
NTP Security Model
NTP security model
Intruder attack scenarios
Security requirements
Security requirements (continued)
NTP subnet principles
NTP secure group principles
Hierarchical groups and trust inheritance
NTP secure group configuration example
Identity verification - outline
Multiple groups
Authentication scheme A (Diffie-Hellman)
Authentication scheme B (Kent)
Authentication scheme C (RSA)
Authentication scheme D (S-Key)
NTP symmetric key cryptography
NTP public key cryptography
NTP Autokey
Identification exchange
Identity schemes
Identity schemes (continued)
Future plans
Further information

Sir John Tenniel; Alice’s Adventures in Wonderland, Lewis Carroll

NTP Security Model
David L. Mills
University of Delaware
http://www.eecis.udel.edu/~mills
mailto:[email protected]
Jan 14, 2019

NTP security model

o NTP operates in a mixed, multi-level security environment including symmetric key cryptography, public key cryptography and unsecured.
o NTP timestamps and related data are considered public values and never encrypted.
o Time synchronization is maintained on a master-slave basis where synchronization flows from trusted servers to dependent clients possibly via intermediate servers operating at successively higher stratum levels.
o A client is authentic if it can reliably verify the credentials of at least one server and that server messages have not been modified in transit.
o A client is proventic if by induction each server on at least one path to a trusted server is authentic.

Intruder attack scenarios

o An intruder can intercept and archive packets forever, as well as all the public values ever generated and transmitted over the net.
o An intruder can generate packets faster than the server, network or client can process them, especially if they require expensive cryptographic computations.
o In a wiretap attack the intruder can intercept, modify and replay a packet. However, it cannot permanently prevent onward transmission of the original packet; that is, it cannot break the wire, only tell lies and congest it. It is generally assumed that the modified packet cannot arrive at the victim before the original packet.
o In a middleman or masquerade attack the intruder is positioned between the server and client, so it can intercept, modify and replay a packet and prevent onward transmission of the original packet. It is generally assumed that the middleman does not have the server private keys or identity parameters.

Security requirements

o The running times for public key algorithms are relatively long and highly variable, so that the synchronization function itself must not require their use for every NTP packet.
o In some modes of operation it is not feasible for a server to retain state variables for every client. It is however feasible to regenerate them for a client upon arrival of a packet from that client.
o The lifetime of cryptographic values must be enforced, which requires a reliable system clock. However, the sources that synchronize the system clock must be cryptographically proventicated. This circular interdependence of the timekeeping and proventication functions requires special handling.

Security requirements (continued)

o All proventication functions must involve only public values transmitted over the net with the exception of encrypted signatures and cookies intended only to authenticate the source. Unencrypted private values must never be disclosed beyond the machine on which they were created.
o Public encryption keys and certificates must be retrievable directly from servers without requiring secured channels; however, the fundamental security of identification credentials and public values bound to those credentials must be a function of certificate authorities and/or webs of trust.
o Error checking must be at the enhanced paranoid level, as network terrorists may be able to craft errored packets that consume excessive cycles with needless result.

NTP subnet principles

o The NTP network is a forest of hosts operating as servers and clients
  • Primary (stratum 1) servers are the forest roots.
  • Secondary (stratum > 1) servers join the trunks and branches of the forest.
  • Clients are secondary servers at the leaves of the forest.
  • Secondary servers normally use multiple redundant servers and diverse network paths to the same or next lower stratum level toward the roots.
o An NTP subnet is a subset of the NTP network.
  • Usually, but not necessarily, the subnet is operated by a single management entity over local networks belonging to the entity.
  • The set of lowest-stratum hosts represent the roots of the subnet.
  • The remaining subnet hosts must have at least one path to at least one of the roots.
  • The NTP subnet is self contained if the roots are all primary (stratum 1) servers and derivative if not.
  • Subnets may include branches to other subnets for primary and backup service and to create hierarchical multi-subnet structures.

NTP secure group principles

o An NTP secure group is a subnet using a common security model, authentication protocol and identity scheme based on symmetric key or public key cryptography.
o Each group host has
  • Password-encrypted identity parameters and group key generated by a trusted agent.
  • For public key cryptography, a public/private host key pair and self-signed host certificate.
o Each group has one or more trusted hosts that
  • Provide cryptographic redundancy and diversity.
  • Operate at the lowest stratum of the group.
  • For public key cryptography, the host certificate must have a trusted extension field.
o A trusted agent acting for the group generates the current identity parameters and group key, which are distributed by secure means.

Hierarchical groups and trust inheritance

o A host authenticates neighbor hosts by credentials, including certificate, identity parameters, group key and identity scheme.
  • A certificate trail must exist from each host via intervening hosts having the same credentials to (one of) the trusted host(s) at the lowest stratum of the group. The name of each trusted host must be a pseudonym for the group.
  • The security protocol hikes the certificate trail to reveal the pseudonym which locates the credentials previously obtained from the trusted agent.
o This provides the framework for hierarchical group authentication.
  • The primary group includes multiple trusted primary (stratum 1) servers with primary group credentials.
  • A derivative group includes multiple
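
The definitions in the slides above (authentic, proventic, subnet roots, self contained versus derivative) applied to a small subnet, as an added example that is not part of the original slides. The host names, the sample data and the treatment of trusted hosts as the base case of the induction are assumptions.

```python
from collections import deque

# Constructed sample subnet (hypothetical host names): host -> stratum.
STRATUM = {"ts1": 1, "ts2": 1, "s2a": 2, "s2b": 2, "c3a": 3, "c3b": 3, "c3c": 3}
TRUSTED = {"ts1", "ts2"}
# (client, server) pairs where the client has verified the server's
# credentials and the integrity of its messages, i.e. the client is authentic.
# s2b has no verified upstream server, so it appears only as a server here.
AUTHENTICATED = {("s2a", "ts1"), ("c3a", "s2a"), ("c3b", "s2b"),
                 ("c3c", "s2b"), ("c3c", "s2a")}

def subnet_roots(stratum):
    """Roots of the subnet: the set of lowest-stratum hosts."""
    lowest = min(stratum.values())
    return {host for host, s in stratum.items() if s == lowest}

def classify(stratum):
    """Self contained if the roots are all primary (stratum 1), else derivative."""
    return "self contained" if min(stratum.values()) == 1 else "derivative"

def proventic_hosts(trusted, authenticated):
    """Hosts with at least one chain of authenticated hops to a trusted host.

    Assumption: trusted hosts are the base case of the induction.
    """
    clients_of = {}
    for client, server in authenticated:
        clients_of.setdefault(server, set()).add(client)
    proventic, queue = set(trusted), deque(trusted)
    while queue:
        server = queue.popleft()
        for client in clients_of.get(server, ()):
            if client not in proventic:
                proventic.add(client)
                queue.append(client)
    return proventic

def audit(stratum, trusted, authenticated):
    """Summarise the subnet and list hosts that are not proventic."""
    ok = proventic_hosts(trusted, authenticated)
    return {"roots": subnet_roots(stratum), "kind": classify(stratum),
            "not_proventic": set(stratum) - ok}

if __name__ == "__main__":
    print(audit(STRATUM, TRUSTED, AUTHENTICATED))
```

Host c3b is authentic with respect to s2b, yet it is reported as not proventic because s2b itself has no authenticated path to a trusted host; c3c is proventic through s2a despite also using s2b.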



UD ELEG 867 - NTP Security Model
