[Ntp] Wrong NTS key exporter context in use for AES-128-GCM-SIV

Miroslav Lichvar <mlichvar@redhat.com> Mon, 16 September 2024 08:35 UTC

A year ago the chrony NTP implementation added support for the
AES-128-GCM-SIV AEAD in order to make NTS cookies shorter and improve
reliability over the Internet, where some major operators are known to
block or limit the rate of longer NTP packets as a mitigation against
mode-6/7 amplification attacks, as was discussed on this list many
times before.

This seems to work great, except I have now received a report from a
wireshark developer that chrony uses a wrong exporter context for this
AEAD. Per RFC8915 the AEAD number is included in the per-association
context passed to the RFC5705 function, but chrony has this context
hardcoded for AES-SIV-CMAC-128. I already forgot this fact when I was
adding the AES-128-GCM-SIV support and there was nothing else to test
interoperability. It doesn't support any other AEADs, so this impacts
only AES-128-GCM-SIV.

It seems there is no other NTS implementation that added support for
AES-128-GCM-SIV yet. When that happens, it will not interoperate with
the current clients and servers. I think the developers will quickly
realize that.

I don't see a good way to fix this without a flag day, requiring both
clients and servers to be updated at the same time. A fixed client
could try both exporter contexts and see which works, but the servers
would have to include both sets of keys (or the TLS context needed
to generate both) in their cookies to be able to support the broken
clients, which would make the cookies longer and cause the packets to
be blocked or rate-limited again.

Does the WG have any suggestions?

-- 
Miroslav Lichvar
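
The mismatch described in the message above, as an added example that is not part of the original post and is not chrony's code: it builds the five-octet RFC 8915 exporter context (protocol ID, AEAD ID, direction) and derives the C2S/S2C keys once with the negotiated AEAD ID and once with the ID fixed to the SIV-CMAC value. Assumptions: the IANA AEAD IDs 15 and 30, the TLS 1.3 exporter construction from RFC 8446 with SHA-256, and a constructed exporter secret standing in for a real TLS session.

```python
import hashlib
import hmac
import struct

NTS_LABEL = b"EXPORTER-network-time-security"  # exporter label from RFC 8915
PROTO_NTPV4 = 0
AEAD_AES_SIV_CMAC_256 = 15   # IANA AEAD registry numbers (assumed, not on the page)
AEAD_AES_128_GCM_SIV = 30
KEY_LEN = {AEAD_AES_SIV_CMAC_256: 32, AEAD_AES_128_GCM_SIV: 16}
C2S, S2C = 0, 1

def nts_context(aead_id, direction):
    """Per-association context: 2-octet protocol ID, 2-octet AEAD ID, 1-octet direction."""
    return struct.pack(">HHB", PROTO_NTPV4, aead_id, direction)

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label from RFC 8446."""
    full = b"tls13 " + label
    info = struct.pack(">HB", length, len(full)) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def tls13_export(exporter_secret, label, context, length):
    """TLS 1.3 exporter: the context is hashed into the final expand step."""
    derived = hkdf_expand_label(exporter_secret, label, hashlib.sha256(b"").digest(), 32)
    return hkdf_expand_label(derived, b"exporter", hashlib.sha256(context).digest(), length)

def nts_keys(exporter_secret, negotiated_aead, context_aead=None):
    """Return (C2S, S2C) keys; context_aead models an AEAD ID hardcoded in the context."""
    ctx_aead = negotiated_aead if context_aead is None else context_aead
    n = KEY_LEN[negotiated_aead]
    return tuple(tls13_export(exporter_secret, NTS_LABEL, nts_context(ctx_aead, d), n)
                 for d in (C2S, S2C))

# Constructed secret; a real one comes out of the NTS-KE TLS handshake.
SECRET = hashlib.sha256(b"constructed exporter secret").digest()
PER_RFC = nts_keys(SECRET, AEAD_AES_128_GCM_SIV)
HARDCODED = nts_keys(SECRET, AEAD_AES_128_GCM_SIV, context_aead=AEAD_AES_SIV_CMAC_256)
print("per RFC 8915 :", [k.hex() for k in PER_RFC])
print("hardcoded ID :", [k.hex() for k in HARDCODED])
```

Two peers that both use the hardcoded context agree with each other, which is why the problem stays invisible until a peer that follows the RFC joins.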