[time-nuts] can of worms: time-of-day in a community radio station
Hal Murray
hmurray at megapathdsl.net
Tue Nov 5 07:22:18 UTC 2019
stevesommarsntp at gmail.com said:
> If the bad guys can intercept NTP traffic timestamps can be altered, unless
> NTP authentication is used. [This rarely happens.]
For those not familiar with this area...
There are 2 ways to authenticate NTP packets.
You can set up a shared key. This requires getting the key from one site to
the other via some out-of-band method. The main disadvantage of this approach
is that it requires manual intervention at the server end to enter the new
key. That doesn't scale.
NIST offers this. They send you the key via snail mail.
<https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service>
There is a new approach: NTS, Network Time Security. The RFC isn't final yet,
but I don't expect significant changes. There is running code.
https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/
The basic idea is that the client uses TCP to set up a TLS connection to an
NTS-KE (key exchange) server. The client gets client-server keys and cookies.
There is a pair of keys for each client-server. There is no per-client state
on the server. Each cookie contains the keys encrypted with a cookie-key
known only to the server.
The client sends a cookie with each request, authenticating with a key. The
server decrypts the cookie to get the authentication key for this client, then
uses that key to authenticate the request ... and sends back a new cookie
with the NTP response.
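The cookie flow described above, as an added toy model (not code from the draft, Cloudflare or Netnod): the server keeps nothing but its cookie key, the NTS-KE step hands the client a C2S/S2C key pair and a batch of cookies, each request carries one cookie plus a MAC under C2S, and the server opens the cookie, checks the MAC, and answers under S2C with a fresh cookie. Real NTS wraps cookies with AES-SIV and authenticates NTP extension fields with an AEAD; this model substitutes an HMAC-SHA256 keystream and tag so it runs with only the Python standard library, and the packet contents are a constructed placeholder rather than a real NTP header.

```python
import hmac
import hashlib
import secrets
import struct
import time

# Added example: stateless NTS-style cookies. The server holds only a cookie
# key; the per-client keys travel inside the cookie the client sends back.
# HMAC-SHA256 stands in for the AES-SIV / AEAD used by real NTS (assumption
# made so the example runs offline with the standard library only).


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction, not AES-SIV)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class NtsServer:
    """Keeps only the cookie key: no per-client state at all."""

    def __init__(self) -> None:
        self.cookie_key = secrets.token_bytes(32)

    def make_cookie(self, c2s: bytes, s2c: bytes) -> bytes:
        # cookie = nonce || Enc(cookie_key, c2s||s2c) || tag
        nonce = secrets.token_bytes(16)
        body = _xor(c2s + s2c, _keystream(self.cookie_key, nonce, 64))
        tag = hmac.new(self.cookie_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def open_cookie(self, cookie: bytes):
        """Return (c2s, s2c) or None if the cookie was forged or altered."""
        nonce, body, tag = cookie[:16], cookie[16:-32], cookie[-32:]
        expected = hmac.new(self.cookie_key, nonce + body, hashlib.sha256).digest()
        if len(body) != 64 or not hmac.compare_digest(tag, expected):
            return None
        keys = _xor(body, _keystream(self.cookie_key, nonce, 64))
        return keys[:32], keys[32:]

    def key_exchange(self):
        """NTS-KE step (over TLS in reality): fresh key pair plus a cookie batch."""
        c2s, s2c = secrets.token_bytes(32), secrets.token_bytes(32)
        return c2s, s2c, [self.make_cookie(c2s, s2c) for _ in range(8)]

    def handle_request(self, packet: bytes, cookie: bytes, mac: bytes):
        keys = self.open_cookie(cookie)
        if keys is None:
            return None  # cookie not ours: drop silently
        c2s, s2c = keys
        if not hmac.compare_digest(mac, hmac.new(c2s, packet + cookie, hashlib.sha256).digest()):
            return None  # request altered or forged: drop
        response = packet + struct.pack(">d", time.time())  # placeholder "NTP reply"
        new_cookie = self.make_cookie(c2s, s2c)  # one fresh cookie per reply
        resp_mac = hmac.new(s2c, response + new_cookie, hashlib.sha256).digest()
        return response, new_cookie, resp_mac


class NtsClient:
    def __init__(self, c2s: bytes, s2c: bytes, cookies) -> None:
        self.c2s, self.s2c, self.cookies = c2s, s2c, list(cookies)

    def build_request(self):
        cookie = self.cookies.pop(0)  # each cookie is used once
        packet = b"NTPv4-request:" + secrets.token_bytes(8)  # constructed placeholder
        mac = hmac.new(self.c2s, packet + cookie, hashlib.sha256).digest()
        return packet, cookie, mac

    def check_response(self, response: bytes, new_cookie: bytes, mac: bytes) -> bool:
        expected = hmac.new(self.s2c, response + new_cookie, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False  # reply not from the server holding our cookie
        self.cookies.append(new_cookie)  # replenish the supply
        return True


def run_exchange(tamper: bool = False) -> bool:
    """One full request/response; with tamper=True an on-path change is simulated."""
    server = NtsServer()
    client = NtsClient(*server.key_exchange())
    packet, cookie, mac = client.build_request()
    if tamper:
        packet = packet[:-1] + bytes([packet[-1] ^ 1])
    result = server.handle_request(packet, cookie, mac)
    return result is not None and client.check_response(*result)


if __name__ == "__main__":
    print("clean exchange authenticated:", run_exchange())
    print("altered request accepted:", run_exchange(tamper=True))
```

The point to take from the model is where the state lives: a server restart loses nothing but the cookie key, and rotating that key simply forces clients back to NTS-KE, which is why the design scales where hand-entered shared keys do not.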
Cloudflare and Netnod have announced public servers.
https://developers.cloudflare.com/time-services/nts/usage/
https://www.netnod.se/time-and-frequency/netnod-launch-one-of-the-first-nts-enabled-time-services-in-the-world
--
These are my opinions. I hate spam.