What's up with our MAC support?

Eric S. Raymond esr at thyrsus.com
Sat Feb 2 10:46:45 UTC 2019 

Hal Murray <hmurray at megapathdsl.net>:
> 
> Eric said:
> > The docs still talk about MD5 and SHA-1, but the comments in ntpkeygen
> > reference something called AES-128 which doesn't seem to be referenced at all
> > in the docs or the NTP RFCs. 
> 
> AES-128 is the replacement for SHA1.  If there isn't an RFC, there is a 
> ready-to-publish draft.  It's mentioned in NEWS for 1.1.2 which says:
>   Support AES-128-CMAC for authentication
>     https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/

OK, I'll add this to our list of supported standards and drafts.

> I "fixed" ntpkeygen to generate AES-128 keys rather than the mix of MD5 and 
> SHA1 it used to make.  Apologies if I didn't fix the documentation.

docs/includes/ntpkeygen-man.adoc and docs/authentication.adoc both need
updating.  

> > Have we broken compatibility with other NTPv4 implementations using MD5 and
> > SHA-1 MACs?
> 
> No.
> 
> The actual code will use any algorithm your libcrypto supports.

I believe we're going to be OK with AES-128 because it's the same
length as MD5. But IIRC there's a funky interaction between extension
fields and some MAC lengths.  Let's see if I can find it....

...ahh, here it is from libntp/packet.py:

        # Parse the extension field if present. We figure out whether
        # an extension field is present by measuring the MAC size. If
        # the number of 4-octet words following the packet header is
        # 0, no MAC is present and the packet is not authenticated. If
        # 1, the packet is a crypto-NAK; if 3, the packet is
        # authenticated with DES; if 5, the packet is authenticated
        # with MD5; if 6, the packet is authenticated with SHA1. If 2
        # or 4, the packet is a runt and discarded forthwith. If
        # greater than 6, an extension field is present, so we
        # subtract the length of the field and go around again.

I think that was originally from RFC5905.  Looks like we're only
really safe with 128-bit or 160-bit MACs.  I don't know how that
relates to the set of MAC lengths implied by libcrypto's support list.
I didn;t find good search hits for that.

> Your distro may drop support for old crufty algorithms, but MD5 and SHA1 are 
> so widely used that I'd be surprised if anybody drops them.

I'd be surprised too.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.

More information about the devel mailing list