Re: [ntpwg] Unlinkability formulations in merged draft "NTS-4-NTP"
Sharon Goldberg <goldbe@cs.bu.edu> Wed, 08 March 2017 16:43 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03C8012963E for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Wed, 8 Mar 2017 08:43:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.311
X-Spam-Level:
X-Spam-Status: No, score=-1.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lrnl0_wSm6PX for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Wed, 8 Mar 2017 08:43:42 -0800 (PST)
Received: from lists.ntp.org (psp3.ntp.org [185.140.48.241]) by ietfa.amsl.com (Postfix) with ESMTP id 49E2A129621 for <ntp-archives-ahFae6za@lists.ietf.org>; Wed, 8 Mar 2017 08:43:42 -0800 (PST)
Received: from lists.ntp.org (lists.ntp.org [10.224.90.243]) by lists.ntp.org (Postfix) with ESMTP id 0A54486DB58 for <ntp-archives-ahFae6za@lists.ietf.org>; Wed, 8 Mar 2017 16:43:42 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (fortinet.ntp.org [10.224.90.254]) by lists.ntp.org (Postfix) with ESMTP id 75E8686DAED for <ntpwg@lists.ntp.org>; Wed, 8 Mar 2017 16:42:42 +0000 (UTC)
Received: from mail-it0-f54.google.com ([209.85.214.54]) by mail1.ntp.org with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <sharon.goldbe@gmail.com>) id 1clefb-000Gch-Df for ntpwg@lists.ntp.org; Wed, 08 Mar 2017 16:42:42 +0000
Received: by mail-it0-f54.google.com with SMTP id m27so41604986iti.1 for <ntpwg@lists.ntp.org>; Wed, 08 Mar 2017 08:42:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=xLNHIOvVpI7IVgmqiP2G9x1baP925kHlJOwgcfP0XxY=; b=p4//Hx2er2eW/dqFrsZ48shT/GTBjFYS6Gnxl2QnNKK8d6Wq+4Z9o5WVPViNPe0sYy FAnO8KqtlzGfzdHjwn9BYmj3CZDFQuCjNTR5WZ/T1O0M8rhNRYgXyYVtU4+sFjcKq/+J GZAibedkKQBkBRzzLB+nNgW9cZZY3g8+SbYLzjuLcqYEg6xyQkNunCOBGgsBHiSmJYGN Qr6XP2YCKscWd3PqTXcgySY4M1U6XJR16wJK2wwXDU6oXYtarkfhCecZBXEnj6pQdicW P2MOayLK5KPSxcJwjvE/d72N9r408fWLMxDQibNks90p0bIesoXyXuf1K0Nq3E90LUUE i1Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=xLNHIOvVpI7IVgmqiP2G9x1baP925kHlJOwgcfP0XxY=; b=onldglukXYKud0+sLB4HqZrYDAn0IX0YsS2U+aK5HebcJlTZWcco/HEro9ZcAMFuc6 /03UOTJacNp/NWifOIr/2Oj3ZswFrhdjZvTtvTJDgihTv3wje0FQJlr08iyyXic0cBS+ bXFLO6GfB181M439tCK7490yYazOwx+CfLOWp0QNjuvHnpU65oYXGUhjbcKihGdLIMAT 4VDsHciGrVEqpsf7Z3PQgRhvBDYJZxjHPGdB/rhz0uPlf8264i6VDJo7J4xNX4uuQGSA dp5av0VaBX4+stqDtpvVCZB+4wALKoERolbkk4okjNx/1zjoNS2lPmO56w2WVxoBtbQL fiRQ==
X-Gm-Message-State: AMke39nPdIX3RV++w2egkO5cOWHq/ILquhH2MQMYRwV64yTgLhOweEsLV8uypKXQ4KCR27T4KP1ITNuPs39jFQ==
X-Received: by 10.36.209.198 with SMTP id w189mr27096138itg.83.1488991354548; Wed, 08 Mar 2017 08:42:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.141.197 with HTTP; Wed, 8 Mar 2017 08:41:53 -0800 (PST)
In-Reply-To: <CAJHGrrRLHR=BvWso5hqFdW7uO5ycp1KwwhYz2j881+p75x5mDQ@mail.gmail.com>
References: <OFDFA8201C.9FF6AA26-ONC12580DD.004A82AE-C12580DD.004BEDC7@ptb.de> <CAJHGrrRLHR=BvWso5hqFdW7uO5ycp1KwwhYz2j881+p75x5mDQ@mail.gmail.com>
From: Sharon Goldberg <goldbe@cs.bu.edu>
Date: Wed, 08 Mar 2017 11:41:53 -0500
X-Google-Sender-Auth: a6DpInv6ZOg3jDi5d_2x904J_1A
Message-ID: <CAJHGrrQ1P5cQrVs-rFY0wPqjqe0jxzK2m3CQ3qzsOM0E1-rZSA@mail.gmail.com>
To: kristof.teichel@ptb.de
X-SA-Exim-Connect-IP: 209.85.214.54
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: sharon.goldbe@gmail.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [ntpwg] Unlinkability formulations in merged draft "NTS-4-NTP"
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: NTP Working Group <ntpwg@lists.ntp.org>
Content-Type: multipart/mixed; boundary="===============4393369776293734084=="
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
This is looking good. I've taken a pass over what was sent and propose the below candidate text. Note my use of the IETF "MUST". The relevant text in Section "Objectives": - Privacy: Once an NTS session has been established, NTS supports unlinkability for devices that (1) use NTS as clients and (2) minimize the information they expose in client query (mode 3) packets per "draft-dfranke-ntp-data-minimization" . Unlinkability ensures that NTS does not leak data that allows an attacker to track mobile NTP clients when they move between networks. See [link to Section "Privacy Considerations"] for details. The relevant text in Section "Privacy Considerations": Unlinkability prevents a device from being tracked when it changes network addresses (e.g. because said device moved between different networks). In other word, unlinkability thwarts an attacker that seeks to link a new network address used by a device with a network address that it was formerly