Re: [openpgp] Dealing with clock skew

Jon Callas <joncallas@icloud.com> Sat, 16 November 2019 23:06 UTC

Return-Path: <joncallas@icloud.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A5A412022E for <openpgp@ietfa.amsl.com>; Sat, 16 Nov 2019 15:06:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EFUn4TvC8QV for <openpgp@ietfa.amsl.com>; Sat, 16 Nov 2019 15:06:15 -0800 (PST)
Received: from pv50p00im-ztdg10012001.me.com (pv50p00im-ztdg10012001.me.com [17.58.6.51]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBD6A12006F for <openpgp@ietf.org>; Sat, 16 Nov 2019 15:06:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1573945574; bh=2dnGcdfWX5AnIwBBlHWkazzkOUjPciN4cm9zlquSuE0=; h=Content-Type:Subject:From:Date:Message-Id:To; b=CNsRrcRKY8I/9dBb5EW2P9L714Pu/DvC+d+IacQnJwLUGBUXcNsaiE1EUCdO5hJyF m0+EBVk85Sd30JPMPkyPpFTV4C3Evtch3xqPuvwQR75h/5gldcdbqD9LZB/tUgbtRB vvOMvMgMHMO28zP5eTjp5DZoj2cKOL/27OQIEkMjaQVwITEiFuXOXkxLrY1ZMBd0vx kphaW8Efh1cB9SYyTqSSVH3F4WDUub7HE6I3SQsNmHc5dX0KoV40xb6GAbCVkNs/VB WgN/QS1lRAXw8kHqtHbE2F/O/fGhpNrkuXNfSl66ZjpwDu/EhiBHvdTBs/zPeebYPC XToz9c7jLKW8Q==
Received: from [192.168.7.69] (thing1.merrymeet.com [173.164.244.99]) by pv50p00im-ztdg10012001.me.com (Postfix) with ESMTPSA id 378412807B8; Sat, 16 Nov 2019 23:06:14 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Jon Callas <joncallas@icloud.com>
In-Reply-To: <e91c2197-e7f4-b17a-7c6e-81c6e03a3966@pep.foundation>
Date: Sat, 16 Nov 2019 15:06:13 -0800
Cc: Jon Callas <joncallas@icloud.com>, openpgp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E1285219-4AF1-4C92-89D1-38B0D57FBC47@icloud.com>
References: <87zhgxo0bm.wl-neal@walfield.org> <e91c2197-e7f4-b17a-7c6e-81c6e03a3966@pep.foundation>
To: Claudio Luck <claudio.luck@pep.foundation>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-11-16_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1911160216
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/pD4GG6wv-xdYqmOsw46XdL4FHbA>
Subject: Re: [openpgp] Dealing with clock skew
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Nov 2019 23:06:17 -0000


> On Nov 16, 2019, at 9:40 AM, Claudio Luck <claudio.luck@pep.foundation> wrote:
> 
> If we live in an asynchronous messaging world with no global time
> concept, then the sender is free to hand out back-dated signatures. The
> receiver can't tell the difference between in-transit delay and
> back-dating. This can be used on purpose by the sender to induce some
> tolerance at the receiver side.

We do live in that world; it's not an if.

Newton argued for a notion of absolute time, but also conceded Galileo's point that you can switch frames of reference and have a conversion between them. Leibniz, on the other hand, argued that space is meaningless except as relative distance and that time *only* makes sense as an expression of relative motion. Ernst Mach also had a number of pithy things to say about this, particularly that even if you have absolute space or time, all math and physics works if you declare that you're still and the universe is moving or ticking.

I'm especially fond of Poincaré's "The Measure of Time" as he hits not only on the physical aspects but the experiential ones as well (English translation here: <https://en.wikisource.org/wiki/The_Measure_of_Time>). Of course, Einstein tied a bow around all of this in his Special Relativity which flat out declares what Leibniz gestures toward, that space and time are linked and there is no preferred frame of reference.

Of course, I can do the same thing towards Einstein that Leibniz and Mach did and note that if there's no preferred position or clock, I can just declare one and everything works fine. Operationally, this is what we do with GPS/atomic/NTP time. We declare that to be our frame of reference.

However, even that breaks down for surprisingly short distances. Network delays and the consequent "lag" means that you can't establish primacy on most multiplayer games in a lot of circumstances. This is why lots of them try to avoid situations where jumping around corners etc. are easy to cheat at. This is exactly the same problem you're talking about. There are a lot of interesting papers, but here's one that is precisely trying to create an absolute frame of reference, "Lag Compensation for First-Person Shooter Games in Cloud Gaming" <https://link.springer.com/chapter/10.1007/978-3-319-90415-3_5>. Note that they're not doing any mathematical security (like signatures) here, this is all trusting the network. They have this problem because it is inherent to any system that has space and time involved with it.

In the general case, you can't consider a time measurement to be a scalar, it has to be at the very least a complex number of the form [time, skew]. As Derek noted, Kerberos used a skew of five minutes. While Neal Walfield noted in his original post that he's seen skew of 20min, I concur that that seems a bit long. My naive home set-up commonly has alarms across devices being ±2s or less, but that's because they're all getting time from some combination of NTP and cellular network time, which is ultimately GPS time (and of course, skew). I think five minutes is likely reasonable, but *some* skew is unavoidable. Moreover, anyone who's on satellite networks is seeing latency of over a second and once you throw in normal exponential backoff, five minutes seems about as short as is reasonable.

Thus, you're absolutely right, if time is a scalar, then someone can cheat. There are situations (like real-time internet games) where the exact problem you mention, that someone can hide cheating in the skew is a well-known, unsolvable problem.

	Jon