draft-ietf-ntp-network-time-security-10.txt   draft-ietf-ntp-network-time-security-11.txt 
NTP Working Group D. Sibold NTP Working Group D. Sibold
Internet-Draft PTB Internet-Draft PTB
Intended status: Standards Track S. Roettger Intended status: Standards Track S. Roettger
Expires: April 7, 2016 Google Inc. Expires: April 21, 2016 Google Inc.
K. Teichel K. Teichel
PTB PTB
October 05, 2015 October 19, 2015
Network Time Security Network Time Security
draft-ietf-ntp-network-time-security-10 draft-ietf-ntp-network-time-security-11
Abstract Abstract
This document describes Network Time Security (NTS), a collection of This document describes Network Time Security (NTS), a collection of
measures that enable secure time synchronization with time servers measures that enable secure time synchronization with time servers
using protocols like the Network Time Protocol (NTP) or the Precision using protocols like the Network Time Protocol (NTP) or the Precision
Time Protocol (PTP). Its design considers the special requirements Time Protocol (PTP). Its design considers the special requirements
of precise timekeeping which are described in Security Requirements of precise timekeeping which are described in Security Requirements
of Time Protocols in Packet Switched Networks [RFC7384]. of Time Protocols in Packet Switched Networks [RFC7384].
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 7, 2016. This Internet-Draft will expire on April 21, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Terms and Abbreviations . . . . . . . . . . . . . . . . . 4 2.1. Terms and Abbreviations . . . . . . . . . . . . . . . . . 4
2.2. Common Terminology for PTP and NTP . . . . . . . . . . . 4 2.2. Common Terminology for PTP and NTP . . . . . . . . . . . 4
3. Security Threats . . . . . . . . . . . . . . . . . . . . . . 4 3. Security Threats . . . . . . . . . . . . . . . . . . . . . . 5
4. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. NTS Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 5. NTS Overview . . . . . . . . . . . . . . . . . . . . . . . . 6
6. Protocol Messages . . . . . . . . . . . . . . . . . . . . . . 6 6. Protocol Messages . . . . . . . . . . . . . . . . . . . . . . 7
6.1. Unicast Time Synchronisation Messages . . . . . . . . . . 7 6.1. Unicast Time Synchronisation Messages . . . . . . . . . . 7
6.1.1. Preconditions for the Unicast Time Synchronization 6.1.1. Preconditions for the Unicast Time Synchronization
Exchange . . . . . . . . . . . . . . . . . . . . . . 7 Exchange . . . . . . . . . . . . . . . . . . . . . . 7
6.1.2. Goals of the Unicast Time Synchronization Exchange . 7 6.1.2. Goals of the Unicast Time Synchronization Exchange . 8
6.1.3. Message Type: "time_request" . . . . . . . . . . . . 7 6.1.3. Message Type: "time_request" . . . . . . . . . . . . 8
6.1.4. Message Type: "time_response" . . . . . . . . . . . . 8 6.1.4. Message Type: "time_response" . . . . . . . . . . . . 8
6.1.5. Procedure Overview of the Unicast Time 6.1.5. Procedure Overview of the Unicast Time
Synchronization Exchange . . . . . . . . . . . . . . 8 Synchronization Exchange . . . . . . . . . . . . . . 9
6.2. Broadcast Time Synchronization Exchange . . . . . . . . . 9 6.2. Broadcast Time Synchronization Exchange . . . . . . . . . 10
6.2.1. Preconditions for the Broadcast Time Synchronization 6.2.1. Preconditions for the Broadcast Time Synchronization
Exchange . . . . . . . . . . . . . . . . . . . . . . 9 Exchange . . . . . . . . . . . . . . . . . . . . . . 10
6.2.2. Goals of the Broadcast Time Synchronization Exchange 10 6.2.2. Goals of the Broadcast Time Synchronization Exchange 11
6.2.3. Message Type: "server_broad" . . . . . . . . . . . . 10 6.2.3. Message Type: "server_broad" . . . . . . . . . . . . 11
6.2.4. Procedure Overview of Broadcast Time Synchronization 6.2.4. Procedure Overview of Broadcast Time Synchronization
Exchange . . . . . . . . . . . . . . . . . . . . . . 11 Exchange . . . . . . . . . . . . . . . . . . . . . . 11
6.3. Broadcast Keycheck . . . . . . . . . . . . . . . . . . . 12 6.3. Broadcast Keycheck . . . . . . . . . . . . . . . . . . . 13
6.3.1. Preconditions for the Broadcast Keycheck Exchange . . 12 6.3.1. Preconditions for the Broadcast Keycheck Exchange . . 13
6.3.2. Goals of the Broadcast Keycheck Exchange . . . . . . 13 6.3.2. Goals of the Broadcast Keycheck Exchange . . . . . . 13
6.3.3. Message Type: "client_keycheck" . . . . . . . . . . . 13 6.3.3. Message Type: "client_keycheck" . . . . . . . . . . . 14
