Re: [TICTOC] [Ntp] draft-ietf-ntp-mac, extensions

Matthew Van Gundy <mvangund@cisco.com> Thu, 01 March 2018 23:40 UTC

Return-Path: <mvangund@cisco.com>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5956D12FB0D; Thu, 1 Mar 2018 15:40:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.53
X-Spam-Level:
X-Spam-Status: No, score=-14.53 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BN0qqJdvOSG8; Thu, 1 Mar 2018 15:40:48 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C304D12FACC; Thu, 1 Mar 2018 15:40:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1866; q=dns/txt; s=iport; t=1519947647; x=1521157247; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=Zg+8BYN4Aom8cG/lcHWllXuQIygmkqdUUmmfenlmcWk=; b=TKUHxQyHyZ57fWShUgSsZOePli8HLa9RQYhQor8bwNJo9kYrapRw6PNZ jCKPnm4GRa/YcMpfpV0GikTbaipN9BFTJnAR0gbMtRVeXTaqIoTIslL/C iIHM2Gjd35kZeG8oW/GZGSe6lifqPX//gb49uaHsdKa/8X/oLbNqXMD+t g=;
X-Files: signature.asc : 269
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AmAQD0jpha/4MNJK1dGQEBAQEBAQEBAQEBAQcBAQEBAYNQZnCOH3SNBYICgRaULIIVBwMjhQ0Cgl4hNBgBAgEBAQEBAQJrJ4UkAQV5EAsOCgklDwVJhS4QrE+Ia4ImBYUiBIIngz2DLYMuAQECAYFSg1eCMgSOaYtvCYZSihuPA4l7h1iBLh44gVIzGggbFYJ+gi8CG4IZjUkBAQE
X-IronPort-AV: E=Sophos;i="5.47,409,1515456000"; d="asc'?scan'208";a="144567392"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Mar 2018 23:40:46 +0000
Received: from saucy.localdomain (saucy.cisco.com [64.100.220.11]) by alln-core-1.cisco.com (8.14.5/8.14.5) with SMTP id w21NekE9003880; Thu, 1 Mar 2018 23:40:46 GMT
Received: from mvangund-retina.ddns.asig.cisco.com (mvangund-retina.ddns.asig.cisco.com [64.100.220.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by saucy.localdomain (Postfix) with ESMTPS id 3zsppQ0wq6zFpZq; Thu, 1 Mar 2018 18:40:46 -0500 (EST)
Date: Thu, 01 Mar 2018 18:40:45 -0500
From: Matthew Van Gundy <mvangund@cisco.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: ntp@ietf.org, tictoc@ietf.org
Message-ID: <20180301234045.GE41820@mvangund-retina.ddns.asig.cisco.com>
References: <20180301070636.2CFDF40605C@ip-64-139-1-69.sjc.megapath.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="o0ZfoUVt4BxPQnbU"
Content-Disposition: inline
In-Reply-To: <20180301070636.2CFDF40605C@ip-64-139-1-69.sjc.megapath.net>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tictoc/kN2Wz2o4sO3ihxX_2vJu6nhXeTw>
Subject: Re: [TICTOC] [Ntp] draft-ietf-ntp-mac, extensions
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tictoc/>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 23:40:52 -0000

On Wed, Feb 28, 2018 at 11:06:36PM -0800, Hal Murray wrote:
> Why is AES-CMAC more interesting than one of the digests supported by OpenSSL?

The keyed-hash construction that NTP uses is not a secure message
authentication code, it is vulnerable to the classic length extension
attack [1] when used with common hash functions, such as MD5, SHA-1,
and the SHA-2 family of hash functions.  This allows an attacker to
append additional forged NTPv4 extension fields on to an authenticated
NTPv4 packet.  draft-ietf-ntp-mac-03 refers to this attack through its
reference to the BCK paper in section 2 [2] even though it does not
explicitly call out length extension attacks in the body of the draft.

In current usage, this rarely poses a problem.  In the NTP reference
implementation extension fields are only used by Autokey.  If you have
Autokey disabled, it does not give an attacker any additional power.
However, if NTPv4 extension fields catch on for uses other than
Autokey, this will become problematic.

AES-CMAC is a secure message authentication code and, therefore, is
not vulnerable to this kind of attack.

[1] https://en.wikipedia.org/wiki/Length_extension_attack
[2] https://tools.ietf.org/html/draft-ietf-ntp-mac-03#section-2

Cheers,
Matt

--
Matthew Van Gundy, Technical Leader
Advanced Security Initiatives Group
Cisco Systems, Inc.