NTS keys as I understand them
Hal Murray
hmurray at megapathdsl.net
Fri Jan 11 03:49:33 UTC 2019
Gary said:
> The client does not update his cookie(s), he just asks the NTS-KE for new
> ones when the NTPD NAKs the one he has been using.
Not quite. An important idea is that cookies are only used once. That
prevents bad guys from tracking you.
In the normal case, the client sends a cookie and gets back an encrypted
cookie.
The client starts with 8 cookies. If a packet gets lost, the next request
includes a single cookie-please slot. The server returns an extra cookie so
the client is back to 8. The cookie-please slot has the same length as a
cookie slot so you can't use cookie-please as an amplifier. If more than 1
packet has been lost, more than one cookie-please slot can be sent.
If 8 packets are lost, the client has to go through NTS-KE again.
--
These are my opinions. I hate spam.
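
The cookie accounting described in the message above, as an added Python example. It is not part of the original post and is not NTPsec code. `CookiePool`, `simulate` and the `cookie-N` strings are made-up names, and only cookie counts are modelled (no encryption, no packet formats).

```python
import itertools

POOL_TARGET = 8  # from the post: "The client starts with 8 cookies"

class CookiePool:
    """Client-side cookie bookkeeping only; no cryptography, no real NTP packets."""

    def __init__(self):
        self._serial = itertools.count(1)
        self.spent = set()
        self.ke_runs = 0
        self.cookies = []
        self._run_nts_ke()

    def _fresh(self, n):
        return [f"cookie-{next(self._serial)}" for _ in range(n)]

    def _run_nts_ke(self):
        # Stand-in for the NTS-KE exchange that hands out a full batch.
        self.ke_runs += 1
        self.cookies = self._fresh(POOL_TARGET)

    def build_request(self):
        """Spend one cookie; return (cookie, number of cookie-please slots)."""
        if not self.cookies:          # every cookie was lost in flight
            self._run_nts_ke()
        cookie = self.cookies.pop(0)
        if cookie in self.spent:      # a cookie must never go out twice
            raise RuntimeError("cookie reuse")
        self.spent.add(cookie)
        # One slot per cookie missing from the pool, beyond the one just spent.
        return cookie, POOL_TARGET - 1 - len(self.cookies)

    def handle_response(self, slots):
        """Server sends one cookie per slot in the request (cookie + placeholders)."""
        returned = self._fresh(1 + slots)
        self.cookies.extend(returned)
        return len(returned)

def simulate(delivered):
    """delivered: list of bools, True if that request/response pair got through.
    Returns one (cookie-please slots, cookies held afterwards, NTS-KE runs) per poll."""
    pool, trace = CookiePool(), []
    for ok in delivered:
        _, slots = pool.build_request()
        if ok:
            pool.handle_response(slots)
        trace.append((slots, len(pool.cookies), pool.ke_runs))
    return trace
```

Because the response carries exactly as many cookies as the request carried cookie-sized slots, refilling the pool never makes the reply larger than the request.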