[ntpwg] Forward of NTS discussion #1
dieter.sibold@ptb.de Mon, 10 March 2014 15:26 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC56E1A0438 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Mon, 10 Mar 2014 08:26:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.147
X-Spam-Level:
X-Spam-Status: No, score=-4.147 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I613UAN0oBSM for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Mon, 10 Mar 2014 08:26:23 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by ietfa.amsl.com (Postfix) with ESMTP id ADF0D1A035E for <ntp-archives-ahFae6za@lists.ietf.org>; Mon, 10 Mar 2014 08:26:23 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id A72CB86DAE3 for <ntp-archives-ahFae6za@lists.ietf.org>; Mon, 10 Mar 2014 15:26:18 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id EC04986D33C for <ntpwg@lists.ntp.org>; Mon, 10 Mar 2014 15:26:12 +0000 (UTC)
Received: from mx1.bs.ptb.de ([192.53.103.106]) by mail1.ntp.org with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <dieter.sibold@ptb.de>) id 1WN25c-0005dn-Br for ntpwg@lists.ntp.org; Mon, 10 Mar 2014 15:26:12 +0000
Received: from mx1.bs.ptb.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 9A941D0CCA7 for <ntpwg@lists.ntp.org>; Mon, 10 Mar 2014 16:25:58 +0100 (CET)
Received: from rose.bs.ptb.de (rose.bs.ptb.de [141.25.85.201]) by mx1.bs.ptb.de (Postfix) with ESMTP id 7523AD0CC7D for <ntpwg@lists.ntp.org>; Mon, 10 Mar 2014 16:25:58 +0100 (CET)
X-KeepSent: F5B80301:964676B8-C1257C97:00549B0C; type=4; name=$KeepSent
To: NTP Working Group <ntpwg@lists.ntp.org>
X-Mailer: IBM Notes Release 9.0.1 October 14, 2013
Message-ID: <OFF5B80301.964676B8-ONC1257C97.00549B0C-C1257C97.0054C5D3@ptb.de>
From: dieter.sibold@ptb.de
Date: Mon, 10 Mar 2014 16:25:57 +0100
X-MIMETrack: Serialize by Router on ROSE/PTB(Release 9.0.1HF198 | January 23, 2014) at 03/10/2014 16:25:57
MIME-Version: 1.0
X-SA-Exim-Connect-IP: 192.53.103.106
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: dieter.sibold@ptb.de
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: [ntpwg] Forward of NTS discussion #1
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Hi all, enclosed you will find follow-ups on the NTS discussion that starts at March, the 4th. ---------------------------------- Physikalisch-Technische Bundesanstalt Dr. Dieter Sibold Q.42 - Serversysteme und Datenhaltung QM-Verantwortlicher der Stelle IT-Infrastruktur Bundesallee 100 D-38116 Braunschweig Tel: +49-531-592-84 20 E-Mail: dieter.sibold@ptb.de ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: dieter.sibold@ptb.de Kopie: Harlan Stenn <stenn@nwtime.org> Datum: 05.03.2014 12:36 Betreff: Re: IETF draft On Mar 5, 2014, at 5:43 57AM, dieter.sibold@ptb.de wrote: > Hello Steven, > > thank you very much for your comments. Especially your suggestion of > considering CMS. We shall consider all of your comments with care. Thinking further, the initial setup may need more care to prevent replay attacks. Let me think about this a bit. Also, about that attack scenario I mentioned: that's the sort of thing that should be in the security considerations, but doesn't otherwise merit any changes. The discussion should also include a suggested range of values for the TESLA-like mechanism, with guidance on when to go higher or lower. > > Do you mind if I pass your comments to the NTP working group? Of course not. --Steve Bellovin, https://www.cs.columbia.edu/~smb ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: "dieter.sibold@ptb.de" <dieter.sibold@ptb.de> Kopie: Harlan Stenn <stenn@nwtime.org> Datum: 05.03.2014 14:20 Betreff: Re: IETF draft Looking further , there's a serious risk of replay of the server_cert message. The best defense is to have a random challenge in the client message; the reply should sign it. Alternatively, sign the current time in the reply. --Steve Bellovin, https://www.cs.columbia.edu/~smb Sent from from a handheld; please excuse tyops > On Mar 5, 2014, at 5:43 AM, dieter.sibold@ptb.de wrote: > > Hello Steven, > > thank you very much for your comments. Especially your suggestion of > considering CMS. We shall consider all of your comments with care. > > Do you mind if I pass your comments to the