ntpkeygen generates insecure keys
Date: Mon, 3 May 2021 11:55:53 +0200
From: Miroslav Lichvar via security <security@ntpsec.org>
To: security@ntpsec.org
Subject: [security@ntpsec.org] ntpkeygen generates insecure keys
Reply-To: Miroslav Lichvar <mlichvar@redhat.com>
Hi,
there is a bug report for the Fedora ntpsec package that among
other things points out that ntpd complains about keys generated by
ntpkeygen.
It seems it generates keys that include the '#' char, which ntpd
handles as a comment, i.e. the keys are shorter than expected and
easier to break (8 bits in the most extreme case), leading to MITM
attacks.
For short AES128 keys ntpd generates a warning that it is padding
them, but for other types there is no message as any length can be
used for the legacy MAC. I'm not sure if users can be expected to
check the log, or realize that keys must not contain '#' when they
transfer the keys between hosts.
ntpkeygen from NTP classic suppresses the '#' chars. It seems the one
in ntpsec used to do that too, but that check was lost recently in
some unrelated changes. It looks like only ntpsec-1.2.0 is impacted.
Please let me know how do you want to handle this. I can ask our
security team for help.
Thanks,
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1955859#c3
--
Miroslav Lichvar