[Ntp] Re: Wrong NTS key exporter context in use for AES-128-GCM-SIV

Miroslav Lichvar <mlichvar@redhat.com> Tue, 17 September 2024 13:13 UTC

Date: Tue, 17 Sep 2024 15:13:46 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: David Venhoek <david@venhoek.nl>
CC: ntp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/SHxuO-T_tBc6kSNphZRro79Fxa0>

On Mon, Sep 16, 2024 at 11:48:32AM +0200, David Venhoek wrote:
> First, it seems you only support 2 algorithms right now. If you
> implement a third alongside the fix for this issue in clients, then
> you could use the presence of the third option (or rather, of any aead
> other than the two the old version supported) as indicator that it is
> a fixed client. This is a bit messy, but should work with the current
> clients out there in the wild, as both ntpsec and ntpd-rs support
> aeads beyond this set. On the client side then of course exporting
> both keys is still needed, but that is not a problem on the wire.

ntpsec, at least in default configuration, seems to be requesting only
one AEAD. I'd not expect clients to request AEADs with longer
keys (making longer cookies) unless specifically configured to do so.

When an implementation adds support for AES-128-GCM-SIV, I think it
will normally be requesting only two AEADs, the one that has to be
supported by every server and the new GCM one.

> Also, I think the server sending cookies for both is not as bad as you
> make it out to be. It would only need to do this on the initial set of
> cookies, as during the normal ntp request response routines it knows
> which keys the client used, so it can use that knowledge to just send
> a specialised cookie.

Good point.

> In any case, I would suggest fixing the underlying cause right now,
> even if it needs a special case for aes-128-gcm-siv, just to ensure
> that any future extensions go smoother. But I would bet you already
> did that or are planning to do that.

Yes, I have that part ready. The question is what else needs to be
done.

Thanks,

-- 
Miroslav Lichvar
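
Added example, not part of the original message or of any implementation named in the thread: a sketch of why "exporting both keys" gives a client two unrelated C2S keys, using the TLS 1.3 exporter with the NTS label and context layout from RFC 8915. Assumptions: a SHA-256 cipher suite, a constructed stand-in for the session's exporter secret, and that the pre-fix context carried the AES-SIV-CMAC-256 ID (the message does not spell out the wrong value).

```python
import hashlib
import hmac
import struct

LABEL = b"EXPORTER-network-time-security"   # NTS exporter label, RFC 8915
NTPV4 = 0                                    # NTS Next Protocol ID
AEAD_AES_SIV_CMAC_256, AEAD_AES_128_GCM_SIV = 15, 30   # IANA AEAD IDs
KEY_LEN = {AEAD_AES_SIV_CMAC_256: 32, AEAD_AES_128_GCM_SIV: 16}
C2S, S2C = 0, 1
# Constructed stand-in for the TLS session's exporter_master_secret.
SAMPLE_SECRET = hashlib.sha256(b"constructed sample secret").digest()

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def tls13_export(secret, label, context, length):
    """TLS 1.3 exporter (RFC 8446, section 7.5)."""
    derived = expand_label(secret, label, hashlib.sha256(b"").digest(), 32)
    return expand_label(derived, b"exporter", hashlib.sha256(context).digest(), length)

def nts_context(aead_id, direction):
    """Protocol ID (2 bytes), AEAD ID (2 bytes), direction (1 byte)."""
    return struct.pack("!HHB", NTPV4, aead_id, direction)

def nts_key(secret, negotiated, context_aead, direction):
    """Key sized for the negotiated AEAD, exported under context_aead's ID."""
    return tls13_export(secret, LABEL, nts_context(context_aead, direction),
                        KEY_LEN[negotiated])

def candidate_c2s_keys(secret):
    """Both C2S keys a client may need to hold for AES-128-GCM-SIV."""
    correct = nts_key(secret, AEAD_AES_128_GCM_SIV, AEAD_AES_128_GCM_SIV, C2S)
    # Assumption: the pre-fix context carried the AES-SIV-CMAC-256 ID instead.
    legacy = nts_key(secret, AEAD_AES_128_GCM_SIV, AEAD_AES_SIV_CMAC_256, C2S)
    return correct, legacy
```

The two keys share no bytes by construction, so a request authenticated under one fails verification under the other; that is what lets a server tell from a received request which key set the client used.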