LibreMail

John GilmoreThere is an effort underway to design and standardize improved methods of securing the NTP time-synchronization protocol. Here's an overview of the effort, plu 19/05/2019

John Gilmore <gnu@toad.com> to cryptography@metzdowd.com, gnu@toad.com 19/05/2019

There is an effort underway to design and standardize improved methods of securing the NTP time-synchronization protocol. Here's an overview of the effort, plus pointers to a published RFC that documents the requirements that they are trying to satisfy, and to the current Internet-Draft: https://www.ietfjournal.org/a-new-security-mechanism-for-the-network-time-protocol/ https://www.rfc-editor.org/rfc/rfc7384.txt http://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp The draft protocol is being implemented now by two or more NTP implementations to begin interoperation testing. There is a long history of half-assed or broken crypto applied to various iterations of NTP (pre-shared keys, Autokey, etc). None has yet had that essential combination of ease of deployment and lack of vulnerability. Before this gets standardized and deployed, has anybody on this list analyzed the threat model and the draft mechanisms to see if they would actually accomplish the goal of cryptographically securing the worldwide accurate time distribution overlay network? John _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Phillip Hallam-BakerOn Sun, May 19, 2019 at 5:57 PM John Gilmore wrote: > There is an effort underway to design and standardize improved methods > of securing the NTP time-synchr 19/05/2019

Phillip Hallam-Baker <phill@hallambaker.com> to John Gilmore 19/05/2019

On Sun, May 19, 2019 at 5:57 PM John Gilmore <gnu@toad.com> wrote: > There is an effort underway to design and standardize improved methods > of securing the NTP time-synchronization protocol. Here's an overview > of the effort, plus pointers to a published RFC that documents the > requirements that they are trying to satisfy, and to the current > Internet-Draft: > > > https://www.ietfjournal.org/a-new-security-mechanism-for-the-network-time-protocol/ > https://www.rfc-editor.org/rfc/rfc7384.txt > http://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp > > The draft protocol is being implemented now by two or more NTP > implementations to begin interoperation testing. > > There is a long history of half-assed or broken crypto applied to various > iterations of NTP (pre-shared keys, Autokey, etc). None has yet had that > essential combination of ease of deployment and lack of vulnerability. > > Before this gets standardized and deployed, has anybody on this list > analyzed the threat model and the draft mechanisms to see if they would > actually accomplish the goal of cryptographically securing the > worldwide accurate time distribution overlay network? > Let us step back and ask what the actual security requirements are. I don't think they are quite the same as what secure-NTP would provide. There are three separate issues: 1) Is the current time after time t1? 2) Is the current time before t2? 3) Did event A happen before or after event B? For purposes of preventing replay attacks, use of expired credentials, etc. it is usually acceptable to have the current time correct to a few hours. For purposes of timestamping logs, etc, I would normally want the time to be correct to ten seconds or better. For purposes of performing transaction processing, I don't need time at all to decide if A happened before B, I need a transaction log. So the sort of answers I am looking at are very much more along the lines of 'blockchain without the inefficiency of proof of work, stake, etc.' Since the time is a subjective quantity, this is an area where some form of trusted party is going to be inevitable but we can use meta-notary type techniques to produce ridiculously high work factors. _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Peter GutmannPhillip Hallam-Baker writes: >Let us step back and ask what the actual security requirements are. I don't >think they are quite the same as what secure-NTP w 19/05/2019

Peter Gutmann <pgut001@cs.auckland.ac.nz> to Phillip Hallam-Baker, John Gilmore 19/05/2019

Phillip Hallam-Baker <phill@hallambaker.com> writes: >Let us step back and ask what the actual security requirements are. I don't >think they are quite the same as what secure-NTP would provide. Read the linked requirements docs, I think they've covered things pretty well (almost unheard of for IETF security standards, they've published a comprehensive analysis and threat model before designing a solution). In particular the first ref discusses both time-critical and security-critical applications, where you need millisecond or better synchronisation and protection against possibly quite motivated attackers. Peter. _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

LibreMail

[Cryptography] Network Time Protocol security Crypto

Move Messages

Apply Labels