On 2/3/19 9:50 AM, Richard Laager wrote:
> On 2/3/19 12:34 AM, Richard Laager wrote:
> So, given the current design of the NTS cookie replacement algorithm,
> it's not going to be possible to _statelessly_ (which is a hard
> requirement) maintain a counter-based nonce.
I gave this some more thought
On 2/3/19 12:34 AM, Richard Laager wrote:
> For the server to client direction, we would have to store the counter
> state in the cookie. Given that cookies are preallocated, this would
> take _two_ numbers: the current counter value to use with that cookie
> and the maximum counter value issued.
Hal, does Daniel have any comment on the suitability of the new
AES-GCM-SIV for cookies and/or NTP packets?
Upon further research, even setting aside the message count topic,
AES-GCM is probably inappropriate for the cookie encryption.
The AES-GCM RFC (RFC 5116) says (page 13):
The inad
On 2/2/19 9:09 PM, Gary E. Miller via devel wrote:
>> In the context of
>> attacks on C2S/S2C, if the client willingly shares C2S/S2C in
>> plaintext with someone else (other than the server), the client has
>> already compromised C2S/S2C by its own actions. There is nothing in
>> the protocol whic
Yo Richard!
On Sat, 2 Feb 2019 20:50:15 -0600
Richard Laager via devel wrote:
> [I have re-ordered the quoted text to fit my response ordering.]
>
> On 2/2/19 7:13 PM, Gary E. Miller via devel wrote:
> >> Hal's comments and the quote from Daniel are about whether it is
> >> necessary to require
[I have re-ordered the quoted text to fit my response ordering.]
On 2/2/19 7:13 PM, Gary E. Miller via devel wrote:
>> Hal's comments and the quote from Daniel are about whether it is
>> necessary to require rotation of C2S/S2C, not K.
>
> Yes.
This discussion was originally about why it is not
Yo Hal!
On Sat, 02 Feb 2019 17:00:46 -0800
Hal Murray via devel wrote:
> Gary said:
> > The whole point is that the client knows the C2S and S2C.
> > Otherwise he can not key a session to the NTPD server. That is the
> > plaintext. And he has the cookie, with the algorithm used to make
> > it.
Yo Richard!
On Sat, 2 Feb 2019 18:42:52 -0600
Richard Laager via devel wrote:
> On 2/2/19 6:25 PM, Gary E. Miller via devel wrote:
> > On Sat, 02 Feb 2019 16:15:49 -0800
> > Hal Murray wrote:
> >
> >> Gary said:
> >>> Nothing says that a single cookie could not be used by a farm of
> >>> c
Gary said:
> The whole point is that the client knows the C2S and S2C. Otherwise he can
> not key a session to the NTPD server. That is the plaintext. And he has the
> cookie, with the algorithm used to make it. That is the ciphertext.
So if the client knows the C2S and S2C, what is he trying
On 2/2/19 6:25 PM, Gary E. Miller via devel wrote:
> On Sat, 02 Feb 2019 16:15:49 -0800
> Hal Murray wrote:
>
>> Gary said:
>>> Nothing says that a single cookie could not be used by a farm of
>>> clients to push the cookies per second into the thousands.
>>
>>> Then add that this is millions o
Yo Hal!
On Sat, 02 Feb 2019 16:15:49 -0800
Hal Murray wrote:
> Gary said:
> > Nothing says that a single cookie could not be used by a farm of
> > clients to push the cookies per second into the thousands.
>
> > Then add that this is millions of known plaintext and known
> > ciphertext pairs T
Gary said:
> Nothing says that a single cookie could not be used by a farm of clients to
> push the cookies per second into the thousands.
> Then add that this is millions of known plaintext and known ciphertext pairs
> That is not what the key reuse calculations assume.
I'm missing a step. Ho