NTP Working Group | D. Sibold |
Internet-Draft | PTB |
Intended status: Standards Track | S. Röttger |
Expires: June 23, 2016 | Google Inc |
K. Teichel | |
PTB | |
December 21, 2015 |
Using the Network Time Security Specification to Secure the Network Time Protocol
draft-ietf-ntp-using-nts-for-ntp-03
This document describes how to use the measures described in the Network Time Security (NTS) specification to secure time synchronization with servers using the Network Time Protocol (NTP).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 23, 2016.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
One of the most popular time synchronization protocols, the Network Time Protocol (NTP) [RFC5905], currently does not provide adequate intrinsic security precautions. The Network Time Security draft [I-D.ietf-ntp-network-time-security] specifies security measures which can be used to enable time synchronization protocols to verify authenticity of the time server and integrity of the time synchronization protocol packets.
This document provides detail on how to specifically use those measures to secure time synchronization between NTP clients and servers.
The objectives of the NTS specification are as follows:
The server does not keep a state of the client. NTS initially verifies the authenticity of the time server and exchanges a symmetric key, the so-called cookie and a key input value (KIV). The "association" and "cookie" message exchanges described in [I-D.ietf-ntp-network-time-security], Appendix B., can be utilized for the exchange of the cookie and KIV. An implementation MUST support the use of these exchanges. It MAY additionally support the use of any alternative secure communication for this purpose, as long as it fulfills the preconditions given in [I-D.ietf-ntp-network-time-security], Section 6.1.1.
After the cookie and KIV are exchanged, the participants then use them to protect the authenticity and the integrity of subsequent unicast-type time synchronization packets. In order to do this, the server attaches a Message Authentication Code (MAC) to each time synchronization packet. The calculation of the MAC includes the whole time synchronization packet and the cookie which is shared between client and server. Therefore, the client can perform a validity check for this MAC on reception of a time synchronization packet.
After the client has accomplished the necessary initial time synchronization via client-server mode, the necessary broadcast parameters are communicated from the server to the client. The "broadcast parameter" message exchange described in [I-D.ietf-ntp-network-time-security], Appendix B., can be utilized for this communication. An implementation MUST support the use of this exchange. It MAY additionally support the use of any alternative secure communication for this purpose, as long as it fulfills the necessary security goals (given in [I-D.ietf-ntp-network-time-security], Section 6.2.1.).
After the client has received the necessry broadcast parameters, "broadcast time synchronization" message exchanges are utilized in combination with optional "broadcast keycheck" exchanges to protect authenticity and integrity of NTP broadcast time synchronization packets. As in the case of unicast time synchronization messages, this is also achieved by MACs.
Throughout this section, the server seed, the nonces, cookies and MACs mentioned have bit lengths of B_seed, B_nonce, B_cookie and B_mac, respectively. These bit lengths are defined in Appendix B [appendix_bit_lengths].
Note for clarification that different message exchanges use different nonces. A nonce is always generated by the client for a request message, and then used by the server in its response. After this, it is not to be used again.
For a unicast run, the client performs the following steps: Figure 1.
If one of the checks fails, the client MUST abort the run.
If one of those checks fails, the client MUST abort the run.
If at least one of the first three checks fails (i.e. if the version number does not match, if the client has never used the nonce transmitted in the time_response message, or if it has used the nonce with initial time synchronization data different from that in the response), then the client MUST ignore this time_response message. If the MAC is invalid, the client MUST do one of the following: abort the run or go back to step 3 (because the cookie might have changed due to a server seed refresh). If both checks are successful, the client SHOULD continue time synchronization by repeating the exchange of time_request and time_response messages.
The client's behavior in unicast mode is also expressed in
To establish a secure broadcast association with a broadcast server, the client MUST initially authenticate the broadcast server and securely synchronize its time with it up to an upper bound for its time offset in unicast mode. After that, the client performs the following steps: [I-D.ietf-ntp-network-time-security]) if the one-way key chain expires.
