Measuring protocol strength with security goals

Flaws in published standards for security protocols are found regularly, often after systems implementing those standards have been deployed. Because of deployment constraints and disagreements among stakeholders, different fixes may be proposed and debated. In this process, security improvements must be balanced with issues of functionality and compatibility. This paper provides a family of rigorous metrics for protocol security improvements. These metrics are sets of first-order formulas in a goal language associated with a protocol . The semantics of is compatible with many ways to analyze protocols, and some metrics in this family are supported by many protocol analysis tools. Other metrics are supported by our Cryptographic Protocol Shapes Analyzer cpsa. This family of metrics refines several "hierarchies" of security goals in the literature. Our metrics are applicable even when, to mitigate a flaw, participants must enforce policies that constrain protocol execution. We recommend that protocols submitted to standards groups characterize their goals using formulas in , and that discussions comparing alternative protocol refinements measure their security in these terms.