[ntpwg] Forward of NTS discussion #2
dieter.sibold@ptb.de Mon, 10 March 2014 15:29 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 394921A043E for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Mon, 10 Mar 2014 08:29:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.747
X-Spam-Level:
X-Spam-Status: No, score=-4.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_9NPInOosp6 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Mon, 10 Mar 2014 08:29:19 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by ietfa.amsl.com (Postfix) with ESMTP id EB2401A0438 for <ntp-archives-ahFae6za@lists.ietf.org>; Mon, 10 Mar 2014 08:29:18 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id E5BA386DAED for <ntp-archives-ahFae6za@lists.ietf.org>; Mon, 10 Mar 2014 15:29:13 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 5C76C86D33C for <ntpwg@lists.ntp.org>; Mon, 10 Mar 2014 15:29:09 +0000 (UTC)
Received: from mx1.bs.ptb.de ([192.53.103.106]) by mail1.ntp.org with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <dieter.sibold@ptb.de>) id 1WN28S-0005fq-J5 for ntpwg@lists.ntp.org; Mon, 10 Mar 2014 15:29:09 +0000
Received: from mx1.bs.ptb.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id E2961D11550 for <ntpwg@lists.ntp.org>; Mon, 10 Mar 2014 16:28:54 +0100 (CET)
Received: from rose.bs.ptb.de (rose.bs.ptb.de [141.25.85.201]) by mx1.bs.ptb.de (Postfix) with ESMTP id C0B89D08AE9 for <ntpwg@lists.ntp.org>; Mon, 10 Mar 2014 16:28:54 +0100 (CET)
X-KeepSent: 0F835F36:14D79FDC-C1257C97:0054E722; type=4; name=$KeepSent
To: NTP Working Group <ntpwg@lists.ntp.org>
X-Mailer: IBM Notes Release 9.0.1 October 14, 2013
Message-ID: <OF0F835F36.14D79FDC-ONC1257C97.0054E722-C1257C97.00550AC3@ptb.de>
From: dieter.sibold@ptb.de
Date: Mon, 10 Mar 2014 16:28:53 +0100
X-MIMETrack: Serialize by Router on ROSE/PTB(Release 9.0.1HF198 | January 23, 2014) at 03/10/2014 16:28:54
MIME-Version: 1.0
X-SA-Exim-Connect-IP: 192.53.103.106
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: dieter.sibold@ptb.de
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: [ntpwg] Forward of NTS discussion #2
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Hi all, enclosed you will find further follow-ups on the NTS discussion. ---------------------------------- Physikalisch-Technische Bundesanstalt Dr. Dieter Sibold Q.42 - Serversysteme und Datenhaltung QM-Verantwortlicher der Stelle IT-Infrastruktur Bundesallee 100 D-38116 Braunschweig Tel: +49-531-592-84 20 E-Mail: dieter.sibold@ptb.de ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: Stephen Röttger <stephen.roettger@gmail.com> An: "Steven M. Bellovin" <smb@cs.columbia.edu> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 21:51 Betreff: Re: IETF draft The key is used in the interval before its disclosure. In time interval t, the clients will receive a packet with a MAC calculated with a still unknown key k. The clients will buffer this packet in order to verify it later. In t+1, the key for t will be made public and the clients can verify the MAC for the buffered packet. Also, since the keys are calculated as a one-way function chain, e.g. k_i = H(k_{i+1}), the client can verify to which time interval the disclosed key belongs and that it wasn't disclosed yet when the packet was received. On Wed, Mar 5, 2014 at 9:44 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: Then what is the point of the key? On Mar 5, 2014, at 3:42 PM, Stephen Röttger < stephen.roettger@gmail.com> wrote: > But the client will know that the key was already disclosed without receiving any packets from the server. > This is due to the loose time synchronization and the fixed disclosing intervals. > > > On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin < smb@cs.columbia.edu> wrote: > > > > > There is a slightly-convoluted attack scenario against the broadcast > > mode. Assume a tree of switches, where the attacker is attached > > to some switch that is on-path to the victim. The attacker DOSes > > the link towards the victim, waits for the next broadcast time > > message (with the accompanying key disclosure), then lifts the DOS > > and sends a bogus time message authenticated with that key to the > > victim. > > > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. > > That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. > ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: Stephen Röttger <stephen.roettger@gmail.com> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 21:55 Betreff: Re: IETF draft OK, let me think about that. I was reading quickly so I could get the message out before boarding my flight.... You can think about other scenarios