On Mon, Sep 26, 2011 at 23:58, <[email protected]> wrote:
> The documentation states that MD5 keys will be less than or equal to 16
> characters in length, and consist of printable ASCII characters and
> be terminated by whitespace or #. Yet the output of 'ntp-keygen -M',
> and the examples shown in the documentation are all 20 characters in
> length. Can anyone explain the difference, and what is the correct
> length for the md5 keys?
I hope Dr. Mills will respond directly, but I can tell you what the code actually does in 4.2.6/4.2.7.

For quite some time, MD5 was the only digest algorithm implemented by ntpd, ntpdc, and ntpq for symmetric authentication. MD5 digests (hashes) are 16 bytes in length. Late in the 4.2.5 (ntp-dev) period, the reference implementation added support for using any digest algorithm your OpenSSL library provides, when built to use OpenSSL (as is default). Without OpenSSL, ntpd still provides MD5-only symmetric authentication. Most of these newly-available-to-ntpd digest algorithms, such as SHA1, generate 20-byte digests.

The digest size is not the same as the key length, but the two are related. If there are 20 bytes of digest signing my SHA1-authenticated NTP traffic, I want at least 20 bytes of key material to make cracking my key as difficult as possible. The same goes for MD5: you should want at least 16 bytes of key material, though more is better. At the time ntpd and friends began supporting 20-byte digests, ntp-keygen was changed to generate 20-byte keys, rather than 16.

ntp.keys and ntp-keygen reflect two ways of encoding key material: directly as ASCII, and encoded as hex. The hex encoding can represent all 8 bits per byte, while the printable/keyable ASCII form necessarily carries less than 8 bits of information. Note that ntp.keys is used by ntpd, but not by ntpq nor ntpdc, which require symmetric authentication of some operations. When configuring symmetric authentication between ntpd instances, use the more secure hex output of ntp-keygen. When configuring keys for use by ntpq or ntpdc, the printable ASCII form should be used, as the same key (in this context, password) must be typed or pasted to ntpq/ntpdc or provided on their command line.

When ntpd reads ntp.keys, the length of the provided key material determines its treatment. If it is 20 characters or less, it is treated as ASCII and used directly as the binary key material. If it is 21 characters or more, up to 40 characters are decoded from hex, resulting in up to 20 bytes of binary key material. No matter the encoding, no more than 20 bytes of key material are used.

Cheers,
Dave Hart

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
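The following Python is an added illustration of the length rule Dave describes above; it is not code from the post, from ntpd or from ntp-keygen. It parses a constructed ntp.keys file, applies the "20 characters or less is ASCII, 21 or more is hex with at most 40 digits decoded" treatment, estimates how much entropy each encoding can carry per byte, and computes the resulting MAC. The sample key file, the 48-byte client header and all function names are assumptions made for the example; the MAC construction, digest(key || NTP header), is the one from RFC 5905 Appendix A and is not something the post itself discusses.

```python
"""Model of the ntp.keys treatment described in the post (added example, not ntpd code)."""
import binascii
import hashlib
import math
from typing import Dict, NamedTuple, Tuple

MAX_KEY_BYTES = 20                   # ntpd uses at most 20 bytes of key material
MAX_HEX_CHARS = 2 * MAX_KEY_BYTES     # so at most 40 hex characters are decoded
PRINTABLE_ASCII = 95                 # 0x20..0x7e, the alphabet a typed key is drawn from

# "M" is the legacy type letter for MD5 in ntp.keys; other types are OpenSSL digest names.
DIGEST_ALIASES = {"M": "md5"}

# Constructed sample key file (not from the original post).  '#' starts a comment.
SAMPLE_NTP_KEYS = """\
# keyno  type  key
1   MD5   Str0ngPa55w0rdH3r3!    # 19 printable chars: used as ASCII, 19 bytes
2   SHA1  p4ssw0rd               # 8 chars: legal, but only 8 bytes of key material
3   MD5   0123456789abcdef0123456789abcdef01234567    # 40 hex chars: 20 bytes
4   SHA1  deadbeefcafef00d0123456789abcdef0123456789  # 42 hex chars: only 40 decoded
"""

# Constructed 48-byte NTPv4 client header (LI=0, VN=4, mode=3), no real timestamps.
SAMPLE_PACKET = b"\x23" + b"\x00" * 47


class NtpKey(NamedTuple):
    keyno: int
    digest: str      # hashlib digest name, e.g. "md5" or "sha1"
    key: bytes       # binary key material ntpd would actually use
    encoding: str    # "ascii" or "hex", chosen purely by token length


def decode_key_material(token: str) -> Tuple[bytes, str]:
    """Length rule from the post: <= 20 chars is raw ASCII; >= 21 chars is hex,
    of which at most 40 characters (20 bytes) are decoded."""
    if len(token) <= MAX_KEY_BYTES:
        return token.encode("ascii"), "ascii"
    hex_part = token[:MAX_HEX_CHARS]
    if len(hex_part) % 2:
        raise ValueError(f"hex key must have an even number of digits: {token!r}")
    try:
        raw = binascii.unhexlify(hex_part)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key longer than {MAX_KEY_BYTES} chars must be hex: {token!r}") from exc
    return raw, "hex"


def parse_ntp_keys(text: str) -> Dict[int, NtpKey]:
    """Parse 'keyno type key' lines, stripping comments and blank lines."""
    keys: Dict[int, NtpKey] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # key ends at whitespace or '#'
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'keyno type key', got {raw!r}")
        keyno_s, type_s, token = fields
        digest = DIGEST_ALIASES.get(type_s, type_s.lower())
        if digest not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: digest {type_s!r} not available")
        key, encoding = decode_key_material(token)
        keys[int(keyno_s)] = NtpKey(int(keyno_s), digest, key, encoding)
    return keys


def key_strength_bits(k: NtpKey) -> float:
    """Upper bound on key entropy: 8 bits per hex-decoded byte, but at most
    log2(95) ~ 6.57 bits per printable ASCII character."""
    per_byte = 8.0 if k.encoding == "hex" else math.log2(PRINTABLE_ASCII)
    return len(k.key) * per_byte


def ntp_mac(k: NtpKey, packet: bytes) -> bytes:
    """Symmetric-key MAC per RFC 5905 Appendix A: digest(key || NTP header).
    Its length is the digest size (16 for MD5, 20 for SHA1), not the key size."""
    return hashlib.new(k.digest, k.key + packet).digest()


if __name__ == "__main__":
    for k in parse_ntp_keys(SAMPLE_NTP_KEYS).values():
        mac = ntp_mac(k, SAMPLE_PACKET)
        print(f"key {k.keyno}: {k.digest:5} {k.encoding:5} {len(k.key):2d} key bytes, "
              f"~{key_strength_bits(k):5.1f} bits, {len(mac)}-byte MAC {mac.hex()}")
```

Running it shows the point of the post directly: key 3 and key 4 both end up as 20 bytes (key 4's two trailing hex digits are silently ignored), while the 19-character ASCII key 1 tops out at roughly 125 bits even under the generous assumption that every character was chosen uniformly from the 95 printable ones. A 21-character token that is not valid hex is rejected rather than treated as ASCII, which is the trap an administrator falls into when a typed password happens to exceed 20 characters.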
