[cifs-protocol] 600422 RE: SNTP issues

Richard Guthrie rguthrie at microsoft.com
Thu Jun 26 17:54:43 GMT 2008


Andrew,

Thank you for your review of our SNTP documentation.  We have considered your request regarding the introductory paragraph in our MS-SNTP documentation.  The purpose of the MS-SNTP document is to describe a Microsoft extension to NTP, so it would be inappropriate to make a value statement such as the one suggested. The way in which keying material is used outside of this protocol is up to an implementer. It is assumed that a person implementing a protocol that utilizes cryptographic material is skilled in the use and safety of said material.  The paragraph in question has been adjusted to make it clearer that the checksum algorithm and keying material described in MS-SNTP are relevant to Windows domains.

We have adjusted the documentation as follows. MS-SNTP Introduction (2nd paragraph):
[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide a strong checksum algorithm and use keying material that is readily available to Windows systems joined to a Windows domain.

The original text read:
[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide for better security by using a stronger checksum algorithm, and by using keying material that is more convenient for Windows systems joined to a Windows domain.

Please let us know if you have any additional comments/questions to consider around this issue.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, June 10, 2008 7:53 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: SNTP issues

On Tue, 2008-06-10 at 10:28 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to see if you have had a chance to review the article below to see if it addresses your issue.  Let me know if it did/did not help your team.

Certainly I know that I should talk to the www.ntp.org community and the NTP working group before blindly deploying the Microsoft protocol, but what I was looking for was a better statement than the opening paragraph:


[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide for better security by using a stronger checksum algorithm, and by using keying material that is more convenient for Windows systems joined to a Windows domain.


Instead, perhaps it should be rewritten as a warning, describing the protocol as a deviation, rather than an improvement (it may not have been that way when the hacks were first added, but it is now):


[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide for better security by using a stronger checksum algorithm, and by using keying material that is more convenient for Windows systems joined to a Windows domain, but should not be used outside this context.  Internet standard authentication extensions such as proposed and documented in http://www.ietf.org/internet-drafts/draft-ietf-ntp-autokey-03.txt provide stronger security and serve as a better basis for interoperable implementations.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

