Re: [Ntp] Antwort: Why Roughtime?
Ben Laurie <benl@google.com> Mon, 18 December 2023 15:51 UTC
Return-Path: <benl@google.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0EAC14F615 for <ntp@ietfa.amsl.com>; Mon, 18 Dec 2023 07:51:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j-uzhNBJKtqu for <ntp@ietfa.amsl.com>; Mon, 18 Dec 2023 07:51:17 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D770C14EB17 for <ntp@ietf.org>; Mon, 18 Dec 2023 07:51:17 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id d75a77b69052e-42598c2b0b7so566121cf.1 for <ntp@ietf.org>; Mon, 18 Dec 2023 07:51:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1702914675; x=1703519475; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bz3ywDTy9+P4pL8tv2X8dOKuVdo23kiw6NfSViyC3k4=; b=0SW3HW1cYbdgRcDsur6YYPh0J1o7HvbOC280+WEIiJBVSGEO9fXNv1pwMVw8Lj1uW1 9SmwtMozP5CNh1K/7PkhHC/Y6l5Dszor8VKOgg6FO0/9jOWLeH4k2E1w911E7y923b/h CZLmsw+k5/3K6XE87ztFPNX1ZRXfRQzhkXiX7aUoGX+bnm3EzDHVxpLnWr0BnqhEsByx +Tbp4GvHwehiw2rB3z/uI903HBDsMQVmhdW8YIwLJKcZOLlSwf0RrsqLVs3Iv6hYvdKV FvCagcjVauqVcnCNrxsOA6ZCeAQ6YKkBAIqkWWnlGu8YXxwZhdw7LTVasE8DRUl07cK2 Yobg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702914675; x=1703519475; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bz3ywDTy9+P4pL8tv2X8dOKuVdo23kiw6NfSViyC3k4=; b=CdpYfJKIWDkfEHiacYZkG+SXHW8S4hTkJlawrqxBsFfb2Oqwan3lmgpIYbc+DP7wWt chfoxCXxYeRGiX6cebQQGxLQ8ZjnwRCBmRoH2uDOopBqFxcuuNCnq+RUwg7G1esTAR1+ a/j0xsmx5Q4yeynySl3JaAT4ZnWpXUIPKHE6pi0AoFQrMjnYHbBZ1PDcLGteEl7/v4wX FPyjSJqr1IRBrvmSk0eDQ4eH05ESQ2SzATvXTFjsRwoQw379e21aB9kP7N5hTkTPEHHG wzD3lUWdWvFvwJaDm0YA7saGk4kYejwalUS0OPizNFmPa62/lBdCEhcMkY4w+L5ySr2I Sw0g==
X-Gm-Message-State: AOJu0Ywg+Mxvi7l2U1dqcHfx8wLyOiM5rudGSqJkfrZzJYWCBU4vc8N9 3KWMLSGLxggq6AuU36Lc9/o7TAR3BhKnszF8+4KEl0llGR1+Q2ESwtdfD8uNYg==
X-Google-Smtp-Source: AGHT+IGGkZ/mU2RBadN7jix47csekPXfLjT0B8qrEKRWPMtRe4Fmueplaxcg61LBYgW3G0EZQKB+6diK/tyMMUh2pA8=
X-Received: by 2002:a05:622a:1341:b0:421:b83e:9845 with SMTP id w1-20020a05622a134100b00421b83e9845mr438548qtk.8.1702914675346; Mon, 18 Dec 2023 07:51:15 -0800 (PST)
MIME-Version: 1.0
References: <20231217043500.99D6128C1C3@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <OFD134C0BA.CC9AC877-ONC1258A89.0029CB64-C1258A89.002CCA3E@ptb.de> <CABrd9SSeQvpSY1JiJn3Nh9FsMFOo1Djk8nR9DoQ1EfRRdOyv7w@mail.gmail.com> <OF60491801.92770502-ONC1258A89.005050E8-C1258A89.005431B9@ptb.de>
In-Reply-To: <OF60491801.92770502-ONC1258A89.005050E8-C1258A89.005431B9@ptb.de>
From: Ben Laurie <benl@google.com>
Date: Mon, 18 Dec 2023 15:50:55 +0000
Message-ID: <CABrd9STd9PSWWXB+=Uvg_p-8RLm4_qFofXoF1mN8NHdNoYqL5w@mail.gmail.com>
To: martin.langer=40ptb.de@dmarc.ietf.org
Cc: kristof.teichel@ptb.de, Hal Murray <halmurray@sonic.net>, ntp@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004ee4ed060ccab839"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/pS49DlJEVb089gK9QAVWvzxp6xw>
Subject: Re: [Ntp] Antwort: Why Roughtime?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2023 15:51:18 -0000
On Mon, 18 Dec 2023 at 15:20, <martin.langer=40ptb.de@dmarc.ietf.org> wrote: > Hello all, > > But if I configure an NTS server in my client and the keys and > certificates are valid, > then I would expect the server not to intentionally send me false time > information. Why? ...and if I have multiple NTS-secured time servers, then the client can > also protect > itself against Byzantine errors. > > I'm still not really convinced by the server malfeasance mechanism. Is > this really > necessary for a "rough" time? What are the advantages over handling > Byzantine > errors or using something like NTP pools? Evidence - badly behaved servers, whether deliberately so or not, can have their behaviour revealed and get removed from pools. In my humble opinion, Roughtime offers an advantage if I have weak hardware > that doesn't or can't do TLS, so you just digitally sign the time > information directly. > > I'd be happier if it didn't give the impression (as it does in some blogs > and papers) > that Roughtime solves the chicken-and-egg problem. Verifiable transparency (and that is definitely the way I prefer to think about roughtime) has been shown to be useful as a security mechanism. Since time is absolutely key to many security protocols, we need high assurance that time is correct. NTS provides no *verifiable* assurance at all, roughtime does. > I also want Roughtime to be > minimalistic. ...why not just sign a Unix timestamp in seconds or max. > milliseconds > with EC or ED25519 and send it from the server to the client? ...or NTPv4 > with an > extension field containing a digital signature. ...something like that as > a suggestion. > > but I may be seeing several things wrong. ...I'm always happy to be proven > wrong. > > kind regards, > Martin > > __________________________________________ > > Dr.