SHA1 for symmetric keys?

Miroslav Lichvar
Mon Dec 14 09:49:29 UTC 2015

On Thu, Dec 10, 2015 at 12:04:32PM -0500, Danny Mayer wrote:
> On 12/10/2015 1:55 AM, Miroslav Lichvar wrote:
> > ntpd supports SHA1 keys when it's compiled with openssl support. Keys
> > can be generated by ntp-keygen or they can be created manually, but be
> > sure they are long and random enough. These days, when GPUs can brute
> > force billions of SHA1 keys per second, a random key using only 8
> > alphanumeric characters could be found in a few hours or days.
> > 
> That would require going to a different algorithm like SHA-256 or
> better.

What would require that? Wouldn't switching to SHA-256 or a better hash
slow down the brute force attack only by a constant factor? Looking at
the GPU hashing rates, SHA-256 seems to be about three times slower
than SHA-1. That's worth less than two bits of entropy in the key.

The protocol could be modified to use the hashing function repeatedly
to significantly slow down the brute force attack, as crypt() does
with passwords for instance, but that would likely open the server to
DoS attacks.

> I would note however that if
> you do brute force attacks on the MAC, by the time you are done it's too
> late to attack the recipient of the specific packet with a fake packet.

Ok, but a MITM attacker would be looking for the key, not the MAC for a
specific packet. Once the key is known, a MAC can be generated for any
packet immediately.

Miroslav Lichvar
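
The arithmetic behind the message above, as an added example that is not part of the original post. The guessing rates (1e9 and 1e10 per second), the 2**20 iteration count and the 40-hex-digit comparison key are assumed sample values, and the function names are hypothetical.

```python
import math

def keyspace(alphabet_size, length):
    """Number of distinct keys of this length over this alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Entropy in bits of a key drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def worst_case_hours(alphabet_size, length, guesses_per_second):
    """Hours needed to try every key at an assumed guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600

def slowdown_bits(factor):
    """Key bits that a hash slower by a constant factor is equivalent to."""
    return math.log2(factor)

def iteration_tradeoff(iterations):
    """Iterated hashing: (bits gained against guessing, per-packet cost multiplier).

    The multiplier applies to the server too, which is the DoS concern.
    """
    return math.log2(iterations), iterations

if __name__ == "__main__":
    # 8 alphanumeric characters: a-z, A-Z, 0-9 gives an alphabet of 62.
    print(f"8 alphanumeric chars: {entropy_bits(62, 8):.1f} bits")
    for rate in (1e9, 1e10):  # assumed GPU rates, "billions per second"
        hours = worst_case_hours(62, 8, rate)
        print(f"  exhausted in {hours:.1f} h at {rate:.0e} guesses/s")

    # A hash that is three times slower buys less than two bits.
    print(f"3x slower hash: +{slowdown_bits(3):.2f} bits")

    # Iterating the hash helps, but every packet costs the server the same factor.
    bits, cost = iteration_tradeoff(2 ** 20)
    print(f"2**20 iterations: +{bits:.0f} bits, server work x{cost}")

    # Assumed comparison: a random key of 40 hex digits (160 bits).
    print(f"40 random hex digits: {entropy_bits(16, 40):.0f} bits")
```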

