I believe we already agree that NTS-KE generates cookies and that the generation process requires C2S and S2C. The question is where C2S and S2C come from.
On 1/18/19 7:26 PM, Gary E. Miller via devel wrote:
> Yes, just for THAT session. And only for NTS-KE connections. No
> NTPD client to NTPD server TLS session ever exists.

The client connects to the NTS-KE server over TLS. The TLS session master_secret, client_random, and server_random are used (through the TLS session's PRF) by client and server to derive C2S and S2C as previously described, using the RFC 5705 algorithm.

From section 1.2 of draft-ietf-ntp-using-nts-for-ntp-15:

"The typical protocol flow is as follows: The client connects to an NTS-KE server on the NTS TCP port and the two parties perform a TLS handshake. Via the TLS channel, the parties negotiate some additional protocol parameters and the server sends the client a supply of cookies along with a list of one or more IP addresses to NTP servers for which the cookies are valid. The parties use TLS key export [RFC5705] to extract key material which will be used in the next phase of the protocol. This negotiation takes only a single round trip, after which the server closes the connection and discards all associated state. At this point the NTS-KE phase of the protocol is complete. Ideally, the client never needs to connect to the NTS-KE server again."

--
Richard
_______________________________________________ devel mailing list [email protected] http://lists.ntpsec.org/mailman/listinfo/devel
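As an added illustration of the derivation Richard describes (not code from the thread or from NTPsec), the following Python implements the TLS 1.2 PRF (P_SHA256 from RFC 5246) and the RFC 5705 exporter, then derives C2S and S2C from the master_secret, client_random and server_random. The exporter label and the five-octet context (protocol ID, AEAD ID, direction) are taken from the published RFC 8915 and are assumptions here; draft-15 may use a different label, and the key material values are constructed sample inputs.

```python
import hashlib
import hmac
import struct


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash with SHA-256 (RFC 5246, section 5).
    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output is the
    concatenation of HMAC(secret, A(i) + seed), truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_exporter(master_secret: bytes, client_random: bytes,
                   server_random: bytes, label: bytes,
                   context: bytes, length: int) -> bytes:
    """RFC 5705 keying-material exporter for TLS 1.2 (with context):
    PRF(master_secret, label,
        client_random + server_random + len(context) + context)."""
    seed = (label + client_random + server_random
            + struct.pack("!H", len(context)) + context)
    return p_sha256(master_secret, seed, length)


# Assumed from RFC 8915 section 4.3; draft-15 may spell the label differently.
NTS_EXPORTER_LABEL = b"EXPORTER-network-time-security"
NTPV4_PROTOCOL_ID = 0
AEAD_AES_SIV_CMAC_256 = 15   # IANA AEAD registry numeric identifier


def derive_nts_keys(master_secret: bytes, client_random: bytes,
                    server_random: bytes, aead_id: int = AEAD_AES_SIV_CMAC_256,
                    key_len: int = 32) -> dict:
    """Both NTS-KE peers run this over the same TLS session parameters, so
    each ends up with identical C2S and S2C keys without ever sending them."""
    keys = {}
    for name, direction in (("C2S", 0x00), ("S2C", 0x01)):
        # Context: 2-octet protocol ID, 2-octet AEAD ID, 1-octet direction.
        context = struct.pack("!HHB", NTPV4_PROTOCOL_ID, aead_id, direction)
        keys[name] = tls12_exporter(master_secret, client_random,
                                    server_random, NTS_EXPORTER_LABEL,
                                    context, key_len)
    return keys


# Constructed sample TLS session parameters (not real handshake values).
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x01" * 32
SAMPLE_SERVER_RANDOM = b"\x02" * 32
```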
