Re: [ntpwg] Unlinkability formulations in merged draft "NTS-4-NTP"
Sharon Goldberg <goldbe@cs.bu.edu> Wed, 08 March 2017 16:44 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D31D1293FB for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Wed, 8 Mar 2017 08:44:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.311
X-Spam-Level:
X-Spam-Status: No, score=-1.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5axtTmiwjvch for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Wed, 8 Mar 2017 08:44:40 -0800 (PST)
Received: from lists.ntp.org (psp3.ntp.org [185.140.48.241]) by ietfa.amsl.com (Postfix) with ESMTP id 7BCEA129621 for <ntp-archives-ahFae6za@lists.ietf.org>; Wed, 8 Mar 2017 08:44:40 -0800 (PST)
Received: from lists.ntp.org (lists.ntp.org [10.224.90.243]) by lists.ntp.org (Postfix) with ESMTP id 3CF0486DB1B for <ntp-archives-ahFae6za@lists.ietf.org>; Wed, 8 Mar 2017 16:44:40 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (fortinet.ntp.org [10.224.90.254]) by lists.ntp.org (Postfix) with ESMTP id A6E8B86DAED for <ntpwg@lists.ntp.org>; Wed, 8 Mar 2017 16:43:51 +0000 (UTC)
Received: from mail-it0-f46.google.com ([209.85.214.46]) by mail1.ntp.org with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <sharon.goldbe@gmail.com>) id 1clegi-000GeH-Jj for ntpwg@lists.ntp.org; Wed, 08 Mar 2017 16:43:51 +0000
Received: by mail-it0-f46.google.com with SMTP id h10so105457427ith.1 for <ntpwg@lists.ntp.org>; Wed, 08 Mar 2017 08:43:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=C6Xt+G8b62dmnmFfObRjwtbG5QfyRB/jdmWo0sShht0=; b=FbreFnhzWGhkZgnYiNA08S70QwARMr1vbMYWowGNJsOrHOvbYBbYKP/BESjZ4p0dLl PusXsEIZwHb2BLvfBtl7i1oRFJzih42e7b48tq/1+a6hy+lqBHfGgnVIo6HdQBLkRchf QfZEhna6Uy/6bflTjINRWRJsLtD/CifRUAWZe3MskSt12eyBKVOW77SqadlHjb2Uhg/6 Bpxq3H+6MtrAIWgindCXiBs2I9rTZCwhmXMmAIKyRZJ2VmWrIEOOeAPNfO3Vg/sX8F1p A8Pt8bb3L8vlq7LC5D/Gh1SD1KYafDHYgSv8ji25NtZN2pNtC+Is0wAT/6sDwtKGGMi5 tpmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=C6Xt+G8b62dmnmFfObRjwtbG5QfyRB/jdmWo0sShht0=; b=Dcq8SOUgEPkauonuekS1sRAP5qqtnX65BEaq0yf75Igx7IXfz2u4PJpmI8kYJX3m3T +Wi5sgsVQPpEHUkOSHikoKOqPlkAGULtMdGESieHbSte+rmmp4OqaofKZv3iJacgNVU+ CjqagyfbjJqgZPAX4EaJvXI2wJS3/Pr6SZa9cAjSY18CEgmLbxrSDQUZHAdj0KAjNqXw nzJ7NGaTOeKkO/7d9RmaBcX4qr0d8mK6VF2VTDmQSQiQu7NkAm7G3RNTCBiqhgenG+pr Q9l9zAkcpU/5/2SitzglLanShp+G255DgWVY4IFiA+Y1/1PXoCvZsMX9tsOb2HfM7Xbw KH9w==
X-Gm-Message-State: AMke39lPWtlmFETkaHzyxOjwCZpA2q8pSE8QRUUeFYlEvcrBjLnmFExonp8/SsTyRdfVuRpgaJAElhb/1IbAng==
X-Received: by 10.36.153.197 with SMTP id a188mr27112614ite.5.1488991418449; Wed, 08 Mar 2017 08:43:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.141.197 with HTTP; Wed, 8 Mar 2017 08:42:57 -0800 (PST)
In-Reply-To: <CAJHGrrQ1P5cQrVs-rFY0wPqjqe0jxzK2m3CQ3qzsOM0E1-rZSA@mail.gmail.com>
References: <OFDFA8201C.9FF6AA26-ONC12580DD.004A82AE-C12580DD.004BEDC7@ptb.de> <CAJHGrrRLHR=BvWso5hqFdW7uO5ycp1KwwhYz2j881+p75x5mDQ@mail.gmail.com> <CAJHGrrQ1P5cQrVs-rFY0wPqjqe0jxzK2m3CQ3qzsOM0E1-rZSA@mail.gmail.com>
From: Sharon Goldberg <goldbe@cs.bu.edu>
Date: Wed, 08 Mar 2017 11:42:57 -0500
X-Google-Sender-Auth: 4x0e3omZf9UFJbgGfG3b0LPJsMg
Message-ID: <CAJHGrrTpUpX44SbqqLhm9O5gzmgmSygyuPGeNjj0fxCA4E0Nfw@mail.gmail.com>
To: kristof.teichel@ptb.de
X-SA-Exim-Connect-IP: 209.85.214.46
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: sharon.goldbe@gmail.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [ntpwg] Unlinkability formulations in merged draft "NTS-4-NTP"
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: NTP Working Group <ntpwg@lists.ntp.org>
Content-Type: multipart/mixed; boundary="===============8361484668322600220=="
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
Btw, let us know when is a good time to review the whole draft. I'd like to take a look before IETF. On Wed, Mar 8, 2017 at 11:41 AM, Sharon Goldberg <goldbe@cs.bu.edu> wrote: > This is looking good. I've taken a pass over what was sent and propose > the below candidate text. > > Note my use of the IETF "MUST". > > The relevant text in Section "Objectives": > > - Privacy: Once an NTS session has been established, NTS supports > unlinkability for devices that (1) use NTS as clients and (2) minimize the > information they expose in client query (mode 3) packets per > "draft-dfranke-ntp-data-minimization" . Unlinkability ensures that NTS > does not leak data that allows an attacker to track mobile NTP clients when > they move between networks. See [link to Section "Privacy Considerations"] > for details. > > The relevant text in Section "Privacy Considerations": > > Unlinkability prevents a device from being tracked when it changes network > addresses (e.g. because said device moved between different networks). In > other word, unlinkability thwarts an attacker that seeks to link a new > network address used by a device with a