[secdir] SECDIR review of draft-ietf-ntp-ntpv4-proto-11
Richard Barnes <rbarnes@bbn.com> Wed, 11 March 2009 02:49 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 293653A6B29; Tue, 10 Mar 2009 19:49:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTwpIwUfWbiJ; Tue, 10 Mar 2009 19:49:17 -0700 (PDT)
Received: from mx3.bbn.com (mx3.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 36A853A6923; Tue, 10 Mar 2009 19:49:16 -0700 (PDT)
Received: from [128.89.255.165] (helo=Richard-Barnes-Laptop.local) by mx3.bbn.com with esmtp (Exim 4.63) (envelope-from <rbarnes@bbn.com>) id 1LhEVy-0005rh-Al; Tue, 10 Mar 2009 22:49:50 -0400
Message-ID: <49B726CD.9040107@bbn.com>
Date: Tue, 10 Mar 2009 22:49:49 -0400
From: Richard Barnes <rbarnes@bbn.com>
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: IESG <iesg@ietf.org>, SECDIR <secdir@ietf.org>, IETF Discussion <ietf@ietf.org>, draft-ietf-ntp-ntpv4-proto@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [secdir] SECDIR review of draft-ietf-ntp-ntpv4-proto-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 02:49:18 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines an update to the Network Time Protocol, a mechanism that Internet hosts can use to synchronize their clocks. I have strong reservations about the security mechanisms specified in this document. The central security requirement for this protocol is that protocol endpoints be authenticated and that messages be integrity-protected. These protections are provided primarily by signing messages with a custom MD5-based MAC (i.e., not HMAC-MD5), as in NTPv3, although extensions are included to enable the use of the Autokey scheme for using X.509 certificates to authenticate digital signatures. Both of these schemes are a little bit troubling. For the MAC scheme: In addition to using a custom MAC instead of a more standard one, the MAC relies on the MD5 hash function, for which there are known algorithms to find collisions. I would expect the document to either or both of: 1. Replace MD5 with a stronger hash 2. Argue that the weaknesses in MD5 do not lead to MAC vulnerabilities The document seems to take the latter approach by referring to an NDSS paper on hash transitions. However, this paper does not address the vulnerabilities of MD5-based MACs in any detail (the closest it comes is to say that "because TLS uses HMAC, the current collision-only attacks most likely do not represent a threat"), much less consider the special MAC used by NTP (v3 and v4). I would suggest the authors find a better, more specific reference, or incorporate a mechanism for hash agility. For the Autokey scheme: I have not reviewed Autokey thoroughly, but my initial impression is that it is a far more complicated scheme than is necessary for the simple distribution and revocation of keys for NTP. (ISTM that it would suffice to have, e.g., a simple format for specifying keys and KEYIDs, encapsulated in S/MIME and distributed either out of band or in a special payload type.) In any case, it seems inappropriate for a Standards-track document to refer to a cryptographic protocol described only in a university-internal technical report. Such a scheme should be subject to the same standard of review as other cryptographic systems used within IETF protocols. The document properly notes that as specified, broadcast clients are vulnerable to DoS attacks from some broadcast servers, but only says that "Access controls and/or cryptographic authentication means should be provided for additional security in such cases." This text should be replaced with something more precise, even if only to say "Protections against these attacks is left to future work" without specifying what the solution would look like.
- [secdir] SECDIR review of draft-ietf-ntp-ntpv4-pr… Richard Barnes