Re: [TLS] Getting started, clock not set yet
Kyle Rose <krose@krose.org> Mon, 15 August 2022 12:54 UTC
Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 446F9C1524A5 for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 05:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDoSJOwT5miR for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 05:54:22 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 188E2C14F73D for <tls@ietf.org>; Mon, 15 Aug 2022 05:54:21 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id y13so13318562ejp.13 for <tls@ietf.org>; Mon, 15 Aug 2022 05:54:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=pWnuET1xQjc4zs6sd9MXksXxin6SiyJwuhT6DQjM3xo=; b=X3i2hSdXDDfPuKVddHL3+sTlJQtJwlRqsIVWKOkJkJtZ7XjXqAb2rMiV5cUD7Tq7dj qe0eqHncw3nl4UMHDnULjjdUl0HNQPYwcx+QpGvWfGRabKPlDPyU03PhY2lA/FXZ5HwC VYB6qyM20ugJL1DbPJxxpyOYMpUkts/NYmD2I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=pWnuET1xQjc4zs6sd9MXksXxin6SiyJwuhT6DQjM3xo=; b=HXWzYFw3ebaWQsE+6/Oh364xRyNDWSdLcAwTFtQIQdAMMWkOH+rX9Kl/uzBkmp45HD PffjThOqFQKUyibNv4+ly7RHiJZlHsEj1fYYyXLv7dk/tizXZBKo6oOfwyTMF0bsM/qZ 5UxGc8csEp6SxU02hovVkIM6y7pWKmGtLO+Opv8OR1ezr+RFNMY7LcOlAkRnBUmQf+8B 0ALK0j1ekT3DlUtBtH7z9IjWXRr0quqtSYg4Oa1ETxDHhHiicOcrFZiHopTCup3vpvNc riPG/FOk1yK24MpoQRiOSTuxJPGJvN6hQcwwUCydyC1ub2Q0sjaQuk0BTfxq0+3DVBWx cB9g==
X-Gm-Message-State: ACgBeo2CFIcEyAp0qQyNNC/JZDmKrG2LL79L7oOk1pxeebjdodQVJHKO 9pjrBQwCBIOm6q6T6ErbdReJHxnquFGh6+MzqvXFAP6hsKM=
X-Google-Smtp-Source: AA6agR42hZUPBw1RbnfbXR1C5OAq89qO5mmbwDvlqL4uahflyvHCbKjFnQ74fIapwSIqufGo5znyTIY/gdDsVJLYico=
X-Received: by 2002:a17:907:2d0f:b0:731:87d0:13aa with SMTP id gs15-20020a1709072d0f00b0073187d013aamr10931643ejc.142.1660568059327; Mon, 15 Aug 2022 05:54:19 -0700 (PDT)
MIME-Version: 1.0
References: <krose@krose.org> <CAJU8_nWC+GRZFm02trAgB_bmUfkNF9bMfUHenVRNojydzi1NNw@mail.gmail.com> <20220814212506.A6A1A28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220814212506.A6A1A28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: Kyle Rose <krose@krose.org>
Date: Mon, 15 Aug 2022 08:54:08 -0400
Message-ID: <CAJU8_nUZCR3ihGBj101n8zd6e9+nqFR0NW=u6EgpqDwKX+=aUg@mail.gmail.com>
To: Hal Murray <halmurray+tls@sonic.net>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004d536f05e6472187"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bErHX2ujd29dxPphK4jPW2ZN-es>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 12:54:26 -0000
On Sun, Aug 14, 2022 at 5:25 PM Hal Murray <halmurray+tls@sonic.net> wrote: > Thanks. > > > It's been a few years, but IIRC my thinking was that the degree of trust > > required in the Roughtime servers' long-term public keys is very low: > you're > > trusting them only for one server's assertion of the current time, not > for > > general web traffic; and if you ask enough servers, the likelihood of > being > > tricked into trusting a bad timestamp is very low even over long time > > periods. > > I've been assuming self-signed certificates with long lifetimes -- one per > server. > It's a testament to how certificate infrastructure has evolved that one year is now considered "long lived". :-) I was responding to an earlier hypothetical about a device sitting on a shelf for ten years, and trying to figure out how one could bootstrap the PKI after that time without explicit intervention. I'm starting to think I was trying too hard to address a (possibly contrived) edge case that really deserves a simpler solution: manual re-bootstrapping. > In other words, much of the security of the scheme is in the practical > > difficulty of mounting a successful attack even if the keys have been > > compromised. NTS doesn't even attempt to address this kind of attack > vector. > > Is there a first order difference between NTS using self signed > certificates > and Roughtime? > Miroslav's answer is probably the right one: Roughtime gives you the ability not only to detect bad timestamps but to prove it to others. Upon reflection, that doesn't seem especially useful in this context because you're already talking about devices that have appeared out of nowhere after a long period of inactivity. There have been semi-endless debates about how many NTP servers to use. (I > haven't seen one recently.) With 3 servers, 2 can outvote 1 bad guy. With > 4 > servers, you still have 3 if one is down. ... Adding security > complicates > that discussion. You have to add deliberate malfeasance to the list of > things > that can go wrong. And things can change over 10 years. > > Are there any good papers or web pages discussing the security of TLS? > Did you mean NTP here? The security of TLS has been discussed far and wide. :-) One quirk on my 10 year problem. If the boxes are sitting on a shelf, it's > at > least possible to open them up and update firmware. It would be > expensive, > but it is another branch of the cost-benefit tree. > And this was my first bit of advice to Peter: if it's out of service that long, it probably has known vulnerabilities, so you should probably upgrade the firmware before reattaching it to a network or it's likely to get pwn3d. That firmware update would come with updated CAs, and a notion of the current time (to bootstrap the first TLS handshakes, after which trusted sources can provide updated timestamps) if the device has no RTC of its own. I wish I had some more context for this area of embedded devices. For example: * Why is an RTC more expensive (along whatever axis you choose) than a NIC (wifi or ethernet)? * What classes of devices would reasonably sit on a shelf for ten years and subsequently prove useful without being updated? * If it's been sitting on a shelf for ten years, why is reattaching it to the network easy, while plugging it into an upgrade klosk first and *then* reattaching it to the network is hard? After this thread, I'm now trying to figure out why this whole endeavor isn't contrived. Kyle
- [TLS] Getting started, clock not set yet Hal Murray
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Rob Sayre
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Rob Sayre
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Rob Sayre
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Christopher Wood
- Re: [TLS] Getting started, clock not set yet Benjamin Kaduk
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Benjamin Kaduk
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Christian Huitema
- Re: [TLS] Getting started, clock not set yet Benjamin Kaduk
- Re: [TLS] Getting started, clock not set yet Robert Relyea
- Re: [TLS] Getting started, clock not set yet Christian Huitema
- Re: [TLS] Getting started, clock not set yet Hal Murray
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Hal Murray
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Salz, Rich
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Peter Gutmann