IETF Logo Mail Archive

Re: [Ntp] Antwort: Why Roughtime?

Ben Laurie <benl@google.com> Mon, 18 December 2023 15:51 UTC

Return-Path: <benl@google.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0EAC14F615 for <ntp@ietfa.amsl.com>; Mon, 18 Dec 2023 07:51:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j-uzhNBJKtqu for <ntp@ietfa.amsl.com>; Mon, 18 Dec 2023 07:51:17 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D770C14EB17 for <ntp@ietf.org>; Mon, 18 Dec 2023 07:51:17 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id d75a77b69052e-42598c2b0b7so566121cf.1 for <ntp@ietf.org>; Mon, 18 Dec 2023 07:51:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1702914675; x=1703519475; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bz3ywDTy9+P4pL8tv2X8dOKuVdo23kiw6NfSViyC3k4=; b=0SW3HW1cYbdgRcDsur6YYPh0J1o7HvbOC280+WEIiJBVSGEO9fXNv1pwMVw8Lj1uW1 9SmwtMozP5CNh1K/7PkhHC/Y6l5Dszor8VKOgg6FO0/9jOWLeH4k2E1w911E7y923b/h CZLmsw+k5/3K6XE87ztFPNX1ZRXfRQzhkXiX7aUoGX+bnm3EzDHVxpLnWr0BnqhEsByx +Tbp4GvHwehiw2rB3z/uI903HBDsMQVmhdW8YIwLJKcZOLlSwf0RrsqLVs3Iv6hYvdKV FvCagcjVauqVcnCNrxsOA6ZCeAQ6YKkBAIqkWWnlGu8YXxwZhdw7LTVasE8DRUl07cK2 Yobg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702914675; x=1703519475; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bz3ywDTy9+P4pL8tv2X8dOKuVdo23kiw6NfSViyC3k4=; b=CdpYfJKIWDkfEHiacYZkG+SXHW8S4hTkJlawrqxBsFfb2Oqwan3lmgpIYbc+DP7wWt chfoxCXxYeRGiX6cebQQGxLQ8ZjnwRCBmRoH2uDOopBqFxcuuNCnq+RUwg7G1esTAR1+ a/j0xsmx5Q4yeynySl3JaAT4ZnWpXUIPKHE6pi0AoFQrMjnYHbBZ1PDcLGteEl7/v4wX FPyjSJqr1IRBrvmSk0eDQ4eH05ESQ2SzATvXTFjsRwoQw379e21aB9kP7N5hTkTPEHHG wzD3lUWdWvFvwJaDm0YA7saGk4kYejwalUS0OPizNFmPa62/lBdCEhcMkY4w+L5ySr2I Sw0g==
X-Gm-Message-State: AOJu0Ywg+Mxvi7l2U1dqcHfx8wLyOiM5rudGSqJkfrZzJYWCBU4vc8N9 3KWMLSGLxggq6AuU36Lc9/o7TAR3BhKnszF8+4KEl0llGR1+Q2ESwtdfD8uNYg==
X-Google-Smtp-Source: AGHT+IGGkZ/mU2RBadN7jix47csekPXfLjT0B8qrEKRWPMtRe4Fmueplaxcg61LBYgW3G0EZQKB+6diK/tyMMUh2pA8=
X-Received: by 2002:a05:622a:1341:b0:421:b83e:9845 with SMTP id w1-20020a05622a134100b00421b83e9845mr438548qtk.8.1702914675346; Mon, 18 Dec 2023 07:51:15 -0800 (PST)
MIME-Version: 1.0
References: <20231217043500.99D6128C1C3@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <OFD134C0BA.CC9AC877-ONC1258A89.0029CB64-C1258A89.002CCA3E@ptb.de> <CABrd9SSeQvpSY1JiJn3Nh9FsMFOo1Djk8nR9DoQ1EfRRdOyv7w@mail.gmail.com> <OF60491801.92770502-ONC1258A89.005050E8-C1258A89.005431B9@ptb.de>
In-Reply-To: <OF60491801.92770502-ONC1258A89.005050E8-C1258A89.005431B9@ptb.de>
From: Ben Laurie <benl@google.com>
Date: Mon, 18 Dec 2023 15:50:55 +0000
Message-ID: <CABrd9STd9PSWWXB+=Uvg_p-8RLm4_qFofXoF1mN8NHdNoYqL5w@mail.gmail.com>
To: martin.langer=40ptb.de@dmarc.ietf.org
Cc: kristof.teichel@ptb.de, Hal Murray <halmurray@sonic.net>, ntp@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004ee4ed060ccab839"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/pS49DlJEVb089gK9QAVWvzxp6xw>
Subject: Re: [Ntp] Antwort: Why Roughtime?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2023 15:51:18 -0000

On Mon, 18 Dec 2023 at 15:20, <martin.langer=40ptb.de@dmarc.ietf.org> wrote:

> Hello all,
>
> But if I configure an NTS server in my client and the keys and
> certificates are valid,
> then I would expect the server not to intentionally send me false time
> information.


