IETF Logo Mail Archive

Re: [ntpwg] NTS: The question of CMS vs. (D)TLS

Florian Weimer <fweimer@redhat.com> Thu, 02 July 2015 13:54 UTC

Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B629A1A903C for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Thu, 2 Jul 2015 06:54:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgCMrprndIYr for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Thu, 2 Jul 2015 06:54:29 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by ietfa.amsl.com (Postfix) with ESMTP id C88211A902E for <ntp-archives-ahFae6za@lists.ietf.org>; Thu, 2 Jul 2015 06:54:29 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id C0C0C86DB27 for <ntp-archives-ahFae6za@lists.ietf.org>; Thu, 2 Jul 2015 13:54:29 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 97A4B86D48C for <ntpwg@lists.ntp.org>; Thu, 2 Jul 2015 13:54:07 +0000 (UTC)
Received: from mx1.redhat.com ([209.132.183.28]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <fweimer@redhat.com>) id 1ZAewB-000FCW-3v for ntpwg@lists.ntp.org; Thu, 02 Jul 2015 13:54:07 +0000
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 51C2F38882F; Thu, 2 Jul 2015 13:53:58 +0000 (UTC)
Received: from oldenburg.str.redhat.com (ovpn-204-25.brq.redhat.com [10.40.204.25]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t62DrtKa007399 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Jul 2015 09:53:57 -0400
Message-ID: <55954272.9020902@redhat.com>
Date: Thu, 02 Jul 2015 15:53:54 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: kristof.teichel@ptb.de, ntpwg@lists.ntp.org
References: <OF0D8F7CB4.A1C8057D-ONC1257E76.004B19F6-C1257E76.004B2BC4@ptb.de>
In-Reply-To: <OF0D8F7CB4.A1C8057D-ONC1257E76.004B19F6-C1257E76.004B2BC4@ptb.de>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-SA-Exim-Connect-IP: 209.132.183.28
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: fweimer@redhat.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [ntpwg] NTS: The question of CMS vs. (D)TLS
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>

On 07/02/2015 03:41 PM, kristof.teichel@ptb.de wrote:

> In particular, due to the above conversation, I had always understood your 
> proposed approach as follows: 
> - use (D)TLS for the negotiation phase, have rand ("key input value" or 
> "KIV" in our current terminology) and resulting shared key ("cookie" in 
> our current terminology) be part of that negotiation 
> - end negotiation phase, end (D)TLS session
> - go into post-negotiation phase, where the rand/KIV is included in each 
> timesync request (as opposed to a session ticket) and forms the basis for 
> the server to generate the cookie which is used as key for the HMAC 
> included in a timesync response

This is still fine, except that I would like to replace client
certificate hash with an opaque value of variable length.  The CMS-based
protocol could still put the client-cert hash there, but a DTLS-based
implementation would store a session ticket in this place.

Even for the CMS-based negotiation phase, I suggest to send back this
field to the client.  This means that it's up to the implementation what
to put there.  It could be the client certificate hash, but the server
implementation could use something else (which might provide it with
additional state).

Does this make sense?

> I like(d) this approach for its clean distinction of negotiation and 
> post-negotiation phase. I especially liked that different methods of 
> handling the cryptographic aspects (i.e. CMS-based vs. (D)TLS) would have 
> to be specified separately only for the negotiation phase and that the 
> post-negotiation phase would not differentiate. 
> This reduces complexity for both specification and implementation. 
> Additionally, it retains the low cryptographic requirements for a timesync 
> response (performing exactly two HMAC operations).

I think this is possible if the small change I outlined above is made to
the protocol.

> I'm not a big fan of an approach which requires specification and 
> implementation to make a differentiation between security approaches 
> (CMS-based vs. (D)TLS) for post-negotiation phase (timesync) traffic. 
> Also, it seems to me like the use of a session ticket for post-negotiation 
> traffic, as described by you currently, would in effect be very similar to 
> "just run NTP over (D)TLS, with session resumption using session tickets". 
> What am I missing here?

Sorry for the confusion.  It's conceptually a session ticket.  I don't
propose to implement it using DTLS on the server side (although you
probably could, but I wouldn't recommend it).

> I see your point here. I am unsure, however, how highly we should place 
> the requirement for this kind of DoS protection.

I think it's reasonable to provide space to keep additional state which
can be used to support various (implementation-defined) mechanisms.  It
is not necessary to specify the precise mechanism.  If the server sends
back the ticket that takes the place of the client certificate hash, and
the client includes that instead of the hash in post-negotiation
requests, this would be sufficient for server-side state extensions.
The CMS-based reference implementation could simply send back the client
certificate hash, but the protocol is open to more elaborate approaches
(and these server-side mechanisms would not require client changes).

The exception to this rule is protection of the asymmetric cryptographic
operation in the negotiation phase—this rather expensive operation
should only be reachable after the client has proven control over the
client address it supplied (so that we can assume it has not been
spoofed).  This is what a Photuris-style cookie achieves.

-- 
Florian Weimer / Red Hat Product Security
_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg

v2.23.0 | Report a Bug | By Email