IETF Logo Mail Archive

Re: [Ntp] Roughtime and Delay Attacks

Tal Mizrahi <tal.mizrahi.phd@gmail.com> Tue, 02 April 2019 07:53 UTC

Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45CBB120071 for <ntp@ietfa.amsl.com>; Tue, 2 Apr 2019 00:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH4GYMiCV3Bs for <ntp@ietfa.amsl.com>; Tue, 2 Apr 2019 00:53:31 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18FE312006B for <ntp@ietf.org>; Tue, 2 Apr 2019 00:53:31 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id x12so14117459qts.7 for <ntp@ietf.org>; Tue, 02 Apr 2019 00:53:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PBnhuIeyV+/svm7eItLU0HdG/a1xjVWIG0KNUYmELtA=; b=hz3osN9KVDLp5i3bzZUtHlM+G1W1eaH/wCXlDecdeW/YQ5Mp+YlHQvW1LspVHyo1K4 orQBFbKPiTD2NvW1oq5G6+50VmEYSED24RnL00ecu3aQ89LzrnqfQ1EUvC0j4HEWdmv8 4pS3EcqhlSW+j6xdouS28p60PbBGDzzb6xksbIiv1flAou555/8D32KaEs7Lfajb1/gh ad8FEm+pOab0ExPXLuOECAmNt1v/4z5jss+x9xT2NT8zmDXkad73Jb6je/E6lnuveM0l pSYDiKXmpKe2AYoMBvdT3pM/nivbDdGDN9dXSUvRRu9toWH4xQBnrVHxBToKqaH9Ke2j +UWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PBnhuIeyV+/svm7eItLU0HdG/a1xjVWIG0KNUYmELtA=; b=Kahky6HQ0WMtKPTn2RN2CEsJjyD6Y9tnlDZfUcEBzUKJa1yASfFP3R5sVj4p5atba/ bZL+oRmSWvEOLQE7qyMJaJEK4ra/qlrt9u3/oprwr4oldczlUo3wbBK3tZuiWi7WsD2P aSgS9uCHEZJbJYGJGvo0Mp+1Q6sXd966LRQY9yGeVWwwJ9i1MkxrBbtTk0vFu8LbKNcf xb5mH/EbBARbwWzxyGhki29QdYj3Qs0lp17kAyo5lo0i/3Xxm+73urtQCHQVv7evGO6+ 1KrmzF3heGE0suKrF30jQjCOgBs2xAVDEt4xntX62iehn47wpwX2bHHVPMCuaqchw+nt zxWg==
X-Gm-Message-State: APjAAAWprNOoyr6yFlGJMlIun9rMHmEjO6B/Auf9TpXtSQyVdDeFscao u8p2pQ/0KGjKVmMXHcUnb9XuweUehJ6rSmTKmvY=
X-Google-Smtp-Source: APXvYqwnE5DvWpPRr9HygdK17lR9h2vTcSOMgb1TTidVXogGnhiPbbhMKKHJJgIbUVfvd0pJeuQYVRnD/w8Y4mu0OR8=
X-Received: by 2002:ac8:17ee:: with SMTP id r43mr55907169qtk.169.1554191610135; Tue, 02 Apr 2019 00:53:30 -0700 (PDT)
MIME-Version: 1.0
References: <CABUE3Xmg1vZedhEras54LC6WyChPhcZnqB2s1TNcMaoLbarkdQ@mail.gmail.com> <OFF21B3920.9A750F87-ONC12583D0.002454E6-C12583D0.00297785@ptb.de>
In-Reply-To: <OFF21B3920.9A750F87-ONC12583D0.002454E6-C12583D0.00297785@ptb.de>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Tue, 02 Apr 2019 10:53:19 +0300
Message-ID: <CABUE3X=n1uwynLGzMtOPVM0+8iocgt=yi=SO+6tS6Fd7SubGUw@mail.gmail.com>
To: kristof.teichel@ptb.de
Cc: ntp@ietf.org, Aanchal Malhotra <aanchal4@bu.edu>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d5c7f10585876e17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/YH9yfVvMu5HzwggpILjKrSMYCs4>
Subject: Re: [Ntp] Roughtime and Delay Attacks
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 07:53:34 -0000

Hi Kristof,

Thanks for the clarification.
Your description makes sense, and I believe this analysis MUST be in the
draft, preferably at the beginning of the draft.

Cheers,
Tal.


On Tue, Apr 2, 2019 at 10:33 AM <kristof.teichel@ptb.de> wrote:

> Hi all,
>
> I think it is essential that we get started on not only a threat analysis,
> but also a clear list of goals and (I believe roughtime is one of the few
> cases where this might make sense) non-goals.
> Off the top of my head:
> - Roughtime is supposed to do one thing very well: if a server is giving
> out visibly false time (with unconspicuously small RTT), then Roughtime can
> give cryptographic proof of this server's message not fitting into the time
> context of other servers' messages
> - Absence of proof of malfeasance is not proof of absence of malfeasance!
> Roughtime should probably not be used as a witness that a server is overall
> "good" (at best that it has been good so far...).
> - Roughtime (AFAIK) still needs to include some considerations of RTT in
> its analysis somehow (see below).
>
>
> Towards that last point and also Tal's question:
> A case distinction (perhaps better presented as a table) should be made
> for the relations between "good/bad" offset and "long/short" RTT:
> * Good offset at short RTT: proof that (in this instance!!), the server
> behaved well and the association was not attacked
> * Good offset at long RTT: could imply either good or bad server
> behavior... certainly an oddity, so potentially report-worthy?
> * Bad offset at short RTT: strong proof of server malfeasance, absolutely
> report-worthy and actually the reason why Roughtime was built
> * Bad offset at long RTT: no proof of server malfeasance in particular...
> but proof that something bad is going on, and IMO report-worthy
>
> The crux here is that the distinction of "long/short" RTT actually depends
> on the offset.
> That is why I'm not convinced that a simple threshold is the way to go for
> RTT handling.
> Perhaps attaching the RTT or half the RTT to metadata for every offset
> measurement is better?
> As in: "this server's time messages yielded a measured offset of X with a
> possible error of Y"... and then evaluate this as an interval [X-Y, X+Y]
> and make your "good/bad" criteria also an interval?
> Then the measurement interval can be contained in the criteria intervall
> (i.e. everything is good), can lie partly inside and partly outside of it
> (i.e. uncertain result) or they can be completely disjoint (i.e. proof of
> server malfeasance).
> This does cause a good amount of possibly unwanted complexity... but it
> would also be significantly more expressive!
>
>
> Thanks for the helpful discussion and best regards,
> Kristof
>
>
>
>
>
> Von:        "Tal Mizrahi" <tal.mizrahi.phd@gmail.com>
> An:        "Aanchal Malhotra" <aanchal4@bu.edu>, "Watson Ladd" <
> watsonbladd@gmail.com>, kristof.teichel@ptb.de, ntp@ietf.org
> Datum:        02.04.2019 06:14
> Betreff:        [Ntp] Roughtime and Delay Attacks
> Gesendet von:        "ntp" <ntp-bounces@ietf.org>
> ------------------------------
>
>
>
> Hi Aanchal, Watson, Kristof,
>
> Thanks for a fruitful discussion in Prague.
>
> To summarize our discussion regarding delay attacks: in order to roughly
> detect delay attacks, a client has a MAX bound on the RTT. If the RTT of a
> request-response handshake exceeds MAX, the client ignores the
> corresponding server. Indeed, I believe this helps the client to roughly
> detect delay attacks.
>
> Question: in the scenario above, i.e., RTT>MAX, how can the client prove
> the server's malfeasance? The cryptographic chain in this example would
> indicate that all the servers are well, and the client has no way to prove
> that RTT>MAX. What am I missing?
>
> Thanks,
> Tal._______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
>
>
>

v2.23.0 | Report a Bug | By Email