[Ntp] Roughtime: Proving inaccuracy of servers.
Hal Murray <halmurray@sonic.net> Mon, 23 October 2023 03:10 UTC
Return-Path: <halmurray@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34FFEC151075 for <ntp@ietfa.amsl.com>; Sun, 22 Oct 2023 20:10:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fHy_RM4P6fpv for <ntp@ietfa.amsl.com>; Sun, 22 Oct 2023 20:10:53 -0700 (PDT)
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA3E3C151084 for <ntp@ietf.org>; Sun, 22 Oct 2023 20:10:36 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (104-182-38-69.lightspeed.sntcca.sbcglobal.net [104.182.38.69]) (authenticated bits=0) by c.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 39N3AZbZ018794 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Sun, 22 Oct 2023 20:10:35 -0700
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 3E56528C245; Sun, 22 Oct 2023 20:10:35 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: Watson Ladd <watsonbladd@gmail.com>
cc: Hal Murray <halmurray@sonic.net>, ntp@ietf.org
From: Hal Murray <halmurray@sonic.net>
In-Reply-To: Message from Watson Ladd <watsonbladd@gmail.com> of "Sun, 22 Oct 2023 11:42:58 -0700." <CACsn0c=rdBJL0Y2fcERuf9C4wEr-KHpsQj39ksGThKzJ2nUG3Q@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 22 Oct 2023 20:10:35 -0700
Message-Id: <20231023031035.3E56528C245@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVaT4zCQ3MHafPyetlWSfqZvXHJp6Sy101EbLE8Amb57MJAtYyVnJ0sqBTZ2IRutwgUn8Hs/SwhPuIPE74tHsw4cn3g8UGeeffc=
X-Sonic-ID: C;2Nbmu1Fx7hG+wkeIR+6Zsg== M;9NH8u1Fx7hG+wkeIR+6Zsg==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/gFCTOAlNDxycLRWoDSoeSNlV2Xo>
Subject: [Ntp] Roughtime: Proving inaccuracy of servers.
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2023 03:10:58 -0000
Looking at section 9.2 Measurement sequence
The client randomly permutes three servers from
the list, and seqeuntially queries them. The first
probe uses a NONC that is randomly generated.
The second query uses H(resp||rand) where rand
is a random 32 byte value and resp is the entire
response to the first probe. The third query uses
H(resp||rand) for a different 32 byte value.
I don't see how you can prove much from that. All you know is that the first
packet was sent before the second and also before the third.
If the first server replies with a time from yesterday, you can't prove that
you didn't save a packet from then.
If the second or third server replies with a time from tomorrow, you can't
prove anything unless you go through another step to get another time stamped
signing for your data collection.
If the NONC for the third server is based on the resp from the second server,
then you have the second server bracketed.
If you want tight proof on all 3 servers, I think you have to make an extra
probe before probing the 3 and another after. The one after is optional.
It's only needed if you want to prove the 3rd server gave a time from the
future. That's assuming that each NONC is based on a hash of the previous
packet.
What sort of bounds are you thinking of? seconds? days? microseconds?
Here is an idea for your prove-it collection. Use NTS.
Every NTP+NTS response already contains the time and a nonce authenticated by
the server.
The catch is that they are authenticated by a working key which you don't know
so I can't prove to you that they were authenticated by the server. That's
easy to fix. The server needs a public/private key. That's in addition to
the public/private keys for the TLS certificate. Extend the NTS-KE protocol
to include signing the working key with its private key.
If I want to prove anything, I have to expose the working key. Be sure to get
a new one first.
I'm assuming the nonce would be H(rand||several recent packets)
That's packets from NTS servers supporting the new extension.
I'm ignoring other traffic.
Normally, NTP tries to spread the requests out in time. The polling interval
is usually somewhere between a minute and 15 minutes.
If you get a bogus time in the future, it would be easy to fire off a reqest
to another NTS server.
If you get a time in the past, you can only prove it if the time is older than
your most recent resonse. You could get time from a good server, then try the
bad one again.
--
These are my opinions. I hate spam.
- Re: [Ntp] I-D Action: draft-ietf-ntp-roughtime-08… Hal Murray
- Re: [Ntp] I-D Action: draft-ietf-ntp-roughtime-08… Hal Murray
- [Ntp] I-D Action: draft-ietf-ntp-roughtime-08.txt internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-roughtime-08… Hal Murray
- Re: [Ntp] I-D Action: draft-ietf-ntp-roughtime-08… Watson Ladd
- [Ntp] Roughtime: Proving inaccuracy of servers. Hal Murray