along those lines. On Mar 5, 2014, at 3:51 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > The key is used in the interval before its disclosure. > In time interval t, the clients will receive a packet with a MAC calculated with a still unknown key k. > The clients will buffer this packet in order to verify it later. > In t+1, the key for t will be made public and the clients can verify the MAC for the buffered packet. > > Also, since the keys are calculated as a one-way function chain, e.g. k_i = H(k_{i+1}), the client can verify to which time interval the disclosed key belongs and that it wasn't disclosed yet when the packet was received. > > > On Wed, Mar 5, 2014 at 9:44 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > Then what is the point of the key? > > On Mar 5, 2014, at 3:42 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > > > But the client will know that the key was already disclosed without receiving any packets from the server. > > This is due to the loose time synchronization and the fixed disclosing intervals. > > > > > > On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > > > > > > > There is a slightly-convoluted attack scenario against the broadcast > > > mode. Assume a tree of switches, where the attacker is attached > > > to some switch that is on-path to the victim. The attacker DOSes > > > the link towards the victim, waits for the next broadcast time > > > message (with the accompanying key disclosure), then lifts the DOS > > > and sends a bogus time message authenticated with that key to the > > > victim. > > > > > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. > > > > That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: Harlan Stenn <stenn@ntp.org> An: dieter.sibold@ptb.de Kopie: "Steven M. Bellovin" <smb@cs.columbia.edu>, Stephen <stephen.roettger@gmail.com>, kristof.teichel@ptb.de, "Harlan Stenn" <stenn@nwtime.org>, "Harlan Stenn" <stenn@ntp.org> Datum: 06.03.2014 12:15 Betreff: Re: IETF draft I'd love to see the discussion on the ntpwg@ mailing list, and if we move the discussion there I'm fine posting an announcement on hackers@ to let folks know where the discussion is being held. I'm about to fall asleep, so if there is more for me to do I can do it in about 8 hours' time. H ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: Kristof Teichel/PTB An: Dieter Sibold/PTB@PTB Kopie: "Steven M. Bellovin" <smb@cs.columbia.edu>, "Harlan Stenn" <stenn@ntp.org>, "Harlan Stenn" <stenn@nwtime.org>, Stephen <stephen.roettger@gmail.com> Datum: 06.03.2014 12:26 Betreff: Re: IETF draft Hi all, including the mailing list would be okay with me. Greetings -----Dieter Sibold/PTB schrieb: ----- An: "Steven M. Bellovin" <smb@cs.columbia.edu>, Stephen <stephen.roettger@gmail.com>, Kristof Teichel/PTB@PTB, "Harlan Stenn" <stenn@nwtime.org>, "Harlan Stenn" <stenn@ntp.org> Von: Dieter Sibold/PTB Datum: 06.03.2014 10:40 Betreff: Re: IETF draft Hello all, thanks for the current discussion. Steven, also note that in the broadcast mode we use the mode "Not Re-using Keys" (sec. 3.7.2 of RFC 4082) of TESLA which explicitly is designed to provide some protection against DoS attacks. Nevertheless, as you already mentioned, these kind of consideration should be added to the security considerations. We will put this on the TODO list. Sorry for the error in the draft regarding the calculation of the cookie. Our intention was and is to calculate it just as you recommended (just as Stephen already mentioned) with the only difference, that you recommend to use the certificate and not the public key. Your arguments are convincing, especially in the context of authorized time service. So, I think we will change the draft accordingly. We will also re-draft the minium requirements for the applied hash algorithm. Also thanks for the suggestion of using CMS. This certainly has to be done. There is currently a discussion of using DANE as an additional alternative approach to exchange certificates. During the last NTP WG session in London, Brian Habermann strongly encouraged to evaluate this. What's your impression? Does anybody mind if we include the NTP mailing list in the discussion? Greetings ---------------------------------- Physikalisch-Technische Bundesanstalt Dr. Dieter Sibold Q.42 - Serversysteme und Datenhaltung QM-Verantwortlicher der Stelle IT-Infrastruktur Bundesallee 100 D-38116 Braunschweig Tel: +49-531-592-84 20 E-Mail: dieter.sibold@ptb.de "Steven M. Bellovin" ---05.03.2014 20:55:11---OK, let me think about that. I was reading quickly so I could get the message out before boarding m Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: Stephen