ntp.conf changes for NTS

Gary E. Miller gem at rellim.com
Sun Feb 3 00:19:52 UTC 2019


Yo Richard!

On Sat, 2 Feb 2019 17:57:12 -0600
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 2/2/19 3:29 PM, Gary E. Miller via devel wrote:
> > Nothing says that a single cookie could not be used by a farm of
> > clients to push the cookies per second into the thousands.  
> 
> The cookie, or more importantly the C2S and S2C inside of it, which is
> what we are discussing here, comes from a single NTS-KE TLS session,
> which by definition is for a single client.

Yes, but not enforceable.  So the definition is useless.  Nothing to
stop a black-, white- or gray-hat from using the same cookie over
and over on hundreds of servers.  The life limit of many current
ciphers can be reached in days if you are NSA.  Or China.

Not easy, but hackers have been very clever.

Since there are known limits, however far fetched they seem today, they
should be enforced.

The Germans and Japanese learned this the hard way way back in WWII.  Do
not repeat the known failures of the past.  This stuff is serious.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin