[ntpwg] Antwort: Comments on various NTS drafts
dieter.sibold@ptb.de Wed, 15 April 2015 04:09 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 298DF1B2B9E for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Tue, 14 Apr 2015 21:09:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3WtwSb3eDJ2L for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Tue, 14 Apr 2015 21:09:22 -0700 (PDT)
Received: from psp3.ntp.org (psp3.ntp.org [149.20.68.23]) by ietfa.amsl.com (Postfix) with ESMTP id 985691B2B9F for <ntp-archives-ahFae6za@lists.ietf.org>; Tue, 14 Apr 2015 21:09:22 -0700 (PDT)
Received: from psp3.ntp.org (localhost.ntp.org [127.0.0.1]) by psp3.ntp.org (Postfix) with ESMTP id 8FEB939877 for <ntp-archives-ahFae6za@lists.ietf.org>; Tue, 14 Apr 2015 21:09:22 -0700 (PDT)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id D1ACA86D48C for <ntpwg@lists.ntp.org>; Sun, 12 Apr 2015 03:06:39 +0000 (UTC)
Received: from mx1.bs.ptb.de ([192.53.103.106]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <dieter.sibold@ptb.de>) id 1Yh8E4-0002tT-GU for ntpwg@lists.ntp.org; Sun, 12 Apr 2015 03:06:39 +0000
Received: from mx1.bs.ptb.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 5AEBFD6E5DB; Fri, 10 Apr 2015 16:11:41 +0200 (CEST)
Received: from rose.bs.ptb.de (rose.bs.ptb.de [141.25.85.201]) by mx1.bs.ptb.de (Postfix) with ESMTP id 3A65ED69E2D; Fri, 10 Apr 2015 16:11:41 +0200 (CEST)
In-Reply-To: <551D1150.5080500@redhat.com>
References: <551D1150.5080500@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
MIME-Version: 1.0
X-KeepSent: EC232DE6:A8D2B0E6-C1257E23:004D3B95; type=4; name=$KeepSent
X-Mailer: IBM Notes Release 9.0.1FP3 January 12, 2015
Message-ID: <OFEC232DE6.A8D2B0E6-ONC1257E23.004D3B95-C1257E23.004DF89C@ptb.de>
From: dieter.sibold@ptb.de
Date: Fri, 10 Apr 2015 16:11:39 +0200
X-MIMETrack: S/MIME Sign by eclipse on Dieter Sibold/PTB(Release 9.0.1FP3|January 12, 2015) at 10.04.2015 16:11:39, Serialize by eclipse on Dieter Sibold/PTB(Release 9.0.1FP3|January 12, 2015) at 10.04.2015 16:11:39, Serialize complete at 10.04.2015 16:11:39, Itemize by eclipse on Dieter Sibold/PTB(Release 9.0.1FP3|January 12, 2015) at 10.04.2015 16:11:40, S/MIME Sign complete at 10.04.2015 16:11:40, Serialize by Router on ROSE/PTB(Release 9.0.1FP3HF79 | February 9, 2015) at 04/10/2015 16:11:41, Serialize complete at 04/10/2015 16:11:41
X-SA-Exim-Connect-IP: 192.53.103.106
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: dieter.sibold@ptb.de
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: [ntpwg] Antwort: Comments on various NTS drafts
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: ntpwg@lists.ntp.org
Content-Type: multipart/mixed; boundary="===============6148188470893215293=="
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
Hello Florian, we added some mor questions to your initial comments. ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org schrieb am 02.04.2015 11:52:16: > Von: Florian Weimer <fweimer@redhat.com> > An: ntpwg@lists.ntp.org > Datum: 03.04.2015 06:03 > Betreff: [ntpwg] Comments on various NTS drafts > Gesendet von: ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org > > Here are a few comments on those drafts. I hope they are useful. > > I strongly recommend reusing (D)TLS instead of implementing your own > cryptographic protocol. I have marked the issues which would go away > with a proper implementation of (D)TLS with ?(D)?. With DTLS, the > server could just send the client cookie and the HMAC key, disregarding > the client certificate. Do I understand it correctly that you're proposing something like: * do the key exchange via dtls * the server creates a random client cookie and calculates the client specific key from that (using a server secret as well) and sends both to the client * the time sync packets would just send the rand in the request and the server can calculate the shared key for the response > > # RFC 7384 compliance > > First of all, the proposed protocol fails to implement the requirements > of RFC 7384. This is mostly due to the fact that several of its > requirements are *impossible* to implement: > > Section 5.1.2 is likely bogus because it is not implementable in > practice (end-to-end security makes intermediate clocks obsolete). > > Section 5.6.1 requires frequent key refresh. This is impossible to > implement in practice (ultimate keys cannot be refreshed without > operator intervention), and not necessary as long as sufficiently strong > cryptographic primitives (non-broken algorithms) are used. > > Section 5.9 is impossible to implement. There is no protection against > DoS from MITM attacks. Protection against low-rate message spoofing > without knowledge