If any information is missing or if the server's signature cannot be verified, the client MUST abort the broadcast run. If all checks are successful, the client MUST remember all the broadcast parameters received for later checks.
See
RFC 4082 [RFC4082] for a detailed description of the packet verification process.The client MUST restart the broadcast sequence with a client_bpar message (
The client's behavior in broadcast mode can also be seen in Figure 2.
To support unicast mode, the server MUST be ready to perform the following actions: [I-D.ietf-ntp-network-time-security]).
The server MUST refresh its server seed periodically (see
In addition to the server MAY be ready to perform the following action:
A broadcast server MUST also support unicast mode in order to provide the initial time synchronization, which is a precondition for any broadcast association. To support NTS broadcast, the server MUST additionally be ready to perform the following actions:
The server is responsible to watch for the expiration date of the one-way key chain and generate a new key chain accordingly.
In addition to the items above, the server MAY be ready to perform the following action:
This section presents some hints about the structures of the communication packets for the different message types when one wishes to implement NTS for NTP. See document [I-D.ietf-ntp-cms-for-nts-message] for descriptions of the archetypes for CMS structures as well as for the ASN.1 structures that are referenced here.
All extension fields mentioned in the following list are notified by a field type value signalling content related to NTS version 1.0.
This message is realized as an NTP packet with an extension field which holds an "NTS-Plain" archetype structure. This structure consists only of an NTS message object of the type "ClientAssocData", which holds all the data necessary for the NTS security mechanisms.
Like "client_assoc", this message is realized as an NTP packet with an extension field which holds an "NTS-Plain" archetype structure, i.e. just an NTS message object of the type "ServerAssocData". The latter holds all the data necessary for NTS.
This message type is realized as an NTP packet with an extension field which holds a CMS structure of archetype "NTS-Plain", containing in its core an NTS message object of the type "ClientCookieData". The latter holds all the data necessary for the NTS security mechanisms.
This message type is realized as an NTP packet with an extension field containing a CMS structure of archetype "NTS-Encrypted-and-Signed". The NTS message object in that structure is a "ServerCookieData" object, which holds all data required by NTS for this message type.
This message type is realized as an NTP packet with regular NTP time synchronization data. Furthermore, the packet has an extension field which contains an ASN.1 object of type "TimeRequestSecurityData" (packed in a CMS structure of archetype "NTS-Plain"). Finally, this NTP packet has another extension field which contains a Message Authentication Code generated over the whole packet (including the extension field).
This message is also realized as an NTP packet with regular NTP time synchronization data. The packet also has an extension field which contains an ASN.1 object of type "TimeResponseSecurityData". Finally, this NTP packet has another extension field which contains a Message Authentication Code generated over the whole packet (including the extension field).
This first broadcast message is realized as an NTP packet which is empty except for an extension field which contains an ASN.1 object of type "BroadcastParameterRequest" (packed in a CMS structure of archetype "NTS-Plain"). This is sufficient to transport all data specified by NTS.
This message type is realized as an NTP packet whose extension field carries the necessary CMS structure (archetype: "NTS-Signed"). The NTS message object in this case is an ASN.1 object of type "BroadcastParameterResponse".
This message's realization works via an NTP packet which carries regular NTP broadcast time data as well as an extension field, which contains an ASN.1 object of type "BroadcastTime" (packed in a CMS structure with archetype "NTS-Plain"). In addition to all this, this packet has another extension field which contains a Message Authentication Code generated over the whole packet (including the extension field).
This message is realized as an NTP packet with an extension field, which transports a CMS structure of archetype "NTS-Plain", containing an ASN.1 object of type "ClientKeyCheckSecurityData".
This message is also realized as an NTP packet with an extension field, which contains an ASN.1 object of type "ServerKeyCheckSecurityData" (packed in a CMS structure of archetype "NTS-Plain"). Additionally, this NTP packet has another extension field which contains a Message Authentication Code generated over the whole packet (including the extension field).
Within the "NTP Extensions Field Types" registry table, add one field type:
Field Type Meaning References ---------- ------------------------------------ ---------- TBD1 NTS-Related Content [this doc]
If an implementation uses alternative means to perform association and cookie exchange, it MUST make sure that an adversary cannot abuse the server to obtain a cookie belonging to a chosen KIV.
The certification-based authentication scheme described in [I-D.ietf-ntp-network-time-security] is not applicable to the concept of NTP pools. Therefore, NTS is unable to provide secure usage of NTP pools.
tbd
The list of the hash algorithms supported by the server has to fulfill the following requirements:
The authors would like to thank Russ Housley, Steven Bellovin, David Mills and Kurt Roeckx for discussions and comments on the design of NTS. Also, thanks to Harlan Stenn for his technical review and specific text contributions to this document.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC4082] | Perrig, A., Song, D., Canetti, R., Tygar, J. and B. Briscoe, "Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction", RFC 4082, DOI 10.17487/RFC4082, June 2005. |
[RFC5652] | Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009. |
[RFC5905] | Mills, D., Martin, J., Burbank, J. and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010. |
[I-D.ietf-ntp-cms-for-nts-message] | Sibold, D., Teichel, K., Roettger, S. and R. Housley, "Protecting Network Time Security Messages with the Cryptographic Message Syntax (CMS)", Internet-Draft draft-ietf-ntp-cms-for-nts-message-04, July 2015. |
[I-D.ietf-ntp-network-time-security] | Sibold, D., Roettger, S. and K. Teichel, "Network Time Security", Internet-Draft draft-ietf-ntp-network-time-security-11, October 2015. |
[RFC7384] | Mizrahi, T., "Security Requirements of Time Protocols in Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, October 2014. |
+---------------------+ |Association Messages | +----------+----------+ | +------------------------------>o | | | v | +---------------+ | |Cookie Messages| | +-------+-------+ | | | o<------------------------------+ | | | | v | | +-------------------+ | | |Time Sync. Messages| | | +---------+---------+ | | | | | v | | +-----+ | | |Check| | | +--+--+ | | | | | /------------------+------------------\ | | v v v | | .-----------. .-------------. .-------. | | ( MAC Failure ) ( Nonce Failure ) ( Success ) | | '-----+-----' '------+------' '---+---' | | | | | | | v v v | | +-------------+ +-------------+ +--------------+ | | |Discard Data | |Discard Data | |Sync. Process | | | +-------------+ +------+------+ +------+-------+ | | | | | | | | | v | +-----------+ +------------------>o-----------+
Figure 1: The client's behavior in NTS unicast mode.
+-----------------------------+ |Broadcast Parameter Messages | +--------------+--------------+ | o<--------------------------+ | | v | +-----------------------------+ | |Broadcast Time Sync. Message | | +--------------+--------------+ | | | +-------------------------------------->o | | | | | v | | +-------------------+ | | |Key and Auth. Check| | | +---------+---------+ | | | | | /----------------*----------------\ | | v v | | .---------. .---------. | | ( Verified ) ( Falsified ) | | '----+----' '----+----' | | | | | | v v | | +-------------+ +-------+ | | |Store Message| |Discard| | | +------+------+ +---+---+ | | | | | | v +---------o | +---------------+ | | |Check Previous | | | +-------+-------+ | | | | | /--------*--------\ | | v v | | .---------. .---------. | | ( Verified ) ( Falsified ) | | '----+----' '----+----' | | | | | | v v | | +-------------+ +-----------------+ | | |Sync. Process| |Discard Previous | | | +------+------+ +--------+--------+ | | | | | +-----------+ +-----------------------------------+
Figure 2: The client's behaviour in NTS broadcast mode.
Define the following bit lengths for server seed, nonces, cookies and MACs: