IETF Logo Mail Archive

Re: [Ntp] NTP Security (was NTPv5: big picture)

Magnus Danielson <magnus@rubidium.se> Mon, 18 January 2021 21:28 UTC

Return-Path: <magnus@rubidium.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B8503A0B9F for <ntp@ietfa.amsl.com>; Mon, 18 Jan 2021 13:28:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.361
X-Spam-Level:
X-Spam-Status: No, score=-2.361 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.262, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rubidium.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZw08-srhJkx for <ntp@ietfa.amsl.com>; Mon, 18 Jan 2021 13:28:51 -0800 (PST)
Received: from pio-pvt-msa1.bahnhof.se (pio-pvt-msa1.bahnhof.se [79.136.2.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24D813A0B91 for <ntp@ietf.org>; Mon, 18 Jan 2021 13:28:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by pio-pvt-msa1.bahnhof.se (Postfix) with ESMTP id 50DCC3F518; Mon, 18 Jan 2021 22:28:45 +0100 (CET)
Authentication-Results: pio-pvt-msa1.bahnhof.se; dkim=pass (2048-bit key; secure) header.d=rubidium.se header.i=@rubidium.se header.b="Ugv1qWH0"; dkim-atps=neutral
X-Virus-Scanned: Debian amavisd-new at bahnhof.se
Received: from pio-pvt-msa1.bahnhof.se ([127.0.0.1]) by localhost (pio-pvt-msa1.bahnhof.se [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QzLdfBhD-yQx; Mon, 18 Jan 2021 22:28:43 +0100 (CET)
Received: by pio-pvt-msa1.bahnhof.se (Postfix) with ESMTPA id C99DB3F4EB; Mon, 18 Jan 2021 22:28:42 +0100 (CET)
Received: from machine.local (unknown [192.168.0.15]) by magda-gw (Postfix) with ESMTPSA id 50BD59A0072; Mon, 18 Jan 2021 22:28:42 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=rubidium.se; s=rubidium; t=1611005322; bh=ihMJ/Qohwspdor+FnFrXjILSgot2TirCeG+wNuIycFc=; h=Cc:Subject:To:References:From:Date:In-Reply-To:From; b=Ugv1qWH04K6cDn0LgNxOjz0aoA1u3epc0Lw0VVuARYVpjIVdi4QyqpoE+iTF8IWDW PoBivb3WTh1Lma50UvN+I1FGMn+iN/eGelG9+oSTmGM2rTjSleI7jpaD5WPTLRvHML sUXCo4+AdNNbByT3VJ4YUj4CpKtl2Z38QB2pEH0xKe2QZ/tgEZAgJ7NH7CN9tFWGKC fHYPerTRNVI/hA2VoxwBQFe0bVqyN/TJJTrDUycRDAoDt++aTezzmHt9qhqje5M9T2 7++NLoGInXN0DaanaMYls6n1vgxgX8PiUtGJOZ6/9sP2qEc3w6sFymUtlRaMBlHtKc iuY9Urs0yNI7g==
Cc: magnus@rubidium.se, Miroslav Lichvar <mlichvar@redhat.com>, ntp@ietf.org
To: Kurt Roeckx <kurt@roeckx.be>
References: <20210118113806.33BBE40605C@ip-64-139-1-69.sjc.megapath.net> <c6fda979-0b3e-99fc-2dc5-25b7cde4c42b@rubidium.se> <20210118162517.GA2410317@localhost> <acdd42d0-9b58-4b26-0798-55a42bc0b6de@rubidium.se> <YAX6gJiREb2RE6Gs@roeckx.be>
From: Magnus Danielson <magnus@rubidium.se>
Message-ID: <c5378682-e03f-9e46-24d5-025eb4a57c05@rubidium.se>
Date: Mon, 18 Jan 2021 22:28:41 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <YAX6gJiREb2RE6Gs@roeckx.be>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/TqkPoJK1K0kDCcZWrlUZx4dYWeA>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jan 2021 21:28:56 -0000

