[ntpwg] Stronger symmetric NTP authentication
David L. Mills
mills at udel.edu
Tue Dec 2 13:44:29 UTC 2008
Manav,

One of the principles I teach in my course on computer security is the
necessity of transparency and layering.

As applied to NTP, this means the authentication at one layer should not
depend on the underlying layers. Thus, the question of whether to use
MD5 or some other digest algorithm should not depend on interpreting an
underlying layer, in this case an extension field. It should depend only
on the outer layer, in this case the syntactic rules that define the
packet format.

The NTP design is carefully layered so that the integrity of the packet
and extension fields is determined only by the packet syntax and digest
algorithm. Then, the integrity of the authentication scheme itself is
determined by the cryptographic protocol, in the intended case Autokey.
Then, the integrity of the packet itself is determined by the reverse
hashing scheme. Finally, the integrity of the packet payload is
confirmed by the values checks, in particular the loopback test. To
select the digest algorithm by inspecting the extension fields violates
this model.

Dave

Bhatia, Manav (Manav) wrote:
> Dave,
>
>> 1. Your suggestion seriously compromises the intended design that the
>> extension fields must be validated by the MAC and invites a circular
>> deconstruction. The design requires that the packet be validated without
>> inspection of the extension field contents.
>
>
> I think we're going in circles now.
>
> It's a trivial implementation tweak to check that if the new
> authentication scheme is employed then one of the extension fields would
> carry the authentication data. I can't seem to understand how this
> affects the core protocol design. We can't always assume that our digest
> would only be 16 octets.
>
> Cheers, Manav
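
The layering argued for above, sketched as an added example (not part of the thread and not taken from any NTP implementation): the outer layer locates and checks the MAC from the packet length and a key table alone, and extension fields are parsed only after that check passes. The key table, the secret || data digest construction, the constructed secrets and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header length in octets

# Hypothetical key table: the key ID alone selects the digest and the secret.
KEYS = {1: ("md5", b"constructed-secret-1"), 2: ("sha1", b"constructed-secret-2")}

def keyed_digest(algo, secret, data):
    # Assumed construction for this example: digest over secret || data.
    return hashlib.new(algo, secret + data).digest()

def build(header, ext_bytes, key_id):
    # Constructed sender side, used only to produce sample packets.
    algo, secret = KEYS[key_id]
    body = header + ext_bytes
    return body + struct.pack("!I", key_id) + keyed_digest(algo, secret, body)

def verify_outer(packet):
    """Return (header, ext_bytes) once the MAC validates, else raise ValueError.

    Only the total length and the key table are consulted; extension field
    contents are never read before the MAC has been checked.
    """
    for size in sorted({hashlib.new(a).digest_size for a, _ in KEYS.values()}):
        body_len = len(packet) - 4 - size
        if body_len < HEADER_LEN or body_len % 4:
            continue
        (key_id,) = struct.unpack_from("!I", packet, body_len)
        algo, secret = KEYS.get(key_id, (None, None))
        if algo is None or hashlib.new(algo).digest_size != size:
            continue
        body, mac = packet[:body_len], packet[body_len + 4:]
        if hmac.compare_digest(mac, keyed_digest(algo, secret, body)):
            return body[:HEADER_LEN], body[HEADER_LEN:]
    raise ValueError("no valid MAC: packet rejected before any field is parsed")

def parse_extensions(ext_bytes):
    # Inner layer, run only on authenticated bytes: type(2) | length(2) | value.
    fields, off = [], 0
    while off < len(ext_bytes):
        ftype, flen = struct.unpack_from("!HH", ext_bytes, off)
        if flen < 4 or flen % 4 or off + flen > len(ext_bytes):
            raise ValueError("malformed extension field")
        fields.append((ftype, ext_bytes[off + 4:off + flen]))
        off += flen
    return fields
```

Because the digest length comes from the key table entry, a 20-octet digest is handled without consulting any extension field.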