IETF Logo Mail Archive

[ntpwg] Antwort: Re: NTS: The question of CMS vs. (D)TLS

kristof.teichel@ptb.de Fri, 03 July 2015 13:33 UTC

Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54FC11B2FA0 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Fri, 3 Jul 2015 06:33:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.309
X-Spam-Level:
X-Spam-Status: No, score=-1.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_54=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ven9XVC4tsb0 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Fri, 3 Jul 2015 06:33:55 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [IPv6:2001:4f8:fff7:1::7]) by ietfa.amsl.com (Postfix) with ESMTP id 43F841B2FB2 for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 3 Jul 2015 06:33:55 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id 3085C86DAE7 for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 3 Jul 2015 13:33:55 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 6BC5A86D643 for <ntpwg@lists.ntp.org>; Fri, 3 Jul 2015 13:07:00 +0000 (UTC)
Received: from mx1.bs.ptb.de ([192.53.103.106]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <kristof.teichel@ptb.de>) id 1ZB0g4-000EJP-OC for ntpwg@lists.ntp.org; Fri, 03 Jul 2015 13:07:00 +0000
Received: from mx1.bs.ptb.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 133F6D8147C; Fri, 3 Jul 2015 15:06:46 +0200 (CEST)
Received: from rose.bs.ptb.de (rose.bs.ptb.de [141.25.85.201]) by mx1.bs.ptb.de (Postfix) with ESMTP id EED6AD81453; Fri, 3 Jul 2015 15:06:45 +0200 (CEST)
In-Reply-To: <55954272.9020902@redhat.com>
References: <OF0D8F7CB4.A1C8057D-ONC1257E76.004B19F6-C1257E76.004B2BC4@ptb.de> <55954272.9020902@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
MIME-Version: 1.0
X-KeepSent: 639064B6:202088E1-C1257E77:00460FC8; type=4; name=$KeepSent
X-Mailer: IBM Notes Release 9.0.1FP3 January 13, 2015
Message-ID: <OF639064B6.202088E1-ONC1257E77.00460FC8-C1257E77.004807A0@ptb.de>
From: kristof.teichel@ptb.de
Date: Fri, 03 Jul 2015 15:06:45 +0200
X-MIMETrack: Serialize by Router on ROSE/PTB(Release 9.0.1FP4|June 07, 2015) at 07/03/2015 15:06:45, Serialize complete at 07/03/2015 15:06:45
X-SA-Exim-Connect-IP: 192.53.103.106
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: kristof.teichel@ptb.de
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: [ntpwg] Antwort: Re: NTS: The question of CMS vs. (D)TLS
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: ntpwg@lists.ntp.org
Content-Type: multipart/mixed; boundary="===============6830888627791164020=="
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>

> This is still fine, except that I would like to replace client
> certificate hash with an opaque value of variable length.  The CMS-based
> protocol could still put the client-cert hash there, but a DTLS-based
> implementation would store a session ticket in this place.
> 
> Even for the CMS-based negotiation phase, I suggest to send back this
> field to the client.  This means that it's up to the implementation what
> to put there.  It could be the client certificate hash, but the server
> implementation could use something else (which might provide it with
> additional state).
> 
> Does this make sense?

It does, and I think it is a good idea. Do you have a proposal for the 
wording regarding this opaque value? (IMO, "key input value" does not seem 
generic enough anymore.)
 
> > I like(d) this approach for its clean distinction of negotiation and 
> > post-negotiation phase. I especially liked that different methods of 
> > handling the cryptographic aspects (i.e. CMS-based vs. (D)TLS) would 
have 
> > to be specified separately only for the negotiation phase and that the 

> > post-negotiation phase would not differentiate. 
> > This reduces complexity for both specification and implementation. 
> > Additionally, it retains the low cryptographic requirements for a 
timesync 
> > response (performing exactly two HMAC operations).
> 
> I think this is possible if the small change I outlined above is made to
> the protocol.

I think so too, we will have to see if we can include this until monday 
(submission deadline for drafts for IETF 93), so that it would be in the 
next released version of the draft.
 
> > I see your point here. I am unsure, however, how highly we should 
place 
> > the requirement for this kind of DoS protection.
> 
> I think it's reasonable to provide space to keep additional state which
> can be used to support various (implementation-defined) mechanisms.  It
> is not necessary to specify the precise mechanism.  If the server sends
> back the ticket that takes the place of the client certificate hash, and
> the client includes that instead of the hash in post-negotiation
> requests, this would be sufficient for server-side state extensions.
> The CMS-based reference implementation could simply send back the client
> certificate hash, but the protocol is open to more elaborate approaches
> (and these server-side mechanisms would not require client changes).
> 
> The exception to this rule is protection of the asymmetric cryptographic
> operation in the negotiation phase?this rather expensive operation
> should only be reachable after the client has proven control over the
> client address it supplied (so that we can assume it has not been
> spoofed).  This is what a Photuris-style cookie achieves.

I think I get what you're saying, but I'm having difficulty following you 
where you talk about the exception to "this rule". What's the rule?

Also, let me try and summarize the use of Photuris cookies:
- For the (D)TLS based approach, we would basically only specify THAT a 
photuris cookie should be used.
- For the CMS based approach, we would specify another exchange in which a 
client gets several Photuris Cookies: one for Association/Certification 
exchange, one for Cookie Exchange, and possibly already one for Broadcast 
Parameter exchange (or, more summarized: one for each message exchange 
that involves expensive cryptographic operations and/or large response 
packets and therefore a large amplification opportunity)

Does that sound about correct? Or am I missing important aspects?
If I understood this correctly, then I would agree that this method has 
small cost and potentially large reward and we should look into it.

Best regards,
Kristof Teichel (PTB)


_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg

v2.23.0 | Report a Bug | By Email