Re: [Ntp] NTP Security (was NTPv5: big picture)

Miroslav Lichvar <mlichvar@redhat.com> Tue, 19 January 2021 13:51 UTC

Date: Tue, 19 Jan 2021 14:51:15 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: FUSTE Emmanuel <emmanuel.fuste@thalesgroup.com>
Cc: "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <20210119135115.GF2430794@localhost>
References: <20210118113806.33BBE40605C@ip-64-139-1-69.sjc.megapath.net> <c6fda979-0b3e-99fc-2dc5-25b7cde4c42b@rubidium.se> <20210118162517.GA2410317@localhost> <acdd42d0-9b58-4b26-0798-55a42bc0b6de@rubidium.se> <YAX6gJiREb2RE6Gs@roeckx.be> <c5378682-e03f-9e46-24d5-025eb4a57c05@rubidium.se> <20210119094217.GB2430794@localhost> <68c0d807-2290-3c44-d760-35306af20434@rubidium.se> <20210119130408.GD2430794@localhost> <ed1de364-ab7c-86f4-2390-8d96ca708321@thalesgroup.com>
MIME-Version: 1.0
In-Reply-To: <ed1de364-ab7c-86f4-2390-8d96ca708321@thalesgroup.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/BTVpY5nNeiyKtleJ8dUyWLqlvVA>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)

On Tue, Jan 19, 2021 at 01:15:57PM +0000, FUSTE Emmanuel wrote:
> On 19/01/2021 at 14:04, Miroslav Lichvar wrote:
> >
> > In this process you have only verified consistency of the time and
> > other data you have received. It was valid some time ago, but it may
> > not be valid now. If the attacker captured all that data, it can be
> > reused later in a MITM attack.
> How???
> - If it replays my DNS data, fine, it will do the work of my DNS servers
> for me as it could not re-sign.
> - For the NTS part, you are saying that TLS and NTS are subject to MITM
> attacks?

Yes, the attacker has the old private key.

The assumption is that both your DNSSEC and NTS were compromised at
some point. You found out and rebuilt your infrastructure from
scratch, but the attacker can still perform a MITM attack on your
device if it doesn't know the current date in order to validate the
certificate/records.

-- 
Miroslav Lichvar
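The bootstrap problem described in this message, as an added illustration that is not part of the thread: a toy chain validator with RRSIG-style validity windows, where a device without a trusted clock accepts a chain signed by a key that was captured and since rotated out. All keys, names, addresses and timestamps are constructed; HMAC stands in for the asymmetric signatures DNSSEC and TLS actually use.

```python
import hashlib
import hmac
import json
from typing import NamedTuple, Optional

# Constructed key material. HMAC replaces asymmetric signatures here, so the verifier
# looks keys up by id instead of reading a public key out of the signed record.
KEYS = {
    "root": b"trust-anchor-installed-on-device",   # never compromised
    "zone-2020": b"zone-key-captured-by-attacker",  # leaked, rotated out after the rebuild
    "zone-2021": b"zone-key-issued-after-rebuild",
}
T_2020, T_2021, T_2022 = 1577836800, 1609459200, 1640995200  # 1 Jan of each year, UTC

class Record(NamedTuple):
    name: str         # what is asserted: a host name or a key id
    data: str
    inception: int    # validity window, like RRSIG inception/expiration or notBefore/notAfter
    expiration: int
    signer: str       # id of the key that signed the record
    sig: bytes

def sign(signer: str, name: str, data: str, inception: int, expiration: int) -> Record:
    body = (name, data, inception, expiration, signer)
    return Record(*body, hmac.new(KEYS[signer], json.dumps(body).encode(), hashlib.sha256).digest())

def verify(rec: Record, now: Optional[int]) -> bool:
    body = json.dumps(rec[:5]).encode()
    if not hmac.compare_digest(rec.sig, hmac.new(KEYS[rec.signer], body, hashlib.sha256).digest()):
        return False
    if now is None:   # no trusted clock: the validity window cannot be enforced at all
        return True
    return rec.inception <= now <= rec.expiration

def validate_chain(key_rec: Record, answer: Record, now: Optional[int]) -> bool:
    """Root signs the zone key record; that zone key signs the answer; both windows are checked."""
    return (key_rec.signer == "root" and verify(key_rec, now)
            and answer.signer == key_rec.name and verify(answer, now))

def replayed_chain_accepted(now: Optional[int]) -> bool:
    """Attacker replays the captured 2020 key record and, holding zone-2020, signs a bogus answer."""
    old_key_rec = sign("root", "zone-2020", "zone key", T_2020, T_2021)   # captured before rotation
    forged = sign("zone-2020", "ntp.example.net", "203.0.113.7", T_2020, T_2021)
    return validate_chain(old_key_rec, forged, now)

def current_chain_accepted(now: Optional[int]) -> bool:
    """The rebuilt infrastructure's chain, signed with the 2021 key."""
    new_key_rec = sign("root", "zone-2021", "zone key", T_2021, T_2022)
    answer = sign("zone-2021", "ntp.example.net", "192.0.2.10", T_2021, T_2022)
    return validate_chain(new_key_rec, answer, now)
```

With `now=None`, or with a 2020 date fed to the device by the attacker's NTP, the replayed chain validates; only a trusted 2021 clock rejects it.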