Security Goals and Protocol Transformations

Cryptographic protocol designers work incrementally. Having achieved some goals for confidentiality and authentication in a protocol Π1, they transform it to a richer Π2 to achieve new goals. But do the original goals still hold? More precisely, if a goal formula Γ holds whenever Π1 runs against an adversary, does a translation of Γ hold whenever Π2 runs against it? We prove that a transformation preserves goal formulas if a labeled transition system for analyzing Π1 simulates a portion of an lts for analyzing Π2, while preserving progress in that portion. Thus, we examine the process of analyzing a protocol Π. We use ltss that describe our activity when analyzing Π, not that of the principals executing Π. Each analysis step considers—for an observed message reception—what earlier transmissions would explain it. The lts then contains a transition from a fragmentary execution containing the reception to a richer one containing an explaining transmission. The strand space protocol analysis tool cpsa generates some of the ltss used.