6.3.4. Message Type: "server_keycheck" . . . . . . . . . . . 13 6.3.4. Message Type: "server_keycheck" . . . . . . . . . . . 14
6.3.5. Procedure Overview of the Broadcast Keycheck Exchange 14 6.3.5. Procedure Overview of the Broadcast Keycheck Exchange 14
7. Server Seed Considerations . . . . . . . . . . . . . . . . . 15 7. Server Seed Considerations . . . . . . . . . . . . . . . . . 16
8. Hash Algorithms and MAC Generation . . . . . . . . . . . . . 15 8. Hash Algorithms and MAC Generation . . . . . . . . . . . . . 16
8.1. Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 15 8.1. Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 16
8.2. MAC Calculation . . . . . . . . . . . . . . . . . . . . . 16 8.2. MAC Calculation . . . . . . . . . . . . . . . . . . . . . 16
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
10. Security Considerations . . . . . . . . . . . . . . . . . . . 16 10. Security Considerations . . . . . . . . . . . . . . . . . . . 17
10.1. Privacy . . . . . . . . . . . . . . . . . . . . . . . . 16 10.1. Privacy . . . . . . . . . . . . . . . . . . . . . . . . 17
10.2. Initial Verification of the Server Certificates . . . . 16 10.2. Initial Verification of the Server Certificates . . . . 17
10.3. Revocation of Server Certificates . . . . . . . . . . . 17 10.3. Revocation of Server Certificates . . . . . . . . . . . 17
10.4. Mitigating Denial-of-Service for broadcast packets . . . 17 10.4. Mitigating Denial-of-Service for broadcast packets . . . 17
10.5. Delay Attack . . . . . . . . . . . . . . . . . . . . . . 17 10.5. Delay Attack . . . . . . . . . . . . . . . . . . . . . . 18
10.6. Random Number Generation . . . . . . . . . . . . . . . . 19 10.6. Random Number Generation . . . . . . . . . . . . . . . . 19
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
12.1. Normative References . . . . . . . . . . . . . . . . . . 19 12.1. Normative References . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . 19 12.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. (informative) TICTOC Security Requirements . . . . . 21 Appendix A. (informative) TICTOC Security Requirements . . . . . 21
Appendix B. (normative) Inherent Association Protocol Messages . 22 Appendix B. (normative) Inherent Association Protocol Messages . 23
B.1. Overview of NTS with Inherent Association Protocol . . . 22 B.1. Overview of NTS with Inherent Association Protocol . . . 23
B.2. Association Message Exchange . . . . . . . . . . . . . . 22 B.2. Access Message Exchange . . . . . . . . . . . . . . . . . 23
B.2.1. Goals of the Association Exchange . . . . . . . . . . 23 B.2.1. Goals of the Access Message Exchange . . . . . . . . 23
B.2.2. Message Type: "client_assoc" . . . . . . . . . . . . 23 B.2.2. Message Type: "client_access" . . . . . . . . . . . . 24
B.2.3. Message Type: "server_assoc" . . . . . . . . . . . . 23 B.2.3. Message Type: "server_access" . . . . . . . . . . . . 24
B.2.4. Procedure Overview of the Association Exchange . . . 24 B.2.4. Procedure Overview of the Access Exchange . . . . . . 24
B.3. Cookie Messages . . . . . . . . . . . . . . . . . . . . . 25 B.3. Association Message Exchange . . . . . . . . . . . . . . 24
B.3.1. Goals of the Cookie Exchange . . . . . . . . . . . . 25 B.3.1. Goals of the Association Exchange . . . . . . . . . . 25
B.3.2. Message Type: "client_cook" . . . . . . . . . . . . . 26 B.3.2. Message Type: "client_assoc" . . . . . . . . . . . . 25
B.3.3. Message Type: "server_cook" . . . . . . . . . . . . . 26 B.3.3. Message Type: "server_assoc" . . . . . . . . . . . . 25
B.3.4. Procedure Overview of the Cookie Exchange . . . . . . 27 B.3.4. Procedure Overview of the Association Exchange . . . 26
B.3.5. Broadcast Parameter Messages . . . . . . . . . . . . 28 B.4. Cookie Message Exchange . . . . . . . . . . . . . . . . . 27
Appendix C. (normative) Using TESLA for Broadcast-Type Messages 30 B.4.1. Goals of the Cookie Exchange . . . . . . . . . . . . 27
C.1. Server Preparation . . . . . . . . . . . . . . . . . . . 30 B.4.2. Message Type: "client_cook" . . . . . . . . . . . . . 28
C.2. Client Preparation . . . . . . . . . . . . . . . . . . . 32 B.4.3. Message Type: "server_cook" . . . . . . . . . . . . . 28
C.3. Sending Authenticated Broadcast Packets . . . . . . . . . 33 B.4.4. Procedure Overview of the Cookie Exchange . . . . . . 29
C.4. Authentication of Received Packets . . . . . . . . . . . 33 B.4.5. Broadcast Parameter Messages . . . . . . . . . . . . 30
Appendix D. (informative) Dependencies . . . . . . . . . . . . . 35 Appendix C. (normative) Using TESLA for Broadcast-Type Messages 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 C.1. Server Preparation . . . . . . . . . . . . . . . . . . . 32
C.2. Client Preparation . . . . . . . . . . . . . . . . . . . 34
C.3. Sending Authenticated Broadcast Packets . . . . . . . . . 35
C.4. Authentication of Received Packets . . . . . . . . . . . 35
Appendix D. (informative) Dependencies . . . . . . . . . . . . . 37
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
Time synchronization protocols are increasingly utilized to Time synchronization protocols are increasingly utilized to
synchronize clocks in networked infrastructures. Successful attacks synchronize clocks in networked infrastructures. Successful attacks
against the time synchronization protocol can seriously degrade the against the time synchronization protocol can seriously degrade the
reliable performance of such infrastructures. Therefore, time reliable performance of such infrastructures. Therefore, time
synchronization protocols have to be secured if they are applied in synchronization protocols have to be secured if they are applied in
environments that are prone to malicious attacks. This can be environments that are prone to malicious attacks. This can be
accomplished either by utilization of external security protocols, accomplished either by utilization of external security protocols,
skipping to change at page 5, line 27 skipping to change at page 5, line 33
o Authorization: NTS enables the client to verify its time server's o Authorization: NTS enables the client to verify its time server's
authorization. NTS optionally enables the server to verify the authorization. NTS optionally enables the server to verify the
client's authorization as well. client's authorization as well.
o Request-Response-Consistency: NTS enables a client to match an o Request-Response-Consistency: NTS enables a client to match an
incoming response to a request it has sent. NTS also enables the incoming response to a request it has sent. NTS also enables the
client to deduce from the response whether its request to the client to deduce from the response whether its request to the
server has arrived without alteration. server has arrived without alteration.
o Integration with protocols: NTS can be used to secure different o Applicability to Protocols: NTS can be used to secure different
time synchronization protocols, specifically at least NTP and PTP. time synchronization protocols, specifically at least NTP and PTP.
A client or server running an NTS-secured version of a time
protocol does not negatively affect other participants who are o Integration with Protocols: A client or server running an NTS-
running unsecured versions of that protocol. secured version of a time protocol does not negatively affect
other participants who are running unsecured versions of that
protocol.
o Server-Side Statelessness: All security measures of NTS work
without creating the necessity for a server to keep state of a
connection.
o Prevention of Amplification Attacks: All communication introduced
by NTS offers protection against abuse for amplification denial-
of-service attacks.
5. NTS Overview 5. NTS Overview
NTS initially verifies the authenticity of the time server and NTS initially verifies the authenticity of the time server and
exchanges a symmetric key, the so-called cookie, as well as a key exchanges a symmetric key, the so-called cookie, as well as a key
input value (KIV). After the cookie and the KIV are exchanged, the input value (KIV). The KIV can be opaque for the client. After the
client then uses them to protect the authenticity and the integrity cookie and the KIV are exchanged, the client then uses them to
of subsequent unicast-type time synchronization packets. In order to protect the authenticity and the integrity of subsequent unicast-type
do this, a Message Authentication Code (MAC) is attached to each time time synchronization packets. In order to do this, a Message
synchronization packet. The calculation of the MAC includes the Authentication Code (MAC) is attached to each time synchronization
whole time synchronization packet and the cookie which is shared packet. The calculation of the MAC includes the whole time
between client and server. synchronization packet and the cookie which is shared between client
and server.
The cookie is calculated according to: The cookie is calculated according to:
cookie = MSB_<b> (HMAC(server seed, KIV)), cookie = MSB_<b> (HMAC(server seed, KIV)),
with the server seed as the key, where KIV is the client's key input with the server seed as the key, where KIV is the client's key input
value, and where the application of the function MSB_<b> returns only value, and where the application of the function MSB_<b> returns only
the b most significant bits. The server seed is a random value of the b most significant bits. The server seed is a random value of
bit length b that the server possesses, which has to remain secret. bit length b that the server possesses, which has to remain secret.
The cookie deterministically depends on KIV as long as the server The cookie deterministically depends on KIV as long as the server
seed stays the same. The server seed has to be refreshed seed stays the same. The server seed has to be refreshed
periodically in order to provide key freshness as required in periodically in order to provide key freshness as required in
[RFC7384]. See Section 7 for details on seed refreshing. [RFC7384]. See Section 7 for details on seed refreshing.
Since the server does not keep a state of the client, it has to Since the server does not keep a state of the client, it has to
recalculate the cookie each time it receives a unicast time recalculate the cookie each time it receives a unicast time
synchronization request from the client. To this end, the client has synchronization request from the client. To this end, the client has
to attach its KIV to each request (see Section 6.1). to attach its KIV to each request (see Section 6.1).
skipping to change at page 15, line 36 skipping to change at page 16, line 16
The server has to calculate a random seed which has to be kept The server has to calculate a random seed which has to be kept
secret. The server MUST generate a seed for each supported hash secret. The server MUST generate a seed for each supported hash
algorithm, see Section 8.1. algorithm, see Section 8.1.
According to the requirements in [RFC7384], the server MUST refresh According to the requirements in [RFC7384], the server MUST refresh
each server seed periodically. Consequently, the cookie memorized by each server seed periodically. Consequently, the cookie memorized by
the client becomes obsolete. In this case, the client cannot verify the client becomes obsolete. In this case, the client cannot verify
the MAC attached to subsequent time response messages and has to the MAC attached to subsequent time response messages and has to
respond accordingly by re-initiating the protocol with a cookie respond accordingly by re-initiating the protocol with a cookie
request (Appendix B.3). request (Appendix B.4).
8. Hash Algorithms and MAC Generation 8. Hash Algorithms and MAC Generation
8.1. Hash Algorithms 8.1. Hash Algorithms
Hash algorithms are used for calculation of the cookie and the MAC. Hash algorithms are used for calculation of the cookie and the MAC.
The client and the server negotiate a hash algorithm H during the The client and the server negotiate a hash algorithm H during the
association phase at the beginning. The selected algorithm H is used association phase at the beginning. The selected algorithm H is used
for all hashing processes in that run. for all hashing processes in that run.
skipping to change at page 17, line 10 skipping to change at page 17, line 38
initial association phase. Since it generally has no reliable time initial association phase. Since it generally has no reliable time
during this initial communication phase, it is impossible to verify during this initial communication phase, it is impossible to verify
the period of validity of the certificates. To solve this chicken- the period of validity of the certificates. To solve this chicken-
and-egg problem, the client has to rely on external means. and-egg problem, the client has to rely on external means.
10.3. Revocation of Server Certificates 10.3. Revocation of Server Certificates
According to Section 7, it is the client's responsibility to initiate According to Section 7, it is the client's responsibility to initiate
a new association with the server after the server's certificate a new association with the server after the server's certificate
expires. To this end, the client reads the expiration date of the expires. To this end, the client reads the expiration date of the
certificate during the certificate message exchange (Appendix B.2.3). certificate during the certificate message exchange (Appendix B.3.3).
Furthermore, certificates may also be revoked prior to the normal Furthermore, certificates may also be revoked prior to the normal
expiration date. To increase security the client MAY periodically expiration date. To increase security the client MAY periodically
verify the state of the server's certificate via Online Certificate verify the state of the server's certificate via Online Certificate
Status Protocol (OCSP) Online Certificate Status Protocol (OCSP) Status Protocol (OCSP) Online Certificate Status Protocol (OCSP)
[RFC6960]. [RFC6960].
10.4. Mitigating Denial-of-Service for broadcast packets 10.4. Mitigating Denial-of-Service for broadcast packets
TESLA authentication buffers packets for delayed authentication. TESLA authentication buffers packets for delayed authentication.