Röttger <stephen.roettger@gmail.com> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 20:55 Betreff: Re: IETF draft OK, let me think about that. I was reading quickly so I could get the message out before boarding my flight.... You can think about other scenarios along those lines. On Mar 5, 2014, at 3:51 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > The key is used in the interval before its disclosure. > In time interval t, the clients will receive a packet with a MAC calculated with a still unknown key k. > The clients will buffer this packet in order to verify it later. > In t+1, the key for t will be made public and the clients can verify the MAC for the buffered packet. > > Also, since the keys are calculated as a one-way function chain, e.g. k_i = H(k_{i+1}), the client can verify to which time interval the disclosed key belongs and that it wasn't disclosed yet when the packet was received. > > > On Wed, Mar 5, 2014 at 9:44 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > Then what is the point of the key? > > On Mar 5, 2014, at 3:42 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > > > But the client will know that the key was already disclosed without receiving any packets from the server. > > This is due to the loose time synchronization and the fixed disclosing intervals. > > > > > > On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > > > > > > > There is a slightly-convoluted attack scenario against the broadcast > > > mode. Assume a tree of switches, where the attacker is attached > > > to some switch that is on-path to the victim. The attacker DOSes > > > the link towards the victim, waits for the next broadcast time > > > message (with the accompanying key disclosure), then lifts the DOS > > > and sends a bogus time message authenticated with that key to the > > > victim. > > > > > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. > > > > That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: Kristof Teichel/PTB An: "Steven M. Bellovin" <smb@cs.columbia.edu> Kopie: Dieter Sibold/PTB@PTB, Harlan Stenn <stenn@nwtime.org>, Stephen Röttger <stephen.roettger@gmail.com> Datum: 06.03.2014 14:17 Betreff: Re: IETF draft Hello all, I wanted to reinforce what Stephen said: TESLA works with timed disclosure of the keys. Therefore it should be impossible to make the client accept a bogus packet authenticated with an "old" key, because by the schedule it knows that this key was already disclosed and as such gives no proof of origin. There is a slight detail that Dieter and I spoke about but did not communicate further: it might be better to have not only one interval step between usage and disclosure of a key, but at least two. This is because the client can not be perfectly sure that the server's clock is not one interval ahead, but it can be certain that the server's clock is *at most* one interval ahead. Note that using a delay of only one interval can only make the client discard a "good" packet, though, it can not make the client accept a bogus packet. So this is more a general comment for understanding about TESLA, and should not be relevant to the above discussion. Regards, Kristof Teichel -----"Steven M. Bellovin" <smb@cs.columbia.edu> schrieb: ----- An: Stephen Röttger <stephen.roettger@gmail.com> Von: "Steven M. Bellovin" <smb@cs.columbia.edu> Datum: 05.03.2014 20:55 Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Betreff: Re: IETF draft OK, let me think about that. I was reading quickly so I could get the message out before boarding my flight.... You can think about other scenarios along those lines. On Mar 5, 2014, at 3:51 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > The key is used in the interval before its disclosure. > In time interval t, the clients will receive a packet with a MAC calculated with a still unknown key k. > The clients will buffer this packet in order to verify it later. > In t+1, the key for t will be made public and the clients can verify the MAC for the buffered packet. > > Also, since the keys are calculated as a one-way function chain, e.g. k_i = H(k_{i+1}), the client can verify to which time interval the disclosed key belongs and that it wasn't disclosed yet when the packet was received. > > > On Wed, Mar 5, 2014 at 9:44 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > Then what is the point of the key? > > On Mar 5, 2014, at 3:42 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > > > But the client will know that the key was already disclosed without receiving any packets from the server. > > This is due to the loose time synchronization and the fixed disclosing