[ntp:hackers] SHA1 for symmetric keys?

Danny Mayer mayer at ntp.org
Mon Dec 14 17:42:23 UTC 2015

On 12/14/2015 4:49 AM, Miroslav Lichvar wrote:
> On Thu, Dec 10, 2015 at 12:04:32PM -0500, Danny Mayer wrote:
>> On 12/10/2015 1:55 AM, Miroslav Lichvar wrote:
>>> ntpd supports SHA1 keys when it's compiled with openssl support. Keys
>>> can be generated by ntp-keygen or they can be created manually, but be
>>> sure they are long and random enough. These days, when GPUs can brute
>>> force billions of SHA1 keys per second, a random key using only 8
>>> alphanumeric characters could be found in few hours or days.
>> That would require going to a different algorithm like SHA-256 or
>> better.
> What would require that? Wouldn't switching to SHA-256 or a better hash 
> slow down the brute force attack only by a constant factor? Looking at
> the GPU hashing rates, SHA-256 seems to be about three times slower
> than SHA-1. That's worth less than two bits of entropy in the key.
There's limited usage for the MAC and is good enough for most situations
but a determined attacker cannot be so easily deterred.

> The protocol could be modified to use the hashing function repeatedly
> to significantly slow down the brute force attack, as crypt() does
> with passwords for instance, but that would likely open the server to
> DoS attacks.

Sure but it requires a change to how to create MAC and that's not so
simple as it requires backward compatibility.

>> I would note however that if
>> you do brute force attacks on the MAC, by the time you are done it's too
>> late to attack the recipient of the specific packet with a fake packet.
> Ok, but a MITM attacker would be looking for the key, not MAC for a
> specific packet. Once the key is known, MAC can be generated for any
> packet immediately.



More information about the hackers mailing list