IETF Logo Mail Archive

Re: [TICTOC] [Ntp] WGLC for draft-ietf-ntp-mac

Harlan Stenn <stenn@nwtime.org> Thu, 01 March 2018 02:05 UTC

Return-Path: <stenn@nwtime.org>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B7012D96D; Wed, 28 Feb 2018 18:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ioRS35iOzY4; Wed, 28 Feb 2018 18:05:20 -0800 (PST)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB34912D963; Wed, 28 Feb 2018 18:05:20 -0800 (PST)
Received: from hms-mbp11.pfcs.com (96-41-166-181.dhcp.mdfd.or.charter.com [96.41.166.181]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 44F8FB85F; Thu, 1 Mar 2018 02:05:20 +0000 (UTC)
To: Matthew Van Gundy <mvangund@cisco.com>, Daniel Franke <dfoxfranke@gmail.com>
Cc: ntp@ietf.org, "tictoc@ietf.org" <tictoc@ietf.org>
References: <CF57EAFE-31F0-4ADD-A209-1802DB6CA643@isoc.org> <20180227230925.GJ33838@mvangund-retina.ddns.asig.cisco.com> <E1er18d-00029p-Li@stenn.ntp.org> <CAJm83bBVoYrYpEe+BHsUiRCzeR+C5Ui3G9MH1myHj8i7=GWU-A@mail.gmail.com> <20180228220413.GJ83301@mvangund-retina.ddns.asig.cisco.com>
From: Harlan Stenn <stenn@nwtime.org>
Message-ID: <b5ba0aa5-ef07-28af-38ba-5251fb8a2244@nwtime.org>
Date: Wed, 28 Feb 2018 18:05:19 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180228220413.GJ83301@mvangund-retina.ddns.asig.cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="zfWh9Q58oEHYZe3c2VsYm7he64PJH1f7P"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tictoc/B-i28Q_YpwXpZo8jSfZV41j5zac>
Subject: Re: [TICTOC] [Ntp] WGLC for draft-ietf-ntp-mac
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tictoc/>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 02:05:22 -0000


On 2/28/18 2:04 PM, Matthew Van Gundy wrote:
> Hi Daniel,
> 
> On Wed, Feb 28, 2018 at 08:51:30AM -0500, Daniel Franke wrote:
>> The block size of AES is 128 bits, regardless of whether a 128- or 256-bit
>> key is used, and therefore the output of AES-CMAC is always 128 bits.
>> 160-bit digests are already supported by RFC7822, but there's no way to
>> make AES-CMAC produce one.
> 
> Understood.  Thanks for reminding me that RFC7822 explicitly updates the
> acceptable digest sizes to be 4, 20, or 24 octets long (inclusive of
> the 4 octet key id).  Given that, should I interpret "the resulting
> MAC tag SHOULD be 128 bits long" as, "When using draft-ietf-ntp-mac-03
> authentication, the MAC tag must be either 0-bits (Crypto-NAK) or
> 128-bits (AES-CMAC) long.  Otherwise, see RFC 7822."?

Please note that some of us think 7822 was not quite right, and have
been trying to fix it:

 https://tools.ietf.org/id/draft-stenn-ntp-extension-fields-05.txt

>>>> Forgive me if this has been discussed and I missed it.  But, to
>>>> improve quantum resistance should the draft recommend AES-256 over
>>>> AES-128?  I realize that the RFC 4493 construction specifically uses
>>>> AES-128, but is there any barrier to using AES-256?
> 
> Do you happen to know the rationale for recommending AES-128 over
> AES-256?  It seems like it would be appropriate to default to the more
> secure variant since implementations MAY always choose AES-128 as long
> as they understand the security implications of doing so.

I think the intent was to specify a minimum acceptable limit/digest.

And just to be sure I've said it, one of the nice things about MD5 was
that it was not considered "crypto" and could be freely exported or
imported.  The same cannot be said of AES-128-CMAC, or several other
mechanisms.

H
--
> Thanks,
> Matt
> 
>>
>> On Feb 28, 2018 7:47 AM, "Harlan Stenn" <stenn@ntp.org> wrote:
>>
>>> Most everybody seems to think that 160 bits of digest is all that will
>>> ever be needed.
>>>
>>> I'm perfectly happy making sure longer digests are supported.
>>> -- Harlan Stenn <stenn@ntp.org>
>>> http://networktimefoundation.org - be a member!
>>>
>>> _______________________________________________
>>> ntp mailing list
>>> ntp@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ntp
>>>
>>>
>>>
>>> _______________________________________________
>>> ntp mailing list
>>> ntp@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ntp

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!

v2.23.0 | Report a Bug | By Email