Re: [Ntp] Roughtime and Delay Attacks
Tal Mizrahi <tal.mizrahi.phd@gmail.com> Tue, 02 April 2019 07:53 UTC
Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45CBB120071 for <ntp@ietfa.amsl.com>; Tue, 2 Apr 2019 00:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH4GYMiCV3Bs for <ntp@ietfa.amsl.com>; Tue, 2 Apr 2019 00:53:31 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18FE312006B for <ntp@ietf.org>; Tue, 2 Apr 2019 00:53:31 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id x12so14117459qts.7 for <ntp@ietf.org>; Tue, 02 Apr 2019 00:53:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PBnhuIeyV+/svm7eItLU0HdG/a1xjVWIG0KNUYmELtA=; b=hz3osN9KVDLp5i3bzZUtHlM+G1W1eaH/wCXlDecdeW/YQ5Mp+YlHQvW1LspVHyo1K4 orQBFbKPiTD2NvW1oq5G6+50VmEYSED24RnL00ecu3aQ89LzrnqfQ1EUvC0j4HEWdmv8 4pS3EcqhlSW+j6xdouS28p60PbBGDzzb6xksbIiv1flAou555/8D32KaEs7Lfajb1/gh ad8FEm+pOab0ExPXLuOECAmNt1v/4z5jss+x9xT2NT8zmDXkad73Jb6je/E6lnuveM0l pSYDiKXmpKe2AYoMBvdT3pM/nivbDdGDN9dXSUvRRu9toWH4xQBnrVHxBToKqaH9Ke2j +UWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PBnhuIeyV+/svm7eItLU0HdG/a1xjVWIG0KNUYmELtA=; b=Kahky6HQ0WMtKPTn2RN2CEsJjyD6Y9tnlDZfUcEBzUKJa1yASfFP3R5sVj4p5atba/ bZL+oRmSWvEOLQE7qyMJaJEK4ra/qlrt9u3/oprwr4oldczlUo3wbBK3tZuiWi7WsD2P aSgS9uCHEZJbJYGJGvo0Mp+1Q6sXd966LRQY9yGeVWwwJ9i1MkxrBbtTk0vFu8LbKNcf xb5mH/EbBARbwWzxyGhki29QdYj3Qs0lp17kAyo5lo0i/3Xxm+73urtQCHQVv7evGO6+ 1KrmzF3heGE0suKrF30jQjCOgBs2xAVDEt4xntX62iehn47wpwX2bHHVPMCuaqchw+nt zxWg==
X-Gm-Message-State: APjAAAWprNOoyr6yFlGJMlIun9rMHmEjO6B/Auf9TpXtSQyVdDeFscao u8p2pQ/0KGjKVmMXHcUnb9XuweUehJ6rSmTKmvY=
X-Google-Smtp-Source: APXvYqwnE5DvWpPRr9HygdK17lR9h2vTcSOMgb1TTidVXogGnhiPbbhMKKHJJgIbUVfvd0pJeuQYVRnD/w8Y4mu0OR8=
X-Received: by 2002:ac8:17ee:: with SMTP id r43mr55907169qtk.169.1554191610135; Tue, 02 Apr 2019 00:53:30 -0700 (PDT)
MIME-Version: 1.0
References: <CABUE3Xmg1vZedhEras54LC6WyChPhcZnqB2s1TNcMaoLbarkdQ@mail.gmail.com> <OFF21B3920.9A750F87-ONC12583D0.002454E6-C12583D0.00297785@ptb.de>
In-Reply-To: <OFF21B3920.9A750F87-ONC12583D0.002454E6-C12583D0.00297785@ptb.de>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Tue, 02 Apr 2019 10:53:19 +0300
Message-ID: <CABUE3X=n1uwynLGzMtOPVM0+8iocgt=yi=SO+6tS6Fd7SubGUw@mail.gmail.com>
To: kristof.teichel@ptb.de
Cc: ntp@ietf.org, Aanchal Malhotra <aanchal4@bu.edu>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d5c7f10585876e17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/YH9yfVvMu5HzwggpILjKrSMYCs4>
Subject: Re: [Ntp] Roughtime and Delay Attacks
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 07:53:34 -0000
Hi Kristof, Thanks for the clarification. Your description makes sense, and I believe this analysis MUST be in the draft, preferably at the beginning of the draft. Cheers, Tal. On Tue, Apr 2, 2019 at 10:33 AM <kristof.teichel@ptb.de> wrote: > Hi all, > > I think it is essential that we get started on not only a threat analysis, > but also a clear list of goals and (I believe roughtime is one of the few > cases where this might make sense) non-goals. > Off the top of my head: > - Roughtime is supposed to do one thing very well: if a server is giving > out visibly false time (with unconspicuously small RTT), then Roughtime can > give cryptographic proof of this server's message not fitting into the time > context of other servers' messages > - Absence of proof of malfeasance is not proof of absence of malfeasance! > Roughtime should probably not be used as a witness that a server is overall > "good" (at best that it has been good