NTP Security AlgorithmsSymmetric key and public key cryptographyMessage propagation time budgetMD5 message digest computationsMD5/RSA digital signature computationsCertificatesSignature operationsIdentification exchangePrivate certificate (PC) identity schemeTrusted certificate (TC) identity schemeSchnorr (IFF) identity schemeSlide 12Guillou-Quisquater (GQ) schemeGuillou-Quisquater (GQ) identity scheme operationsMu-Varadharajan (MV) identity scheme – setup IMu-Varadharajan (MV) identity scheme – setup IIMu-Varadharajan (MV) schemeMu-Varadharajan (MV) identity scheme operationsKey generationKey managementFurther informationJan 14, 2019 1Sir John Tenniel; Alice’s Adventures in Wonderland,Lewis CarrollNTP Security AlgorithmsDavid L. MillsUniversity of Delawarehttp://www.eecis.udel.edu/~millsmailto:[email protected] 14, 2019 2Symmetric key and public key cryptographyoPublic key cryptography•Encryption/decryption algorithms are relatively slow with highly variable running times depending on key and data•All keys are random; private keys are never divulged•Certificates reliably bind server identification and public key•Server identification established by challenge/response protocol•Well suited to multicast paradigmoSymmetric key cryptography•Encryption/decryption algorithms are relatively fast with constant running times independent of key and data•Fixed private keys must be distributed in advance•Key agreement (Diffie-Hellman) is required for private random keys•Per-association state must be maintained for all clients•Not well suited to multicast paradigmJan 14, 2019 3Message propagation time budgetoWe want T3 and T4 timestamps for accurate network calibration•If output wait is small, T3a is good approximation to T3•T3a can’t be included in message after cryptosum is calculated, but can be sent in next message; use T3b as best approximation to T3•T4 captured by most network drivers at interrupt time; if not, use T4a as best approximation to T4oLargest error is usually output cryptosum•Private-key algorithms (MD5, DES-CBC) running times range from 10 s to 1 ms, depending on architecture, but can be predicted fairly well•Public-key algorithms (RSA) running times range up to 100 ms, depending on architecture, but are highly variable and depend on message contentCryptosumT3bTimestampNetworkT3aTimestampT4TimestampInput WaitT4aTimestampCryptosumand ProtocolProcessingTimeOutput WaitT3TimestampJan 14, 2019 4MD5 message digest computationsoMeasured times to construct 128-bit hash of 48-octet NTP header using MD5 algorithm in RSAREF050100150200250300HP 9000/735SPARC20Alpha 3000/600Alpha 3000/400SPARC IPCDEC 5000/240SPARC1+Time (us)Jan 14, 2019 5MD5/RSA digital signature computationsoMeasured times (s) to construct digital signature using RSAREFoMessage authentication code constructed from 48-octet NTP header hashed with MD5, then encrypted with RSA 512-bit private key0.00.20.40.60.81.01.21.41.61.82.0Alpha 250-4/266SGI R4600 133Pentium 133Alpha 3000/600HP 9000/735SPARC 10/71DEC 5000/240SPARC 2SPARC IPXSPARC IPCSPARC 1+SPARC 1Time (s)MaxAvgJan 14, 2019 6CertificatesoA private/public key pair and self signed host certificate are required for each host.•Certificates are in X509 version 3 format valid for one year.•The serial number is the NTP seconds of generation to insure uniqueness.oExtension fields are used to convey identity parameters and whether the certificate is private or trusted.•The required Basic Constraints field contains the string “critical,CA:TRUE”, indicating the host can act as a certificate authority. •The required Key Usage field contains the string “digitalSignature,keyCertSign”, indicating the certificate is valid for digital signatures and to sign other certificates.•The optional Extended Key Usage field contains the string “private” indicating a private certificate (PC identity scheme) or the string “trustRoot” indicating a trusted certificate. By definition, private certificates are trusted.•The optional Subject Key Identifier field contains the public key for the GQ identity scheme.Jan 14, 2019 7Signature operationsoPublic keys, certificates and leapseconds files can be read from local files or sent over the net using the Autokey protocol.oCryptographic values are signed only when the host is synchronized.•Filestamps record the NTP seconds when the file was created. These are proventic data and provide a reliable total ordering of creation epoches.•Timestamps record the NTP seconds when the data were last signed. These are proventic data only when the sender is synchronized and provide only a partial ordering of signing epoches.oCryptographic values derived from files and received over the net are signed only when they are created or changed and in addition at refresh intervals of about one day. oAutokey values are signed when the key list is regenerated, about once per hour.oCookie values are signed when sent.oIdentity values are signed when sent.Jan 14, 2019 8Identification exchangeClient ServerVerify hash response and signatureChallenge ResponseChallenge RequestSend response and signatureCompute nonce1 and send Compute nonce2 and responseoThis is a challenge-response scheme•Client Alice and server Bob share a common set of parameters and a private group key b.•Alice rolls random nonce r and sends to Bob.•Bob rolls random nonce k, computes a one-way function f(r, k, b) and sends to Alice.•Alice computes some function g(f, b) to verify that Bob knows b.oThe signature prevents message modification and binds the response to Bob’s private key.oAn interceptor can see the challenge and response, but cannot determine k or b or how to construct a response acceptable to Alice.Jan 14, 2019 9Private certificate (PC) identity schemeoTA generates a certificate marked private and transmits it by secure means to all servers and clients.oThe certificate is never divulged outside the group and never presented for signature.oAn identity exchange is not necessary.oRefreshing certificates is a major problemTrustedAuthorityCertificateServerCertificateClientCertificateSecureSecureJan 14, 2019 10Trusted certificate (TC) identity schemeoEach certificate is signed by the issuer, which is one step closer on the trail to the trusted host.oThe trusted host certificate is self-signed and self-validated.oThis scheme is vulnerable to a middleman masquerade, unless an identity scheme is used.oThe identity scheme,