Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-using-nts-for-ntp-23: (with DISCUSS and COMMENT)
Kurt Roeckx <kurt@roeckx.be> Sun, 22 March 2020 23:39 UTC
Return-Path: <kurt@roeckx.be>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 386983A0907; Sun, 22 Mar 2020 16:39:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2AB8mfBxFum; Sun, 22 Mar 2020 16:39:33 -0700 (PDT)
Received: from excelsior.roeckx.be (excelsior.roeckx.be [IPv6:2a05:7300:0:100::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA58E3A0852; Sun, 22 Mar 2020 16:39:32 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by excelsior.roeckx.be (Postfix) with ESMTP id 6F377A8A06C3; Sun, 22 Mar 2020 23:39:30 +0000 (UTC)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 4CF321FE0CC4; Mon, 23 Mar 2020 00:39:30 +0100 (CET)
Date: Mon, 23 Mar 2020 00:39:30 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Ragnar Sundblad <ragge@netnod.se>
Cc: Benjamin Kaduk <kaduk@MIT.EDU>, ntp-chairs@ietf.org, ntp@ietf.org, Karen O'Donoghue <odonoghue@isoc.org>, The IESG <iesg@ietf.org>, draft-ietf-ntp-using-nts-for-ntp@ietf.org
Message-ID: <20200322233930.GK22330@roeckx.be>
References: <158388613361.15157.697889274707951578@ietfa.amsl.com> <D92AF7D4-3CFC-42FB-A8C0-405C98B76658@netnod.se> <20200319212155.GL50174@kduck.mit.edu> <415F5AF0-7F99-42F7-BA8A-FC21A8D3B875@netnod.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <415F5AF0-7F99-42F7-BA8A-FC21A8D3B875@netnod.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/uptu7fW07Lasqy8UGNgNsnGCKxs>
Subject: Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-using-nts-for-ntp-23: (with DISCUSS and COMMENT)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 23:39:53 -0000
On Sun, Mar 22, 2020 at 05:47:16PM +0100, Ragnar Sundblad wrote:
> > > > Section 9
> > > >
> > > > We should probably have some discussion of the consequences of
> > > > compromise of the server's cookie-encryption key. Possibly also for
> > > > when the key associated with a cookie is compromised from a client,
> > > > though if cookies are single-use the scope may be quite limited. (That
> > > > is, since we are using the shared symmetric key for authentication by
> > > > virtue of "I didn't send it so it must be from the other party that has
> > > > the key".)
> > >
> > > NTP and NTS-KE server operators are expected to remove compromised keys as soon
> > > as the compromise is discovered. This would cause the NTP servers to respond
> > > with NTS NAK, thus forcing key renegotiation. We are aware that this does
> > > not protect against MITM attacks where the attacker has access to a
> > > compromised cookie encryption key.
> >
> > I did not doubt that you are aware of this; the question is whether all
> > future readers of this document will similarly be aware.
>
> Right, we added a new section ("Key Compromise") to describe the
> problem and how it should be handled.
I think this is at least a step in the right direction. I think
there are 2 keys:
- The key for the X.509 certificate
- The key that is negiotatiated during NTS-KE
Both of them can be compromised, and I think the new section only
talks about the 2nd key, and talks about how to deal with that
event, but I think it's also important to deal with the first key.
Kurt
- [Ntp] Benjamin Kaduk's Discuss on draft-ietf-ntp-… Benjamin Kaduk via Datatracker
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Franke, Daniel
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Ragnar Sundblad
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Ragnar Sundblad
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Kurt Roeckx
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Sandra Murphy
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Ragnar Sundblad
- Re: [Ntp] Benjamin Kaduk's Discuss on draft-ietf-… Sandra Murphy