so far...). > - Roughtime (AFAIK) still needs to include some considerations of RTT in > its analysis somehow (see below). > > > Towards that last point and also Tal's question: > A case distinction (perhaps better presented as a table) should be made > for the relations between "good/bad" offset and "long/short" RTT: > * Good offset at short RTT: proof that (in this instance!!), the server > behaved well and the association was not attacked > * Good offset at long RTT: could imply either good or bad server > behavior... certainly an oddity, so potentially report-worthy? > * Bad offset at short RTT: strong proof of server malfeasance, absolutely > report-worthy and actually the reason why Roughtime was built > * Bad offset at long RTT: no proof of server malfeasance in particular... > but proof that something bad is going on, and IMO report-worthy > > The crux here is that the distinction of "long/short" RTT actually depends > on the offset. > That is why I'm not convinced that a simple threshold is the way to go for > RTT handling. > Perhaps attaching the RTT or half the RTT to metadata for every offset > measurement is better? > As in: "this server's time messages yielded a measured offset of X with a > possible error of Y"... and then evaluate this as an interval [X-Y, X+Y] > and make your "good/bad" criteria also an interval? > Then the measurement interval can be contained in the criteria intervall > (i.e. everything is good), can lie partly inside and partly outside of it > (i.e. uncertain result) or they can be completely disjoint (i.e. proof of > server malfeasance). > This does cause a good amount of possibly unwanted complexity... but it > would also be significantly more expressive! > > > Thanks for the helpful discussion and best regards, > Kristof > > > > > > Von: "Tal Mizrahi" <tal.mizrahi.phd@gmail.com> > An: "Aanchal Malhotra" <aanchal4@bu.edu>, "Watson Ladd" < > watsonbladd@gmail.com>, kristof.teichel@ptb.de, ntp@ietf.org > Datum: 02.04.2019 06:14 > Betreff: [Ntp] Roughtime and Delay Attacks > Gesendet von: "ntp" <ntp-bounces@ietf.org> > ------------------------------ > > > > Hi Aanchal, Watson, Kristof, > > Thanks for a fruitful discussion in Prague. > > To summarize our discussion regarding delay attacks: in order to roughly > detect delay attacks, a client has a MAX bound on the RTT. If the RTT of a > request-response handshake exceeds MAX, the client ignores the > corresponding server. Indeed, I believe this helps the client to roughly > detect delay attacks. > > Question: in the scenario above, i.e., RTT>MAX, how can the client prove > the server's malfeasance? The cryptographic chain in this example would > indicate that all the servers are well, and the client has no way to prove > that RTT>MAX. What am I missing? > > Thanks, > Tal._______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp > > >
- [Ntp] Roughtime and Delay Attacks Tal Mizrahi
- Re: [Ntp] Roughtime and Delay Attacks kristof.teichel
- Re: [Ntp] Roughtime and Delay Attacks Tal Mizrahi
- Re: [Ntp] Roughtime and Delay Attacks Tony Finch
- Re: [Ntp] Roughtime and Delay Attacks kristof.teichel
- Re: [Ntp] Roughtime and Delay Attacks Hal Murray
- Re: [Ntp] Roughtime and Delay Attacks kristof.teichel
- Re: [Ntp] Roughtime and Delay Attacks Stewart Bryant
- Re: [Ntp] Roughtime and Delay Attacks Watson Ladd
- Re: [Ntp] Roughtime and Delay Attacks Greg.Dowd
- Re: [Ntp] Roughtime and Delay Attacks Joachim Fabini
- Re: [Ntp] Roughtime and Delay Attacks Stewart Bryant