[ntpwg] Autokey-Protocol Analysis

[todd glassey]

On 8/2/2011 9:00 PM, Danny Mayer wrote:
> On 8/2/2011 4:11 PM, Stephen Röttger wrote:
>> Hello everyone,
>>
>> Since the discussion about the Autokey-Protocol in June ended abruptly,
> Sorry about that. It wasn't meant to leave this dragging. July tends to
> be the start of a lot of people's holidays but you weren't forgotten. In
> fact the subject was mentioned last week at the IETF Conference.
>
>> we want to inform you, that we finished our analysis of the protocol and
>> found several weaknesses, that render it completely useless.
>> Our analysis is in German, but if you are interested in it, we can
>> summarize the weaknesses for you.
> It's really important to understand what these are. So if you can send
> us a pointer to the paper even if in German and also tell us here what
> you perceive the weaknesses are we can make a start on resolving the issues.
>
>> In addition, we came up with some changes to the protocol, that mitigate
>> the vulnerabilities and would like to present you a revised
>> Autokey-protocol.
>> The changes are:
>>
>> -Use the Clients Public Key used for cookie-encryption as input to the
>> cookie calculation. For example, calculate the Cookie as
>>    C = H(PubKey, ServerSeed).
> Why do you think that it is necessary to go to all this trouble
As to why, it brings NTP into compliance as another tool using the x509 
identity control models.  This means that parties running NTP as a part 
of a larger practice can use the same identity sets for everything 
making this model more easily audited.
> and
> Where would the server get the client's public key?

As to how , there are any number of ways this can be resolved including 
a new Key Lookup Request Type fo' verifying 'right to connect' type acl 
controls.
>> -Change the length of Cookie and Server Seed from 32 to 128 bit.
>>
> Fine but what does it really buy us?
A better and larger key seed (or nonce) .
>> -Replace the Identity Schemes with a common X.509 PKI, where the Clients
>> are in possession of certificates of Trusted Authorities
>>
> Does the PKI depend on reliable timm?
It would depend on how long the cert is valid for so yes it can

>> -Let the Signature included in extension fields cover the whole NTP-packet
>>
> You need a way to signal this.
>
Agreed but its doable.
>

>> Dieter Sibold and Stephen Röttger
> _______________________________________________
> ntpwg mailing list
> ntpwg at lists.ntp.org
> http://lists.ntp.org/listinfo/ntpwg
>


-- 
Todd S. Glassey
This is from my personal email account and any materials from this account come with personal disclaimers.

Further I OPT OUT of any and all commercial emailings.