NTP working group? > > Regards > Dieter > > > ---------------------------------- > Physikalisch-Technische Bundesanstalt > Dr. Dieter Sibold > Q.42 - Serversysteme und Datenhaltung > QM-Verantwortlicher der Stelle IT-Infrastruktur > Bundesallee 100 > D-38116 Braunschweig > Tel: +49-531-592-84 20 > E-Mail: dieter.sibold@ptb.de > > > > Von: "Steven M. Bellovin" <smb@cs.columbia.edu> > An: dieter.sibold@ptb.de > Kopie: Harlan Stenn <stenn@nwtime.org> > Datum: 04.03.2014 16:58 > Betreff: Re: IETF draft > > > > I got tethering working while at the airport, so I did a quick > read-through. > I think your basic security model is sound; however, there are risks and > a minor error. > > > 5.1 is confusing. It says > > The server does not keep a > state of the client. Therefore it has to recalculate the cookie each > time it receives a request from the client. To this end, the client > has to attach the hash value of its public key to each request (see > Section 6.4). > > However, just the hash of the public key does not allow recalculation > of that HMAC, because you need the full cert to calculate that HMAC. > > I suggest that it instead use > > cookie = MSB_128 (HMAC(server seed, H(X.509 cert of client))), > > Note that it uses the cert, not the key, because that lists any > organizational data that might be needed. This in turn matters > for access control decisions by the server, which in turn matters > a lot for broadcast. > > There is a slightly-convoluted attack scenario against the broadcast > mode. Assume a tree of switches, where the attacker is attached > to some switch that is on-path to the victim. The attacker DOSes > the link towards the victim, waits for the next broadcast time > message (with the accompanying key disclosure), then lifts the DOS > and sends a bogus time message authenticated with that key to the > victim. > > > 6.3.2: You're directly encrypting something other than a symmetric > key with a public key algorithm. You're also signing something > without hashes, etc. That whole concept is very, very fragile. > Seriously consider using CMS which may imply encrypting that > stuff with a symmetric key that is properly wrapped. I suggest > consulting with Russ Housley on the best format for what you want > to do here -- there are many subtle traps when doing public key > signing or encryption. > > > 8.1: is SHA-1 accepted? I'd say no; there's no reason to include > it for new protocols. > > > > >> On Mar 4, 2014, at 3:51 PM, dieter.sibold@ptb.de wrote: >> >> Hello Steven, >> >> that's a pity, I'm just arrived at the IETF meeting. So we missed. > Anyway, >> if you could read the draft we should very much appreciate to get your >> comments. >> >> Greetings and a nice journey >> Dieter Sibold >> >> >> ---------------------------------- >> Physikalisch-Technische Bundesanstalt >> Dr. Dieter Sibold >> Q.42 - Serversysteme und Datenhaltung >> QM-Verantwortlicher der Stelle IT-Infrastruktur >> Bundesallee 100 >> D-38116 Braunschweig >> Tel: +49-531-592-84 20 >> E-Mail: dieter.sibold@ptb.de >> >> >> >> Von: "Steven M. Bellovin" <smb@cs.columbia.edu> >> An: Harlan Stenn <stenn@nwtime.org> >> Kopie: Dieter Sibold <dieter.sibold@ptb.de> >> Datum: 04.03.2014 11:11 >> Betreff: Re: IETF draft >> >> >> >> >>> On Mar 3, 2014, at 7:44 PM, Harlan Stenn <stenn@nwtime.org> wrote: >>> >>> Hi Steve, >>> >>>> On 2/11/14 11:08 PM, Harlan Stenn wrote: >>>> Howdy sir, >>>> >>>> If you have time to look at this that would be swell. >>> >>> The Network Time Security document I sent you from Dieter is going to >>> be discussed at this Wednesday's NTP IETF meeting. We figure there will >>> be one more go-round before it's finalized, but if you have had a chance >>> to review the document it will certainly speed the process along. >>> >>> You are doing well, I trust, and your weather isn't too horrible? >> I'll see if I can read it before then. I'm at the IETF meeting, but I >> leave today; I have to teach on Wednesday. >> >> >> --Steve Bellovin, > https://www.cs.columbia.edu/~smb > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > > ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: dieter.sibold@ptb.de An: ntpwg@lists.ntp.org Datum: 05.03.2014 18:31 Betreff: [ntpwg] WG: Comments to NTS draft Gesendet von: ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org Enclosed you will find valuable comments from Steven Bellovin on the Network Time Security draft. He allowed me to send it to the mailing list. Dieter ---------------------------------- Physikalisch-Technische Bundesanstalt Dr. Dieter Sibold Q.42 - Serversysteme und Datenhaltung QM-Verantwortlicher der Stelle IT-Infrastruktur Bundesallee 100 D-38116 Braunschweig Tel: +49-531-592-84 20 E-Mail: dieter.sibold@ptb.de ----- Weitergeleitet von Dieter Sibold/PTB am 05.03.2014 13:21 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: dieter.sibold@ptb.de Kopie: Harlan Stenn <stenn@nwtime.org> Datum: 04.03.2014 16:58 Betreff: Re: IETF draft I got tethering working while at the airport, so I did a quick read-through. I think your basic security model is sound; however, there are risks and a minor error. 5.1 is confusing. It says The server does not keep a state of the client. Therefore it has to recalculate the cookie each time it receives a request from the client. To this end, the client has to attach the hash value of its public key to each request (see Section 6.4). However, just the hash of the public key does not allow recalculation of that HMAC, because you need the full cert to calculate that HMAC. I suggest that it instead use cookie = MSB_128 (HMAC(server seed, H(X.509 cert of client))), Note that it uses the cert, not the key, because that lists any organizational data that might be needed. This in turn matters for access control decisions by the server, which in turn matters a lot for broadcast. There is a slightly-convoluted attack scenario against the broadcast mode. Assume a tree of switches, where the attacker is attached to some switch that is on-path to the victim. The attacker DOSes the link towards the victim, waits for the next broadcast time message (with the accompanying key disclosure), then lifts the DOS and sends a bogus time message authenticated with that key to the victim. 6.3.2: You're directly encrypting something other than a symmetric key with a public key algorithm. You're also signing something without hashes, etc. That whole concept is very, very fragile. Seriously consider using CMS which may imply encrypting that stuff with a symmetric key that is properly wrapped. I suggest consulting with Russ Housley on the best format for what you want to do here -- there are many subtle traps when doing public key signing or encryption. 8.1: is SHA-1 accepted? I'd say no; there's no reason to include it for new protocols. --Steve Bellovin, https://www.cs.columbia.edu/~smb _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: Stephen Röttger <stephen.roettger@gmail.com> An: "Steven M. Bellovin" <smb@cs.columbia.edu> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 21:36 Betreff: Fwd: Re: IETF draft Hi Steven, Thank you very much for your comments. 5.1 is confusing. It says The server does not keep a state of the client. Therefore it has to recalculate the cookie each time it receives a request from the client. To this end, the client has to attach the hash value of its public key to each request (see Section 6.4). However, just the hash of the public key does not allow recalculation of that HMAC, because you need the full cert to calculate that HMAC. I suggest that it instead use cookie = MSB_128 (HMAC(server seed, H(X.509 cert of client))), Note that it uses the cert, not the key, because that lists any organizational data that might be needed. This in turn matters for access control decisions by the server, which in turn matters a lot for broadcast. There is actually an error in the draft in this chapter. Our real intention was to write: cookie = MSB_128 (HMAC(server seed, H(public key of client))). (note that additional Hash operation on the public key) I think using H(X.509 cert of client) instead would only make a difference if two clients use the same public key but different certificates. Since it has no drawbacks and will probably be easier to implement as well, I think this would be a good modification. There is a slightly-convoluted attack scenario against the broadcast mode. Assume a tree of switches, where the attacker is attached to some switch that is on-path to the victim. The attacker DOSes the link towards the victim, waits for the next broadcast time message (with the accompanying key disclosure), then lifts the DOS and sends a bogus time message authenticated with that key to the victim. I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. 