IETF Logo Mail Archive

Re: [TICTOC] [ntpwg] security ID submitted for review

Kurt Roeckx <kurt@roeckx.be> Wed, 07 August 2013 10:23 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7747921E80BE for <tictoc@ietfa.amsl.com>; Wed, 7 Aug 2013 03:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=-0.399, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMwP+L0XPdGp for <tictoc@ietfa.amsl.com>; Wed, 7 Aug 2013 03:23:29 -0700 (PDT)
Received: from gerard.telenet-ops.be (gerard.telenet-ops.be [195.130.132.48]) by ietfa.amsl.com (Postfix) with ESMTP id C8C4A21E80D7 for <tictoc@ietf.org>; Wed, 7 Aug 2013 03:23:27 -0700 (PDT)
Received: from intrepid.roeckx.be ([94.226.199.45]) by gerard.telenet-ops.be with bizsmtp id 9mPQ1m00G0zFtyu0HmPQkB; Wed, 07 Aug 2013 12:23:26 +0200
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 19564EB1C9; Wed, 7 Aug 2013 12:23:24 +0200 (CEST)
Date: Wed, 07 Aug 2013 12:23:24 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: "David L. Mills" <mills@udel.edu>
Message-ID: <20130807102324.GA17618@roeckx.be>
References: <51FAC820.3090401@udel.edu> <20130803174008.GA17578@roeckx.be> <52019C7B.9070602@udel.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <52019C7B.9070602@udel.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: NTP Working Group <ntpwg@lists.ntp.org>, "tictoc@ietf.org" <tictoc@ietf.org>
Subject: Re: [TICTOC] [ntpwg] security ID submitted for review
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 10:23:36 -0000

Hi Dave,

On Wed, Aug 07, 2013 at 01:01:47AM +0000, David L. Mills wrote:
> Kurt,
> 
> Thanks for your reply.  As a window of history, the Autokey protocol
> was devised during several walks in Regents Park, London, in 1996.
> I thought the most significant hazzard was the replay of client
> messages requiring extensive server cryptographic computations.  At
> that time, I did not think that a middle-man attack would be
> significant.  Both of those assumptions are probably inadvisable
> today.
> 
> One problem with Autokey is the assumption that secret keys for each
> client can be manufactured using packet header fields and a hash of
> a server private value.  A middle-man can manipulate the header
> fields compromising the client private key.  There does not seem to
> be a solution for this problem other than requiring server state.

This proposal also generates a cookie based on the something the
client sends and a secret in the server, which is then encrypted
using the client's public key.

The ID does not mention that this message is signed by the server,
but Stephen's mail said it was.  This part is important to avoid
the man in the middle attack.

So as result the client got a unique secret for him, and only
the client and the server known it.  It can also be sure that
it really comes from the server, so that there can be no man
in the middle attack.  And the server doesn't need to keep
state since it can calculate it again based on what the client
sends him.

> In the current Autokey design, the MAC computation covers the header
> and all extension fields.  However, the key used for the MAC
> computation in packets with extension fields is not private.
> Therefore, in a cut-and-paste attack, an intruder could mix and
> match extension fields and simply recalculate the MAC.

If the key is not private, by adding extentions to a packet an
attacker can just generate anything he wants?

> RFC 5906 defines the extension field including the filestamp and
> timestamp.  The filestamp was designed to reliably associate the
> cryptographic media with the current version, as it can be
> frequently changed.  This might not be useful in current designs.
> The timestamp field was designed to detect replays requiring
> expensive cryptographic computations which could take up to a
> second.  However, the "call gap" (minimum headway) provisions nicely
> deflect such attacks, so the timestamp field might not be useful in
> current designs.   Lastly, in the current design, each extension
> field is separately signed  at the time the data were constructed.
> In current designs the signature might be computed at the time of

I'm not sure I understand what you're trying to say.

I'm not sure what the filestamps are used for.  But I assume
that for instance for the leap seconds you send when it was
last updates.  I guess you can sign this once and always send
this signed in an extension, even when you're otherwise not
using any encryption.  Since you already signed it, the overhead
of adding that extension is small.

The problem I see with only sending the MAC over the ntp headers
and not over the extensions is that the extensions can be removed
or added and the client can't tell.  So it could for instance
be replaced with an old version of the extension. I think it's
important that the MAC covers everything.


Kurt

v2.23.0 | Report a Bug | By Email