[ntpwg] Comments on various NTS drafts
Florian Weimer <fweimer@redhat.com> Fri, 03 April 2015 04:03 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3958F1A017E for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Thu, 2 Apr 2015 21:03:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIOAs8fw1rJP for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Thu, 2 Apr 2015 21:03:33 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by ietfa.amsl.com (Postfix) with ESMTP id 3052B1A017C for <ntp-archives-ahFae6za@lists.ietf.org>; Thu, 2 Apr 2015 21:03:33 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id 2209886DAE3 for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 3 Apr 2015 04:03:33 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id DBFCC86D4F1 for <ntpwg@lists.ntp.org>; Thu, 2 Apr 2015 09:52:29 +0000 (UTC)
Received: from mx1.redhat.com ([209.132.183.28]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <fweimer@redhat.com>) id 1YdbnP-000I4e-Sr for ntpwg@lists.ntp.org; Thu, 02 Apr 2015 09:52:29 +0000
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id D38902B649C for <ntpwg@lists.ntp.org>; Thu, 2 Apr 2015 09:52:18 +0000 (UTC)
Received: from oldenburg.str.redhat.com (oldenburg.str.redhat.com [10.33.200.60]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t329qHhg018720 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ntpwg@lists.ntp.org>; Thu, 2 Apr 2015 05:52:18 -0400
Message-ID: <551D1150.5080500@redhat.com>
Date: Thu, 02 Apr 2015 11:52:16 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: ntpwg@lists.ntp.org
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-SA-Exim-Connect-IP: 209.132.183.28
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: fweimer@redhat.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
X-Mailman-Approved-At: Fri, 03 Apr 2015 04:01:38 +0000
Subject: [ntpwg] Comments on various NTS drafts
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Here are a few comments on those drafts. I hope they are useful. I strongly recommend reusing (D)TLS instead of implementing your own cryptographic protocol. I have marked the issues which would go away with a proper implementation of (D)TLS with “(D)”. With DTLS, the server could just send the client cookie and the HMAC key, disregarding the client certificate. # RFC 7384 compliance First of all, the proposed protocol fails to implement the requirements of RFC 7384. This is mostly due to the fact that several of its requirements are *impossible* to implement: Section 5.1.2 is likely bogus because it is not implementable in practice (end-to-end security makes intermediate clocks obsolete). Section 5.6.1 requires frequent key refresh. This is impossible to implement in practice (ultimate keys cannot be refreshed without operator intervention), and not necessary as long as sufficiently strong cryptographic primitives (non-broken algorithms) are used. Section 5.9 is impossible to implement. There is no protection against DoS from MITM attacks. Protection against low-rate message spoofing without knowledge of the keys seems reasonable, though. In addition, RFC 7384, Section 3.2.10 indicates that securing the time source of an entire organization from an external source is out of scope. However, this is likely the most common application of a security time protocol. # draft-ietf-ntp-network-time-security-08 * The client host name in the client_assoc is an unnecessary information leak. * The client_assoc message needs a mechanism to select the server certificate. This is desirable for metrics and required for server key rollover without locking out the existing clients. Without this mechanism, it is necessary to use multiple IP addresses. (D) via SNI. * The integrity checks on the server_assoc response are unclear. It is not specified if host name verification is performed. (D) * In a trivial UDP-based implementation, the server_assoc response is computed before two-way communication with the client IP address has been proven, resulting in a denial of service vulnerability (CPU overload due to signature computation for spoofed clients, traffic amplification due to larger server response). This also affects the server_cook message generation. Photuris cookies would address this. (D) * The server_cook message uses non-hybrid asymmetric encryption. With ECC, this does not work because the provided payload space is not large enough. The usual hybrid scheme should be used instead. This means that an additional cryptographic primitive has to be negotiated. (D) * Client certificate management is a red flag for many organizations. It would be better if the protocol would not use a client certificate at all, and some other key agreement scheme (e.g., application key extraction with TLS/DTLS, without client certificates, or a TLS response containing an encrypted session key). (D) * With a server without per-client state, the HMAC key setup has to be performed on each response. This is quite costly. A different MAC could be quite a bit cheaper in terms of CPU overhead. * I have doubts about the use of TESLA. . Is there sufficient operational experience with this protocol? . It is never stated explicitly, but reading the protocol descriptions, it is expected that TESLA is secure against malicious recipients. . TESLA uses a race condition for security, which seems inherently risky. . The use of time for security purposes interacts in a complex way with using TESLA for time synchronization. # draft-ietf-ntp-cms-for-nts-message-02 * DER is used even for fast-path time synchronization messages (not just for the handshake). This seems unnecessary. * Requiring a new OID in the Extended Key Usages attribute of certificates (section 4) means that the browser PKI cannot be used to authenticate hosts. This seems quite wrong. * Not all CMS algorithm parameters are negotiated at the NTS layer, as suspected. (D) # draft-ietf-ntp-using-nts-for-ntp-00 * There is no cookie protection of server_assoc/server_cook responses, as explained above. This is quite bad. (D) * The proposed protocol does not address UDP message size limitations. UDP fragmentation is fundamentally broken. (D) -- Florian Weimer / Red Hat Product Security _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Comments on various NTS drafts Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Richard Welty
- Re: [ntpwg] Comments on various NTS drafts Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Richard Welty
- [ntpwg] Antwort: Re: Comments on various NTS draf… dieter.sibold
- [ntpwg] Antwort: Comments on various NTS drafts dieter.sibold
- Re: [ntpwg] Antwort: Comments on various NTS draf… Florian Weimer
- Re: [ntpwg] Antwort: Re: Comments on various NTS … Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Florian Weimer
- [ntpwg] Antwort: Re: Comments on various NTS draf… dieter.sibold
- [ntpwg] Antw: Re: Antwort: Re: Comments on variou… Ulrich Windl
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… Florian Weimer
- Re: [ntpwg] Antwort: Re: Comments on various NTS … Florian Weimer
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… kristof.teichel
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… Florian Weimer