[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
In response to Sami's comments on ANTP: The MUST is that if you use RSA, the key length is = 2048 bits. The protocol supports any public key encryption scheme, and ECDH is listed as an option as well. Similarly, AES-CBC+HMAC-SHA is one possible authenticated encryption scheme. The others you mention would work just fine as well. Changing the crypto algorithms wouldn't make the protocol much simpler, IMO. If you have suggestions for simplifications (while preserving ANTP's security) I'd like to hear them. Simplicity was one of our design goals, and when compared to the other options referenced in the paper, I think we succeeded. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
Authenticated Network Time Synchronization Benjamin Dowling and Douglas Stebila and Greg Zaverucha https://eprint.iacr.org/2015/171 http://research.microsoft.com/apps/pubs/?id=240885 Some silly MUSTs, like RSA = 2048 bits.. And instead of e.g. AES-CBC+HMAC-SHA why not NORX or something simple https://norx.io/ or chacha20-poly1305.. and of course git://github.com/agl/curve25519-donna.git ...well Microsoft can use 4096 bit RSA for all I care, but does someone want to start a Simple ANTP project? -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
Has Ubuntu considered using tlsdate instead of ntp? I think it's the only working secure solution right now. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
Unfortunately, ntp autokey is broken and insecure, it can't be used to provide any additional security. http://zero-entropy.de/autokey_analysis.pdf The only solution for the moment is for system administrators to set up their own symmetric keys with their own ntp server. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
So, any updates on this issue now that it has become clear it can be severely abused? See: https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf At least crank up the importance a bit... -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
NTP has public and private keys. http://doc.ntp.org/4.1.0/genkeys.htm Just like SSL, gpg, etc. Of course ntp.ubuntu.com and other server owners keep their private key secure. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
I have some ideas ideas... There is already ntp.ubuntu.com, can you add authentication? Ubuntu has importance. Can you officially ask the NTP pool if they could add authentication? Can you publicly the problem somewhere? A blog post? I am sure some NTP server volunteers would like to add authentication, if you can provide clear instructions for them. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
NTP authentication only works if the MITM doesn't know the authentication key. Even if we enable authentication on ntp.ubuntu.com, you can still MITM the ntp update since presumably everybody would be using the same authentication key. The only way to fix this is to configure your own ntp server and use it with a key that only you know. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
After reading the thread on ubuntu-hardened and doing some research of my own, a lack of instructions does not seem to be the primary problem here. It sounds like an external infrastructure problem since the public NTP pool does not guarantee that their servers support NTP authentication. I'm marking this bug as confirmed with an importance of wishlist. If anyone has suggestions on working around the lack of NTP authentication support across the entire public NTP pool, please leave a comment. Thanks! ** Changed in: ntp (Ubuntu) Importance: Undecided = Wishlist ** Changed in: ntp (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
No need to keep this private. Has been publicly discussed but without proper bug report and the discussion felt into oblivion. http://ubuntu.5.n6.nabble.com/authenticated-NTP-td4486136.html -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1039420 Title: NTP security vulnerability because not using authentication by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs