Authenticated Network Time Synchronization

The Network Time Protocol (NTP) is used by many network-connected devices to synchronize device time with remote servers. Many security features depend on the device knowing the current time, for example in deciding whether a certificate is still valid. Currently, most services implement NTP without authentication, and the authentication mechanisms available in the standard have not been formally analyzed, require a pre-shared key, or are known to have cryptographic weaknesses. In this paper we present an authenticated version of NTP, called ANTP, to protect against desynchronization attacks. To make ANTP suitable for large-scale deployments, it is designed to minimize server-side public-key operations by infrequently performing a key exchange using public key cryptography, then relying solely on symmetric cryptography for subsequent time synchronization requests; moreover, it does so without requiring server-side per-connection state. Additionally, ANTP ensures that authentication does not degrade accuracy of time synchronization. We measured the performance of ANTP by implementing it in OpenNTPD using OpenSSL. Compared to plain NTP, ANTP’s symmetric crypto reduces the server throughput (connections/second) for time synchronization requests by a factor of only 1.6. We analyzed the security of ANTP using a novel provable security framework that involves adversary control of time, and show that ANTP achieves secure time synchronization under standard cryptographic assumptions; our framework may also be used to analyze other candidates for securing NTP.
