Re: [Ntp] Post NTS, Is shared key authentication interesting?

Daniel Franke <> Tue, 26 May 2020 15:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 807A63A03F2 for <>; Tue, 26 May 2020 08:34:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ULd6wzgAh7Xk for <>; Tue, 26 May 2020 08:34:42 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CA3C23A03EA for <>; Tue, 26 May 2020 08:34:42 -0700 (PDT)
Received: by with SMTP id w18so20786419ilm.13 for <>; Tue, 26 May 2020 08:34:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IrLMpePNTx1BZN6sYvpeEDqPZ9h12rhsDt1t2CBnMDk=; b=eZpbPT42zF57IF8aOcfskQubQ5AeAR7CYIbcNuC+V1EbYDpT1t7ZZqN5MyL72qCDHM l1LV97qSt3dKLudvXFGoFEvRpvVumb0DnDYf0RMa7ae65XJ+hhow6QnJ6JBUtcJIofFk Nwef695uiccnDYFhEXp67ydUmKA+YvAATnN8xYZ9o/OK+O9XbR2Dsg4KApNdiETW9TKV FDgvUG3RwIjibEUXrrXMVYK1ZMnfTRCIdNbX9rUBFGAl60Cqj/UQLa7hPEDcQanJfi1s Du/VWn0Flz3a9zlkkuQE+O1x16voB6x3KPdt0CH/WmMXtSm6fbXzw9DB8q8/5ajz+MJv oZEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IrLMpePNTx1BZN6sYvpeEDqPZ9h12rhsDt1t2CBnMDk=; b=Y6iLZwcQozXvNS3gXNB8jD9Pfl6mMjdGztJk9rDDjj0kotiKnUFPYPErjdj0c68T7A uSE5uBd6VI0qWkel2rR+e/gwHgPIp+6hqbQ1wt/ZeXKwUdP0atKhSoKeXVRBMer61Zk9 iWtGN6qA9jT2BPNiuvVcrUTiV9T9DQRSmF4SIGy/JKN1spUWlZs/3W3+9iTwJ5x34GkM IA9oNstPQMfNKTpZ751bJ5en5z8Ak+S9suy23mrhn2TsrHdRhFKjYsNtydNWCyF7Suud AZNyP5pk89IKoBANzru65zezE3jL37z0xWSj7DNkexX761Qgg0evFF3ndaqc8OCoApNh bV1g==
X-Gm-Message-State: AOAM53146L7Ale5ZPElkeeHrcDNX0JCisuH/R8NQxSSioLR54nSAy3d0 FqdULme/ieLDYV19e1ZAPGbfU94OgokZI26Y1tg=
X-Google-Smtp-Source: ABdhPJwbQWBbIFFsjPB9DK4cGX5ttEHE4/fbZUSzRLVmqnLjWMFVbf0tQvXJdycYk+HKblfDVsMR4codgsfJGsfSOp4=
X-Received: by 2002:a92:c88b:: with SMTP id w11mr1619996ilo.244.1590507282139; Tue, 26 May 2020 08:34:42 -0700 (PDT)
MIME-Version: 1.0
References: <> <20200525083046.GB25987@localhost> <> <> <20200526152328.GE18070@localhost>
In-Reply-To: <20200526152328.GE18070@localhost>
From: Daniel Franke <>
Date: Tue, 26 May 2020 11:34:31 -0400
Message-ID: <>
To: Miroslav Lichvar <>
Cc: Watson Ladd <>, NTP WG <>
Content-Type: multipart/alternative; boundary="00000000000090909c05a68ed571"
Archived-At: <>
Subject: Re: [Ntp] Post NTS, Is shared key authentication interesting?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 May 2020 15:34:45 -0000

I could go either way on this. What moves me a bit toward Miroslav's point
of view is that the PSK handshakes in TLS 1.3 unfortunately did not get the
same care and attention from the TLS WG as the rest of the protocol did,
and as a result we got things like
This particular attack doesn't harm us since we distinguish between client
and server packets at the application level, but it suggests that if we're
considering relying on TLS-PSK we can't simply assume that the TLS WG has
given us an adequate foundation to build on; we need to check their work
and make that assessment ourselves.

On Tue, May 26, 2020 at 11:23 AM Miroslav Lichvar <>

> On Tue, May 26, 2020 at 10:55:41AM -0400, Watson Ladd wrote:
> > On Mon, May 25, 2020 at 9:29 AM Daniel Franke <>
> wrote:
> > > I would like NTPv5's shared key authentication to be a little more
> closely integrated with NTS. Either accomplish it by doing a PSK TLS
> handshake for NTS-KE, or skip NTS-KE and have pre-shared S2C/C2S keys and a
> shorter cookie giving just a key ID.
> >
> > I think PSK TLS is a better idea: all the complexity gets dumped on
> > the TLS stack, while the NTP specific parts don't change.
> A different point of view would be to avoid exposing the NTS+TLS stack
> to attackers if not necessary. The complexity of the NTP MAC is
> minimal when compared to that.
> --
> Miroslav Lichvar