of the keys seems reasonable, though. > > In addition, RFC 7384, Section 3.2.10 indicates that securing the time > source of an entire organization from an external source is out of > scope. However, this is likely the most common application of a security > time protocol. > > # draft-ietf-ntp-network-time-security-08 > > * The client host name in the client_assoc is an unnecessary information > leak. > > * The client_assoc message needs a mechanism to select the server > certificate. This is desirable for metrics and required for server key > rollover without locking out the existing clients. Without this > mechanism, it is necessary to use multiple IP addresses. (D) via SNI. > > * The integrity checks on the server_assoc response are unclear. It is > not specified if host name verification is performed. (D) > > * In a trivial UDP-based implementation, the server_assoc response is > computed before two-way communication with the client IP address has > been proven, resulting in a denial of service vulnerability (CPU > overload due to signature computation for spoofed clients, traffic > amplification due to larger server response). This also affects the > server_cook message generation. Photuris cookies would address this. (D) > > * The server_cook message uses non-hybrid asymmetric encryption. With > ECC, this does not work because the provided payload space is not large > enough. The usual hybrid scheme should be used instead. This means that > an additional cryptographic primitive has to be negotiated. (D) > > * Client certificate management is a red flag for many organizations. It > would be better if the protocol would not use a client certificate at > all, and some other key agreement scheme (e.g., application key > extraction with TLS/DTLS, without client certificates, or a TLS response > containing an encrypted session key). (D) The client certificates can just be generated on the fly and don't have to be managed by the organization, i.e. they are self-signed. Actually, a random public key would be enough at this point, the cert is just there since it's easier to handle. > > * With a server without per-client state, the HMAC key setup has to be > performed on each response. This is quite costly. A different MAC > could be quite a bit cheaper in terms of CPU overhead. > > * I have doubts about the use of TESLA. > > . Is there sufficient operational experience with this protocol? > > . It is never stated explicitly, but reading the protocol > descriptions, it is expected that TESLA is secure against malicious > recipients. > > . TESLA uses a race condition for security, which seems inherently risky. > > . The use of time for security purposes interacts in a complex way > with using TESLA for time synchronization. > > # draft-ietf-ntp-cms-for-nts-message-02 > > * DER is used even for fast-path time synchronization messages (not just > for the handshake). This seems unnecessary. > > * Requiring a new OID in the Extended Key Usages attribute of > certificates (section 4) means that the browser PKI cannot be used to > authenticate hosts. This seems quite wrong. > > * Not all CMS algorithm parameters are negotiated at the NTS layer, as > suspected. (D) > > # draft-ietf-ntp-using-nts-for-ntp-00 > > * There is no cookie protection of server_assoc/server_cook responses, > as explained above. This is quite bad. (D) > > * The proposed protocol does not address UDP message size limitations. > UDP fragmentation is fundamentally broken. (D) Actually, that is on our To Do list. > > -- > Florian Weimer / Red Hat Product Security > _______________________________________________ > ntpwg mailing list > ntpwg@lists.ntp.org > http://lists.ntp.org/listinfo/ntpwg
_______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Comments on various NTS drafts Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Richard Welty
- Re: [ntpwg] Comments on various NTS drafts Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Richard Welty
- [ntpwg] Antwort: Re: Comments on various NTS draf… dieter.sibold
- [ntpwg] Antwort: Comments on various NTS drafts dieter.sibold
- Re: [ntpwg] Antwort: Comments on various NTS draf… Florian Weimer
- Re: [ntpwg] Antwort: Re: Comments on various NTS … Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Florian Weimer
- [ntpwg] Antwort: Re: Comments on various NTS draf… dieter.sibold
- [ntpwg] Antw: Re: Antwort: Re: Comments on variou… Ulrich Windl
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… Florian Weimer
- Re: [ntpwg] Antwort: Re: Comments on various NTS … Florian Weimer
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… kristof.teichel
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… Florian Weimer