On Thursday, January 23, 2014 5:13:42 AM UTC+1, Steve Kostecke wrote:
> On 2014-01-22, ardi <[email protected]> wrote:
>
> > Is it possible to generate and use all types of authentication keys
> > (IFF,GQ,MV) at the same time on ntp server and client? Will usage of
> > all these keys give more secure protection than usage of only one type
> > of them?
>
> tl,dr: no.
>
> Autokey is an NTP authentication system which allows an ntpd to verify
> the identity of the ntpd answering its polls. To put it another way,
> Autokey authenticates the server to the client.
>
> From http://www.eecis.udel.edu/~mills/autokey.html
>
> "The Autokey security model is based on multiple overlapping security
> compartments or groups. Each group is assigned a group key by a trusted
> authority and is then deployed to all group members by secure means.
> Autokey uses conventional IPSEC certificate trails to provide secure
> host authentication, but this does not provide protection against
> masquerade, unless the host identity is verified by other means. Autokey
> includes a suite of identity verification schemes based in part on
> zero-knowledge proofs. There are five schemes now implemented to prove
> identity: (1) private certificates (PC), (2) trusted certificates (TC),
> (3) a modified Schnorr algorithm (IFF aka Identify Friendly or Foe), (4)
> a modified Guillou-Quisquater algorithm (GQ), and (5) a modified
> Mu-Varadharajan algorithm (MV). These are described on the Identity
> Schemes page."
>
> From http://www.eecis.udel.edu/~mills/ident.html
>
> "Each of the five schemes is intended for specific use."
>
> "The PC scheme is intended for one-way broadcast configurations where
> clients cannot run a duplex protocol."
>
> "The IFF scheme is intended for servers operated by national
> laboratories."
>
> "The GQ scheme is intended for exceptionally hostile scenarios where it
> is necessary to change the client key at relatively frequent intervals."
>
> "The MV scheme is intended for the most challenging scenarios where it
> is necessary to protect against both server and client masquerade."
>
> More at the above URLs and:
>
> http://www.eecis.udel.edu/~mills/database/reports/stime/stime.pdf
>
> --
> Steve Kostecke <[email protected]>
> NTP Public Services Project - http://support.ntp.org/
Thanks for the replies to all of you. I am going to post questions for the most similar cases first to understand the behaviour of ntp server-client.

Peter

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
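The IFF scheme named in the quoted reply, as an added illustration that is not part of the thread and not ntpd's code: a toy-sized Python model of the modified Schnorr challenge/response as I read it from Mills' identity-schemes page. It shows what "authenticates the server to the client" means in practice: a client holding only the group's public parameters (p, q, g, v) can confirm that the responder knows the group private key b, and a responder using any other value is rejected. The group parameters are constructed toy values, many orders of magnitude smaller than what ntp-keygen generates, and the certificate exchange that wraps this in real Autokey is not modelled.

```python
"""Toy IFF (Identify Friend or Foe) identity exchange, modelled on the
description of the Autokey IFF scheme on Mills' identity-schemes page.
Added illustration, not code from ntpd or from the thread; the group
parameters below are constructed toy values, not ntp-keygen output."""
import secrets

# Constructed toy group: Q is prime, P = 2*Q + 1 is prime, and G = 4 is a
# quadratic residue mod P, so it generates the subgroup of prime order Q.
P = 1019
Q = 509
G = 4


def server_keygen(p=P, q=Q, g=G):
    """Trusted authority picks the group private key b and publishes
    v = g^(q-b) mod p.  In Autokey, servers hold (p, q, g, b) and clients
    receive only (p, q, g, v)."""
    b = secrets.randbelow(q - 1) + 1          # 1 <= b < q
    v = pow(g, q - b, p)
    return b, v


def client_challenge(q=Q):
    """Client sends a fresh random nonce r as the challenge."""
    return secrets.randbelow(q - 1) + 1       # 1 <= r < q


def server_response(b, r, p=P, q=Q, g=G):
    """Server answers challenge r with (y, x): picks a fresh random k,
    y = k + b*r mod q, x = g^k mod p.  y reveals nothing about b because
    k is uniform and used once."""
    k = secrets.randbelow(q - 1) + 1
    y = (k + b * r) % q
    x = pow(g, k, p)
    return y, x


def client_verify(v, r, y, x, p=P, g=G):
    """Client accepts iff g^y * v^r == x (mod p).  Expanding the exponents:
    g^(k + b*r) * g^((q - b)*r) = g^(k + q*r) = g^k, since g^q = 1 mod p."""
    return (pow(g, y, p) * pow(v, r, p)) % p == x


def run_exchange(b_claimed, v, p=P, q=Q, g=G):
    """One challenge/response round.  Returns True only when the responder
    used the b that matches the client's v: with b' != b the left side is
    g^k * g^((b' - b)*r) != g^k, because r != 0 mod q and q is prime."""
    r = client_challenge(q)
    y, x = server_response(b_claimed, r, p, q, g)
    return client_verify(v, r, y, x, p, g)


if __name__ == "__main__":
    b, v = server_keygen()
    print("genuine group server accepted:", run_exchange(b, v))
    print("responder without the group key accepted:", run_exchange((b + 1) % Q, v))
```

The point the toy makes is the one Steve's quote from Mills makes: the proof shows membership in a group whose key came from one trusted authority, so a second scheme run against the same server adds a second proof of the same fact, not a stronger one. Adding a responder that does not hold b (the second line of the demo) shows where the protection actually comes from.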