This makes the protocol vulnerable to flooding attacks, causing the This makes the protocol vulnerable to flooding attacks, causing the
skipping to change at page 22, line 22 skipping to change at page 23, line 7
| | Hybrid mode | SHOULD | - | | | Hybrid mode | SHOULD | - |
+---------+------------------------------+-------------+------------+ +---------+------------------------------+-------------+------------+
*) See discussion in Section 10.5. *) See discussion in Section 10.5.
Comparison of NTS specification against Security Requirements of Time Comparison of NTS specification against Security Requirements of Time
Protocols in Packet Switched Networks (RFC 7384) Protocols in Packet Switched Networks (RFC 7384)
Appendix B. (normative) Inherent Association Protocol Messages Appendix B. (normative) Inherent Association Protocol Messages
One option for completing association, cookie exchange, and also This appendix presents a procedure that performs the association, the
broadcast parameter exchange between a client and server is to use cookie, and also the broadcast parameter message exchanges between a
the message exchanges listed below. client and a server. This procedure is one possible way to achieve
the preconditions listed in Sections Section 6.1.1, Section 6.2.1,
and Section 6.3.1 while taking into account the objectives given in
Section Section 4.
B.1. Overview of NTS with Inherent Association Protocol B.1. Overview of NTS with Inherent Association Protocol
This inherent association protocol applies X.509 certificates to This inherent association protocol applies X.509 certificates to
verify the authenticity of the time server and to exchange the verify the authenticity of the time server and to exchange the
cookie. This is done in two separate message exchanges, described cookie. This is done in two separate message exchanges, described
below. A client needs a public/private key pair for encryption, with below. An additional required exchange in advance serves to limit
the public key enclosed in a certificate. A server needs a public/ the amplification potential of the association message exchange.
A client needs a public/private key pair for encryption, with the
public key enclosed in a certificate. A server needs a public/
private key pair for signing, with the public key enclosed in a private key pair for signing, with the public key enclosed in a
certificate. If a participant intends to act as both a client and a certificate. If a participant intends to act as both a client and a
server, it MUST have two different key pairs for these purposes. server, it MUST have two different key pairs for these purposes.
If this protocol is employed, the hash value of the client's If this protocol is employed, the hash value of the client's
certificate is used as the client's key input value, i.e. the cookie certificate is used as the client's key input value, i.e. the cookie
is calculated according to: is calculated according to:
cookie = MSB_<b> (HMAC(server seed, H(certificate of client))). cookie = MSB_<b> (HMAC(server seed, H(certificate of client))).
The client's certificate contains the client's public key and enables The client's certificate contains the client's public key and enables
the server to identify the client, if client authorization is the server to identify the client, if client authorization is
desired. desired.
B.2. Association Message Exchange B.2. Access Message Exchange
This message exchange serves only to prevent the next (association)
exchange from being abusable for amplification denial-of-service
attacks.
B.2.1. Goals of the Access Message Exchange
The access message exchange:
o transfers a secret value from the server to the client
(initiator),
o the secret value permits the client to initiate an association
message exchange.
B.2.2. Message Type: "client_access"
This message is sent by a client who intends to perform an
association exchange with the server in the future. It contains:
o the NTS message ID "client_access".
B.2.3. Message Type: "server_access"
This message is sent by the server on receipt of a client_access
message. It contains:
o the NTS message ID "server_access",
o an access key.
B.2.4. Procedure Overview of the Access Exchange
For an access exchange, the following steps are performed:
1. The client sends a client_access message to the server.
2. Upon receipt of a client_access, the server calculates the access
key according to
access_key = HMAC(server seed; address of client),
then it constructs and sends a reply in the form of a
server_access message. In general the address of the client will
be represented by the IP address of the client.
3. The client waits for a response in the form of a server_access
message. Upon receipt of one, it MUST memorize the included
access key.
B.3. Association Message Exchange
In this message exchange, the participants negotiate the hash and In this message exchange, the participants negotiate the hash and
encryption algorithms that are used throughout the protocol. In encryption algorithms that are used throughout the protocol. In
addition, the client receives the certification chain up to a trusted addition, the client receives the certification chain up to a trusted
anchor. With the established certification chain the client is able anchor. With the established certification chain the client is able
to verify the server's signatures and, hence, the authenticity of to verify the server's signatures and, hence, the authenticity of
future NTS messages from the server is ensured. future NTS messages from the server is ensured.