Why?

 ...and if I have multiple NTS-secured time servers, then the client can
> also protect
> itself against Byzantine errors.


>
> I'm still not really convinced by the server malfeasance mechanism. Is
> this really
> necessary for a "rough" time? What are the advantages over handling
> Byzantine
> errors or using something like NTP pools?


Evidence - badly behaved servers, whether deliberately so or not, can have
their behaviour revealed and get removed from pools.

In my humble opinion, Roughtime offers an advantage if I have weak hardware
> that doesn't or can't do TLS, so you just digitally sign the time
> information directly.
>
> I'd be happier if it didn't give the impression (as it does in some blogs
> and papers)
> that Roughtime solves the chicken-and-egg problem.


Verifiable transparency (and that is definitely the way I prefer to think
about roughtime) has been shown to be useful as a security mechanism. Since
time is absolutely key to many security protocols, we need high assurance
that time is correct. NTS provides no *verifiable* assurance at all,
roughtime does.


> I also want Roughtime to be
> minimalistic. ...why not just sign a Unix timestamp in seconds or max.
> milliseconds
> with EC or ED25519 and send it from the server to the client?  ...or NTPv4
> with an
> extension field containing a digital signature.  ...something like that as
> a suggestion.
>
> but I may be seeing several things wrong. ...I'm always happy to be proven
> wrong.
>
> kind regards,
> Martin
>
> __________________________________________
>
> Dr.-Ing. Martin Langer
> Physikalisch-Technische Bundesanstalt (PTB)
> Working Group 4.42 "Dissemination of Time"
> Bundesallee 100,
> 38116 Braunschweig (Germany)
> Tel.: +49 531 592-4470 <+49%20531%205924470>
> E-Mail: martin.langer@ptb.de
> __________________________________________
>
>
>
> Von:        "Ben Laurie" <benl=40google.com@dmarc.ietf.org>
> An:        kristof.teichel=40ptb.de@dmarc.ietf.org
> Kopie:        "Hal Murray" <halmurray@sonic.net>, ntp@ietf.org
> Datum:        18.12.2023 15:11
> Betreff:        Re: [Ntp] Antwort: Why Roughtime?
> Gesendet von:        "ntp" <ntp-bounces@ietf.org>
> ------------------------------
>
>
>
>
>
> On Mon, 18 Dec 2023 at 08:09, <kristof.teichel=*40ptb.de@dmarc.ietf.org*
> <40ptb.de@dmarc.ietf.org>> wrote:
> Hey Hal, all,
>
> I whole-heartedly agree with Hal's points.
> In June, Martin and I sent a lengthy mail containing feedback on the
> Roughtime draft.
> Perhaps there was too much in there for these points (malfeasance
> reporting is unclear what it would actually do; no malfeasance report
> doesn't mean good intentions; any security protocol could just ditch key
> lifetimes and go back to pre-shared keys [and thereby eliminate TLS] with
> little extra work, NTS too) to really come through succinctly, but all of
> them have been concerns of ours as well.
>
> Further, I still think it is a bad idea to say 'We solve the
> chicken-and-egg problem of bootstrapping' with what seems like a mere
> reduction of a security feature (key lifetimes). It feels more like
> navigating around one of the operational ways in which the problem
> manifests rather than solving it (which makes sense, since the problem is
> probably fundamentally unsolvable). And to be clear: I'm not saying at all
> that it's bad to use long-term keys - I am just saying it's dangerous to
> imply that this is the bootstrapping solution the world has been waiting for
>
> I think you've both missed an important point: if an NTS server gives me
> incorrect time and I point that out, there's no way for you to know, in
> general, whether my claim is true or not. With roughtime, I can present
> evidence.
>
> Besten Gruß / Kind regards,
> Kristof Teichel
>
> __________________________________________
>
> Dr.-Ing. Kurt Kristof Teichel
> Physikalisch-Technische Bundesanstalt (PTB)
> Arbeitsgruppe 4.42 "Zeitübertragung"
> Bundesallee 100
> 38116 Braunschweig (Germany)
> Tel.: *+49 531 592-4471* <+49%20531%205924471>
> E-Mail: *kristof.teichel@ptb.de* <kristof.teichel@ptb.de>
> __________________________________________
>
>
> -----"ntp" <*ntp-bounces@ietf.org* <ntp-bounces@ietf.org>> schrieb: -----
> An: *ntp@ietf.org* <ntp@ietf.org>
