Re: [Ntp] Post NTS, Is shared key authentication interesting?

Dieter Sibold <dsibold.ietf@gmail.com> Tue, 26 May 2020 17:06 UTC

Return-Path: <dsibold.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8ED73A0AAC for <ntp@ietfa.amsl.com>; Tue, 26 May 2020 10:06:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W6oT4gS5QN0I for <ntp@ietfa.amsl.com>; Tue, 26 May 2020 10:06:22 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C5BC3A0B29 for <ntp@ietf.org>; Tue, 26 May 2020 10:06:20 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id j10so5558442wrw.8 for <ntp@ietf.org>; Tue, 26 May 2020 10:06:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=9Wwwj+2f63MZqw9TTHD/NZz3BghhzeO0KM+bzrlAX9g=; b=JR6aAKOo9ivLtYmNM2By9hJGru5hR+pH1vT6zjGq4hbKyloeb0Z1jy+ZvdEMHFqPOC TMdQUfdXOQxDbAzejwlnbt4MktRK+Ghnrvc45Cq4bLfe39JnKWKtMYvMKcIRsJ/D/Wup tZRKQMjnMVyRoIKs0VeezuSvAfZkYWuiLJjNHdm1dXbUoqivJaxsm1Nln4DZ02JacXav 0WRj50k/NtrBC83hdGbI23vCHg+0eE2HZRnuX5QQfH8Xmqo/2EKUFjsVgH6oc8azXydA pxlh170uC8sPCmmVdLLDqbQNXrZBz6ijmyRMBomGEPKl/QQSPB0vfjVh/rRwQLtEtIJV qT8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=9Wwwj+2f63MZqw9TTHD/NZz3BghhzeO0KM+bzrlAX9g=; b=oTL6qk7S0nB475quij/elrCe53vk1mdr4y1m6HizmJWJm8mVl8b6NXAXVelvtJb03t WTIBPpISLfANLiesuC9uQSnxLUuUSYlR2DM9wRdEXRKVqBGi2OiROX/6/GzA3v1vul0m WVubZ5BmyIBPOPE7tm9TMH9M51l5ZhBZWZvEe+EEo/7jRPh3csJGmQqY7y8UWzQYBUgr 7lWt46dSEBixgujw4brx4dMgkAhCHIf+67RUYGe8USufRjqo78K6ArbGSPulp4f3WsdT ZKfluqDzM59KijxymYbVyQ9gNi3Rfpji2lEmmeEW2qq21VzqVA35n5w/ao+pa/o4k6w6 3tRg==
X-Gm-Message-State: AOAM533R7hT2qL4pOqqSx9YnkwIC6/2TePWM0g/lEzqFvaU+WQ6nVOze px6AQFWE5Ax2AK8SdXlUrHIZdISF
X-Google-Smtp-Source: ABdhPJwSTpCck5zR2px6pq0hILoqV1MHT2QcnJXxCe6zyw9Jjke9wL/HyeCgUt+J2lGE7DZxVPCeeQ==
X-Received: by 2002:adf:d0d0:: with SMTP id z16mr7649159wrh.308.1590512778321; Tue, 26 May 2020 10:06:18 -0700 (PDT)
Received: from [192.168.111.35] (p200300d17f3f0800513137cd06976816.dip0.t-ipconnect.de. [2003:d1:7f3f:800:5131:37cd:697:6816]) by smtp.gmail.com with ESMTPSA id j135sm119453wmj.43.2020.05.26.10.06.17 for <ntp@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 May 2020 10:06:17 -0700 (PDT)
From: "Dieter Sibold" <dsibold.ietf@gmail.com>
To: "NTP WG" <ntp@ietf.org>
Date: Tue, 26 May 2020 19:06:16 +0200
X-Mailer: MailMate Trial (1.13.1r5671)
Message-ID: <3ACC3E7D-23F7-41C6-B642-B4A59E4E6AD4@gmail.com>
In-Reply-To: <CAJm83bAqnfu1zVQk30AHTHCVLNWDd5+FcLsn3mak3pqA69QNnw@mail.gmail.com>
References: <20200525075606.52F0C40605C@ip-64-139-1-69.sjc.megapath.net> <20200525083046.GB25987@localhost> <CAJm83bDMY0ZSU2u6WFm4FbYmcN39NqDhoTmb5pr4TYOTtve1Tw@mail.gmail.com> <CACsn0cm4P3-E4EC1ZO3Upw_x3Dg746DuL4ZEu-1O1XG-cg2+sg@mail.gmail.com> <20200526152328.GE18070@localhost> <CAJm83bAqnfu1zVQk30AHTHCVLNWDd5+FcLsn3mak3pqA69QNnw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Q6tbNGr6QOcG8zW6FLmNxAiKjYk>
Subject: Re: [Ntp] Post NTS, Is shared key authentication interesting?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 17:06:25 -0000

Also, NTS is not designed for NTP’s symmetric mode, which will be well 
served by the old approach.

Dieter

On 26 May 2020, at 17:34, Daniel Franke wrote:

> I could go either way on this. What moves me a bit toward Miroslav's 
> point
> of view is that the PSK handshakes in TLS 1.3 unfortunately did not 
> get the
> same care and attention from the TLS WG as the rest of the protocol 
> did,
> and as a result we got things like 
> https://eprint.iacr.org/2019/347.pdf.
> This particular attack doesn't harm us since we distinguish between 
> client
> and server packets at the application level, but it suggests that if 
> we're
> considering relying on TLS-PSK we can't simply assume that the TLS WG 
> has
> given us an adequate foundation to build on; we need to check their 
> work
> and make that assessment ourselves.
>
> On Tue, May 26, 2020 at 11:23 AM Miroslav Lichvar 
> <mlichvar@redhat.com>
> wrote:
>
>> On Tue, May 26, 2020 at 10:55:41AM -0400, Watson Ladd wrote:
>>> On Mon, May 25, 2020 at 9:29 AM Daniel Franke <dfoxfranke@gmail.com>
>> wrote:
>>>> I would like NTPv5's shared key authentication to be a little more
>> closely integrated with NTS. Either accomplish it by doing a PSK TLS
>> handshake for NTS-KE, or skip NTS-KE and have pre-shared S2C/C2S keys 
>> and a
>> shorter cookie giving just a key ID.
>>>
>>> I think PSK TLS is a better idea: all the complexity gets dumped on
>>> the TLS stack, while the NTP specific parts don't change.
>>
>> A different point of view would be to avoid exposing the NTS+TLS 
>> stack
>> to attackers if not necessary. The complexity of the NTP MAC is
>> minimal when compared to that.
>>
>> --
>> Miroslav Lichvar
>>
>>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp