NTP Working Group | D. Sibold |
Internet-Draft | K. Teichel |
Intended status: Standards Track | PTB |
Expires: July 29, 2016 | S. Röttger |
Google Inc. | |
R. Housley | |
Vigil Security | |
January 26, 2016 |
Protecting Network Time Security Messages with the Cryptographic Message Syntax (CMS)
draft-ietf-ntp-cms-for-nts-message-05
This document describes a convention for using the Cryptographic Message Syntax (CMS) to protect the messages in the Network Time Security (NTS) protocol. NTS provides authentication of time servers as well as integrity protection of time synchronization messages using Network Time Protocol (NTP) or Precision Time Protocol (PTP).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 29, 2016.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document provides details on how to construct NTS messages in practice. NTS provides secure time synchronization with time servers using Network Time Protocol (NTP) [RFC5905] or Precision Time Protocol (PTP) [IEEE1588]. Among other things, this document describes a convention for using the Cryptographic Message Syntax (CMS) [RFC5652] to protect messages in the Network Time Security (NTS) protocol. Encryption is used to provide confidentiality of secrets, and digital signatures are used to provide authentication and integrity of content.
Sometimes CMS is used in an exclusively ASN.1 [ASN1] environment. In this case, the NTS message may use any syntax that facilitates easy implementation.
Regarding the usage of CMS, we differentiate between three archetypes according to which the NTS message types can be structured. They are presented below. Note that the NTS Message Object that is at the core of each structure does not necessarily contain all the data needed for the particular message type, but may contain only that data which needs to be secured directly with cryptographic operations using the CMS. Specific information about what is included can be found in Section 3.
+-----------------------------------------------------+ | | | NTS Message Object | | | | | +-----------------------------------------------------+
+---------------------------------------------------------+ | | | ContentInfo | | | | +-----------------------------------------------------+ | | | | | | | SignedData | | | | | | | | +-------------------------------------------------+ | | | | | | | | | | | EnvelopedData | | | | | | | | | | | | +---------------------------------------------+ | | | | | | | | | | | | | | | NTS Message Object | | | | | | | | | | | | | | | | | | | | | | | +---------------------------------------------+ | | | | | | | | | | | +-------------------------------------------------+ | | | | | | | +-----------------------------------------------------+ | | | +---------------------------------------------------------+
+---------------------------------------------------------+ | | | ContentInfo | | | | +-----------------------------------------------------+ | | | | | | | SignedData | | | | | | | | +-------------------------------------------------+ | | | | | | | | | | | NTS Message Object | | | | | | | | | | | | | | | | | +-------------------------------------------------+ | | | | | | | +-----------------------------------------------------+ | | | +---------------------------------------------------------+
Figure 2 illustrates this structure.
Figure 3 illustrates this structure.
Overall, three CMS content types are used for NTS messages by the archetypes above. Explicitly, those content types are ContentInfo, SignedData and EnvelopedData. The following is a description of how the fields of those content types are used in detail.
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
The ContentInfo content type is used in all archetypes except NTS-Plain. The fields of the ContentInfo content type are used as follows:
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }.
The SignedData content type is used in the NTS-Signed and NTS-Encrypted-and-Signed archetypes, but not in the NTS-Plain archetype. The fields of the SignedData content type are used as follows:
In addition, it MAY contain the following attributes:
The EnvelopedData content type is used only in the NTS-Encrypted-and-Signed archetype. The fields of the EnvelopedData content type are used as follows:
This section presents some hints about the structures of the NTS message objects for the different message types when one wishes to implement the security mechanisms.
The following ASN.1 coded data types "NTSNonce" and "NTSVersion" are needed for other types used below for NTS messages. "NTSNonce" specifies a 128 bit nonce as required in several message types:
NTSNonce ::= OCTET STRING (SIZE(16))
"NTSVersion" specifies a version number, which is required for version negotiation.
NTSVersion ::= INTEGER (0..255)
The following ASN.1 coded data types are also necessary for other types.
KeyEncryptionAlgorithmIdentifiers ::= SET OF KeyEncryptionAlgorithmIdentifier
ContentEncryptionAlgorithmIdentifiers ::= SET OF ContentEncryptionAlgorithmIdentifier
This message is structured according to the NTS-Plain archetype. There is no data necessary besides that which is transported in the NTS message object, which is an ASN.1 object of type "ClientAssocData" and structured as follows:
ClientAssocData ::= SEQUENCE { nonce NTSNonce, minVersion NTSVersion, clientId SubjectKeyIdentifier, hmacHashAlgos DigestAlgorithmIdentifiers, keyEncAlgos KeyEncryptionAlgorithmIdentifiers, contentEncAlgos ContentEncryptionAlgorithmIdentifiers }
It is identified by the following object identifier (fictional values):
id-ct-nts-clientAssoc OBJECT IDENTIFIER ::= TBD1
This message is structured according to the NTS-Signed archetype. It requires additional data besides that which is transported in the NTS message object, namely the signature and certificate chain are included in the appropriate fields of the "SignedData" CMS structure that the NTS message object is wrapped in. The NTS message object itself is an ASN.1 object of type "ServerAssocData" and structured as follows:
ServerAssocData ::= SEQUENCE { nonce NTSNonce, proposedVersion NTSVersion, clientId SubjectKeyIdentifier, hmacHashAlgos DigestAlgorithmIdentifiers, choiceHmacHashAlgo DigestAlgorithmIdentifier, keyEncAlgos KeyEncryptionAlgorithmIdentifiers, choiceKeyEncAlgo KeyEncryptionAlgorithmIdentifier, contentEncAlgos ContentEncryptionAlgorithmIdentifiers, choiceContentEncAlgo ContentEncryptionAlgorithmIdentifier }
It is identified by the following object identifier (fictional values):
id-ct-nts-serverAssoc OBJECT IDENTIFIER ::= TBD2
This message is structured according to the NTS-Plain archetype. It requires no additional data besides that which is transported in the NTS message object. The NTS message object itself is an ASN.1 object of type "ClientCookieData" and structured as follows:
ClientCookieData ::= SEQUENCE { nonce NTSNonce, signAlgo SignatureAlgorithmIdentifier, hmacHashAlgo DigestAlgorithmIdentifier, encAlgo ContentEncryptionAlgorithmIdentifier, keyEncAlgo KeyEncryptionAlgorithmIdentifier, certificates CertificateSet }
It is identified by the following object identifier (fictional values):
id-ct-nts-clientCookie OBJECT IDENTIFIER ::= TBD3
This message is structured according to the "NTS-Encrypted-and-Signed" archetype. It requires additional data besides that which is transported in the NTS message object, namely the signature is included in the appropriate field of the "SignedData" CMS structure that the NTS message object is wrapped in. The NTS message object itself is an ASN.1 sequence of type "ServerCookieData" and structured as follows:
ServerCookieData ::= SEQUENCE { nonce NTSNonce, cookie OCTET STRING (SIZE(16)) }
It is identified by the following object identifier (fictional values):
id-ct-nts-serverCookie OBJECT IDENTIFIER ::= TBD4
This message is structured according to the "NTS-Plain" archetype.
This message type requires additional data to that which is included in the NTS message object, namely it requires regular time synchronization data, as an unsecured packet from a client to a server would contain. Optionally, it requires the Message Authentication Code (MAC) to be generated over the whole rest of the packet (including the NTS message object) and transported in some way. The NTS message object itself is an ASN.1 object of type "TimeRequestSecurityData", whose structure is as follows:
TimeRequestSecurityData ::= SEQUENCE { nonce NTSNonce, hmacHashAlgo DigestAlgorithmIdentifier, keyInputValue OCTET STRING (SIZE(16)) }
It is identified by the following object identifier (fictional values):
id-ct-nts-securityDataReq OBJECT IDENTIFIER ::= TBD5
This message is structured according to the "NTS-Plain" archetype.
It requires two items of data in addition to that which is transported in the NTS message object. Like "time_request", it requires regular time synchronization data. Furthermore, it requires the Message Authentication Code (MAC) to be generated over the whole rest of the packet (including the NTS message object) and transported in some way. The NTS message object itself is an ASN.1 object of type "TimeResponseSecurityData", with the following structure:
TimeResponseSecurityData ::= SEQUENCE { nonce NTSNonce, }
It is identified by the following object identifier (fictional values):
id-ct-nts-securityDataResp OBJECT IDENTIFIER ::= TBD6
This first broadcast message is structured according to the NTS-Plain archetype. There is no data necessary besides that which is transported in the NTS message object, which is an ASN.1 object of type "BroadcastParameterRequest" and structured as follows:
BroadcastParameterRequest ::= SEQUENCE { nonce NTSNonce, clientId SubjectKeyIdentifier }
It is identified by the following object identifier (fictional values):
id-ct-nts-broadcastParamReq OBJECT IDENTIFIER ::= TBD7
This message is structured according to "NTS-Signed". It requires additional data besides that which is transported in the NTS message object, namely the signature is included in the appropriate field of the "SignedData" CMS structure that the NTS message object is wrapped in. The NTS message object itself is an ASN.1 object of type "BroadcastParameterResponse" and structured as follows:
BroadcastParameterResponse ::= SEQUENCE { nonce NTSNonce, oneWayAlgo1 DigestAlgorithmIdentifier, oneWayAlgo2 DigestAlgorithmIdentifier, lastKey OCTET STRING (SIZE (16)), intervalDuration BIT STRING, disclosureDelay INTEGER, nextIntervalTime BIT STRING, nextIntervalIndex INTEGER }
It is identified by the following object identifier (fictional values):
id-ct-nts-broadcastParamResp OBJECT IDENTIFIER ::= TBD8
This message is structured according to the "NTS-Plain" archetype. It requires regular broadcast time synchronization data in addition to that which is carried in the NTS message object. Like "time_response", this message type also requires a MAC, generated over all other data, to be transported within the packet. The NTS message object itself is an ASN.1 object of type "BroadcastTime". It has the following structure:
BroadcastTime ::= SEQUENCE { thisIntervalIndex INTEGER, disclosedKey OCTET STRING (SIZE (16)), }
It is identified by the following object identifier (fictional values):
id-ct-nts-broadcastTime OBJECT IDENTIFIER ::= TBD9
This message is structured according to the "NTS-Plain" archetype. There is no data necessary besides that which is transported in the NTS message object, which is an ASN.1 object of type "ClientKeyCheckSecurityData" and structured as follows:
ClientKeyCheckSecurityData ::= SEQUENCE { nonce_k NTSNonce, interval_number INTEGER, hmacHashAlgo DigestAlgorithmIdentifier, keyInputValue OCTET STRING (SIZE(16)) }
It is identified by the following object identifier (fictional values):
id-ct-nts-clientKeyCheck OBJECT IDENTIFIER ::= TBD10
This message is also structured according to "NTS-Plain". It requires only a MAC, generated over the NTS message object, to be included in the packet in addition to what the NTS message object itself contains. The latter is an ASN.1 object of type "ServerKeyCheckSecurityData", which is structured as follows:
ServerKeyCheckSecurityData ::= SEQUENCE { nonce NTSNonce, interval_number INTEGER }
It is identified by the following object identifier:
id-ct-nts-serverKeyCheck OBJECT IDENTIFIER ::= TBD11
The syntax and processing rules for certificates are specified in [RFC5280]. In the NTS protocol, the server certificate MUST contain the following extensions:
For a certificate issued to a time server, the Extended Key Usage extension MAY include the id-kp-ntsServerAuth object identifier. When a certificate issuer includes this object identifier in the extended key usage extension, it provides an attestation that the certificate subject is a time server that supports the NTS protocol. The extension MAY also include the id-kp-ntsServerAuthz object identifier. When a certificate issuer includes this object identifier in the extended key usage extension, it provides an attestation that the certificate subject is a time server which the issuer believes to be willing and able to disseminate correct time (for example, this can be used to signal a server's authorization to disseminate legal time).
For a certificate issued to a time client, the Extended Key Usage extension MAY include the id-kp-ntsClientAuthz object identifier. When a certificate issuer includes this object identifier in the extended key usage extension, it provides an attestation that the certificate subject is a time client who has authorization from the issuer to access secured time synchronization (for example, this can be used to provide access in the case of a paid service for secure time synchronization).
Within the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" table, add one module identifier:
Decimal Description References ------- -------------------------------------- ---------- TBD0 id-networkTimeSecurity-2015 [this doc]
Within the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" table, add eleven content type identifiers:
Decimal Description References ------- -------------------------------------- ---------- TBD1 id-ct-nts-clientAssoc [this doc] TBD2 id-ct-nts-serverAssoc [this doc] TBD3 id-ct-nts-clientCookie [this doc] TBD4 id-ct-nts-serverCookie [this doc] TBD5 id-ct-nts-securityDataReq [this doc] TBD6 id-ct-nts-securityDataResp [this doc] TBD7 id-ct-nts-broadcastParamReq [this doc] TBD8 id-ct-nts-broadcastParamResp [this doc] TBD9 id-ct-nts-broadcastTime [this doc] TBD10 id-ct-nts-clientKeyCheck [this doc] TBD11 id-ct-nts-serverKeyCheck [this doc]
Within the "SMI Security for PKIX Extended Key Purpose Identifiers (1.3.6.1.5.5.7.3)" table, add three key purpose identifiers:
Decimal Description References ------- -------------------------------------- ---------- TBD12 id-kp-ntsServerAuth [this doc] TBD13 id-kp-ntsServerAuthz [this doc] TBD14 id-kp-ntsClientAuthz [this doc]
To be written.
[ASN1] | International Telecommunication Union, "Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, November 2008. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC5280] | Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R. and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008. |
[RFC5652] | Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009. |
[I-D.ietf-ntp-network-time-security] | Sibold, D., Roettger, S. and K. Teichel, "Network Time Security", Internet-Draft draft-ietf-ntp-network-time-security-12, December 2015. |
[IEEE1588] | IEEE Instrumentation and Measurement Society. TC-9 Sensor Technology, "IEEE standard for a precision clock synchronization protocol for networked measurement and control systems", 2008. |
[RFC5905] | Mills, D., Martin, J., Burbank, J. and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010. |
The ASN.1 module contained in this appendix defines the id-kp- NTSserver object identifier.
NTSserverKeyPurpose { TBD } DEFINITIONS IMPLICIT TAGS ::= BEGIN id-kp-NTSserver OBJECT IDENTIFIER ::= { TBD } END