
A Guide To NTP Authentication

NTP authentication is a measure used by the Network Time Protocol (NTP) to mitigate security risks associated with time synchronization. It allows a client to be sure that a response has indeed been generated from an expected source, rather than being generated, or intercepted, by malicious actors.

NTP is often used by time critical processes to ensure timing integrity. Authentication adds a layer of security, enhancing the reliability and resilience of the time synchronization process.

NTP Vulnerabilities

NTP clients transmit non-authenticated packets by default, to which a server responds with a non-authenticated packet.

A malicious actor could possibly impersonate a legitimate NTP server by intercepting non-authenticated packets and responding with incorrect time stamps.

NTP authentication provides enhanced security measures allowing NTP clients to verify the identity of the server that they are communicating with. If a client sends an authenticated packet, the server responds with an authenticated packet.

NTP Authentication

NTP provides a number of measures to reduce the security risks associated with time synchronization. Authentication is one such measure. It allows a client to be sure that a response has indeed been generated from an expected source, rather than being maliciously generated or intercepted.

Authentication is based on symmetric key cryptography, where a list of agreed keys, or passwords, is shared between a client and server. Each message between server and client carries an appended message authentication code: a hash computed over the agreed key together with the packet contents, so the key itself is never sent. The receiver recomputes the hash with its own copy of the key identified in the message and checks that it matches before acting on the packet. The hash is produced by a message digest algorithm such as MD5, SHA1 or SHA256.

Using Authentication

Authentication keys are stored on a client and server in a keys file named, by default, ‘ntp.keys’.

Each line of the file contains 3 fields: a key identifier, an encryption identifier and the key.

The key identifier should be a unique 16-bit number in the range 1 to 65535.

The encryption identifier is used to select the algorithm that should be used to encrypt the key. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by the library. If the library is not installed, the only permitted key type is MD5. Valid identifiers are: MD5, SHA1 and SHA256.

MD5 is an older hash algorithm that is still widely used and generates a 128-bit hash. SHA1 is considered more secure than MD5 and generates a 160-bit hash. SHA256 is more secure still, generating a 256-bit hash, and is the recommended choice for NTP authentication.

The key field is the secret password that is shared between the client and server. An encrypted version of the key is appended to packets and transmitted between server and client.

The key is a series of printable ASCII characters no longer than 20 characters in length. Alternatively, the key may be specified as a hexified string of 40 hex digits.

The # character can be used to add comments to lines and therefore should not be used in the key.

An example of a typical key file is shown below:

1 MD5 MyMD5AuthenticationKey # Comments here, if required.
2 MD5 BirmingHAM!!
10 MD5 ForEVer17
11 MD5 Another-Key
12 SHA1 MySHA1AuthenticationKey # Another comment.
13 SHA1 REAListIC
14 SHA1 276a99bc546e778f9cde625e65248b2a75926e7f
22 SHA1 22817deb6e398165ef82377c2daf6d338fed5682
23 SHA256 MySHA256AuthenticationKey
24 SHA256 MySHA256AuthenticationKey
25 SHA256 765e87327f8ed54682fe8d334b926f4ea892427e

The keys file on the client is generally identical to the one on the server, but it may contain only a subset of the server's keys.

Trusted Keys

In addition to specifying the individual keys in the keys file, a user can also specify a subset of the keys which should be considered as currently valid. The subset is specified by key identifier as trusted-keys in the NTP configuration file.

For instance, you may have a large keys file with many keys, but only require a smaller subset of them to be valid at any one time. Using the ‘trusted-keys’ parameter in the ‘ntp.conf’ configuration file, you can specify just such a subset. The parameter takes the form of a space-delimited list of key identifiers:

trusted-keys 1 2 10 22 23 24

The above parameter would make keys 1, 2, 10, 22, 23 and 24 in the keys file trusted and the remaining keys invalid.
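The following Python script is an added example, not code from this page or from TimeTools, that ties together the three pieces described above: it parses a keys file in the ntp.keys layout (comments after ‘#’, ASCII keys of up to 20 characters, or 40-digit hexified keys), reads a ‘trusted-keys’ line into the set of currently valid identifiers, and then appends and verifies a message authentication code of the form key identifier followed by digest(key || packet), which is the construction given in RFC 5905 Appendix A. The sample keys file, the trusted-keys line and the 48-byte client packet are constructed for the example; the hexified key value is copied from the example keys file above. It assumes the MAC is the full digest for every key type and does not model any implementation-specific truncation.

```python
import hashlib
import hmac
import struct

# Constructed sample keys file in the ntp.keys layout (values made up for this example;
# the hex key is the one shown in the page's example keys file).
SAMPLE_KEYS_FILE = """\
1 MD5 MyMD5Key # Comments here, if required.
2 MD5 BirmingHAM!!
12 SHA1 REAListIC # Another comment.
14 SHA1 276a99bc546e778f9cde625e65248b2a75926e7f
23 SHA256 ForEVer17
"""

# Constructed ntp.conf line naming the subset of keys that are currently valid.
SAMPLE_TRUSTED_LINE = "trusted-keys 1 2 14 23"

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
HEADER_LEN = 48  # size of the NTP packet header that the digest covers


def parse_keys_file(text):
    """Return {key_id: (digest_name, key_bytes)} from ntp.keys-style text."""
    keys = {}
    hexdigits = set("0123456789abcdefABCDEF")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields: {raw!r}")
        key_id, key_type, secret = int(fields[0]), fields[1].upper(), fields[2]
        if not 1 <= key_id <= 65535:
            raise ValueError(f"key identifier out of range: {key_id}")
        if key_type not in DIGESTS:
            raise ValueError(f"unsupported key type: {key_type}")
        if len(secret) == 40 and set(secret) <= hexdigits:
            key = bytes.fromhex(secret)  # hexified key: 40 hex digits -> 20 bytes
        elif len(secret) <= 20:
            key = secret.encode("ascii")  # printable ASCII key, at most 20 chars
        else:
            raise ValueError(f"key {key_id}: ASCII keys are limited to 20 characters")
        keys[key_id] = (key_type, key)
    return keys


def parse_trusted_keys(line):
    """Return the set of key identifiers listed on a 'trusted-keys' line."""
    fields = line.split()
    if not fields or fields[0] != "trusted-keys":
        raise ValueError(f"not a trusted-keys line: {line!r}")
    return {int(f) for f in fields[1:]}


def build_client_packet():
    """Minimal 48-byte NTP header: LI=0, version 4, mode 3 (client)."""
    return bytes([0x23]) + bytes(HEADER_LEN - 1)


def compute_mac(key_id, keys, header):
    """MAC = 32-bit key identifier || digest(key || header); the key is never sent."""
    key_type, key = keys[key_id]
    digest = DIGESTS[key_type](key + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(header, key_id, keys):
    """Append the MAC to an outgoing packet header."""
    return header + compute_mac(key_id, keys, header)


def verify(message, keys, trusted):
    """Accept only if the MAC matches under a key that is both known and trusted."""
    header, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    if len(header) != HEADER_LEN or len(mac) < 4:
        return False  # unauthenticated or truncated message
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return False  # unknown key, or known but not in the trusted subset
    key_type, key = keys[key_id]
    expected = DIGESTS[key_type](key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    keys = parse_keys_file(SAMPLE_KEYS_FILE)
    trusted = parse_trusted_keys(SAMPLE_TRUSTED_LINE)
    msg = authenticate(build_client_packet(), 23, keys)
    print("genuine packet accepted:", verify(msg, keys, trusted))
    tampered = bytearray(msg)
    tampered[40] ^= 0x01  # flip one bit in the transmit timestamp
    print("tampered packet accepted:", verify(bytes(tampered), keys, trusted))
    print("packet under untrusted key 12 accepted:",
          verify(authenticate(build_client_packet(), 12, keys), keys, trusted))
```

Key 12 is present in the keys file but absent from the trusted-keys line, so a packet authenticated with it is rejected even though its digest is correct; this is the effect the ‘trusted-keys’ parameter has on keys left out of the list. Flipping a single bit in the packet also fails verification, which is what protects the timestamps against modification in transit.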

TimeTools TA-Series NTP Servers

TimeTools TA-Series NTP Servers fully implement NTP authentication along with other security measures, enhancing the reliability and resilience of the time synchronization process.

TimeTools TA-Series NTP Network Time Servers implement NTP authentication to enhance the reliability and resilience of the time synchronization process.