On Thu, Mar 01, 2018 at 06:40:45PM -0500, Matthew Van Gundy wrote: > On Wed, Feb 28, 2018 at 11:06:36PM -0800, Hal Murray wrote: > > Why is AES-CMAC more interesting than one of the digests supported by > > OpenSSL? > > The keyed-hash construction that NTP uses is not a secure message > authentication code, it is vulnerable to the classic length extension > attack  when used with common hash functions, such as MD5, SHA-1, > and the SHA-2 family of hash functions. This allows an attacker to > append additional forged NTPv4 extension fields on to an authenticated > NTPv4 packet.
Does this actually apply to NTPv4? Do you have any examples how could an attacker append a valid extension field to an NTPv4 packet? My understanding is that the NTPv4 packet format (with or without RFC7822) prevents the length-extension attack as extension fields cannot have a length of zero, which would come from the padding (always starting with 0x80000000). Even if the length field could be zero, there is no EF type 0x8000 assigned yet and it could be avoided in future in case people are for some reason still using the old MAC. -- Miroslav Lichvar _______________________________________________ TICTOC mailing list TICTOC@ietf.org https://www.ietf.org/mailman/listinfo/tictoc