[ntp:questions] Re: hacking NTP autokey with / without IFF

manel_torralba at mail.com manel_torralba at mail.com
Mon Jan 10 09:08:24 UTC 2005

Hi Dave,

Em... I am dumber than you think, given your advanced answer. I am not
yet enlightened.

Basically I am trying to derive some very practical "do´s and don´ts"
from the IFF Autokey schema. But I don´t really understand it well.
The texts assume the reader has quite a bit of context....

The best phrase that comes close in your documentation is this:

"The TA generates IFF parameters and keys and distributes them by
secure means to all servers, then removes the group key and
redistributes these data to dependent clients. Without the group key a
client cannot masquerade as a legitimate server."

Say I am setting this up in host S. I run ntp-keygen -T -I and then
ntp-keygen -e > ntpkey_S_IFF_for_clients. Then I go to the client C and
run ntp-keygen, and copy over ntpkey_S_IFF_for_clients (from S). I set
up all the links and init files and I have the following files:

Server S: ntpkey_cert_S, ntpkey_host_S, ntpkey_IFF_S
Client C: ntpkey_cert_C, ntpkey_host_C, ntpkey_S_IFF_for_clients

So If I want to hack the entire community of S´s clients, and
impersonate S, what files do I need ?

- Do I need ntpkey_cert_S + ntpkey_host_S + ntpkey_IFF_S ?
- Do I need ntpkey_host S + ntpkey_IFF_S ?
- Is ntpkey_IFF_S enough ?


Manel T.

More information about the questions mailing list