On Wed, Feb 28, 2018 at 11:06:36PM -0800, Hal Murray wrote:
> Why is AES-CMAC more interesting than one of the digests supported by OpenSSL?

The keyed-hash construction that NTP uses is not a secure message authentication code; it is vulnerable to the classic length extension attack [1] when used with common hash functions, such as MD5, SHA-1, and the SHA-2 family of hash functions. This allows an attacker to append additional forged NTPv4 extension fields onto an authenticated NTPv4 packet. draft-ietf-ntp-mac-03 refers to this attack through its reference to the BCK paper in section 2 [2] even though it does not explicitly call out length extension attacks in the body of the draft.

In current usage, this rarely poses a problem. In the NTP reference implementation, extension fields are only used by Autokey. If you have Autokey disabled, it does not give an attacker any additional power. However, if NTPv4 extension fields catch on for uses other than Autokey, this will become problematic.

AES-CMAC is a secure message authentication code and, therefore, is not vulnerable to this kind of attack.

[1] https://en.wikipedia.org/wiki/Length_extension_attack
[2] https://tools.ietf.org/html/draft-ietf-ntp-mac-03#section-2

Cheers,
Matt

--
Matthew Van Gundy, Technical Leader
Advanced Security Initiatives Group
Cisco Systems, Inc.
_______________________________________________ TICTOC mailing list [email protected] https://www.ietf.org/mailman/listinfo/tictoc