using, because of recognizable data that device is persistently sent as part of an NTS-secured NTP association. This is the justification for continually supplying the client with fresh cookies, so that a cookie never represents recognizable data in the sense outlined above. NTS's unlinkability object is merely to not leak any additional data that could be used to link a device's network address. NTS does not rectify legacy linkability issues that are already present in NTP. Thus, a client that requires unlinkability MUST also minimize information transmitted in a client query (mode 3) packet as described in the draft "draft-dfranke-ntp-data-minimization" The unlinkability objective only holds for time synchronization traffic, as opposed to key exchange traffic. This implies that it cannot be guaranteed for devices that function not only as time clients, but also as time servers (because the latter can be externally triggered to send authentication data). It should also be noted that it could be possible to link devices that operate as time servers from their time synchronization traffic, using information exposed in (mode 4) server response packets (e.g. reference ID, reference time, stratum, poll). Also, devices that respond to NTP control queries could be linked using the information revealed by control queries. On Wed, Mar 8, 2017 at 10:12 AM, Sharon Goldberg <goldbe@cs.bu.edu> wrote: > Kristof, thanks for this. There are 3 documents in there, I assume you > are talking about > > https://github.com/dfoxfranke/nts/blob/master/draft-ietf-ntp > -using-nts-for-ntp.xml > > right? Also, there are some missing refs so the draft doesn't compile on > xml2rfc ... > > On Wed, Mar 8, 2017 at 8:48 AM, <kristof.teichel@ptb.de> wrote: > >> Hello all, >> >> we have made a few changes to the merged draft (have been pushed to the >> repository at https://github.com/dfoxfranke/nts) after some discussion >> with Aanchal. >> These changes are about the formulation of the text regarding >> unlikability. >> We would welcome any comments or suggestions. >> >> >> The relevant text in Section "Objectives": >> >> - Privacy: NTS preserves unlinkability, i. e. it does not leak data that >> would allow an attacker to track mobile NTP clients when they move between >> networks. Note that unlinkability is not guaranteed for devices that >> function as servers as well as clients, see [link to Section "Privacy >> Considerations"]. >> >> The relevant text in Section "Privacy Considerations": >> >> Unlinkability shall prevent that a device can be tracked when it changes >> networ adresses (e.g. because said device moved between different >> networks). This is to say that an attacker shall be unable to link a new >> address with one that was formerly used by the device, because of >> recognizable data that the device persistently sends as part of an >> NTS-secured NTP association. This is the justification for continually >> supplying the client with fresh cookies, so that a cookie never represents >> recognizable data in the sense outlined above. >> >> Note that the objective of NTS regarding unlinkability is merely to not >> leak any additional data that would cause linkability. NTS does not rectify >> legacy linkability issues that are already present in NTP. To minimize the >> risk of being tracked by a passive adversary the NTP client has to minimize >> the information it transmits within a client request (mode 3 packet) as >> described in the draft "draft-dfranke-ntp-data-minimization" >> >> Also, the objective only holds for actual time synchronization traffic, >> as opposed to key exchange traffic. This implies that it cannot be >> guaranteed for devices that function not only as time clients, but also as >> time servers (because the latter can be externally triggered to send >> authentication data). >> >> >> What do people here think? >> >> Best regards, >> Kristof >> _______________________________________________ >> ntpwg mailing list >> ntpwg@lists.ntp.org >> http://lists.ntp.org/listinfo/ntpwg >> > > > > -- > Sharon Goldberg > Computer Science, Boston University > http://www.cs.bu.edu/~goldbe > -- Sharon Goldberg Computer Science, Boston University http://www.cs.bu.edu/~goldbe
_______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Unlinkability formulations in merged draf… kristof.teichel
- Re: [ntpwg] Unlinkability formulations in merged … Sharon Goldberg
- Re: [ntpwg] Unlinkability formulations in merged … Sharon Goldberg
- Re: [ntpwg] Unlinkability formulations in merged … Sharon Goldberg