In response to Sami's comments on ANTP:
The MUST is that if you use RSA, the key length is = 2048 bits. The
protocol supports any public key encryption scheme, and ECDH is listed
as an option as well. Similarly, AES-CBC+HMAC-SHA is one possible
authenticated encryption scheme. The others you
Authenticated Network Time Synchronization
Benjamin Dowling and Douglas Stebila and Greg Zaverucha
https://eprint.iacr.org/2015/171
http://research.microsoft.com/apps/pubs/?id=240885
Some silly MUSTs, like RSA = 2048 bits..
And instead of e.g. AES-CBC+HMAC-SHA why not NORX or something simple
Has Ubuntu considered using tlsdate instead of ntp? I think it's the
only working secure solution right now.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420
Title:
NTP security
Unfortunately, ntp autokey is broken and insecure, it can't be used to
provide any additional security.
http://zero-entropy.de/autokey_analysis.pdf
The only solution for the moment is for system administrators to set up
their own symmetric keys with their own ntp server.
--
You received this
So, any updates on this issue now that it has become clear it can be
severely abused?
See:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
At least crank up the importance a bit...
--
You received this bug notification because you are a
NTP has public and private keys. http://doc.ntp.org/4.1.0/genkeys.htm
Just like SSL, gpg, etc.
Of course ntp.ubuntu.com and other server owners keep their private key
secure.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in
I have some ideas ideas...
There is already ntp.ubuntu.com, can you add authentication?
Ubuntu has importance. Can you officially ask the NTP pool if they could
add authentication?
Can you publicly the problem somewhere? A blog post?
I am sure some NTP server volunteers would like to add
NTP authentication only works if the MITM doesn't know the
authentication key. Even if we enable authentication on ntp.ubuntu.com,
you can still MITM the ntp update since presumably everybody would be
using the same authentication key.
The only way to fix this is to configure your own ntp server
After reading the thread on ubuntu-hardened and doing some research of
my own, a lack of instructions does not seem to be the primary problem
here. It sounds like an external infrastructure problem since the public
NTP pool does not guarantee that their servers support NTP
authentication.
I'm
No need to keep this private. Has been publicly discussed but without
proper bug report and the discussion felt into oblivion.
http://ubuntu.5.n6.nabble.com/authenticated-NTP-td4486136.html
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed
10 matches
Mail list logo
