First round of my stupid questions about NTS

Gary E. Miller gem at rellim.com
Sat Jan 19 03:17:09 UTC 2019


Yo Hal!

On Fri, 18 Jan 2019 19:07:58 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> > Once again: there is no TLS session between NTPD client and NTPD
> > server. Once again: the NTPD server must generate new keys withour
> > TLS.   
> 
> No, it reuses the old S2C and C2S.  (that it gets from decrypting the
> cookie)

Maybe, but where does the Proposed RFC say that?

Worse if you keep reusing the same C2S and S2C keys then the master
key becomes vulnberable to a "known plaintext" type of attack.  The
"plaintext" is not known, but knowing it is unchanged, and used withj
multiple master keys is not gonna fly.

> > We use the algorithm of RFC 5705, but in a context with no TLS.  
> 
> That doesn't make sense.  RFC 5705 assumes there is a TLS session.

And, yet, there is no TLS connection between the NTPD client and NTPD
server!

So, how do you resolve that contradiction?  Knowing that you can not
reuse the C2S and S2C.

I simple replace "TLS master key" with "NTPD master key" and the
problems go away.

And how does the NTPD server know the ephemeral TLS master key that
you used betweeen the NTS-KE and NTPD client?  The NTPD server needs
it to decrypt the cookie to get to the C2S and S2C.

Stop looking at the one tree, figure out how the forest works.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190118/3837f26c/attachment.bin>


More information about the devel mailing list