Security Goals and Protocol Transformations

  • Joshua D. Guttman
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6993)


Cryptographic protocol designers work incrementally. Having achieved some goals for confidentiality and authentication in a protocol Π1, they transform it to a richer Π2 to achieve new goals.

But do the original goals still hold? More precisely, if a goal formula Γ holds whenever Π1 runs against an adversary, does a translation of Γ hold whenever Π2 runs against it?

We prove that a transformation preserves goal formulas if a labeled transition system for analyzing Π1 simulates a portion of an lts for analyzing Π2, while preserving progress in that portion.

Thus, we examine the process of analyzing a protocol Π. We use ltss that describe our activity when analyzing Π, not that of the principals executing Π. Each analysis step considers—for an observed message reception—what earlier transmissions would explain it. The lts then contains a transition from a fragmentary execution containing the reception to a richer one containing an explaining transmission. The strand space protocol analysis tool cpsa generates some of the ltss used.
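The following is an added example, not code from the paper or from cpsa, showing the two ideas of the abstract on a toy scale: an analysis lts whose states are fragmentary executions (skeletons) and whose transitions add a regular transmission explaining a reception, and a simulation check between the lts for Π1 and the lts for a transformed Π2. The protocols (a two-message challenge-response, its enrichment with the initiator's name, and a deliberately bad enrichment that adds a second role able to emit the same encryption), the set of uncompromised keys, the projection from Π2 skeletons to Π1 skeletons, and the reading of "progress preserving" as "a Π1 state that can still step never stands for a Π2 state that is already a shape" are all assumptions made here for illustration.

```python
"""Toy analysis ltss (added example; not the paper's or cpsa's code).  Protocols,
safe-key set, projection and goal are our own assumptions.  Terms: atoms are str,
'?x' is a variable, ('enc', body, key), ('cat', a, b).  A skeleton is a frozenset
of events (role, step, 'send' | 'recv', ground term)."""

def match(pat, term, sub=None):
    """Match a pattern with variables against a ground term; dict or None."""
    sub = {} if sub is None else dict(sub)
    if isinstance(pat, str) and pat.startswith('?'):
        return sub if sub.setdefault(pat, term) == term else None
    if isinstance(pat, str) or isinstance(term, str):
        return sub if pat == term else None
    if pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        sub = match(p, t, sub)
        if sub is None:
            return None
    return sub

def subst(t, sub):
    return sub.get(t, t) if isinstance(t, str) else (t[0],) + tuple(subst(x, sub) for x in t[1:])

def encrypted_units(t):
    """Encryptions inside t: what the adversary cannot forge without the key."""
    if isinstance(t, str):
        return []
    return ([t] if t[0] == 'enc' else []) + [u for x in t[1:] for u in encrypted_units(x)]

def explainers(protocol, unit):
    """Regular transmissions (role, step, substitution) whose pattern emits `unit`."""
    return [(role, i, sub) for role, steps in protocol.items()
            for i, (d, pat) in enumerate(steps) if d == 'send'
            for cand in encrypted_units(pat)
            for sub in [match(cand, unit)] if sub is not None]

def build_lts(protocol, initial, safe_keys):
    """Analysis lts: one step explains an unforgeable unit of some reception by
    adding a regular transmission.  Returns {skeleton: {(role, step): successor}}."""
    lts, todo = {}, [initial]
    while todo:
        s = todo.pop()
        if s in lts:
            continue
        lts[s] = {}
        sent = {u for (_, _, d, t) in s if d == 'send' for u in encrypted_units(t)}
        for (_, _, d, t) in s:
            for unit in (encrypted_units(t) if d == 'recv' else []):
                if unit[2] in safe_keys and unit not in sent:      # not yet explained
                    for (r, i, sub) in explainers(protocol, unit):
                        tx = (r, i, 'send', subst(protocol[r][i][1], sub))
                        lts[s][(r, i)] = s | {tx}
                        todo.append(s | {tx})
    return lts

def simulates(lts1, lts2, portion, proj):
    """lts1 simulates the states `portion` of lts2 under proj (labels must agree)
    and progress is preserved: a Pi1 state that can still step never stands for
    a Pi2 state that is already a shape.  This reading is our assumption."""
    for s2 in portion:
        s1 = proj(s2)
        if s1 not in lts1 or (lts1[s1] and not lts2[s2]):
            return False
        if any(lts1[s1].get(lab) != proj(t2) for lab, t2 in lts2[s2].items()):
            return False
    return True

def goal_on_shapes(lts, goal):
    """A goal holds for the analysis if every shape (terminal skeleton) satisfies it."""
    return all(goal(s) for s, succ in lts.items() if not succ)

# Pi1: A -> B : {N}_Kb ; B -> A : N.   Pi2 also puts A's name inside the encryption.
# Pi3 is a bad transformation of Pi2: a new role can emit the very same unit.
PI1 = {'init': [('send', ('enc', '?N', '?Kb')), ('recv', '?N')],
       'resp': [('recv', ('enc', '?N', '?Kb')), ('send', '?N')]}
PI2 = {'init': [('send', ('enc', ('cat', '?N', '?A'), '?Kb')), ('recv', '?N')],
       'resp': [('recv', ('enc', ('cat', '?N', '?A'), '?Kb')), ('send', '?N')]}
PI3 = dict(PI2, server=[('send', ('enc', ('cat', '?N', '?A'), '?Kb'))])
SAFE = {'kB'}                                     # B's private key is uncompromised

def drop_name(t):
    """Projection of Pi2 terms onto Pi1 terms: forget the name inside {N, A}_Kb."""
    if isinstance(t, str):
        return t
    if t[0] == 'enc' and not isinstance(t[1], str) and t[1][0] == 'cat':
        return ('enc', drop_name(t[1][1]), t[2])
    return (t[0],) + tuple(drop_name(x) for x in t[1:])

def project(skel):
    return frozenset((r, i, d, drop_name(t)) for (r, i, d, t) in skel)

def initiator_sent(skel):
    """The authentication goal: some initiator strand transmitted."""
    return any(r == 'init' and d == 'send' for (r, _, d, _) in skel)

# Each analysis starts from a responder that has received the first message.
START1 = frozenset({('resp', 0, 'recv', ('enc', 'n', 'kB'))})
START2 = frozenset({('resp', 0, 'recv', ('enc', ('cat', 'n', 'a'), 'kB'))})
L1, L2 = build_lts(PI1, START1, SAFE), build_lts(PI2, START2, SAFE)
L3 = build_lts(PI3, START2, SAFE)

if __name__ == '__main__':
    print(goal_on_shapes(L1, initiator_sent), simulates(L1, L2, L2, project),
          goal_on_shapes(L2, initiator_sent))                                   # True True True
    print(simulates(L1, L3, L3, project), goal_on_shapes(L3, initiator_sent))  # False False
```

For Π1 the single shape contains an initiator transmission, so the goal holds; the Π1 lts simulates the whole Π2 lts under the name-forgetting projection, and the translated goal holds for Π2 as well. For Π3 the responder's reception has a second explanation, the extra `server` transmission, which the Π1 lts cannot match; the simulation check fails, and indeed the goal fails on the shape reached through that transmission.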

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Joshua D. Guttman, Worcester Polytechnic Institute, USA