doc: warn about MD5 keys not protecting extension fields
Add a warning to the chrony.conf man page that MD5 keys cannot protect NTP extension fields due to the length extension attack.
This commit is contained in:
Miroslav Lichvar
parent
b9f5278846
commit
cd65e32cf0
1 changed files with 5 additions and 1 deletions
|
|
@ -2821,7 +2821,11 @@ source is specified in the configuration file with a key shorter than 80 bits.
|
||||||
+
|
+
|
||||||
The recommended key types are AES ciphers and SHA3 hash functions. MD5 should
|
The recommended key types are AES ciphers and SHA3 hash functions. MD5 should
|
||||||
be avoided unless no other type is supported on the server and client, or
|
be avoided unless no other type is supported on the server and client, or
|
||||||
peers.
|
peers. A major weakness of MD5 for the NTP MAC is a length extension attack,
|
||||||
|
where a man-in-the-middle attacker can add arbitrary extension fields to the
|
||||||
|
NTP message and update the MAC to pass the verification of the extended
|
||||||
|
message. The *extfield* option (enabling processing of the specified extension
|
||||||
|
field) should not be used for NTP sources authenticated with an MD5 key.
|
||||||
+
|
+
|
||||||
The <<chronyc.adoc#keygen,*keygen*>> command of *chronyc* can be used to
|
The <<chronyc.adoc#keygen,*keygen*>> command of *chronyc* can be used to
|
||||||
generate random keys for the key file. By default, it generates 160-bit MD5 or
|
generate random keys for the key file. By default, it generates 160-bit MD5 or
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue