Implementing NTP Time Server Authentication
NTP, or Network Time Protocol, was developed to synchronise the clocks of client machines across the Internet and is one of the oldest Internet protocols still in wide use, on both the Internet and local area networks. The protocol runs over UDP (User Datagram Protocol) on port 123 and implements a hierarchical structure of strata, whereby each level serves the level below it. This article describes how to configure NTP's built-in authentication so that timestamps cannot be forged or altered in transit without detection.
The Network Time Protocol is used to keep many time-critical processes on distributed computers in step: logging, certificate validity checks, Kerberos ticket lifetimes and authentication schemes all depend on accurate time. An unauthenticated NTP feed is therefore a security risk. An attacker who can reach the network path could attempt to disrupt synchronisation by modifying, forging or replaying NTP packets so that clients adopt a false time.
NTP has an integral security feature to thwart such tampering: symmetric-key authentication. A server and its clients share a secret key, and each packet carries a keyed MD5 digest (a message authentication code) computed over the packet with that key. The client uses its copy of the key to verify that a timestamp really came from the expected server and was not changed on the way.
NTP implements authentication with a set of keys agreed between server and client; the keys themselves are never transmitted. When a time server sends a timestamp, it picks one of the shared keys, computes an MD5 digest over the key followed by the NTP packet, and appends the key's identification number and the digest to the message. When the client receives the packet it looks up the key number in its own key file, recomputes the digest with the stored key and compares it with the one received. Only if the two match, and the key number is one the client has been told to trust, is the timestamp accepted. In this manner the client can be sure that the timestamp originated from the expected time source and was not altered in transit.
The digest algorithm used is MD5 (Message-Digest Algorithm 5), a widely deployed 128-bit cryptographic hash function. NTP does not encrypt anything with it: MD5 is run over the shared key concatenated with the packet, and the resulting 16-byte fingerprint is appended to the timestamp. Note that MD5 is no longer considered collision-resistant; the keyed construction NTP uses is not directly affected by collision attacks, but current ntpd releases also accept SHA-1 and, when built against OpenSSL, stronger digests, and those should be preferred where both ends support them.
UNIX and Linux NTP installations (ntpd) store the shared keys in a key file, conventionally 'ntp.keys', whose location is given by the 'keys' directive in 'ntp.conf'. Each record in the file describes one authentication key in the format 'key-number' 'key-type' 'key'. The 'key-number' is the identifier that travels in the packet; the 'key-type' names the digest algorithm, 'M' for MD5 (newer releases also accept names such as 'SHA1'); and the 'key' field is the shared secret that is fed into the digest. The file holds secrets and must be readable only by the ntpd user. A subset of 'trusted keys' may then be specified in 'ntp.conf' with the 'trustedkey' directive followed by a space-delimited list of key numbers. Only these keys are used for authentication, so a compromised key can be excluded simply by dropping its number from the list without touching the key file. A client additionally binds a key to a particular server with the 'key' option on its 'server' line, so that packets from that server must carry a valid digest under that key.
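The exchange described in the preceding paragraphs, written out as an added example that is not part of the original article and not ntpd's own code. It parses a small ntp.keys file (constructed for this example), builds a 48-byte NTP server reply, appends the key number and keyed-MD5 digest the way RFC 5905 specifies it, and then plays the client side: a good packet is accepted, a packet whose transmit timestamp has been shifted is rejected, a packet authenticated with a key that is in the key file but not on the 'trustedkey' list is rejected, and a packet with no digest at all is rejected. The key names and values are invented.

```python
"""Added example (not from the article, not ntpd's code): NTP symmetric-key
authentication with keyed MD5, as ntpd and the ntp.keys file use it.

The MAC appended to an NTP packet is MD5(key || 48-byte NTP header),
prefixed by the 32-bit key ID. The key itself never leaves the host.
"""
import hashlib
import hmac
import struct

# Constructed ntp.keys content for this example (not a real key file).
# Format: <key-number> <type> <key>; 'M' = MD5 key; '#' starts a comment.
NTP_KEYS_TEXT = """\
# key-id  type  key
1  M  SuperSecretKey1
2  M  AnotherKey2
3  M  RetiredKey3
"""

# Key IDs that would appear on the ntp.conf 'trustedkey' line. Key 3 is
# deliberately left out to show that a correct MAC under an untrusted key
# is still rejected.
TRUSTED_KEYS = {1, 2}


def parse_ntp_keys(text):
    """Parse ntp.keys lines of the form 'id type key' into {id: key_bytes}."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        if ktype.upper() != "M":
            raise ValueError(f"unsupported key type {ktype!r} for key {keyid}")
        keys[int(keyid)] = key.encode()
    return keys


def build_ntp_header(mode, tx_timestamp):
    """Minimal 48-byte NTP header: LI=0, VN=4, the given mode, stratum 2,
    and the given 64-bit transmit timestamp; other fields are zero here."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    fixed = struct.pack("!BBBbIII", li_vn_mode, 2, 6, -20, 0, 0, 0)  # 16 bytes
    timestamps = b"\x00" * 24                                      # ref/orig/recv
    return fixed + timestamps + struct.pack("!Q", tx_timestamp)    # 48 bytes


def ntp_mac(key, header):
    """Keyed MD5 as NTP uses it: MD5 over the key bytes followed by the header."""
    return hashlib.md5(key + header).digest()


def sign_packet(header, keyid, keys):
    """Server side: append the 32-bit key ID and the 16-byte MD5 digest."""
    return header + struct.pack("!I", keyid) + ntp_mac(keys[keyid], header)


def verify_packet(packet, keys, trusted):
    """Client side. Returns (accepted, reason)."""
    if len(packet) < 48 + 4 + 16:
        return False, "no MAC present"
    header, keyid_bytes, mac = packet[:48], packet[48:52], packet[52:68]
    keyid = struct.unpack("!I", keyid_bytes)[0]
    if keyid not in keys:
        return False, f"unknown key id {keyid}"
    if keyid not in trusted:
        return False, f"key id {keyid} not in trustedkey list"
    expected = ntp_mac(keys[keyid], header)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "MAC mismatch: packet altered or wrong key"
    return True, "authenticated"


def demo():
    """Run the four cases and return which ones the client accepts."""
    keys = parse_ntp_keys(NTP_KEYS_TEXT)
    header = build_ntp_header(4, 0xE5C1A3F000000000)   # mode 4 = server reply
    good = sign_packet(header, 1, keys)
    results = {"good": verify_packet(good, keys, TRUSTED_KEYS)[0]}

    # Attacker moves the transmit timestamp forward by one second (upper
    # 32 bits of the 64-bit timestamp are whole seconds) without the key.
    tampered = bytearray(good)
    tampered[40:48] = struct.pack("!Q", 0xE5C1A3F100000000)
    results["tampered"] = verify_packet(bytes(tampered), keys, TRUSTED_KEYS)[0]

    # Correct MAC under key 3, which is in ntp.keys but not trusted.
    results["untrusted"] = verify_packet(sign_packet(header, 3, keys), keys, TRUSTED_KEYS)[0]

    # Plain unauthenticated reply with no MAC field at all.
    results["no_mac"] = verify_packet(header, keys, TRUSTED_KEYS)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```

Two points the code makes visible. First, the digest covers the whole header, so any change to the timestamps invalidates it; an attacker without the key can only replay a packet verbatim, and ntpd defeats that by checking that the origin timestamp echoed in a reply matches the transmit timestamp of the request it actually sent. Second, the key file and the trusted-key list are separate controls: a key can stay in the file for later re-enablement while being refused for use.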
Cisco routers and switches running IOS implement the Network Time Protocol and also support MD5 authentication. Enabling it takes a few steps. Firstly, turn on NTP authentication with the 'ntp authenticate' command. Secondly, define an NTP authentication key with the 'ntp authentication-key' command; each key has a unique reference number, supplied as the first parameter, followed by the keyword 'md5' and the shared secret. Thirdly, use the 'ntp trusted-key' command to tell the router which key numbers are valid; its argument is the reference number of a key defined in the previous step. Finally, when the router is itself a client, the key must be associated with the upstream server by adding the 'key' option and the key number to the 'ntp server' command; without this the router will not send or require a digest for that server. The same key number and secret must be configured at both ends.
The Windows 2000, 2003 and XP operating systems use the Windows Time service (W32Time), an SNTP (Simple Network Time Protocol) based client, for time synchronisation. Microsoft's implementation does not support the symmetric-key authentication described above, so a Windows client cannot verify NTP digests from a third-party time server; within an Active Directory domain W32Time relies instead on the domain's own authentication between member and domain controller.
In summary, symmetric-key authentication does not hide NTP traffic or stop an attacker from intercepting it; what it does is make forgery and tampering detectable. A network time client can be sure that an accepted timestamp emanated from a server holding the shared key and was not altered in transit, and any packet that fails the check is simply discarded.
D. Evans is a technical author who has written numerous articles describing how to install and configure time server devices for computer network time synchronisation. D. Evans specialises in the installation of NTP server systems and has provided a technical resource for a number of manufacturers.