> > We believe the NTS KE can be modified to authenticate timing messages
> > sent in parallel with the KE. Note that this must be done *without*
> > requiring these initial timing messages to be MAC'd, since before the
> > KE completes, the client and server will not have a shared symmetric
> > key.
>
> If the two sides already have an ntp.keys file then this key can be used
> for a MAC, correct?
>

This sounds a lot like the TLS PSK (Pre-Shared Key) mode [3][4]. In TLS PSK there is still a key establishment handshake, to allow the two sides to agree to use the PSK. Also, the PSK is usually just used to authenticate the key exchange, not the actual traffic. Harlan, you are suggesting MACing the actual traffic with the PSK right away, before the KE completes, right? I don't think this works since you will, just like TLS, still need a key exchange to agree you need a PSK.

Moreover, adding a PSK mode to NTS adds additional complexity. Do we really want to introduce this additional complexity? I am very wary of this, as recent attacks on TLS and IPsec have shown that the proliferation of modes and complexity in these protocols can be exploited by attackers [1], [2].

Sharon

[1] https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/
[2] https://weakdh.org/
[3] https://eprint.iacr.org/2014/037.pdf
[4] https://tools.ietf.org/html/rfc4279
_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
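The exchange the thread is arguing about, as an added example that is not code from the thread, from NTS, or from any NTP implementation: a client MACs its first timing message with a key taken from an ntp.keys-style file, and the server must work out which key the client used before it can check anything. The ntp.keys line format (<keyid> <type> <key>) follows ntpd's documented file format, but the key material, the 48-byte "timing payload" and the trailer layout (4-byte key ID followed by the HMAC, as NTP's MAC field does it) are constructed simplifications for illustration, not the NTS or NTP wire format.

```python
"""Added example: MAC'ing the first timing message with a pre-shared key from
an ntp.keys-style file, and the key-identification problem the thread raises.
Not code from the thread, NTS, or ntpd; ntp.keys line format follows ntpd's
documented <keyid> <type> <key> layout, everything else is constructed."""
import hashlib
import hmac
import struct

# Constructed sample ntp.keys contents (ASCII keys, one of the forms
# ntp.keys accepts). Both sides are assumed to be provisioned from this file.
SAMPLE_NTP_KEYS = """\
# keyid  type    key
1        SHA1    a-pre-shared-key-for-server-one
10       MD5     another-psk
"""

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Constructed: mimic NTP's fixed 48-byte header so the MAC trailer is found
# by offset. Everything after PAYLOAD_LEN is the trailer.
PAYLOAD_LEN = 48


def parse_ntp_keys(text):
    """Return {keyid: (digest_name, key_bytes)} from ntp.keys-style text."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        ktype = ktype.upper()
        if ktype not in DIGESTS:
            raise ValueError("unsupported key type %r" % ktype)
        keys[int(keyid)] = (ktype, key.encode())
    return keys


def make_timing_payload(transmit_ts):
    """Constructed stand-in for a timing packet: a 64-bit timestamp, zero padded."""
    return struct.pack("!Q", transmit_ts).ljust(PAYLOAD_LEN, b"\0")


def mac_message(keys, keyid, payload):
    """Client side: append <keyid><HMAC(key, payload)> to the timing payload."""
    digest, key = keys[keyid]
    tag = hmac.new(key, payload, DIGESTS[digest]).digest()
    return payload + struct.pack("!I", keyid) + tag


def verify_message(keys, message):
    """Server side: split off the trailer, look up the key by ID, check the MAC.

    Returns (ok, reason). The unknown-key-ID branch is the point the thread
    makes: with nothing negotiated beforehand, the server can only verify if
    the message itself names the key and the server has that ID configured.
    """
    if len(message) < PAYLOAD_LEN + 4:
        return False, "too short for a MAC trailer"
    payload = message[:PAYLOAD_LEN]
    keyid = struct.unpack("!I", message[PAYLOAD_LEN:PAYLOAD_LEN + 4])[0]
    tag = message[PAYLOAD_LEN + 4:]
    if keyid not in keys:
        return False, "unknown key id %d: no prior agreement on which PSK to use" % keyid
    digest, key = keys[keyid]
    expected = hmac.new(key, payload, DIGESTS[digest]).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad MAC"
    return True, "ok"


def demo():
    """Run the three cases: shared file, client-only key ID, tampered message."""
    server_keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    client_keys = server_keys  # both sides provisioned from the same file
    payload = make_timing_payload(0x0123456789ABCDEF)

    good = verify_message(server_keys, mac_message(client_keys, 1, payload))

    # A client provisioned with a key ID the server lacks: the message names
    # key 7, the server cannot verify it, and no exchange has happened to fix that.
    other_client = dict(server_keys)
    other_client[7] = ("SHA1", b"key-only-the-client-has")
    unknown = verify_message(server_keys, mac_message(other_client, 7, payload))

    # On-path modification of the timing payload is caught by the MAC.
    tampered_msg = bytearray(mac_message(client_keys, 10, payload))
    tampered_msg[0] ^= 0x01
    tampered = verify_message(server_keys, bytes(tampered_msg))
    return good, unknown, tampered


if __name__ == "__main__":
    for case, result in zip(("shared key", "unknown key id", "tampered"), demo()):
        print("%-15s -> %s" % (case, result))
```

The key ID in the trailer is the minimal piece of "agreement" a PSK scheme cannot avoid: the client has to tell the server which of the provisioned keys it used, and the server has to already hold that key. That is the same role the identity hint plays in TLS PSK, and it is why a PSK mode still carries negotiation state and a second code path that the KE alone would not need.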
