Proposal to include additional cryptographic algorithms in the NTPSec implementation
Richard Laager
rlaager at wiktel.com
Sat Jan 25 03:35:47 UTC 2025
On 2025-01-24 18:30, Sarath _Msft_ via devel wrote:
> I am a software engineer with Microsoft Corporation.

I'm not a crypto expert nor am I speaking on behalf of the NTPsec
project, so take this with an appropriately sized grain of salt. ;)

> As I understand it, the current NTPSec implementation supports only
> the AEAD_AES_SIV_CMAC algorithms of various cipher lengths. I propose
> including support for AEAD_AES_128_GCM, AEAD_AES_256_GCM,
> AEAD_AES_128_CCM and AEAD_AES_256_CCM algorithms in this implementation.

My initial reaction was: doesn't NTS specify the exact algorithms, like
TLS 1.3 does? After looking at the RFC, apparently not. But it's close.
The RFC does specifically say that "Server implementations... MUST
support AEAD_AES_SIV_CMAC_256." (RFC 8915, section 4.1.5).

> These specific algorithms are implemented in both OpenSSL library and
> Microsoft's SymCrypt Library (https://github.com/microsoft/SymCrypt),
> whereas the AEAD_AES_SIV_CMAC algorithms are not.

You don't seem to have proposed building NTPsec against SymCrypt. So it
seems that you are suggesting some other NTS implementation, perhaps
written by Microsoft, will use the SymCrypt library, which does not
support AES SIV. Are you suggesting that:

A) a /server/ implementation will exist that does not support AES SIV
/as required by the standard/ and NTPsec should expand its algorithm
support /as a client/ to interoperate with such a server?

B) a /client/ implementation will exist that does not support AES SIV and
NTPsec should expand its algorithm support /as a server/ to interoperate
with such a client?

If it's the latter, is this some specialty client, or is Microsoft
intending to add NTS support to Windows itself (but without AES SIV)?

For this to be widely useful, presumably you are making the same
proposal to multiple NTS implementations. Why go through all the work to
add AES-GCM and/or AES-CCM to multiple NTS implementations rather than
add AES-SIV to SymCrypt? Adding AES-SIV on your side would instantly
make you compatible with every server and presumably most clients.

Also, why both GCM and CCM modes?

--
Richard
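
Added example, not part of the original message and not NTPsec code: the NTS-KE AEAD Algorithm Negotiation record (RFC 8915, section 4.1.5) encoded and answered by a server that supports only the mandatory AEAD_AES_SIV_CMAC_256, showing what a GCM-only client gets back. The function names are hypothetical, and honouring the client's preference order is an assumption of this sketch.

```python
import struct

# Numeric identifiers from the IANA AEAD registry (RFC 5116, RFC 5297).
AEAD_IDS = {
    "AEAD_AES_128_GCM": 1, "AEAD_AES_256_GCM": 2,
    "AEAD_AES_128_CCM": 3, "AEAD_AES_256_CCM": 4,
    "AEAD_AES_SIV_CMAC_256": 15, "AEAD_AES_SIV_CMAC_384": 16,
    "AEAD_AES_SIV_CMAC_512": 17,
}
REC_AEAD = 4           # NTS-KE record type: AEAD Algorithm Negotiation
CRITICAL_BIT = 0x8000  # top bit of the 16-bit record type field


def encode_aead_record(names, critical=False):
    """Build the record: 16-bit type, 16-bit body length, 16-bit IDs."""
    body = b"".join(struct.pack("!H", AEAD_IDS[n]) for n in names)
    rtype = REC_AEAD | (CRITICAL_BIT if critical else 0)
    return struct.pack("!HH", rtype, len(body)) + body


def decode_aead_record(record):
    """Return the list of AEAD IDs carried in one record, validating lengths."""
    if len(record) < 4:
        raise ValueError("truncated record header")
    rtype, length = struct.unpack("!HH", record[:4])
    body = record[4:]
    if rtype & 0x7FFF != REC_AEAD:
        raise ValueError("not an AEAD Algorithm Negotiation record")
    if length != len(body) or length % 2:
        raise ValueError("body length mismatch or odd length")
    return [struct.unpack_from("!H", body, off)[0] for off in range(0, length, 2)]


def server_choose(request_record, server_supported):
    """Answer with the first offered algorithm the server supports.

    The response body is empty when there is no overlap, which is what
    the RFC specifies for a server that supports none of the offers.
    """
    offered = decode_aead_record(request_record)
    supported = {AEAD_IDS[n] for n in server_supported}
    chosen = next((i for i in offered if i in supported), None)
    body = b"" if chosen is None else struct.pack("!H", chosen)
    return struct.pack("!HH", REC_AEAD, len(body)) + body
```

A client that lists AEAD_AES_SIV_CMAC_256 anywhere in its offer negotiates successfully with every compliant server; one that offers only GCM or CCM identifiers receives the empty record from a SIV-only server.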