Re: [Ntp] The trick to timestamp with authentication

Doug Arnold <doug.arnold@meinberg-usa.com> Thu, 03 December 2020 20:03 UTC

To: Hal Murray <hmurray@megapathdsl.net>, Watson Ladd <watsonbladd@gmail.com>
CC: NTP WG <ntp@ietf.org>
Message-ID: <BEF7C4D9-81CD-42AD-BA06-433D45C0DCD1@meinberg-usa.com>
References: <watsonbladd@gmail.com> <CACsn0c=K=T4_ZTGyfGcmNR_e9+7DYOaNBipKjxiNYJYcdYma2g@mail.gmail.com> <20201203080842.7297D40605C@ip-64-139-1-69.sjc.megapath.net>
In-Reply-To: <20201203080842.7297D40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/HcVOA64-FUjerToQngjzsEnxxow>

I see you were paying attention. Accuracy and security are a trade-off.  If you want on-path timing support and security, then you either have to have a lot of secrets or a secret that a lot of nodes are in on.  Either way it is less secure than just NTS between a client and a server.  However, in a private network where someone wants microsecond level time transfer accuracy that might be a sensible trade-off.

This could be handled using a symmetric group key that authorized nodes get periodically from a key exchange server.  See, for example, GDOI.  I believe that NTS could be adapted to group key operation as well.

Doug

On 12/3/20, 3:08 AM, "ntp on behalf of Hal Murray" <ntp-bounces@ietf.org on behalf of hmurray@megapathdsl.net> wrote:


    watsonbladd@gmail.com said:
    > AES-GCM and Poly1305 are linear. In order to adjust the timestamp in one
    > step, it suffices to line everything up so that the hardware can compute the
    > correction in the same cycle as the stamp by isolating the stamp in one block
    > of the CWC hash.

    I think I'm missing a critical step.  Who/where is doing this "adjusting"?

    The whole point of authentication is to prevent MITM "adjustments".

    The only place I can see where something like that would make sense would be 
    at the transmit network chip.  Why can't it do the whole authentication?  (The 
    transmit side has the key.  The receive side can do the adjustment in 
    postprocessing software.)


    -- 
    These are my opinions.  I hate spam.

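The linearity Watson refers to (quoted in Hal's message) is that GHASH, the authentication part of AES-GCM, is a polynomial in the hash key H, so replacing one block moves the tag by a term computed from that block's difference alone. The following added example (not code from the thread or from any NTP implementation) shows this in pure Python with the timestamp isolated in its own authenticated-only block, the way NTS carries the NTP header as associated data; H, E_K(J0) and the packet are constructed stand-ins, and the same algebra is why anyone holding a shared group key can patch a timestamp, which is the trade-off Doug describes.

```python
"""GHASH linearity: patching one block's timestamp and its AES-GCM tag in one step."""
from __future__ import annotations

BLOCK = 16
R = 0xE1000000000000000000000000000000  # GCM reduction constant, SP 800-38D Sec. 6.3

def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) using GCM's bit-reflected representation (Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: int, blocks: list[int]) -> int:
    """GHASH_H(X_0..X_{m-1}) = sum_i X_i * H^(m-i): a polynomial in H, linear in each X_i."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ b, h)
    return y

def aad_blocks(aad: bytes) -> list[int]:
    """Split authenticated-only data into blocks, then append GCM's length block
    ([len(A)]64 || [len(C)]64, with no ciphertext here so len(C) = 0)."""
    assert len(aad) % BLOCK == 0
    blocks = [int.from_bytes(aad[i:i + BLOCK], "big") for i in range(0, len(aad), BLOCK)]
    return blocks + [(len(aad) * 8) << 64]

def tag(h: int, ek_j0: int, blocks: list[int]) -> int:
    """GCM tag: E_K(J0) XOR GHASH. Only the GHASH term depends on the message."""
    return ek_j0 ^ ghash(h, blocks)

def patch_tag(h: int, old_tag: int, blocks: list[int], idx: int, new_block: int) -> int:
    """Re-tag after replacing blocks[idx] without re-hashing the rest: the tag moves by
    (old XOR new) * H^(m-idx), which anyone holding H can compute in one step."""
    power = h
    for _ in range(len(blocks) - idx - 1):
        power = gf_mul(power, h)
    return old_tag ^ gf_mul(blocks[idx] ^ new_block, power)

def demo() -> tuple[int, int, int]:
    """Returns (tag before, tag patched incrementally, tag recomputed from scratch)."""
    # Constructed stand-ins for H = E_K(0^128) and E_K(J0); real ones derive from the AES key.
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    ek_j0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A
    # Constructed packet: header block, a block holding only the 64-bit NTP timestamp, payload.
    placeholder_ts = (0xE3E1B4A4_00000000).to_bytes(8, "big") + bytes(8)
    blocks = aad_blocks(b"ntp-header-block" + placeholder_ts + b"payload-block-16")
    t_before = tag(h, ek_j0, blocks)
    # At egress the transmit hardware learns the real send time and overwrites only that block.
    new_block = int.from_bytes((0xE3E1B4A4_12345678).to_bytes(8, "big") + bytes(8), "big")
    t_patched = patch_tag(h, t_before, blocks, 1, new_block)
    blocks[1] = new_block
    return t_before, t_patched, tag(h, ek_j0, blocks)
```

The recomputed tag equals the incrementally patched one, so the stamp can be inserted at the last moment by whoever holds H; a receiver without the key sees only a valid tag, which is Hal's point that the adjustment must happen at the transmit side that already has the key.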