network address that it was > formerly using, because of recognizable data that device is persistently > sent as part of an NTS-secured NTP association. This is the justification > for continually supplying the client with fresh cookies, so that a cookie > never represents recognizable data in the sense outlined above. > > NTS's unlinkability object is merely to not leak any additional data that > could be used to link a device's network address. NTS does not rectify > legacy linkability issues that are already present in NTP. Thus, a client > that requires unlinkability MUST also minimize information transmitted in a > client query (mode 3) packet as described in the draft > "draft-dfranke-ntp-data-minimization" > > The unlinkability objective only holds for time synchronization traffic, > as opposed to key exchange traffic. This implies that it cannot be > guaranteed for devices that function not only as time clients, but also as > time servers (because the latter can be externally triggered to send > authentication data). > > It should also be noted that it could be possible to link devices that > operate as time servers from their time synchronization traffic, using > information exposed in (mode 4) server response packets (e.g. reference ID, > reference time, stratum, poll). Also, devices that respond to NTP control > queries could be linked using the information revealed by control queries. > > On Wed, Mar 8, 2017 at 10:12 AM, Sharon Goldberg <goldbe@cs.bu.edu> wrote: > >> Kristof, thanks for this. There are 3 documents in there, I assume you >> are talking about >> >> https://github.com/dfoxfranke/nts/blob/master/draft-ietf-ntp >> -using-nts-for-ntp.xml >> >> right? Also, there are some missing refs so the draft doesn't compile on >> xml2rfc ... >> >> On Wed, Mar 8, 2017 at 8:48 AM, <kristof.teichel@ptb.de> wrote: >> >>> Hello all, >>> >>> we have made a few changes to the merged draft (have been pushed to the >>> repository at https://github.com/dfoxfranke/nts) after some discussion >>> with Aanchal. >>> These changes are about the formulation of the text regarding >>> unlikability. >>> We would welcome any comments or suggestions. >>> >>> >>> The relevant text in Section "Objectives": >>> >>> - Privacy: NTS preserves unlinkability, i. e. it does not leak data that >>> would allow an attacker to track mobile NTP clients when they move between >>> networks. Note that unlinkability is not guaranteed for devices that >>> function as servers as well as clients, see [link to Section "Privacy >>> Considerations"]. >>> >>> The relevant text in Section "Privacy Considerations": >>> >>> Unlinkability shall prevent that a device can be tracked when it changes >>> networ adresses (e.g. because said device moved between different >>> networks). This is to say that an attacker shall be unable to link a new >>> address with one that was formerly used by the device, because of >>> recognizable data that the device persistently sends as part of an >>> NTS-secured NTP association. This is the justification for continually >>> supplying the client with fresh cookies, so that a cookie never represents >>> recognizable data in the sense outlined above. >>> >>> Note that the objective of NTS regarding unlinkability is merely to not >>> leak any additional data that would cause linkability. NTS does not rectify >>> legacy linkability issues that are already present in NTP. To minimize the >>> risk of being tracked by a passive adversary the NTP client has to minimize >>> the information it transmits within a client request (mode 3 packet) as >>> described in the draft "draft-dfranke-ntp-data-minimization" >>> >>> Also, the objective only holds for actual time synchronization traffic, >>> as opposed to key exchange traffic. This implies that it cannot be >>> guaranteed for devices that function not only as time clients, but also as >>> time servers (because the latter can be externally triggered to send >>> authentication data). >>> >>> >>> What do people here think? >>> >>> Best regards, >>> Kristof >>> _______________________________________________ >>> ntpwg mailing list >>> ntpwg@lists.ntp.org >>> http://lists.ntp.org/listinfo/ntpwg >>> >> >> >> >> -- >> Sharon Goldberg >> Computer Science, Boston University >> http://www.cs.bu.edu/~goldbe >> > > > > -- > Sharon Goldberg > Computer Science, Boston University > http://www.cs.bu.edu/~goldbe > -- Sharon Goldberg Computer Science, Boston University http://www.cs.bu.edu/~goldbe
_______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Unlinkability formulations in merged draf… kristof.teichel
- Re: [ntpwg] Unlinkability formulations in merged … Sharon Goldberg
- Re: [ntpwg] Unlinkability formulations in merged … Sharon Goldberg
- Re: [ntpwg] Unlinkability formulations in merged … Sharon Goldberg