[ntpwg] Stronger symmetric NTP authentication

David L. Mills mills at udel.edu
Tue Dec 2 13:04:46 UTC 2008 

Manav,

Will you read my messages again? I don't disagree it would be a good 
idea to implement a 20-octet digest; in fact, as I said previously, 
there are already provisions for that in the design to suppor that. 
However, in the wisdom of good engineering design and utilization of 
current resources, this is not likely to be done soon. There are lots of 
other projects of importance in the evolution of NTP and this is not one 
of urgent priority. An advocacy to implement a 20-octet digest based 
purely on he perceived hazard of possible masquerade without 
consideration of the overall security hazard is simply not a good 
engineering strategy.

If your point is that NIST says SHA is good and MD5 is bad based on 
nothing other than demonstration that it is possible so spoof a digest 
with a contrived but necessarily invalid NTP message, then I suggest 
there is something seriously wrong with the security analysis. This 
point is stressed in the course I teach on computer security.

Dave

DaeBhatia, Manav (Manav) wrote:

> Tony,
>
>> This is not applicable to most usages of HMAC-MD5 for two
>> very good reasons:
>
>
> If you read draft-ietf-ntp-ntpv4-proto-11 you will realize that NTP uses
> MD5 and not HMAC-MD5.
>
> I totally agree that the attacks may not necessarily result in direct
> vulnerabilities in MD5 as used in NTP authentication purposes, because
> the colliding message may not necessarily be a syntactically correct
> protocol packet. However, there is a need felt to move away from MD5
> towards more complex and difficult to break hash algorithms and I was
> just trying to propose an extension that does just that. One cannot
> always assume that the authentication data would *always* be just 16
> octets (unless somebody is thinking of truncating the SHA hash :))
>
> At the very least, NTP should be using the HMAC construct along with MD5
> as against plain MD5 that the spec mandates.
>
> Cheers, Manav
>
>> -----Original Message-----
>> From: Tony Li [mailto:tony.li at tony.li]
>> Sent: Tuesday, December 02, 2008 8.26 AM
>> To: Bhatia, Manav (Manav); 'David L. Mills'
>> Cc: ntpwg at lists.ntp.org
>> Subject: RE: [ntpwg] Stronger symmetric NTP authentication
>>
>>
>>
>> Hi all,
>>
>>
>> |Current NTP specs provide provision for only MD5 digests (16 octets).
>> |This is not good enough, as there have been attacks found against MD5
>> |and the IETF community is moving away from this towards stronger hash
>> |algorithms (HMAC-SHA-1, HMAC-SHA-224, etc).
>>
>>
>> This is vastly misleading. The literature documents the
>> ability to find
>> collisions against straight MD5 hashing. Thus, given a
>> plaintext block and
>> a hash result, it is possible to compute a specific alternate
>> plaintext
>> block that would produce the same hash result.
>>
>> This is not applicable to most usages of HMAC-MD5 for two
>> very good reasons:
>> first, there is typically a password or other key material
>> concatenated with
>> the plaintext block before hashing. The password is presumably not
>> available to the attacker. [If it is, the algorithm is
>> irrelevant. ;-)]
>> No one has demonstrated a technique for determining a
>> collision to a fixed
>> plaintext block modification that is also hashed by key
>> material. Thus,
>> given a valid packet, there is still no documented way to
>> tweak that packet
>> and have it pass authentication.
>>
>> Second, no one has demonstrated the ability to generate valid
>> hashes of
>> plaintext blocks and key material without the actual access to the key
>> material. Instead, the alternate blocks that are generated
>> are unlikely to
>> be valid protocol structures in the first place, result in
>> parsing errors in
>> the protocol. Thus, there is no way to wholly forge a packet
>> and generate
>> correct authentication for it without the key.
>>
>> That said, as always with security, there is no such thing as
>> a perfect
>> algorithm and increasing the available algorithms is always a
>> good thing.
>> However, it is a vast misrepresentation to suggest that this
>> is a practical
>> necessity today. There is one single (tho large ;-) customer
>> that truly
>> requires SHA algorithms today. BTW, HMAC-SHA-1 has been
>> broken and the
>> customer is interested in the larger values.
>>
>> Tony
>>
>> P.s. This same scare tactic has been used in other IETF WG's.
>>
>>
> _______________________________________________
> ntpwg mailing list
> ntpwg at lists.ntp.org
> https://lists.ntp.org/mailman/listinfo/ntpwg

More information about the ntpwg mailing list