-Ing. Martin Langer > Physikalisch-Technische Bundesanstalt (PTB) > Working Group 4.42 "Dissemination of Time" > Bundesallee 100, > 38116 Braunschweig (Germany) > Tel.: +49 531 592-4470 <+49%20531%205924470> > E-Mail: martin.langer@ptb.de > __________________________________________ > > > > Von: "Ben Laurie" <benl=40google.com@dmarc.ietf.org> > An: kristof.teichel=40ptb.de@dmarc.ietf.org > Kopie: "Hal Murray" <halmurray@sonic.net>, ntp@ietf.org > Datum: 18.12.2023 15:11 > Betreff: Re: [Ntp] Antwort: Why Roughtime? > Gesendet von: "ntp" <ntp-bounces@ietf.org> > ------------------------------ > > > > > > On Mon, 18 Dec 2023 at 08:09, <kristof.teichel=*40ptb.de@dmarc.ietf.org* > <40ptb.de@dmarc.ietf.org>> wrote: > Hey Hal, all, > > I whole-heartedly agree with Hal's points. > In June, Martin and I sent a lengthy mail containing feedback on the > Roughtime draft. > Perhaps there was too much in there for these points (malfeasance > reporting is unclear what it would actually do; no malfeasance report > doesn't mean good intentions; any security protocol could just ditch key > lifetimes and go back to pre-shared keys [and thereby eliminate TLS] with > little extra work, NTS too) to really come through succinctly, but all of > them have been concerns of ours as well. > > Further, I still think it is a bad idea to say 'We solve the > chicken-and-egg problem of bootstrapping' with what seems like a mere > reduction of a security feature (key lifetimes). It feels more like > navigating around one of the operational ways in which the problem > manifests rather than solving it (which makes sense, since the problem is > probably fundamentally unsolvable). And to be clear: I'm not saying at all > that it's bad to use long-term keys - I am just saying it's dangerous to > imply that this is the bootstrapping solution the world has been waiting for > > I think you've both missed an important point: if an NTS server gives me > incorrect time and I point that out, there's no way for you to know, in > general, whether my claim is true or not. With roughtime, I can present > evidence. > > Besten Gruß / Kind regards, > Kristof Teichel > > __________________________________________ > > Dr.-Ing. Kurt Kristof Teichel > Physikalisch-Technische Bundesanstalt (PTB) > Arbeitsgruppe 4.42 "Zeitübertragung" > Bundesallee 100 > 38116 Braunschweig (Germany) > Tel.: *+49 531 592-4471* <+49%20531%205924471> > E-Mail: *kristof.teichel@ptb.de* <kristof.teichel@ptb.de> > __________________________________________ > > > -----"ntp" <*ntp-bounces@ietf.org* <ntp-bounces@ietf.org>> schrieb: ----- > An: *ntp@ietf.org* <ntp@ietf.org> > Von: "Hal Murray" <*halmurray@sonic.net* <halmurray@sonic.net>> > Gesendet von: "ntp" <*ntp-bounces@ietf.org* <ntp-bounces@ietf.org>> > Datum: 17.12.2023 05:35 > Kopie: "Hal Murray" <*halmurray@sonic.net* <halmurray@sonic.net>> > Betreff: [Ntp] Why Roughtime? > > I think Roughtime has 2 goals: > > The first is: > Furthermore clients may lack even a basic idea of the time, creating > bootstrapping problems. Roughtime uses a list of keys and servers > to resolve this issue. > > The second is: > Roughtime is a protocol for rough time synchronization that > enables clients to provide cryptographic proof of server malfeasance. > > Why do we need a separate protocol and separate servers? > > For the bootstraping problem, the important idea is key lifetime. NTS > uses traditional web certificates and their root certificate bundle. The > root certificate bundle is distributed and maintained by OSes/distros so > NTS doesn't have to operate a separate key distribution mechanism. That > path has a limited key lifetime policy. If it isn't long enough, we will > have to use self signed certificates and invent a new key distribution > mechanism. Roughtime has the same problem so whatever they are planning to > use for key distribution can be used by NTS to distribute their self-signed > root certificates. > > Note that "lifetime" is a potentially ambiguous term. Suppose you get a > certificate with a 2 year lifetime. That clock starts ticking when you > purchase the certificate. After a year, the useful lifetime is the time > remaining, only 1 year. The clock keeps ticking while the box and firmware > are sitting on a retail shelf or the spares shelf. > > We should issue a new key every year or so even if their lifetime is 10s > of years. There is no significant cost to a server to support 100s of > keys. The newer ones will have a longer useful life -- last year's key > will expire a year before this year's key. > > What is Roughtime's target market? What sort of key lifetime does that > need? > How about traffic volume? > > > On to server malfeasance. > > I'm curious about the proof part. Is Roughtime planning to take server > operators to court? > Where else would you need a strong proof as compared to "Hey, your server > is broken!"? > > The NTP pool has a monitoring system that drops a server when it doesn't > respond or returns time that is too far off. It sends email to the > operator. > > NTS already signs NTP packets and that includes a nonce field. The catch > is that the key used for signing each packet is a client-server working key > rather than a private key of a public/private pair. We can fix that by > adding a slot to NTS-KE which is the KE server signing the working key with > it's private key. (If the working key is exposed in a malfeasance report, > the client needs to run NTS-KE again to get a new one.) > > Wikipedia says; > Malfeasance is the willful and intentional action that injures a party. > > The proof scheme described by Roughtime doesn't prove the "willful and > intentional" part. Servers screwup because of bugs in software, firmware, > or hardware as well as network troubles and bad luck and inadequate > operational procedures. > > There is another aspect to consider. The lack of malfeasance reports > doesn't prove correct operations. If a bad guy takes over a server, he can > respond correctly except to the system he is attacking. You can't depend > on monitoring by other sites. > > > In recent mail, Chris mentioned "consensus". NTP already does that. Does > Roughtime have better heuristics for consensus than NTP is using? > > > Have I missed something that Roughtime does and NTP can't do with a simple > extension? > > > -- > These are my opinions. I hate spam. > > > > _______________________________________________ > ntp mailing list > *ntp@ietf.org* <ntp@ietf.org> > *https://www.ietf.org/mailman/listinfo/ntp* > <https://www.ietf.org/mailman/listinfo/ntp> > _______________________________________________ > ntp mailing list > *ntp@ietf.org* <ntp@ietf.org> > *https://www.ietf.org/mailman/listinfo/ntp* > <https://www.ietf.org/mailman/listinfo/ntp> > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp > > >
- [Ntp] Why Roughtime? Hal Murray
- [Ntp] Antwort: Why Roughtime? kristof.teichel
- Re: [Ntp] Antwort: Why Roughtime? Ben Laurie
- Re: [Ntp] Antwort: Why Roughtime? martin.langer
- Re: [Ntp] Antwort: Why Roughtime? Ben Laurie
- [Ntp] Antwort: Re: Antwort: Why Roughtime? kristof.teichel
- [Ntp] Antwort: Re: Antwort: Why Roughtime? kristof.teichel
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Watson Ladd
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Daniel Franke
- Re: [Ntp] Antwort: Why Roughtime? Hal Murray
- Re: [Ntp] Antwort: Why Roughtime? Daniel Franke
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Hal Murray
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Hal Murray
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Daniel Franke
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Ben Laurie
- Re: [Ntp] Antwort: Why Roughtime? Ben Laurie
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? 黄振天
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? 黄振天
- Re: [Ntp] Antwort: Re: Antwort: Why Roughtime? Zhentian Huang
- Re: [Ntp] Antwort: Why Roughtime? wangshuai@mail.zgclab.edu.cn