> On 24.03.2016 at 22:48, Sharon Goldberg <[email protected]> wrote:
>
> Hi Kristof,
>
> Thanks for your mail.
>
> I wanted to ask whether you and your team already had a chance to look at the
> parts of the NTS specification other than the KE protocol.
>
> No, not yet.
>
> Specifically:
> - We have specified requirements for the cookie exchange (for which our
> proposed KE protocol is but one way to solve them). Do you think that if the
> requirements are met, the rest of NTS' unicast part is solid?
>
> We can try to look at that in the next short while.

That would be great. Thanks.

> - Also, have you had a chance to look at the broadcast part of the
> specification?
>
> Actually we are very interested in broadcast, we even had a few related
> recent CVEs. Here is our work describing these CVEs and some suggestions, I
> hope you will have some time to read it:
>
> http://www.cs.bu.edu/~goldbe/papers/NTPbroadcast.html
>
> One specific suggestion we had was that NTS NOT demobilize ephemeral
> associations based on crypto errors. Please read the paper to see why this
> creates a DoS vulnerability.
>
> But beyond this, broadcast crypto for NTP is a super complex problem. We have
> not had time to review this part of the draft, but hope to do so in the
> future.
>
> Doing this properly, however, will take some time, and we wanted to focus on
> the KE for now. Note that by "properly" I mean with formal proof of security.
>
> So, one thing we think is needed, and could do, is a formal proof of security
> for NTS's KE. Using for instance the Canetti Krawczyk model [1]. We would not
> feel comfortable claiming that we had reviewed the KE protocol (or the
> broadcast protocol) until we had done such a proof. See [2] [3] for examples
> of what I mean.

Please note that Kristof did a formal analysis of the NTS unicast mode. You will find it in [1]. I will send you the paper offline.

[1] K. Teichel, D. Sibold, and S. Milius, "First Results of a Formal Analysis of the Network Time Security Specification," presented at the Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, 2015.

> But, before we started on this proof, which would take some time, we wanted
> to understand all the requirements. Hence all the questions. Thanks for
> answering them!
>
> Sharon
>
> [1] http://link.springer.com/chapter/10.1007/3-540-44987-6_28#page-1
> [2] https://eprint.iacr.org/2015/914.pdf
> [3] http://eprint.iacr.org/2015/978.pdf
>
> --
> Sharon Goldberg
> Computer Science, Boston University
> http://www.cs.bu.edu/~goldbe
> _______________________________________________
> ntpwg mailing list
> [email protected]
> http://lists.ntp.org/listinfo/ntpwg
_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
