[ntpwg] Autokey-Protocol Analysis

Danny Mayer mayer at ntp.org
Wed Aug 3 04:00:50 UTC 2011 

On 8/2/2011 4:11 PM, Stephen Röttger wrote:
> Hello everyone,
> 
> Since the discussion about the Autokey-Protocol in June ended abruptly,

Sorry about that. It wasn't meant to leave this dragging. July tends to
be the start of a lot of people's holidays but you weren't forgotten. In
fact the subject was mentioned last week at the IETF Conference.

> we want to inform you, that we finished our analysis of the protocol and
> found several weaknesses, that render it completely useless.
> Our analysis is in German, but if you are interested in it, we can
> summarize the weaknesses for you.

It's really important to understand what these are. So if you can send
us a pointer to the paper even if in German and also tell us here what
you perceive the weaknesses are we can make a start on resolving the issues.

> 
> In addition, we came up with some changes to the protocol, that mitigate
> the vulnerabilities and would like to present you a revised
> Autokey-protocol.
> The changes are:
> 
> -Use the Clients Public Key used for cookie-encryption as input to the
> cookie calculation. For example, calculate the Cookie as
>   C = H(PubKey, ServerSeed).

Why do you think that it is necessary to go to all this trouble and
Where would the server get the client's public key?

> 
> -Change the length of Cookie and Server Seed from 32 to 128 bit.
> 
Fine but what does it really buy us?

> -Replace the Identity Schemes with a common X.509 PKI, where the Clients
> are in possession of certificates of Trusted Authorities
> 

Does the PKI depend on reliable timm?

> -Let the Signature included in extension fields cover the whole NTP-packet
> 

You need a way to signal this.

> -(optional) use HMAC for MAC-calculation and switch the used
> Hash-Algorithms to SHA-256

This has already been raised as an issue. We believe it's just a minor
issue in the reference implementation and the protocol already supports
this. We don't believe that it is necessary to change the protocool for
this.

Danny
> 
> Regards,
> Dieter Sibold and Stephen Röttger

More information about the ntpwg mailing list