> Von: "Hal Murray" <*halmurray@sonic.net* <halmurray@sonic.net>>
> Gesendet von: "ntp" <*ntp-bounces@ietf.org* <ntp-bounces@ietf.org>>
> Datum: 17.12.2023 05:35
> Kopie: "Hal Murray" <*halmurray@sonic.net* <halmurray@sonic.net>>
> Betreff: [Ntp] Why Roughtime?
>
> I think Roughtime has 2 goals:
>
> The first is:
>   Furthermore clients may lack even a basic idea of the time, creating
>   bootstrapping problems. Roughtime uses a list of keys and servers
>   to resolve this issue.
>
> The second is:
>   Roughtime is a protocol for rough time synchronization that
>   enables clients to provide cryptographic proof of server malfeasance.
>
> Why do we need a separate protocol and separate servers?
>
> For the bootstraping problem, the important idea is key lifetime.  NTS
> uses traditional web certificates and their root certificate bundle.  The
> root certificate bundle is distributed and maintained by OSes/distros so
> NTS doesn't have to operate a separate key distribution mechanism.  That
> path has a limited key lifetime policy.  If it isn't long enough, we will
> have to use self signed certificates and invent a new key distribution
> mechanism.  Roughtime has the same problem so whatever they are planning to
> use for key distribution can be used by NTS to distribute their self-signed
> root certificates.
>
> Note that "lifetime" is a potentially ambiguous term.  Suppose you get a
> certificate with a 2 year lifetime.  That clock starts ticking when you
> purchase the certificate.  After a year, the useful lifetime is the time
> remaining, only 1 year.  The clock keeps ticking while the box and firmware
> are sitting on a retail shelf or the spares shelf.
>
> We should issue a new key every year or so even if their lifetime is 10s
> of years.  There is no significant cost to a server to support 100s of
> keys.  The newer ones will have a longer useful life -- last year's key
> will expire a year before this year's key.
>
> What is Roughtime's target market?  What sort of key lifetime does that
> need?
> How about traffic volume?
>
>
> On to server malfeasance.
>
> I'm curious about the proof part.  Is Roughtime planning to take server
> operators to court?
> Where else would you need a strong proof as compared to "Hey, your server
> is broken!"?
>
> The NTP pool has a monitoring system that drops a server when it doesn't
> respond or returns time that is too far off.  It sends email to the
> operator.
>
> NTS already signs NTP packets and that includes a nonce field.  The catch
> is that the key used for signing each packet is a client-server working key
> rather than a private key of a public/private pair.  We can fix that by
> adding a slot to NTS-KE which is the KE server signing the working key with
> it's private key.  (If the working key is exposed in a malfeasance report,
> the client needs to run NTS-KE again to get a new one.)
>
> Wikipedia says;
>   Malfeasance is the willful and intentional action that injures a party.
>
> The proof scheme described by Roughtime doesn't prove the "willful and
> intentional" part.  Servers screwup because of bugs in software, firmware,
> or hardware as well as network troubles and bad luck and inadequate
> operational procedures.
>
> There is another aspect to consider.  The lack of malfeasance reports
> doesn't prove correct operations.  If a bad guy takes over a server, he can
> respond correctly except to the system he is attacking.  You can't depend
> on monitoring by other sites.
>
>
> In recent mail, Chris mentioned "consensus".  NTP already does that.  Does
> Roughtime have better heuristics for consensus than NTP is using?
>
>
> Have I missed something that Roughtime does and NTP can't do with a simple
> extension?
>
>
> --
> These are my opinions.  I hate spam.
>
>
>
> _______________________________________________
> ntp mailing list
> *ntp@ietf.org* <ntp@ietf.org>
> *https://www.ietf.org/mailman/listinfo/ntp*
> <https://www.ietf.org/mailman/listinfo/ntp>
> _______________________________________________
> ntp mailing list
> *ntp@ietf.org* <ntp@ietf.org>
> *https://www.ietf.org/mailman/listinfo/ntp*
> <https://www.ietf.org/mailman/listinfo/ntp>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
>
>
>

v2.23.0 | Report a Bug | By Email