[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
Greg Zaverucha
1039420 at bugs.launchpad.net
Thu Mar 26 00:28:34 UTC 2015

In response to Sami's comments on ANTP:

The MUST is that if you use RSA, the key length is >= 2048 bits. The
protocol supports any public key encryption scheme, and ECDH is listed
as an option as well. Similarly, AES-CBC+HMAC-SHA is one possible
authenticated encryption scheme. The others you mention would work just
fine as well.

Changing the crypto algorithms wouldn't make the protocol much simpler,
IMO. If you have suggestions for simplifications (while preserving
ANTP's security) I'd like to hear them. Simplicity was one of our
design goals, and when compared to the other options referenced in the
paper, I think we succeeded.

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420