First round of my stupid questions about NTS

[Hal Murray]

Gary said:
>> No, it reuses the old S2C and C2S.  (that it gets from
>> decrypting the cookie)
> Maybe, but where does the Proposed RFC say that?

It doesn't suggest making new cookies either.

Even if you made new keys, they wouldn't work without an elaborate protocol.  
How do you get them to the NTP client?  There is nothing in the protocol that 
suggests passing new keys.  If you encrypt the new keys with the old keys, 
then you have to recover from lost packets.  ...


> Worse if you keep reusing the same C2S and S2C keys then the master key
> becomes vulnberable to a "known plaintext" type of attack.  The "plaintext"
> is not known, but knowing it is unchanged, and used withj multiple master
> keys is not gonna fly. 

I don't know the right crypto term.  It's something like lifetime.  How much 
cyphertext can you expose with the same key before an attacker gets enough 
data to work with?

It's one of the few loose ends I've noticed in the draft.  The client is the 
only one who knows how much data has been used with a key.  It can get new 
keys any time it wants by using NTS-KE.

-- 
These are my opinions.  I hate spam.