Re: [Ntp] Fwd: DTLS Lite Security for the Network Time Protocol.
Miroslav Lichvar <mlichvar@redhat.com> Tue, 14 August 2018 11:31 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B69212DD85 for <ntp@ietfa.amsl.com>; Tue, 14 Aug 2018 04:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3DNgYlJJ9NMG for <ntp@ietfa.amsl.com>; Tue, 14 Aug 2018 04:31:42 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4702130E31 for <ntp@ietf.org>; Tue, 14 Aug 2018 04:31:42 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C23DE402316D; Tue, 14 Aug 2018 11:31:41 +0000 (UTC)
Received: from localhost (unknown [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 06DF32142F20; Tue, 14 Aug 2018 11:31:40 +0000 (UTC)
Date: Tue, 14 Aug 2018 13:31:39 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Kristof Teichel <k.teichel@gmail.com>
Cc: "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <20180814113139.GF7454@localhost>
References: <9d4c4bbb-1876-9faa-e6e9-1ddb3787518e@nwtime.org> <e782ea93-7e84-008c-981a-1a157ddfffc3@nwtime.org> <CAAksvJxaBXin_iKsx=s3PtVZEkSjKgo_eXqxvfWQFcAx8obDhA@mail.gmail.com> <20180814080314.GD7454@localhost> <CAAksvJyFttkLCAC_qCNzhoRtJPk=fGy6TADLEjefo+ScQcVfSQ@mail.gmail.com> <CAAksvJyFO38Jy-22bmp+V6PB0qR2EZBeWM_JePHZ_X7Qmyf2Kw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAAksvJyFO38Jy-22bmp+V6PB0qR2EZBeWM_JePHZ_X7Qmyf2Kw@mail.gmail.com>
User-Agent: Mutt/1.10.0 (2018-05-17)
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Tue, 14 Aug 2018 11:31:41 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Tue, 14 Aug 2018 11:31:41 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'mlichvar@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/dBhfZfJOfNU5nF3H-uZSjfc2vr0>
Subject: Re: [Ntp] Fwd: DTLS Lite Security for the Network Time Protocol.
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2018 11:31:45 -0000
On Tue, Aug 14, 2018 at 01:00:11PM +0200, Kristof Teichel wrote: > On Tue, 14 Aug 2018 at 10:03, Miroslav Lichvar <mlichvar@redhat.com> wrote: > > I think there is also still the issue with replays able to cause a > > denial of service. A proposal for securing the symmetric mode needs to > > include a mechanism that will prevent such attacks, as the on-wire > > layer cannot do that on its own. > > Fair enough. > But couldn't this be fixed by adding a few nonces in extension fields (and > arguably improved even just by using the timestamps as a half-baked > replacement for nonces)? I guess it could be as long as a peer can get a number of nonces without changing the state of the other peer and something (based on crypto?) guarantess that nonces cannot be reused. It probably has to be separate from the normal polling in the symmetric mode, where only one request per poll can have a response. The protocol needs to work even when the peers use uneven polling intervals. > > - Broadcast Mode: Seems to use asymmetric signatures in a straightforward > Depending on the device, asymmetric signatures are not necessarily limited > to a few milliseconds though. > I remember that we concluded that a weak embedded processor could be fully > busy processing a signature for an amount of time sufficient to disturb > other operations. Or fail completely - depending on how pessimistic one is > regarding the weakest hardware involved. Oh, I see. Maybe a multithreaded implementation would mitigate that? > Does interleaved play well with broadcast? I have never thought about that. I think it works well. It's actually a bit more secure that the basic broadcast mode as clients can check for missing messages. > It does seem to me like the timestamp-as-sequence-number (in combination > with signatures) might be adequate against strictly only replay attacks. As long as everything works as expected, it could work. The trouble is with various failures, e.g. bad RTC battery and server booting in 1970, which NTP clients may interpret as 2106, a GPS firmware issue (week overflow), successful attacks on the server, etc. IMHO the protocol should be immune to such failures. -- Miroslav Lichvar
- [Ntp] DTLS Lite Security for the Network Time Pro… Harlan Stenn
- Re: [Ntp] DTLS Lite Security for the Network Time… Salz, Rich
- Re: [Ntp] DTLS Lite Security for the Network Time… Kristof Teichel
- Re: [Ntp] DTLS Lite Security for the Network Time… Miroslav Lichvar
- [Ntp] Fwd: DTLS Lite Security for the Network Tim… Kristof Teichel
- Re: [Ntp] Fwd: DTLS Lite Security for the Network… Miroslav Lichvar
- Re: [Ntp] DTLS Lite Security for the Network Time… Ragnar Sundblad