze protocols, and some metrics in this family are supported by many protocol analysis tools. Other metrics are supported by our Cryptographic Protocol Shapes Analyzer cpsa. This family of metrics refines several “hierarchies” of security goals in the literature. Our metrics are applicable even when, to mitigate a flaw, participants must enforce policies that constrain protocol execution. We recommend that protocols submitted to standards groups characterize their goals using formulas in \(\mathcal {GL}(\varPi )\), and that discussions comparing alternative protocol refinements measure their security in these terms.





Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Paul D. Rowe (1)
  • Joshua D. Guttman (1)
  • Moses D. Liskov (1)

  1. The MITRE Corporation, Bedford, USA
