Re: [Ntp] Switching NTS to AES-GCM-SIV?

Daniel Franke <dfoxfranke@gmail.com> Tue, 23 April 2019 16:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/0Pb6UVzxgQ9xHcGz2ujGAVRP1eY>

On Tue, Apr 23, 2019 at 11:46 AM Miroslav Lichvar <mlichvar@redhat.com> wrote:
> there is a new standard for AES-GCM-SIV
> [...]
> Is it too late for NTS to switch?

Whether it's too late is debatable, but I don't think we should.
AES-GCM-SIV's misuse-resistance properties are weaker than AES-SIV's:
its security bounds gradually degrade if you reuse the same nonce too
many times. In mainstream use cases this isn't any cause for concern
because nonce reuse should be rare, but I don't want to encumber our
choice of MTI algorithm with the assumption that it will *never* be a
concern.

With that said, in all but weird exceptional cases that may or may not
exist, I definitely encourage implementers to support AES-GCM-SIV in
addition to AES-SIV, and to put AES-GCM-SIV ahead of AES-SIV in their
preference ordering when negotiating what to use.
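
The preference ordering recommended in the message above, shown as an added example that is not part of the original message or of any NTS implementation. It assumes the NTS-KE record layout and record type 4 from RFC 8915 and the algorithm numbers from the IANA AEAD registry, none of which appear in the message; the function names are hypothetical.

```python
import struct

# IANA AEAD registry identifiers (assumed; not given in the message above).
AEAD_AES_SIV_CMAC_256 = 15   # AES-SIV, the mandatory-to-implement algorithm
AEAD_AES_128_GCM_SIV = 30    # AES-GCM-SIV
REC_AEAD_NEGOTIATION = 4     # NTS-KE record type, RFC 8915
CRITICAL_BIT = 0x8000

# AES-GCM-SIV ahead of AES-SIV, with AES-SIV kept as the fallback.
PREFERENCE = (AEAD_AES_128_GCM_SIV, AEAD_AES_SIV_CMAC_256)


def encode_aead_record(algorithms, critical=False):
    """Record = critical bit + 15-bit type, 16-bit body length, 16-bit IDs."""
    body = b"".join(struct.pack("!H", a) for a in algorithms)
    head = REC_AEAD_NEGOTIATION | (CRITICAL_BIT if critical else 0)
    return struct.pack("!HH", head, len(body)) + body


def decode_aead_record(record):
    """Parse one record; reject wrong types and truncated or odd-length bodies."""
    if len(record) < 4:
        raise ValueError("truncated record header")
    head, length = struct.unpack("!HH", record[:4])
    body = record[4:]
    if head & 0x7FFF != REC_AEAD_NEGOTIATION:
        raise ValueError("not an AEAD negotiation record")
    if length != len(body) or length % 2:
        raise ValueError("bad body length")
    return [struct.unpack_from("!H", body, i)[0] for i in range(0, length, 2)]


def server_select(request, supported=PREFERENCE):
    """Answer with the server's most-preferred algorithm that the client
    offered; the body is empty here when nothing overlaps."""
    offered = set(decode_aead_record(request))
    chosen = [a for a in supported if a in offered][:1]
    return encode_aead_record(chosen)


def client_accept(offered, response):
    """Accept exactly one algorithm, and only one the client offered, so a
    response cannot steer the session to an algorithm outside the offer."""
    chosen = decode_aead_record(response)
    if len(chosen) != 1 or chosen[0] not in offered:
        raise ValueError("no acceptable AEAD algorithm in response")
    return chosen[0]
```

A peer that only implements AES-SIV still interoperates, because the fallback entry stays in every offer and in every server's supported list.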