[Cryptography] Network Time Protocol security

Phillip Hallam-Baker phill at hallambaker.com
Sun May 19 18:47:23 EDT 2019

On Sun, May 19, 2019 at 5:57 PM John Gilmore <gnu at toad.com> wrote:

> There is an effort underway to design and standardize improved methods
> of securing the NTP time-synchronization protocol.  Here's an overview
> of the effort, plus pointers to a published RFC that documents the
> requirements that they are trying to satisfy, and to the current
> Internet-Draft:
>
>   https://www.ietfjournal.org/a-new-security-mechanism-for-the-network-time-protocol/
>   https://www.rfc-editor.org/rfc/rfc7384.txt
>   http://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp
>
> The draft protocol is being implemented now by two or more NTP
> implementations to begin interoperation testing.
>
> There is a long history of half-assed or broken crypto applied to various
> iterations of NTP (pre-shared keys, Autokey, etc).  None has yet had that
> essential combination of ease of deployment and lack of vulnerability.
>
> Before this gets standardized and deployed, has anybody on this list
> analyzed the threat model and the draft mechanisms to see if they would
> actually accomplish the goal of cryptographically securing the
> worldwide accurate time distribution overlay network?

Let us step back and ask what the actual security requirements are. I don't
think they are quite the same as what secure-NTP would provide.

There are three separate issues:

1) Is the current time after time t1?
2) Is the current time before t2?
3) Did event A happen before or after event B?

For purposes of preventing replay attacks, use of expired credentials, etc.,
it is usually acceptable to have the current time correct to a few hours.

For purposes of timestamping logs, etc., I would normally want the time to
be correct to ten seconds or better.

For purposes of performing transaction processing, I don't need time at all
to decide if A happened before B; I need a transaction log.

So the sort of answers I am looking at are very much more along the lines
of 'blockchain without the inefficiency of proof of work, stake, etc.'

Since the time is a subjective quantity, this is an area where some form of
trusted party is going to be inevitable but we can use meta-notary type
techniques to produce ridiculously high work factors.
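
As an added illustration that is not part of the original post: one way to answer question 3 (did A happen before B?) from a transaction log rather than a clock is a hash-chained append-only log, with a second log recording its head as a simple stand-in for notary-style cross-witnessing. The class, the method names, the `witness:` prefix and the payloads are assumptions made for this example, not a design taken from the message.

```python
import hashlib

GENESIS = b"\x00" * 32  # chain value before the first entry


def link(prev: bytes, payload: bytes) -> bytes:
    """Chain value for an entry: commits to the payload and every earlier entry."""
    return hashlib.sha256(prev + len(payload).to_bytes(8, "big") + payload).digest()


class TransactionLog:
    """Append-only log; order comes from position in the chain, not from a clock."""

    def __init__(self):
        self.entries = []  # list of (payload, chain value)

    def head(self) -> bytes:
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, payload: bytes) -> int:
        self.entries.append((payload, link(self.head(), payload)))
        return len(self.entries) - 1

    def verify(self) -> bool:
        """Recompute the chain; an edited or reordered entry breaks it."""
        prev = GENESIS
        for payload, chain in self.entries:
            if link(prev, payload) != chain:
                return False
            prev = chain
        return True

    def happened_before(self, a: bytes, b: bytes) -> bool:
        if not self.verify():
            raise ValueError("chain broken: ordering cannot be trusted")
        payloads = [p for p, _ in self.entries]
        return payloads.index(a) < payloads.index(b)

    def witness(self, other: "TransactionLog") -> int:
        """Record another log's current head, so rewriting it means rewriting us too."""
        return self.append(b"witness:" + other.head())

    def witnessed_heads_intact(self, other: "TransactionLog") -> bool:
        """True if every head recorded here still appears in `other`'s chain.
        Assumes this log witnesses only `other` (two-log example)."""
        chains = {c for _, c in other.entries} | {GENESIS}
        seen = [p[8:] for p, _ in self.entries if p.startswith(b"witness:")]
        return other.verify() and all(h in chains for h in seen)
```

A log that is rewritten from scratch still passes its own `verify()`; it is the head recorded in the second log that exposes the rewrite, which is why the witness has to be held by a different party.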