[ntp:hackers] UDel security
kostecke at ntp.isc.org
Mon May 16 05:52:41 PDT 2005
"David L. Mills" said:
>Steve Kostecke wrote:
>>My IFF key request page is at https://ntp.isc.org/crypto.php
>I saw your key page. It certainly does what is needed to fetch the key,
>but the key is for only one machine.
That key request page is intended to be operated by the Time Server
Operator. A CA would use a different approach.
>My hope would be to have the duly authorized server administrator
>upload the script including the key as part of name server list
>maintenance and clients be able to retrieve it as part of the
>lookup-name-select process. The client selects the password, which is
>presumably a different secret for every client.
The time server operators would have to provide both their IFFpar
file _and_ their crypto password to make it possible for us to export
the "group/client key" (IFFkey) encrypted with each client's password.
How many time server operators would be willing to entrust us with this
>All private key files, including the host key, sign key and group key,
>are stored in encrypted form using a password. Without the password
>they are of no use if stolen and used on another machine, either in or
>out of the group.
Theft of the "group/client key" is not the issue. The problem is that
because the exported "group/client key" is not bound to something such
as the user's IP address, there is nothing preventing an authorized user
from giving the group key and password to someone else.
>Note that it is very likely that a client/server will have multiple
>keys for different groups.
And each ntpd will have its own crypto password. That's why we need to
be able to export "group/client keys" on-the-fly.
>I see on the primary server list that the contact person is listed for
>all primary servers except the ones I administer. I am listed on the old
>lists from here. That doesn't matter; everybody knows who those servers
That was a deliberate omission to respect your wishes regarding
unnecessary dissemination of your e-mail address.
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project http://ntp.isc.org/
Public Key at http://ntp.isc.org/Users/SteveKostecke