More word to nts.adoc

Achim Gratz Stromeko at nexgo.de
Mon Jan 14 19:08:45 UTC 2019


Hal Murray via devel writes:
> You said "encrypts the rest of the data"
> I think we are authenticating rather than encrypting.

Not only, any data in encrypted extension fields that goes back to the
server is encrypted with the c2s key (from the P portion of the payload
in section 5.6 of the RFC).

> The new cookies returned from the NTP server are encrypted.  I think
> that's at a different layer.

Yes, on the client side it's just an opaque blob since it can't be
decrypted by the client.

> The AEAD stuff is setup to encrypt and the packet format has a slot 
> for the cypher text, but I don't think we will use that.  Please let me know 
> if you find something.

The cookie placeholder sent by the client may be encrypted per section 5.7.

> Gary: A few days ago, we were discussing storing the master keys on disk so 
> the NTP-S and NTS-S boxes didn't need a (network) communication channel.  I 
> think we want to be able to put a communication channel in there.  Consider:
>   One NTS server for multiple NTP clients.
>   Multiple NTS servers supporting the same name for load sharing or better 
> routing.

If you want to test without having an actual NTS-KE in place, just use
pre-shared keys.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

DIY Stuff:
http://Synth.Stromeko.net/DIY.html
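As an added illustration of the key-direction point in this message (everything the client sends under the NTS Authenticator and Encrypted Extension Fields field is protected with c2s, the server answers under s2c, and the cookie is sealed under a server master key the client never holds, so it stays an opaque blob on the client side), here is a runnable Python model of one NTS-protected NTP exchange. It is not NTPsec code and not part of the original message. The extension field types, the Section 5.6 field layout, the Section 5.7 placeholder rule and the Section 6 cookie format follow RFC 8915, the published form of the draft being discussed; the AEAD is a constructed HMAC-SHA256 encrypt-then-MAC stand-in for AES-SIV-CMAC-256 (the standard library has no AES-SIV), the TLS exporter is simulated with HMAC, and the 2-byte key ID, the bare 48-byte NTP headers, the random secrets and all function names are assumptions of this example.

```python
# Added example, not NTPsec code: a model of which NTS key protects which direction, after
# RFC 8915 Sec. 5.6 (NTS Authenticator and Encrypted Extension Fields), 5.7 (cookie
# placeholders) and 6 (cookie format). The AEAD is an HMAC-SHA256 stand-in for AES-SIV.
import hashlib, hmac, os, struct

UNIQUE_ID, COOKIE, PLACEHOLDER, AUTH_ENC = 0x0104, 0x0204, 0x0304, 0x0404  # Sec. 7.6
AEAD_ID, TAG_LEN, NONCE_LEN = 15, 16, 16     # 15 = AEAD_AES_SIV_CMAC_256 (IANA registry)
CLIENT_HDR, SERVER_HDR = b"\x23" + bytes(47), b"\x24" + bytes(47)  # bare NTPv4 headers (assumed)

def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _xor_stream(key, nonce, data):           # keystream = PRF(key, "enc" || nonce || counter)
    ks = b"".join(_prf(key, b"enc", nonce, struct.pack(">I", i)) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, nonce, aad, pt):               # toy AEAD (NOT AES-SIV): ciphertext || 16-byte tag
    ct = _xor_stream(key, nonce, pt)
    return ct + _prf(key, b"mac", struct.pack(">I", len(aad)), aad, nonce, ct)[:TAG_LEN]

def open_(key, nonce, aad, sealed):          # fails closed on a wrong key or any tampering
    pt = _xor_stream(key, nonce, sealed[:-TAG_LEN])
    if not hmac.compare_digest(sealed[-TAG_LEN:], seal(key, nonce, aad, pt)[-TAG_LEN:]):
        raise ValueError("AEAD authentication failed")
    return pt

def derive_c2s_s2c(exporter_secret):         # stands in for the TLS exporter of Sec. 4.3
    ctx = b"EXPORTER-network-time-security" + struct.pack(">HH", 0, AEAD_ID)
    return _prf(exporter_secret, ctx, b"\x00"), _prf(exporter_secret, ctx, b"\x01")

def ef(ftype, body):                         # extension field: type, length, 4-byte-aligned body
    body += b"\x00" * (-len(body) % 4)
    return struct.pack(">HH", ftype, 4 + len(body)) + body

def parse_efs(data, start=48):               # -> [(type, body, offset)]
    fields, pos = [], start
    while pos < len(data):
        ftype, flen = struct.unpack(">HH", data[pos:pos + 4])
        fields.append((ftype, data[pos + 4:pos + flen], pos))
        pos += flen
    return fields

def auth_ef(key, aad, inner):                # Sec. 5.6 body: nonce len, ct len, nonce, ciphertext;
    nonce = os.urandom(NONCE_LEN)            # aad = header + all preceding fields, inner may be empty
    ct = seal(key, nonce, aad, inner)
    return ef(AUTH_ENC, struct.pack(">HH", len(nonce), len(ct)) + nonce + ct)

def open_auth_ef(key, aad, body):
    nlen, clen = struct.unpack(">HH", body[:4])
    return open_(key, body[4:4 + nlen], aad, body[4 + nlen + (-nlen % 4):][:clen])

def make_cookie(master, key_id, c2s, s2c):   # Sec. 6: key ID || nonce || AEAD_master(aead || c2s || s2c)
    nonce = os.urandom(NONCE_LEN)
    return struct.pack(">H", key_id) + nonce + seal(master, nonce, b"", struct.pack(">H", AEAD_ID) + c2s + s2c)

def unseal_cookie(master, cookie):           # server side only: the client never holds `master`
    pt = open_(master, cookie[2:2 + NONCE_LEN], b"", cookie[2 + NONCE_LEN:])
    return pt[2:34], pt[34:66]

def client_request(c2s, cookie, n_placeholders, encrypt_placeholders):
    # Unique Identifier, cookie, N placeholders (in the clear or, per Sec. 5.7, encrypted), auth under c2s
    holders = b"".join(ef(PLACEHOLDER, bytes(len(cookie))) for _ in range(n_placeholders))
    pkt = CLIENT_HDR + ef(UNIQUE_ID, os.urandom(32)) + ef(COOKIE, cookie)
    if encrypt_placeholders:
        return pkt + auth_ef(c2s, pkt, holders)
    return pkt + holders + auth_ef(c2s, pkt + holders, b"")

def server_handle(master, packet):
    # keys from the cookie, request checked under c2s, one fresh cookie per cookie/placeholder under s2c
    fields = parse_efs(packet)
    atype, abody, aoff = fields[-1]           # the authenticator must be the last field
    if atype != AUTH_ENC:
        raise ValueError("no authenticator")
    cookie = next(b for t, b, _ in fields if t == COOKIE)
    c2s, s2c = unseal_cookie(master, cookie)
    inner = open_auth_ef(c2s, packet[:aoff], abody)
    holders = [b for t, b, _ in fields + parse_efs(inner, 0) if t == PLACEHOLDER]
    if any(len(h) != len(cookie) for h in holders):
        raise ValueError("placeholder length must equal cookie length")
    resp = SERVER_HDR + ef(UNIQUE_ID, next(b for t, b, _ in fields if t == UNIQUE_ID))
    fresh = b"".join(ef(COOKIE, make_cookie(master, 1, c2s, s2c)) for _ in range(1 + len(holders)))
    return resp + auth_ef(s2c, resp, fresh)

def client_receive(s2c, response):           # open under s2c; the cookies inside stay opaque blobs
    _, abody, aoff = parse_efs(response)[-1]
    inner = open_auth_ef(s2c, response[:aoff], abody)
    return [b for t, b, _ in parse_efs(inner, 0) if t == COOKIE]

def accepts(fn, *args):                      # True iff an AEAD-protected operation succeeds
    try:
        fn(*args)
        return True
    except ValueError:
        return False

def exchange(n_placeholders=3, encrypt_placeholders=True):  # one round trip -> (cookies, c2s, s2c)
    master, (c2s, s2c) = os.urandom(32), derive_c2s_s2c(os.urandom(32))
    first = make_cookie(master, 1, c2s, s2c)  # as issued by NTS-KE
    req = client_request(c2s, first, n_placeholders, encrypt_placeholders)
    return client_receive(s2c, server_handle(master, req)), c2s, s2c
```

`exchange(3, True)` hands the client four cookies (one for the cookie it spent plus one per encrypted placeholder), and `accepts(unseal_cookie, c2s, cookie)` is False for both c2s and s2c: the cookie only opens under the server's master key. Sealing the request under s2c instead of c2s, or flipping a single bit anywhere before the authenticator, makes `server_handle` raise, because the associated data of the Section 5.6 field covers the whole packet up to that field. With no placeholders and nothing to encrypt, the ciphertext in the client's authenticator is just the tag, which is the "authenticate only" case Hal describes.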
