Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?

Miroslav Lichvar <mlichvar@redhat.com> Wed, 27 May 2020 10:27 UTC

Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9FAF3A0CDA for <ntp@ietfa.amsl.com>; Wed, 27 May 2020 03:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qnsi13dPGHO6 for <ntp@ietfa.amsl.com>; Wed, 27 May 2020 03:27:20 -0700 (PDT)
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EBCC3A0CD6 for <ntp@ietf.org>; Wed, 27 May 2020 03:27:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1590575239; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=NaKuY6ttnCchzhpvCOtRy2ejC5U9D50J/auQ/Y0FXaU=; b=GenKw8ItjXDiDBe/OAxvsZ/6E94f3K3Poeto3TXX6ZH15743Bcv5hNELduJjE2ep8spt28 PX48ieZZ/rgiTTHpcUAU1QqPfDXQmVBLbpMxRuJgHTpSwgcrxyETqUT8/cQDthizRwlADl v6jftjqLwICF42asBPhqCdAZTu8uDrQ=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-171-DOIibGGNPguTJUluez3QJQ-1; Wed, 27 May 2020 06:27:17 -0400
X-MC-Unique: DOIibGGNPguTJUluez3QJQ-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A4414100CCC2; Wed, 27 May 2020 10:27:15 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7F484619C0; Wed, 27 May 2020 10:27:12 +0000 (UTC)
Date: Wed, 27 May 2020 12:24:59 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, Hal Murray <hmurray@megapathdsl.net>, "ntp@ietf.org" <ntp@ietf.org>
Message-ID: <20200527102459.GA1749@localhost>
References: <68248D4C020000916A6A8CFC@gwsmtp.uni-regensburg.de> <54A83DA70200003B43047E14@gwsmtp.uni-regensburg.de> <5ECE33E0020000A10003934B@gwsmtp.uni-regensburg.de> <20200527095536.GR2915@roeckx.be>
MIME-Version: 1.0
In-Reply-To: <20200527095536.GR2915@roeckx.be>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/npPYbWOLk_cPGU4MfDTdtS8xA20>
Subject: Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 10:27:22 -0000

On Wed, May 27, 2020 at 11:55:36AM +0200, Kurt Roeckx wrote:
> I'm not sure I fully understand what you're talking about, but
> sending an error message that something with the crypto was bad
> it a bad idea. You should pretend that everything was ok. An
> attacker should not be able to see the difference between an ok
> and a not ok message. Look for instance at the TLS RFCs what they
> write about a Bleichenbacher attack.

That doesn't look to me like it would apply to the NTP authentication
using a crypto hash function or AES-(SIV-)CMAC. With Autokey and NTS
the server can respond with a NAK message to let the client know it is
using an old key/cookie. The client doesn't need to guess what is
wrong and can quickly start a new key establishment.

With a symmetric key, there is not much the client can do when it
receives a NAK, except maybe log an error message. I'm not sure how
useful that would be. The admin should be able to figure it out what's
wrong even with no error message.

-- 
Miroslav Lichvar