More word to nts.adoc
Achim Gratz
Stromeko at nexgo.de
Mon Jan 14 19:08:45 UTC 2019
Hal Murray via devel writes:
> You said "encrypts the rest of the data"
> I think we are authenticating rather than encrypting.
Not only, any data in encrypted extension fields that goes back to the
server is encrypted with the c2s key (from the P portion of the payload
in section 5.6 of the RFC).
> The new cookies returned from the NTP server are encrypted. I think
> that's at a different layer.
Yes, on the client side it's just an opaque blob since it can't be
decrypted by the client.
> The AEAD stuff is setup to encrypt and the packet format has a slot
> for the cypher text, but I don't think we will use that. Please let me know
> if you find something.
The cookie placeholder sent by the client may be encrypted per section 5.7.
> Gary: A few days ago, we were discussing storing the master keys on disk so
> the NTP-S and NTS-S boxes didn't need a (network) communication channel. I
> think we want to be able to put a communication channel in there. Consider:
> One NTS server for multiple NTP clients.
> Multiple NTS servers supporting the same name for load sharing or better
> routing.
If you want to test without having an actual NTS-KE in place, just use
pre-shared keys.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
DIY Stuff:
http://Synth.Stromeko.net/DIY.html