Yo Hal!

On Wed, 20 Mar 2019 16:00:55 -0700
Hal Murray via devel <[email protected]> wrote:

> Gary said:
> >>> Only if you figure out how to not have a huge daily rush to
> >>> rekey.  
> >> Under normal conditions, there is never any need to rekey.  
> > We've gone around on that many times before.  We disagree.
> > Using the same master key (with a ratchet) will eventually give the
> > attacker enough data to crack it.  Maybe a long, long, time, but
> > in crypto a long, long, time always comes much sooner than
> > expected.  
> 
> We've got word troubles here.  I was using "rekey" in the sense of
> using NTS-KE to get new cookies since that seemed to be what you used
> it for.

But the NTS-KE master key (K) has to match the NTPD master key (K).
So they are one and the same effect.

So we likely need a lexicon, an issue brought up before...

> If you want to have a discussion about ratchet, we can do that.
> Please start a new thread.  The crypto details are above my pay
> grade.  The current code uses random, but I think the code is setup
> so it would be easy to switch to ratchet.

Not gonna open that can of worms as long as you use random keys
changed "often".

> > So no ratchet?  That would then be a rekey.  A rekey not needing
> > the NTS-KE.   
> 
> The client doesn't know anything about ratchet or anything else about
> the cookies.

Yup.

> As long as the old cookies on the client are used in NTP packets soon
> enough and hence traded in for new cookies, there is no need for a
> NTS-KE type rekey.

Yeah, I had missed that.  So I agree your concept looks good so far.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        [email protected]  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin

Attachment: pgpVWLAQEAw8j.pgp
Description: OpenPGP digital signature
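The cookie-rotation argument in the exchange above (old cookies get traded in for fresh ones on every NTP exchange, so the client never needs another NTS-KE as long as it keeps polling) can be made concrete with a small simulation. The following is an added example, not code from this thread or from NTPsec: the cookie format (key id, nonce, encrypt-then-MAC with HMAC-SHA256 as a stand-in for the real AEAD), the stash size of 8 cookies, the server retaining 2 master keys, and the class and function names are all assumptions of this example. A cookie sealed under a master key the server has already retired fails to open, which in the real protocol would surface as an NTS NAK and force the client back to NTS-KE.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 32          # C2S and S2C keys are 32 bytes each (assumed)
KEY_ID_LEN = 4
NONCE_LEN = 16
TAG_LEN = 32
COOKIES_PER_KE = 8    # assumption: NTS-KE hands out 8 cookies
RETAINED_KEYS = 2     # assumption: server keeps the current master key plus one older one


def _keystream(master, nonce, length):
    """Toy keystream from HMAC-SHA256(master, nonce || counter); stand-in for the real AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(master, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_cookie(master, key_id, c2s, s2c):
    """cookie = key_id || nonce || ciphertext || tag (encrypt-then-MAC under the master key)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = c2s + s2c
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(master, nonce, len(plaintext))))
    header = struct.pack(">I", key_id) + nonce + ct
    tag = hmac.new(master, b"cookie-tag" + header, hashlib.sha256).digest()
    return header + tag


def open_cookie(keys, cookie):
    """Return (c2s, s2c) if the cookie verifies under a retained key, else None (NTS NAK)."""
    key_id = struct.unpack(">I", cookie[:KEY_ID_LEN])[0]
    master = keys.get(key_id)
    if master is None:
        return None   # master key already retired: server cannot decrypt this cookie
    header, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(master, b"cookie-tag" + header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # forged or corrupted cookie
    nonce = header[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
    ct = header[KEY_ID_LEN + NONCE_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(master, nonce, len(ct))))
    return pt[:KEY_LEN], pt[KEY_LEN:]


class NtsServer:
    """Holds the master key K shared by the NTS-KE and NTP sides, and rotates it."""

    def __init__(self):
        self.current = 0
        self.keys = {0: secrets.token_bytes(32)}

    def rotate_master_key(self):
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        for kid in list(self.keys):          # forget keys older than the retention window
            if kid <= self.current - RETAINED_KEYS:
                del self.keys[kid]

    def _cookie(self, c2s, s2c):
        return seal_cookie(self.keys[self.current], self.current, c2s, s2c)

    def nts_ke(self):
        """NTS-KE: fresh C2S/S2C keys plus a stash of cookies under the current master key."""
        c2s, s2c = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
        return c2s, s2c, [self._cookie(c2s, s2c) for _ in range(COOKIES_PER_KE)]

    def ntp_exchange(self, cookie):
        """NTP request carrying one cookie; reply carries a fresh cookie or None for NTS NAK."""
        opened = open_cookie(self.keys, cookie)
        if opened is None:
            return None
        return self._cookie(*opened)          # traded in: re-sealed under the current key


class NtsClient:
    """Client that spends its oldest cookie first and refills from each reply."""

    def __init__(self, server):
        self.server, self.ke_runs, self.cookies = server, 0, []
        self._run_ke()

    def _run_ke(self):
        self.ke_runs += 1
        self.c2s, self.s2c, self.cookies = self.server.nts_ke()

    def poll(self):
        fresh = self.server.ntp_exchange(self.cookies.pop(0))
        if fresh is None:                      # NAK: whole stash is stale, fall back to NTS-KE
            self._run_ke()
            fresh = self.server.ntp_exchange(self.cookies.pop(0))
        self.cookies.append(fresh)


def simulate(rotations, polls_between_rotations):
    """Number of NTS-KE runs (including the first) a client needs across key rotations."""
    server = NtsServer()
    client = NtsClient(server)
    for _ in range(rotations):
        for _ in range(polls_between_rotations):
            client.poll()
        server.rotate_master_key()
    return client.ke_runs
```

With these parameters `simulate(6, 8)` returns 1: a client that cycles through its whole stash between rotations always presents cookies under a key the server still holds, so the initial NTS-KE is the only one. `simulate(6, 4)` returns 3, because a client polling only four times per rotation interval still has cookies from two key generations ago at the front of its FIFO stash when the third key arrives; that is the "used in NTP packets soon enough" condition in the thread, and the break-even point moves with the stash size and the number of retained keys.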

_______________________________________________
devel mailing list
[email protected]
http://lists.ntpsec.org/mailman/listinfo/devel