On 2014-01-22, ardi <[email protected]> wrote:
> Is it possible to generate and use all types of authentication keys
> (IFF,GQ,MV) at the same time on ntp server and client? Will usage of
> all these keys give more secure protection than usage of only one type
> of them?

tl;dr: no.

Autokey is an NTP authentication system which allows an ntpd to verify the identity of the ntpd answering its polls. To put it another way, Autokey authenticates the server to the client.

From http://www.eecis.udel.edu/~mills/autokey.html

"The Autokey security model is based on multiple overlapping security compartments or groups. Each group is assigned a group key by a trusted authority and is then deployed to all group members by secure means. Autokey uses conventional IPSEC certificate trails to provide secure host authentication, but this does not provide protection against masquerade, unless the host identity is verified by other means. Autokey includes a suite of identity verification schemes based in part on zero-knowledge proofs. There are five schemes now implemented to prove identity: (1) private certificates (PC), (2) trusted certificates (TC), (3) a modified Schnorr algorithm (IFF aka Identify Friendly or Foe), (4) a modified Guillou-Quisquater algorithm (GQ), and (5) a modified Mu-Varadharajan algorithm (MV). These are described on the Identity Schemes page."

From http://www.eecis.udel.edu/~mills/ident.html

"Each of the five schemes is intended for specific use."

"The PC scheme is intended for one-way broadcast configurations where clients cannot run a duplex protocol."

"The IFF scheme is intended for servers operated by national laboratories."

"The GQ scheme is intended for exceptionally hostile scenarios where it is necessary to change the client key at relatively frequent intervals."

"The MV scheme is intended for the most challenging scenarios where it is necessary to protect against both server and client masquerade."

More at the above URLs and:

http://www.eecis.udel.edu/~mills/database/reports/stime/stime.pdf

-- 
Steve Kostecke <[email protected]>
NTP Public Services Project - http://support.ntp.org/
