Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?

Miroslav Lichvar, Wed, 27 May 2020 10:27 UTC

On Wed, May 27, 2020 at 11:55:36AM +0200, Kurt Roeckx wrote:
> I'm not sure I fully understand what you're talking about, but
> sending an error message that something with the crypto was bad
> is a bad idea. You should pretend that everything was ok. An
> attacker should not be able to see the difference between an ok
> and a not ok message. Look for instance at the TLS RFCs what they
> write about a Bleichenbacher attack.

That doesn't look to me like it would apply to the NTP authentication
using a crypto hash function or AES-(SIV-)CMAC. With Autokey and NTS
the server can respond with a NAK message to let the client know it is
using an old key/cookie. The client doesn't need to guess what is
wrong and can quickly start a new key establishment.

With a symmetric key, there is not much the client can do when it
receives a NAK, except maybe log an error message. I'm not sure how
useful that would be. The admin should be able to figure out what's
wrong even with no error message.

Miroslav Lichvar