First round of my stupid questions about NTS
Ian Bruene
ianbruene at gmail.com
Sat Jan 19 02:36:34 UTC 2019
*Ahem* REEEEEEEE.......

You are both talking past each other.

There are two key sets:

The c2s/s2c pair. Generated *BY* the TLS exchange between the client and the NTS-KE server. Stored inside the cookie. Used to encrypt data between server and client NTPDs, thereby eliminating the need for a TLS session between NTPD clients/servers. Left unchanging, unless an NTPD sends a KOD and forces the client to re-run the key exchange protocol.

The Master Key. Generated by ways as yet undetermined. Used to encrypt the cookies themselves. Rotated regularly. Shared between an NTPD server and NTS-KE server by any of several possible means.

There is never a TLS session between one NTPD node and another NTPD node; only between a client and an NTS-KE server.

*HOWEVER*

There is a TLS session active when c2s/s2c are generated, and the session generates the keys. So TLS data is relevant to that key pair.

It would be advisable to banish the bare word "key" from this discussion, so that further confusion about which keys are which may be avoided.
--
/"In the end; what separates a Man, from a Slave? Money? Power? No. A
Man Chooses, a Slave Obeys."/ -- Andrew Ryan
/"Utopia cannot precede the Utopian. It will exist the moment we are fit
to occupy it."/ -- Sophia Lamb
I work for the Internet Civil Engineering Institute <https://icei.org/>,
help us save the Internet from Entropy!
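The two key sets the post separates, as an added example that is not part of the original message and not ntpsec code. It models the NTS-KE side sealing c2s/s2c into a cookie under a master key, the NTPD side opening that cookie with no TLS session of its own, and the rotation case where a cookie sealed under a master key the NTPD has since dropped can no longer be opened (the point at which a KOD sends the client back to NTS-KE). Everything concrete here is an assumption made for the example: the cookie layout (key ID, nonce, AEAD ciphertext), AES-GCM as the cookie AEAD, HMAC-SHA256 as a stand-in for both the TLS key exporter and the per-packet authenticator, and the names `MasterKeyRing`, `DeriveC2SS2C`, `SealCookie`, `OpenCookie` and `ServeRequest`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not ntpsec code. Key roles as the post lays them out:
//   c2s/s2c : per-client keys the NTS-KE server derives from the TLS session,
//             gives to the client, and also seals into the cookie.
//   master  : shared only between NTS-KE and NTPD; seals cookies; rotated,
//             so each cookie carries the ID of the master key that sealed it.
// AES-GCM and HMAC-SHA256 are stand-ins for the real AEAD and TLS exporter.

const (
	keyLen   = 32 // assumed: one SHA-256 output per direction
	nonceLen = 12 // AES-GCM standard nonce size
)

var ErrUnknownMasterKey = errors.New("cookie sealed under a master key this NTPD no longer holds")

// MasterKeyRing is the NTPD/NTS-KE view of the cookie-sealing keys, by ID (assumed structure).
type MasterKeyRing struct {
	keys map[uint32][]byte
}

func NewMasterKeyRing() *MasterKeyRing { return &MasterKeyRing{keys: map[uint32][]byte{}} }

// Rotate installs a fresh random master key under id and forgets every older ID,
// so cookies sealed under a forgotten ID can no longer be opened.
func (r *MasterKeyRing) Rotate(id uint32) error {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	r.keys = map[uint32][]byte{id: k}
	return nil
}

// DeriveC2SS2C stands in for the TLS key exporter on the NTS-KE side: both
// directional keys come from the TLS session secret, under distinct labels.
func DeriveC2SS2C(tlsExporterSecret []byte) (c2s, s2c []byte) {
	export := func(label string) []byte {
		m := hmac.New(sha256.New, tlsExporterSecret)
		m.Write([]byte("nts-example/" + label)) // assumed labels
		return m.Sum(nil)
	}
	return export("c2s"), export("s2c")
}

func (r *MasterKeyRing) aead(id uint32) (cipher.AEAD, error) {
	k, ok := r.keys[id]
	if !ok {
		return nil, ErrUnknownMasterKey
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCookie (NTS-KE side). Assumed layout: keyID(4) || nonce(12) || AEAD(c2s||s2c, ad=keyID).
func (r *MasterKeyRing) SealCookie(id uint32, c2s, s2c []byte) ([]byte, error) {
	g, err := r.aead(id)
	if err != nil {
		return nil, err
	}
	idBytes := make([]byte, 4)
	binary.BigEndian.PutUint32(idBytes, id)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, c2s...), s2c...)
	ct := g.Seal(nil, nonce, plain, idBytes)
	return append(append(idBytes, nonce...), ct...), nil
}

// OpenCookie (NTPD side): recover c2s/s2c from the cookie alone; no TLS involved.
func (r *MasterKeyRing) OpenCookie(cookie []byte) (c2s, s2c []byte, err error) {
	if len(cookie) < 4+nonceLen {
		return nil, nil, errors.New("short cookie")
	}
	g, err := r.aead(binary.BigEndian.Uint32(cookie[:4]))
	if err != nil {
		return nil, nil, err
	}
	plain, err := g.Open(nil, cookie[4:4+nonceLen], cookie[4+nonceLen:], cookie[:4])
	if err != nil {
		return nil, nil, err // tampered cookie, or sealed under a different key
	}
	if len(plain) != 2*keyLen {
		return nil, nil, errors.New("bad cookie payload")
	}
	return plain[:keyLen], plain[keyLen:], nil
}

// tag authenticates one NTP packet under a directional key (HMAC stand-in for the AEAD).
func tag(key, packet []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(packet)
	return m.Sum(nil)
}

// ServeRequest is the NTPD server's handling of one NTS-protected request:
// open the cookie, check the client's tag under c2s, answer under s2c.
// ErrUnknownMasterKey is the rotation case where a KOD sends the client back to NTS-KE.
func (r *MasterKeyRing) ServeRequest(cookie, request, clientTag []byte) ([]byte, error) {
	c2s, s2c, err := r.OpenCookie(cookie)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(tag(c2s, request), clientTag) {
		return nil, errors.New("request not authenticated under c2s")
	}
	return tag(s2c, append([]byte("response-to:"), request...)), nil
}

func main() {
	ring := NewMasterKeyRing()
	_ = ring.Rotate(1)
	// Constructed stand-in for the secret the client/NTS-KE TLS session exports.
	c2s, s2c := DeriveC2SS2C([]byte("constructed tls exporter secret"))
	cookie, _ := ring.SealCookie(1, c2s, s2c)
	req := []byte("ntp request")
	if _, err := ring.ServeRequest(cookie, req, tag(c2s, req)); err == nil {
		fmt.Println("served under master key 1")
	}
	_ = ring.Rotate(2) // master key rotated; key 1 forgotten
	_, err := ring.ServeRequest(cookie, req, tag(c2s, req))
	fmt.Println("after rotation:", err, "-> client must re-run NTS-KE")
}
```

Note that the NTPD server never sees the TLS exporter secret: it learns c2s/s2c only by opening the cookie with the shared master key, which is exactly why the master key, and not TLS, is the thing that must be distributed between NTS-KE and NTPD.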