On Fri, Jan 17, 2014 at 06:15:16PM +0100, Håkan Johansson wrote:
With the information collection problem for an attacker above, it is
probably so that also a much cheaper pseudo-random number generator
could be used instead of MD5. Say that one uses 8 secret numbers as
seeds, each together with a piece of the apparent client IP creating
8 new numbers. From each of which one uses a few bits to make the
nonce. E.g. xorshift is really cheap. This way, it should also not
be possible to make a denial-of-service attack on the chronyd server
from the extra computations it has to do for junk requests.
I'm not sure I follow here. The attacker can surely have more than one
address to query chronyd and get multiple nonces. Wouldn't it be easy
to find the secret numbers by reversing the algorithm and solving with
collected nonces? To me it looks like a crypto hash is critical here.