IETF Logo Mail Archive

[Ntp] Re: Wrong NTS key exporter context in use for AES-128-GCM-SIV

Daniel Franke <dfoxfranke@gmail.com> Mon, 16 September 2024 13:01 UTC

Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73685C151996 for <ntp@ietfa.amsl.com>; Mon, 16 Sep 2024 06:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8y5rf27mgByP for <ntp@ietfa.amsl.com>; Mon, 16 Sep 2024 06:01:49 -0700 (PDT)
Received: from mail-oo1-xc2e.google.com (mail-oo1-xc2e.google.com [IPv6:2607:f8b0:4864:20::c2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D047C180B6E for <ntp@ietf.org>; Mon, 16 Sep 2024 06:01:41 -0700 (PDT)
Received: by mail-oo1-xc2e.google.com with SMTP id 006d021491bc7-5e1cdfe241eso1147803eaf.1 for <ntp@ietf.org>; Mon, 16 Sep 2024 06:01:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726491701; x=1727096501; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=pRTKS6uYVDv1XhR7PzDbh9NsVfe88UiMUmSh7PiC0Fw=; b=fqeZ2cXDoSyaVtiAz3bGTGEv2egL52aOzW3Agud/WA40c/lRY3Zjo15rXjqEJtWClN JRm0py5BhzKRL8UT78dVRekewUtD6YbahW+YR3Sw7FxCotSg4+7Jd0ZJ79VtUiQd6Uw2 v1ANLVLpZzw3q9nb1iqZbJlqz4F9jeWhP+Owy9jFX0cdb3rkiaqnnZZ+bU+eR3ahXV4d Q+8W82pxVRKCDLIkr2ZIO4G7foehPQBm4/pq1KaNAtyUulspemA6qF+U8mKQi0lSeIaY ohnRXf0wweywbeAfs9wbeyXYDMt9UDVxu7v4f88xi4MqvXydwpZIgD5eSec/mBXU7hC0 0zBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726491701; x=1727096501; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=pRTKS6uYVDv1XhR7PzDbh9NsVfe88UiMUmSh7PiC0Fw=; b=ijnmorBaZk1xASqGA91SaIefNvM1nrz8/Bn9ZGZPwUN9PJUm4EnVrXaW2GGvhAZSEv jaZ+uqo6ePcmA1O9exF7jU3sZAY4vjYRMkoGY0oD16rOAel2xFOcPX+tYFmEKTg+vhr6 xHiw3dCzCcmBSs/mM/j2a2zUYsftp6uLTE5Nn27F68zNUJQ8+6nspEbr5KeLM2eBp8vM bSKoVRftvREQPPJSv2bKj0YyIvn8iMW7n8f7F1XNG/xQt1e3ITypCcMSEZqmRaUgzMVo 1MjwcqNE5OyGO+7fqnBYymZHvPeIzQkHD7hSAi5SoHsezMBV1hTaYN95P4/SBjXO6txq PJxQ==
X-Gm-Message-State: AOJu0Ywv5lN8lYlf/kdAv6kxcFEeoXYzeqKmGVlYR0ioNRtD8NIHY8ZV Xh0Dj1310ROhImepYzfo8URkNjxZDMqdxlUxjz87/FHbHx78vEFKeKdHH/wgzpzkrVVVdU1qMLM x7FjhFMa/jO7H/wMY0QdAd2Axg3GkSVgY
X-Google-Smtp-Source: AGHT+IF/BvaJrW2Pn7tePKI7fFETcidWWftGSoEzRPU4VM+g4j3P97dGeoS2UyBrMxHJWtWtvBqMeqtWyzhhUuaChYY=
X-Received: by 2002:a05:6820:160a:b0:5e1:cabe:a3 with SMTP id 006d021491bc7-5e20bfc6df9mr4036001eaf.0.1726491700358; Mon, 16 Sep 2024 06:01:40 -0700 (PDT)
MIME-Version: 1.0
References: <Zuft30p5rxdjn50i@localhost>
In-Reply-To: <Zuft30p5rxdjn50i@localhost>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Mon, 16 Sep 2024 08:59:48 -0400
Message-ID: <CAJm83bD4_KbQ2=ygwUHtmNVggawViDN5toR+2MY8v+OgNQXX1w@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Content-Type: multipart/alternative; boundary="00000000000081fb6c06223c2cf6"
Message-ID-Hash: A2VUNLMXS47VBFTLDPX6LO7QUXERG6SI
X-Message-ID-Hash: A2VUNLMXS47VBFTLDPX6LO7QUXERG6SI
X-MailFrom: dfoxfranke@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ntp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ntp@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Ntp] Re: Wrong NTS key exporter context in use for AES-128-GCM-SIV
List-Id: Network Time Protocol <ntp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2bKBmQxzEqiebkqFwfOwQKXT_bk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Owner: <mailto:ntp-owner@ietf.org>
List-Post: <mailto:ntp@ietf.org>
List-Subscribe: <mailto:ntp-join@ietf.org>
List-Unsubscribe: <mailto:ntp-leave@ietf.org>

That sucks. I think fixing this will necessarily involve some long-term
scar tissue on the protocol, but I don't think the scar has to be too big.

What I would suggest you do is publish a specification which explains the
issue and defines a "Chrony AES-128-GCM-SIV workaround" NTS-KE record type,
with an empty body and its critical bit cleared. A server which has the
fix, upon receiving an NTS-KE request with the record present, will respond
with it present in turn, and will record somewhere in the cookie that the
fix was negotiated. Initially, fixed servers will continue to perform the
noncompliant context calculation with any client which doesn't negotiate
the fix, but eventually (probably not for a very long time, unfortunately)
can drop support for broken clients and always perform the compliant
calculation. From the client's perspective, a server which negotiates the
fix definitely has it, and the client should go directly to using the
compliant calculation. If the server fails to negotiate the fix, then it's
either a broken Chrony server, or a non-broken non-Chrony server which
refuses to implement the workaround. The client should try one possibility
and then the other, in whatever order represents the greater likelihood as
of when that version of the client was released.

On Mon, Sep 16, 2024 at 4:35 AM Miroslav Lichvar <mlichvar@redhat.com>
wrote:

> A year ago the chrony NTP implementation added support for the
> AES-128-GCM-SIV AEAD in order to make NTS cookies shorter and improve
> reliability over Internet, where some major operators are known to
> block or limit rate of longer NTP packets as a mitigation against
> mode-6/7 amplification attacks, as was discussed on this list many
> times before.
>
> This seems to work great, except I have now received a report from a
> wireshark developer that chrony uses a wrong exporter context for this
> AEAD. Per RFC8915 the AEAD number is included in the per-association
> context passed to the RFC5705 function, but chrony has this context
> hardcoded for AES-SIV-CMAC-128. I already forgot this fact when I was
> adding the AES-128-GCM-SIV support and there was nothing else to test
> interoperability. It doesn't support any other AEADs, so this impacts
> only AES-128-GCM-SIV.
>
> It seems there is no other NTS implementation that added support for
> AES-128-GCM-SIV yet. When that happens, it will not inteoperate with
> the current clients and servers. I think the developers will quickly
> realize that.
>
> I don't see a good way to fix this without a flag day, requiring both
> clients and servers to be updated at the same time. A fixed client
> could try both exporter contexts and see which works, but the servers
> would have to include both sets of keys (or the TLS context needed
> to generate both) in their cookies to be able to support the broken
> clients, which would make the cookies longer and cause the packets to
> be blocked or rate-limited again.
>
> Does the WG have any suggestions?
>
> --
> Miroslav Lichvar
>
> _______________________________________________
> ntp mailing list -- ntp@ietf.org
> To unsubscribe send an email to ntp-leave@ietf.org
>

v2.35.0 | Report a Bug | By Email | System Status