[ntpwg] Stronger symmetric NTP authentication
Danny Mayer
mayer at ntp.org
Tue Dec 30 05:15:24 UTC 2008
Bhatia, Manav (Manav) wrote:
> Tony,
>
>> This is not applicable to most usages of HMAC-MD5 for two
>> very good reasons:
>
> If you read draft-ietf-ntp-ntpv4-proto-11 you will realize that NTP uses
> MD5 and not HMAC-MD5.
>
> I totally agree that the attacks may not necessarily result in direct
> vulnerabilities in MD5 as used in NTP authentication purposes, because
> the colliding message may not necessarily be a syntactically correct
> protocol packet. However, there is a need felt to move away from MD5
> towards more complex and difficult to break hash algorithms and I was
> just trying to propose an extension that does just that. One cannot
> always assume that the authentication data would *always* be just 16
> octets (unless somebody is thinking of truncating the SHA hash :))
>
> At the very least, NTP should be using the HMAC construct along with MD5
> as against plain MD5 that the spec mandates.
>
> Cheers, Manav
The basic flaw in this argument is the assumption that MD5 is being used
for authentication. It isn't. It is only used to verify that the packet,
including the autokey information has not been modified in transit (or
spoofed). In many ways this is no different from a checksum. MD5 is only
being used as a digest, not an authentication mechanism. There are
enough bits in the packet to make the nonce effectively unspoofable. NTP
will drop a packet that does not meet the series of tests that ensure
that the packet is valid. You are endowing the MAC with attributes that
don't actually exist.
Danny
More information about the ntpwg
mailing list