6.3.2: You're directly encrypting something other than a symmetric key with a public key algorithm. You're also signing something without hashes, etc. That whole concept is very, very fragile. Seriously consider using CMS which may imply encrypting that stuff with a symmetric key that is properly wrapped. I suggest consulting with Russ Housley on the best format for what you want to do here -- there are many subtle traps when doing public key signing or encryption. Yes, we definitely have to specify the message format. This one is on our TODO list :). 8.1: is SHA-1 accepted? I'd say no; there's no reason to include it for new protocols. Removing it sounds good to me. Thanks, Stephen ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: Stephen Röttger <stephen.roettger@gmail.com> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 21:38 Betreff: Re: IETF draft > > There is a slightly-convoluted attack scenario against the broadcast > mode. Assume a tree of switches, where the attacker is attached > to some switch that is on-path to the victim. The attacker DOSes > the link towards the victim, waits for the next broadcast time > message (with the accompanying key disclosure), then lifts the DOS > and sends a bogus time message authenticated with that key to the > victim. > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: Stephen Röttger <stephen.roettger@gmail.com> An: "Steven M. Bellovin" <smb@cs.columbia.edu> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 21:43 Betreff: Re: IETF draft But the client will know that the key was already disclosed without receiving any packets from the server. This is due to the loose time synchronization and the fixed disclosing intervals. On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > There is a slightly-convoluted attack scenario against the broadcast > mode. Assume a tree of switches, where the attacker is attached > to some switch that is on-path to the victim. The attacker DOSes > the link towards the victim, waits for the next broadcast time > message (with the accompanying key disclosure), then lifts the DOS > and sends a bogus time message authenticated with that key to the > victim. > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. ----- Weitergeleitet von Dieter Sibold/PTB am 10.03.2014 16:24 ----- Von: "Steven M. Bellovin" <smb@cs.columbia.edu> An: Stephen Röttger <stephen.roettger@gmail.com> Kopie: Dieter Sibold <dieter.sibold@ptb.de>, Harlan Stenn <stenn@nwtime.org>, "kristof.teichel" <kristof.teichel@ptb.de> Datum: 05.03.2014 21:44 Betreff: Re: IETF draft Then what is the point of the key? On Mar 5, 2014, at 3:42 PM, Stephen Röttger <stephen.roettger@gmail.com> wrote: > But the client will know that the key was already disclosed without receiving any packets from the server. > This is due to the loose time synchronization and the fixed disclosing intervals. > > > On Wed, Mar 5, 2014 at 9:38 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote: > > > > > There is a slightly-convoluted attack scenario against the broadcast > > mode. Assume a tree of switches, where the attacker is attached > > to some switch that is on-path to the victim. The attacker DOSes > > the link towards the victim, waits for the next broadcast time > > message (with the accompanying key disclosure), then lifts the DOS > > and sends a bogus time message authenticated with that key to the > > victim. > > > > I don't see how this attack scenario will work. The client will not accept any broadcast messages he receives, if the corresponding key has already been disclosed. He can verify that since he is loosely time synchronized to the server, i.e. the maximum time difference is bounded. > > That’s the point of the DoS attack — it keeps the client from receiving the broadcast with that key. > _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Forward of NTS discussion #1 dieter.sibold