First round of my stupid questions about NTS

Gary E. Miller gem at rellim.com
Sat Jan 19 02:51:48 UTC 2019


Yo Ian!

On Fri, 18 Jan 2019 20:36:34 -0600
Ian Bruene via devel <devel at ntpsec.org> wrote:

> You are both talking past each other.

Yup.

> There are two key sets:
> 
> The c2s/s2c pair. Generated *BY* the TLS exchange between the client
> and the NTS-KE server.

No, generated *FOR* the key TLS exchange.

> Stored inside the cookie. Used to encrypt data 
> between server and client NTPDs thereby eliminating the need for a
> TLS session between NTPD clients/servers.

Yes.  But you need the master key on the NTPD server to get the C2S/S2C.
How does the NTPD server know the ephemeral key of the TLS connection
to use as a master key to get the C2S and S2C?

How do you propose it gets there?

> Left unchanging, unless an
> NTPD sends a KOD and forces the client to re-run the key exchange
> protocol.

Which should happen about once a day.

> The Master Key. Generated by ways as yet undetermined.

Yes, but NOT by TLS since the NTPD server has no TLS.

> Used to
> encrypt the cookies themselves. Rotated regularly.

Yes.

> Shared between a
> NTPD server and NTS-KE server by any of several possible means.

Maybe.  Note the Proposed RFC proposes this 'sharing' need only
happen once, ever.

> There is never a TLS session between one NTPD node and another NTPD 
> node; only between a client and an NTS-KE server.

Yes.

> There is a TLS session active when c2s/s2c are generated, and the 
> session generates the keys. So TLS data is relevant to that key pair.

Relevant to transmitting the new cookie, not to generating it.

That is the bone of contention.

Since the NTPD server has no TLS connections, it cannot use TLS
in generating C2S and S2C.

> It would be advisable to banish the bare word "key" from this 
> discussion, so that further confusion about which keys are which may
> be avoided.

Can't do that.

I would suggest that the bareword 'key' never be used.  But we need to
know we are using keys when we are using keys.  When we are using a key
that brings in a large amount of best practice that we must understand
and conform to.  Or else gather CVEs like grains of sand.

So "TLS master key", "master key", "C2S key" and "S2C key" are all
important, and very different concepts.  But still keys.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
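The following is an added illustration and is not code from this thread or from NTPsec. It sketches the key separation the two messages above are arguing about: the NTS-KE side derives the C2S/S2C pair from material it can only get from its live TLS session, wraps the pair in a cookie under a master key, and the NTPD server, which has no TLS session at all, needs nothing but the same master key to recover C2S/S2C from the cookie. A key id in the cookie lets the master key rotate while old cookies still open for a grace period; a cookie under a retired key id is the case where the NTPD server would send the KOD mentioned above so the client re-runs NTS-KE. Assumptions: 32-byte keys, HMAC-SHA256 HKDF-Expand standing in for the TLS key exporter (the real exporter label and context bytes are NTS-KE's business, not NTPD's), and a toy encrypt-then-MAC cookie wrapper in place of the AEAD a real implementation would use; the exporter secret and master keys are constructed sample values.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Tuple

KEY_LEN = 32      # length of each of C2S and S2C (assumption)
NONCE_LEN = 16    # per-cookie nonce for the toy cookie wrapper
TAG_LEN = 32      # HMAC-SHA256 tag
KEY_ID_LEN = 4    # master key id carried in the clear at the front of the cookie


def hkdf_expand(secret: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256. Here it stands in for the TLS
    key exporter: only the party holding the TLS session secret can run it."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_c2s_s2c(tls_exporter_secret: bytes) -> Tuple[bytes, bytes]:
    """NTS-KE only: C2S and S2C come out of the TLS session; the trailing context
    byte (0x00 / 0x01) is what keeps the two directions distinct (assumed labels)."""
    label = b"EXPORTER-network-time-security"
    return hkdf_expand(tls_exporter_secret, label + b"\x00"), hkdf_expand(tls_exporter_secret, label + b"\x01")


class MasterKeyRing:
    """Master keys shared out of band between NTS-KE and NTPD. rotate() installs a
    new current key and keeps the last `keep` keys so in-flight cookies still open."""

    def __init__(self, keep: int = 2) -> None:
        self.keys: Dict[int, bytes] = {}
        self.current_id = 0
        self.keep = keep

    def rotate(self, new_key: bytes) -> int:
        self.current_id += 1
        self.keys[self.current_id] = new_key
        for old_id in sorted(self.keys):          # drop the oldest beyond the grace window
            if len(self.keys) <= self.keep:
                break
            del self.keys[old_id]
        return self.current_id


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC subkeys so the master key itself is never used directly.
    return (hmac.new(master, b"cookie-enc", hashlib.sha256).digest(),
            hmac.new(master, b"cookie-mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC; a real cookie would use a proper AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_cookie(ring: MasterKeyRing, c2s: bytes, s2c: bytes) -> bytes:
    """NTS-KE side: wrap C2S||S2C under the current master key. Layout:
    key_id || nonce || ciphertext || tag, with key_id and nonce authenticated."""
    key_id = ring.current_id
    enc_key, mac_key = _subkeys(ring.keys[key_id])
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = c2s + s2c
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = key_id.to_bytes(KEY_ID_LEN, "big") + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_cookie(ring: MasterKeyRing, cookie: bytes) -> Tuple[bytes, bytes]:
    """NTPD server side: no TLS involved, only the shared master key ring.
    Raises ValueError for a malformed, tampered, or stale-key cookie (KOD case)."""
    if len(cookie) != KEY_ID_LEN + NONCE_LEN + 2 * KEY_LEN + TAG_LEN:
        raise ValueError("malformed cookie")
    key_id = int.from_bytes(cookie[:KEY_ID_LEN], "big")
    master = ring.keys.get(key_id)
    if master is None:
        raise ValueError("unknown master key id; client must re-run NTS-KE")
    enc_key, mac_key = _subkeys(master)
    header = cookie[:KEY_ID_LEN + NONCE_LEN]
    ciphertext, tag = cookie[len(header):-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time compare
        raise ValueError("cookie authentication failed")
    nonce = header[KEY_ID_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext[:KEY_LEN], plaintext[KEY_LEN:]


def run_flow() -> dict:
    """End-to-end walk-through with constructed secrets; returns what each step showed."""
    ring = MasterKeyRing(keep=2)               # same ring object stands in for both daemons
    ring.rotate(b"\x11" * 32)                  # constructed master key #1
    c2s, s2c = derive_c2s_s2c(b"constructed TLS exporter secret")   # NTS-KE side
    cookie = seal_cookie(ring, c2s, s2c)
    recovered = open_cookie(ring, cookie) == (c2s, s2c)              # NTPD side, no TLS
    tampered = bytearray(cookie)
    tampered[30] ^= 1                                                # flip a ciphertext bit
    try:
        open_cookie(ring, bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    ring.rotate(b"\x22" * 32)                  # rotation: old cookie still opens
    survives_one_rotation = open_cookie(ring, cookie) == (c2s, s2c)
    ring.rotate(b"\x33" * 32)                  # key #1 now retired: KOD / re-run NTS-KE
    try:
        open_cookie(ring, cookie)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"recovered": recovered, "tamper_rejected": tamper_rejected,
            "survives_one_rotation": survives_one_rotation, "stale_rejected": stale_rejected,
            "directions_differ": c2s != s2c}
```

The point of the split is visible in the signatures: `derive_c2s_s2c` takes TLS-session material and is only ever called on the NTS-KE side, while `open_cookie` takes nothing but the master key ring, which is exactly the one thing that has to be shared with the NTPD server.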