Kurt,

On 2021-01-18 22:15, Kurt Roeckx wrote:
> On Mon, Jan 18, 2021 at 09:17:49PM +0100, Magnus Danielson wrote:
>> Hi,
>>
>> On 2021-01-18 17:25, Miroslav Lichvar wrote:
>>> On Mon, Jan 18, 2021 at 04:46:22PM +0100, Magnus Danielson wrote:
>>>> 6) If verified time matches that of the initial handshake request (as
>>>> updated using local time progess), then unauthenticated time in step 2
>>>> and 3 was valid, and thus the verification was valid and progress, else
>>>> fail.
>>>>
>>>> So, we see how unauthenticated time can be used to bootstrap the
>>>> handshake. Notice that this is not used to initiate node time, but only
>>>> for that handshake. Only after things is secured, you accept time as
>>>> being secured.
>>> I don't quite follow. If A was compromised at some point, how do you
>>> know you are not talking to the attacker intercepting your requests
>>> and giving you old signatures? Isn't the whole point of the validity
>>> period to prevent such attacks? If you don't know the current time,
>>> how can you validate anything that's not supposed to be trusted
>>> forever?
>>>
>> You actually do not trust the time you get initially. You validate it.
>> If your DNSSEC is invalid because of time, then the DNSSEC does not
>> validate. If your DNSSEC is invalid because false data, the DNSSEC does
>> not validate. Then, if and only if DNSSEC validate, only then you get
>> time but using the data-validated path, and only then you validate if
>> the original time and the validated time match up. If they don't, then
>> you do not trust either. If you can spoof the DNSSEC to validate, you
>> are toast anyway, if you have put your trust there.
> In case keys are compromised, an attacker can send you an invalid
> initial time. That same attacker can create DNSSEC records, which
> you're happy to validate with the wrong time. So now you think DNS
> is working properly and ask for the time again, and still get the
> wrong time.
The DNSSEC records need to validate data-wise for the time-attack to do
any good. The design goal was just to enable the DNSSEC validation to
have good enough time for time-validation for bootstrap.
>
> As far as I know, this requires at least 2 things to be compromised:
> Both DNSSEC and the X509 certificate. This is less likely than
> just 1 being compromised, but still possible. It would at least
> help that the DNSSEC and X509 certificate are not managed by the
> same organization.

For sure. If you have updated your basic DNSSEC key to be valid enough,
DNSSEC validation should be difficult. At the time it is "broken" we are
not alone to need the upgrade.

>
> The only options I see is:
> 1) You have enough sources so that all being compromised is
>    unlikely enough for your use case. This can be things like:
>    - A battery to keep your clock
>    - A source of time that makes you a stratum 1 servers like a
>      GPS receiver.
>    - 1 or more ntp servers (using NTS)
>    - Other sources of time like roughtime
Regular update that RTC. I've seen NTP fail because the RTC drifted away
and was not maintained.
> 2) The machine should trust something external:
>    - A human that sets the time correct
>    - An external DNS server that does DNSSEC validation for it,
>      and probably uses 1) itself.

If you trust DNSSEC and that key-chain as well as trust the X.509 chain,
then you put your core trust there. The bootstrap procedure I describe
is to bootstrap out of the situation you do not trust your own time well
enough. In fact, as you wake up, you also need to consider that your own
local time can be at error, and you need to bootstrap out of that. You
can test it through similar enough procedure, but if that fails, you
need to bootstrap time from external source.

Look at the DHS Resilient PNT common framework, already for Level 1 you
need to be able to in the field be able to reset to "factory settings"
to override any internal state that can be incorrect. It turns out from
bitter experience, you can't trust that at all times. Once you done your
homework, that's another story, and you need to maintain it just as with
keys.

Cheers,
Magnus

v2.23.0 | Report a Bug | By Email