Research into cryptographic protocols has been increasing in momentum in recent years. A great deal of effort has been devoted to analysis techniques [15] while general principles for design of protocols are now much better understood [2]. Even so, the rate at which protocol faults are being reported does not appear to be slowing down [1,14,17,16].
It is obvious that any attack on a protocol is only valid if it violates some property that the protocol was intended to achieve. In other words all attacks must be considered relative to the protocol goals. Many protocols are poorly designed because their authors are unclear what are the protocol goals they are trying to achieve. This is turn leads to disputes about whether protocol attacks are valid, since designers may regard the goals differently from analysers (as discussed by Gollman [13]).
Clarity in describing protocols goals is desirable for all parties concerned.
Many authors have considered the question of what are appropriate goals, mainly in the context of protocol analysis. A panel session at the 1996 Computer Security Foundations workshop was dedicated to the question: ``What is an Attack on a Cryptographic Protocol?'' [30], and showed that there are many questions yet to be resolved. A central issue in this paper is the division between intensional goals which are generally concerned with ensuring that the protocol runs correctly as specified, and extensional goals which are concerned with what the protocol achieves for its participants.
The view taken in this paper is that while intensional properties may be important for analysis, it is extensional properties that are appropriate to be considered by the protocol designer. In other words the protocol designer should be ensuring that the extensional protocol goals are achieved, by whatever means. Furthermore, an attack on a protocol must be measured against whether it defeats the extensional goals of the protocol. In addition it is shown that a clear view of extensional goals is of great benefit to the protocol designer.
In the next section the previous literature on goals in protocols is reviewed and goals are classified as intensional or extensional goals. Then a hierarchy of extensional protocol goals is proposed which includes the major proposed goals for key establishment. Examples are then considered to contrast the different features captured by the intensional and extensional views. This leads to consideration of a new attack on the widely studied Needham-Schroeder public key protocol. Finally it is shown how these extensional goals can be exploited to motivate design of key establishment protocols.