Hi Kristof,

Thanks for your mail.

>
> I wanted to ask whether you and your team already had a chance to look at
> the parts of the NTS specification other than the KE protocol.
>

No, not yet.


> Specifically:
> - We have specified requirements for the cookie exchange (for which our
> proposed KE protocol is but one way to solve them). Do you think that if
> the requirements are met, the rest of NTS' unicast part is solid?


We can try to look at that in the next short while.


> - Also, have you had a chance to look at the broadcast part of the
> specification?
>

Actually we are very interested in broadcast, we even had a few related
recent CVEs.  Here is our work describing these CVEs and some suggestions,
I hope you will have some time to read it:

http://www.cs.bu.edu/~goldbe/papers/NTPbroadcast.html

One specific suggestion we had was that NTS NOT demobilize ephemeral
associations based on crypto errors.  Please read the paper to see why this
creates a DoS vulnerability.

But beyond this, broadcast crypto for NTP is a super complex problem.  We
have not had time to review this part of the draft, but hope to do so in
the future.

Doing this properly, however, will take some time, and we wanted to focus
on the KE for now.  Note that by "properly" I mean with formal proof of
security.

So, one thing we think is needed, and could do, is a formal proof of
security for NTS's KE, using for instance the Canetti-Krawczyk model [1].
We would not feel comfortable claiming that we had reviewed the KE protocol
(or the broadcast protocol) until we had done such a proof.  See [2] [3]
for examples of what I mean.

But, before we started on this proof, which would take some time, we wanted
to understand all the requirements. Hence all the questions. Thanks for
answering them!

Sharon

[1] http://link.springer.com/chapter/10.1007/3-540-44987-6_28#page-1
[2] https://eprint.iacr.org/2015/914.pdf
[3] http://eprint.iacr.org/2015/978.pdf



-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
