C2S/S2C lifetime

[Gary E. Miller]

Yo Hal!

On Sat, 02 Feb 2019 16:15:49 -0800
Hal Murray <hmurray at megapathdsl.net> wrote:

> Gary said:
> > Nothing says that a single cookie could not be used by a farm of
> > clients to push the cookies per second into the thousands.  
> 
> > Then add that this is millions of know plaintext and known
> > ciphertext pairs That is not what the key reuse calculations
> > assume.   
> 
> I'm missing a step.  How are you getting known plaintext/cyphertext
> pairs?

The whole point is that the client knows the C2S and S2C.  Otherwise
he can not key a session to the NTPD server.  That is the plaintext.
And he has the cookie, with the algorithm use to make it.  That is
the ciphertext.

> If an idiot gets a C2S/S2C pair and then sends zillions of packets,
> he exposes lots of traffic for his keys.  Don't do that.

What if it is NSA and not an idiot?  What if you are running the NIST
servers and you got lots of idiots around to provide cover?

> If an attacker captures a cookie by spying on the wire, what can he
> do with it?

You missed my argument.  The attacker is the client.

>  He doesn't know the C2S so he can't use that cookie in
> new packets.

So he has the C2S and S2S.

>  He can replay the whole packet.  That will generate new
> cookies/cyphertext but doesn't get any plaintext.

Agree.  Irrelevant to a hacker that is a 'legit' looking client.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190202/69b830d3/attachment.bin>