Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-using-nts-for-ntp-23: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Mon, 23 March 2020 00:26 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B39893A0926; Sun, 22 Mar 2020 17:26:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kv_XJlm_IKaN; Sun, 22 Mar 2020 17:26:43 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225443A0925; Sun, 22 Mar 2020 17:26:42 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 02N0Qa5h028714 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 22 Mar 2020 20:26:39 -0400
Date: Sun, 22 Mar 2020 17:26:36 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Ragnar Sundblad <ragge@netnod.se>, ntp-chairs@ietf.org, ntp@ietf.org, Karen O'Donoghue <odonoghue@isoc.org>, The IESG <iesg@ietf.org>, draft-ietf-ntp-using-nts-for-ntp@ietf.org
Message-ID: <20200323002636.GH50174@kduck.mit.edu>
References: <158388613361.15157.697889274707951578@ietfa.amsl.com> <D92AF7D4-3CFC-42FB-A8C0-405C98B76658@netnod.se> <20200319212155.GL50174@kduck.mit.edu> <415F5AF0-7F99-42F7-BA8A-FC21A8D3B875@netnod.se> <20200322233930.GK22330@roeckx.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200322233930.GK22330@roeckx.be>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Rwx2fSvuLxnrgf4u75olzLBo-uI>
Subject: Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-using-nts-for-ntp-23: (with DISCUSS and COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2020 00:26:45 -0000
Hi Kurt!
On Mon, Mar 23, 2020 at 12:39:30AM +0100, Kurt Roeckx wrote:
> On Sun, Mar 22, 2020 at 05:47:16PM +0100, Ragnar Sundblad wrote:
> > > > > Section 9
> > > > >
> > > > > We should probably have some discussion of the consequences of
> > > > > compromise of the server's cookie-encryption key. Possibly also for
> > > > > when the key associated with a cookie is compromised from a client,
> > > > > though if cookies are single-use the scope may be quite limited. (That
> > > > > is, since we are using the shared symmetric key for authentication by
> > > > > virtue of "I didn't send it so it must be from the other party that has
> > > > > the key".)
> > > >
> > > > NTP and NTS-KE server operators are expected to remove compromised keys as soon
> > > > as the compromise is discovered. This would cause the NTP servers to respond
> > > > with NTS NAK, thus forcing key renegotiation. We are aware that this does
> > > > not protect against MITM attacks where the attacker has access to a
> > > > compromised cookie encryption key.
> > >
> > > I did not doubt that you are aware of this; the question is whether all
> > > future readers of this document will similarly be aware.
> >
> > Right, we added a new section ("Key Compromise") to describe the
> > problem and how it should be handled.
>
> I think this is at least a step in the right direction. I think
> there are 2 keys:
> - The key for the X.509 certificate
> - The key that is negiotatiated during NTS-KE
>
> Both of them can be compromised, and I think the new section only
> talks about the 2nd key, and talks about how to deal with that
> event, but I think it's also important to deal with the first key.
I think it's talking about a third key, the one internal to the NTS
server(s) that is used to self-encrypt the cookies that are handed out to
clients. Compromising this key affects all clients, so is particularly
noteworthy. Compromising the X.509 key does the same, though is in theory
covered by the security considerations of other documents (e.g., RFC 5280).
Compromising the result of the NTS-KE negotiation affects only the one
client in question, and thus has something of a narrower scope. I wouldn't
turn down text that discussed the consequences of its compromise, though!
-Ben
- [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-… Benjamin Kaduk via Datatracker
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Franke, Daniel
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Ragnar Sundblad
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Ragnar Sundblad
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Kurt Roeckx
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Sandra Murphy
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Ragnar Sundblad
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Sandra Murphy