[Ntp] some comments on the current NTS draft (nts4ntp-12)
Martin Langer <mart.langer@ostfalia.de> Wed, 27 June 2018 11:49 UTC
Return-Path: <mart.langer@ostfalia.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08B212F1AB for <ntp@ietfa.amsl.com>; Wed, 27 Jun 2018 04:49:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_FILL_THIS_FORM_FRAUD_PHISH=0.01, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sonia.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFdw6XeyBT05 for <ntp@ietfa.amsl.com>; Wed, 27 Jun 2018 04:49:18 -0700 (PDT)
Received: from mailgate1.sonia.de (mailgate1.sonia.de [141.41.1.242]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 045EF1277C8 for <ntp@ietf.org>; Wed, 27 Jun 2018 04:49:18 -0700 (PDT)
Received: from mailgate1.sonia.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 59FDF137D8 for <ntp@ietf.org>; Wed, 27 Jun 2018 13:49:16 +0200 (CEST)
Received: from mail.sonia.de (mail.sonia.de [141.41.8.70]) by mailgate1.sonia.de (Postfix) with ESMTP id 3B490137D1 for <ntp@ietf.org>; Wed, 27 Jun 2018 13:49:16 +0200 (CEST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_Uqan7pgN6rhUCsDdiwiTmA)"
Received: from [141.41.39.246] (unknown [141.41.39.246]) by mail.sonia.de (Oracle Communications Messaging Server 7.0.5.37.0 64bit (built Jan 25 2016)) with ESMTPSA id <0PAZ00G62CU34P00@mail.sonia.de> for ntp@ietf.org; Wed, 27 Jun 2018 13:49:16 +0200 (CEST)
Sender: mart.langer@ostfalia.de
To: ntp@ietf.org
From: Martin Langer <mart.langer@ostfalia.de>
Message-id: <f02de52f-d5b7-6b0c-8b44-cfa3cadf0356@ostfalia.de>
Date: Wed, 27 Jun 2018 13:49:15 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
Content-language: de-DE
X-Antivirus: Avast (VPS 180627-0, 27.06.2018), Outbound message
X-Antivirus-Status: Clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sonia.de; h=mime-version:content-type:sender:to:from:subject:message-id:date; s=20140129; bh=c37nYdWc09L678Xye6q9EOHRxLUi/PpMqfGAJun/O4A=; b=EQudxQSPlXVrtxFuSlFmGlYEGzWjMQol/Rvo6MwqLGnP5ttUHmOKIykUHHbpP0RiY63bJ7nDk9DdKHaH37/qQx1j5Um6IjM4C/XDXtFm+W5+FIzkIiudcDM8Jh2jY0152CL6Bxa1GJAHBr6bihoWbw07R40he/Q2ESGCowGVjFI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/8DAwEkoxbuINaqPtmrQ3vi7WTWc>
Subject: [Ntp] some comments on the current NTS draft (nts4ntp-12)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 11:49:22 -0000
Hello together, I have read the current NTS draft and some comments. A PDF version of this draft (including my comments) is temporarily available on my git repository. Link: https://gitlab.com/MLanger/nts/raw/develop/Documentation/draft-ietf-ntp-using-nts-for-ntp-12-pre%20-%20comments%20(ML).pdf 1. (Page 6; Figure 1) ------------------------------------------- I think we should move the digits one character to the right. 2. (Page 12; Section 5.1) ------------------------------------------- We should add one more information about the C2S/S2C keys: The draft does not specify the length of these keys because the lengths results from the negotiated AEAD. However, for an implementor which is not familiar with TLS it would be helpful if the draft would provide an appropriate explanation. Recommendation: Add explaining language to the draft. E.g., "The length of the extracted keying material (c2s and s2c) results from the negotiated AEAD algorithm. For AEAD_AES_SIV_256 the length of the keys are 256 bit, respectively." 3. (Page 15; Section 5.6) ------------------------------------------- New calculation of the padding bytes: I don't understand why we need this. Example: N_MAX: bigger than 16 (e.g. 64) N_len: smaller than 16 (e.g. 8, for whatever reason) Calculation of the AEAD-ExtField size (current case): AEAD_EF_size = Nonce length (2 bytes) + Nonce (>=1 bytes ) + AEAD output (>=16 bytes ) + Padding (>=1 bytes ) with N_len=8 and AEAD_out=16 (no encrypted content; only AuthTag): AEAD_EF_size = 2 bytes + 8 bytes + 16 bytes = 26 bytes . ...so we need 2 padding Bytes to achieve the four-octet boundary (additionally we reached the min size for the EF) final AEAD_EF_size = 28 bytes with the equation: PadBytes = MAX(MIN(N_MAX, 16) - N_len, 0) + 4 PadBytes = MAX(MIN(64, 16) - 8, 0) + 4 PadBytes = MAX(16 - 8, 0) + 4 PadBytes = MAX(8, 0) + 4 PadBytes = 8 + 4 PadBytes = 12 new AEAD_EF_size = 2 bytes + 8 bytes + 16 bytes + 12 bytes (PadBytes) = 38 bytes. This is bigger and we need 2 more padding bytes to achieve the four-octet boundary. 4. (Page 15; Section 5.6) ------------------------------------------- "This constraint ensures that servers can always use an adequately long nonce without causing the size of their response packet to exceed the size of the request packet." Is it possible for the server to generate a message that differs from the size of the request? ...and how? I mean... AEAD algo and nonce are the same for client and server. The AEAD EF have always the same size. I'm a bit confused 5. (Page 16; Section 6) ------------------------------------------- 2 small typos: - [...] We emphasize also that " encrypted" means [...] --> space in " encrypted" - [...] body of a NTS Cookie extension [...] --> an NTS Cookie? 6. (Page 18; Figure 3) ------------------------------------------- small gap in the picture: "Server -------- --+---------------+-----+----------------------->" --> space 7. (Page 19; Section 7) ------------------------------------------- "Servers SHOULD periodically (e.g., once daily) generate a new pair (I,K) and immediately switch to using these values for all newlygenerated cookies." Should we define a minimum limit? Rotation interval >= 21600s (6h)? 8. (Page 19; Section 7) ------------------------------------------- "A recommended concrete implementation of this approach is to use HKDF [RFC5869] to derive new keys, using the key’s predecessor as Input Keying Material and its key identifier as a salt." maybe we should add some more information: Use of HKDF makes it simpler to keep master keys in sync across load-balanced clusters. They can all update their keys on their own via a deterministic ratchet rather than have to communicate with each other. ...and: 'Salt' and 'context' are software defined 9. (Page 25; Section 9.1.4) ------------------------------------------- refreshing the dates :) 10. (Page 26; Section 10.1) ------------------------------------------- [...] Due to the [RFC7822] requirement that extensions be padded and aligned to four-octet boundaries, response size may still in some cases exceed request size by up to three octets. [...] um... ok. But in which cases is it possible? best regards, Martin Langer -- Martin Langer, M.Eng. Labor Datentechnik Labor Design Digitaler Systeme Ostfalia Hochschule für angewandte Wissenschaften - Hochschule Braunschweig/Wolfenbüttel - Fakultät Elektrotechnik Salzdahlumer Straße 46/48 38302 Wolfenbüttel Tel. : +49 5331 939 43370 Fax : +49 5331 939 43372 Mail : mart.langer@ostfalia.de Web : http://www.ostfalia.de/cms/de/e
- [Ntp] some comments on the current NTS draft (nts… Martin Langer