intervals. > > > > > > On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > > > > > > > There is a slightly-convoluted attack scenario against the broadcast > > > mode. Assume a tree of switches, where the attacker is attached > > > to some switch that is on-path to the victim. The attacker DOSes > > > the link towards the victim, waits for the next broadcast time > > > message (with the accompanying key disclosure), then lifts the DOS > > > and sends a bogus time message authenticated with that key to the > > > victim. > > > > > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. > > > > That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: kristof.teichel@ptb.de Kopie: dieter.sibold@ptb.de, Harlan Stenn <stenn@nwtime.org>, Stephen Röttger <stephen.roettger@gmail.com> Datum: 07.03.2014 04:46 Betreff: Re: IETF draft On Mar 6, 2014, at 8:17 53AM, kristof.teichel@ptb.de wrote: > Hello all, > > I wanted to reinforce what Stephen said: TESLA works with timed disclosure of the keys. Therefore it should be impossible to make the client accept a bogus packet authenticated with an "old" key, because by the schedule it knows that this key was already disclosed and as such gives no proof of origin. > > There is a slight detail that Dieter and I spoke about but did not communicate further: it might be better to have not only one interval step between usage and disclosure of a key, but at least two. This is because the client can not be perfectly sure that the server's clock is not one interval ahead, but it can be certain that the server's clock is *at most* one interval ahead. > Note that using a delay of only one interval can only make the client discard a "good" packet, though, it can not make the client accept a bogus packet. So this is more a general comment for understanding about TESLA, and should not be relevant to the above discussion. Sounds good. The fact that you do by definition have pretty good time sync at this point gives much more assurance than one normally has when using timestamps in security protocols. Correct me if I'm wrong, though: aren't there some control functions, such as indicating an impending leap-second? > > Regards, > Kristof Teichel > > > -----"Steven M. Bellovin" <smb@cs.columbia.edu> schrieb: ----- > An: Stephen Röttger <stephen.roettger@gmail.com> > Von: "Steven M. Bellovin" <smb@cs.columbia.edu> > Datum: 05.03.2014 20:55 > Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> > Betreff: Re: IETF draft > > OK, let me think about that. I was reading quickly so I could get the message out before boarding my flight.... > > You can think about other scenarios along those lines. > > On Mar 5, 2014, at 3:51 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > > > The key is used in the interval before its disclosure. > > In time interval t, the clients will receive a packet with a MAC calculated with a still unknown key k. > > The clients will buffer this packet in order to verify it later. > > In t+1, the key for t will be made public and the clients can verify the MAC for the buffered packet. > > > > Also, since the keys are calculated as a one-way function chain, e.g. k_i = H(k_{i+1}), the client can verify to which time interval the disclosed key belongs and that it wasn't disclosed yet when the packet was received. > > > > > > On Wed, Mar 5, 2014 at 9:44 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > Then what is the point of the key? > > > > On Mar 5, 2014, at 3:42 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > > > > > But the client will know that the key was already disclosed without receiving any packets from the server. > > > This is due to the loose time synchronization and the fixed disclosing intervals. > > > > > > > > > On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > > > > > > > > > > There is a slightly-convoluted attack scenario against the broadcast > > > > mode. Assume a tree of switches, where the attacker is attached > > > > to some switch that is on-path to the victim. The attacker DOSes > > > > the link towards the victim, waits for the next broadcast time > > > > message (with the accompanying key disclosure), then lifts the DOS > > > > and sends a bogus time message authenticated with that key to the > > > > victim. > > > > > > > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. > > > > > > That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. > > > > > > > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:27 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: dieter.sibold@ptb.de Kopie: Stephen <stephen.roettger@gmail.com>, kristof.teichel@ptb.de, Harlan Stenn <stenn@nwtime.org>, Harlan Stenn <stenn@ntp.org> Datum: 07.03.2014 04:54 Betreff: Re: IETF draft On Mar 6, 2014, at 5:40 50AM, dieter.sibold@ptb.de wrote: > There is currently a discussion of using DANE as an additional alternative > approach to exchange certificates. During the last NTP WG session in > London, Brian Habermann strongly encouraged to evaluate this. What's your > impression? I like DANE, but there are two things to think about here. First, DANE is a lot slower than just a certificate chain, because you have to go out to the DNS a lot. I don't think that's a big issue, but it is a number of request/respond cycles to work your way up the tree; during this point, someone or something has got to keep state. Bear this in mind especially when the server (per my suggestion) is validating a client certificate. The other point is that it's unclear if the registrars are good enough at security to really trust their DNSSEC-authenticated records. There have been any number of name hijackings from them. By contrast, the CAs are in the security business. My own personal guess is that for NTP, it's fine. NTP is intended to work with a diversity of sources; even if one is the victim of an bad DNS registrar and the attacker launches the proper sort of active attack to intercept the traffic and respond with bad time info -- it's still just one source; NTP has always been able to work with a single falseticker per Mills' early papers. Mention the issue in the security considerations -- i.e., that a cautious site relying on DANE should pick time servers that rely on an assortment of DNS registrars -- if they're concerned about this attack. > > Does anybody mind if we include the NTP mailing list in the discussion? I have no objection, but please add me to the authorized posters list. > > Greetings > > > ---------------------------------- > Physikalisch-Technische Bundesanstalt > Dr. Dieter Sibold > Q.42 - Serversysteme und Datenhaltung > QM-Verantwortlicher der Stelle IT-Infrastruktur > Bundesallee 100 > D-38116 Braunschweig > Tel: +49-531-592-84 20 > E-Mail: dieter.sibold@ptb.de > > > > Von: "Steven M. Bellovin" <smb@cs.columbia.edu> > An: Stephen Röttger <stephen.roettger@gmail.com> > Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn > <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> > Datum: 05.03.2014 20:55 > Betreff: Re: IETF draft > > > > OK, let me think about that. I was reading quickly so I could get the > message out before boarding my flight.... > > You can think about other scenarios along those lines. > > On Mar 5, 2014, at 3:51 PM, Stephen Röttger <stephen.roettger@gmail.com> > wrote: > >> The key is used in the interval before its disclosure. >> In time interval t, the clients will receive a packet with a MAC > calculated with a still unknown key k. >> The clients will buffer this packet in order to verify it later. >> In t+1, the key for t will be made public and the clients can verify the > MAC for the buffered packet. >> >> Also, since the keys are calculated as a one-way function chain, e.g. k_i > = H(k_{i+1}), the client can verify to which time interval the disclosed > key belongs and that it wasn't disclosed yet when the packet was received. >> >> >> On Wed, Mar 5, 2014 at 9:44 PM, Steven M. Bellovin <smb@cs.columbia.edu> > wrote: >> Then what is the point of the key? >> >> On Mar 5, 2014, at 3:42 PM, Stephen Röttger <stephen.roettger@gmail.com> > wrote: >> >>> But the client will know that the key was already disclosed without > receiving any packets from the server. >>> This is due to the loose time synchronization and the fixed disclosing > intervals. >>> >>> >>> On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin > <smb@cs.columbia.edu> wrote: >>> >>>> >>>> There is a slightly-convoluted attack scenario against the broadcast >>>> mode. Assume a tree of switches, where the attacker is attached >>>> to some switch that is on-path to the victim. The attacker DOSes >>>> the link towards the victim, waits for the next broadcast time >>>> message (with the accompanying key disclosure), then lifts the DOS >>>> and sends a bogus time message authenticated with that key to the >>>> victim. >>>> >>>> I don't see how this attack scenario will work. The client will not > accept any broadcast messages he receives, if the corresponding key has > already been disclosed. He can verify that since he is loosely time > synchronized to the server, i.e. the maximum time difference is bounded. >>> >>> That’s the point of the DoS attack — it keeps the client from receiving > the broadcast with that key. >>> >> >> > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Forward of NTS discussion #2 dieter.sibold