B.2.1. Goals of the Association Exchange B.3.1. Goals of the Association Exchange
The association exchange: The association exchange:
o enables the client to verify any communication with the server as o enables the client to verify any communication with the server as
authentic, authentic,
o lets the participants negotiate NTS version and algorithms, o lets the participants negotiate NTS version and algorithms,
o guarantees authenticity and integrity of the negotiation result to o guarantees authenticity and integrity of the negotiation result to
the client, the client,
o guarantees to the client that the negotiation result is based on o guarantees to the client that the negotiation result is based on
the client's original, unaltered request. the client's original, unaltered request.
B.2.2. Message Type: "client_assoc" B.3.2. Message Type: "client_assoc"
The protocol sequence starts with the client sending an association This message is sent by the client if it wants to perform association
message, called client_assoc. This message contains with a server. It contains
o the NTS message ID "client_assoc", o the NTS message ID "client_assoc",
o a nonce, o a nonce,
o the access key obtained earlier via an access message exchange,
o the version number of NTS that the client wants to use (this o the version number of NTS that the client wants to use (this
SHOULD be the highest version number that it supports), SHOULD be the highest version number that it supports),
o a selection of accepted hash algorithms, and o a selection of accepted hash algorithms, and
o a selection of accepted encryption algorithms. o a selection of accepted encryption algorithms.
B.2.3. Message Type: "server_assoc" B.3.3. Message Type: "server_assoc"
This message is sent by the server upon receipt of client_assoc. It This message is sent by the server upon receipt of client_assoc. It
contains contains
o the NTS message ID "server_assoc", o the NTS message ID "server_assoc",
o the nonce transmitted in client_assoc, o the nonce transmitted in client_assoc,
o the client's proposal for the version number, selection of o the client's proposal for the version number, selection of
accepted hash algorithms and selection of accepted encryption accepted hash algorithms and selection of accepted encryption
skipping to change at page 24, line 22 skipping to change at page 26, line 22
o a signature, calculated over the data listed above, with the o a signature, calculated over the data listed above, with the
server's private key and according to the signature algorithm server's private key and according to the signature algorithm
which is also used for the certificates that are included (see which is also used for the certificates that are included (see
below), and below), and
o a chain of certificates, which starts at the server and goes up to o a chain of certificates, which starts at the server and goes up to
a trusted authority; each certificate MUST be certified by the one a trusted authority; each certificate MUST be certified by the one
directly following it. directly following it.
B.2.4. Procedure Overview of the Association Exchange B.3.4. Procedure Overview of the Association Exchange
For an association exchange, the following steps are performed: For an association exchange, the following steps are performed:
1. The client sends a client_assoc message to the server. It MUST 1. The client sends a client_assoc message to the server. It MUST
keep the transmitted values for the version number and algorithms keep the transmitted values for the version number and algorithms
available for later checks. available for later checks.
2. Upon receipt of a client_assoc message, the server constructs and 2. Upon receipt of a client_assoc message, the server checks the
sends a reply in the form of a server_assoc message as described validity of the included access key. If it is not valid, the
in Appendix B.2.3. Upon unsuccessful negotiation for version server MUST abort communication. If it is valid, the server
number or algorithms the server_assoc message MUST contain an constructs and sends a reply in the form of a server_assoc
error code. message as described in Appendix B.3.3. Upon unsuccessful
negotiation for version number or algorithms the server_assoc
message MUST contain an error code.
3. The client waits for a reply in the form of a server_assoc 3. The client waits for a reply in the form of a server_assoc
message. After receipt of the message it performs the following message. After receipt of the message it performs the following
checks: checks:
* The client checks that the message contains a conforming * The client checks that the message contains a conforming
version number. version number.
* It checks that the nonce sent back by the server matches the * It checks that the nonce sent back by the server matches the
one transmitted in client_assoc, one transmitted in client_assoc,
skipping to change at page 25, line 29 skipping to change at page 27, line 32
client_ / \ server_ client_ / \ server_
assoc / \ assoc assoc / \ assoc
/ \| / \|
Client ---------------------------> Client --------------------------->
<------ Association -----> <------ Association ----->
exchange exchange
Procedure for association and cookie exchange. Procedure for association and cookie exchange.
B.3. Cookie Messages B.4. Cookie Message Exchange
During this message exchange, the server transmits a secret cookie to During this message exchange, the server transmits a secret cookie to
the client securely. The cookie will later be used for integrity the client securely. The cookie will later be used for integrity
protection during unicast time synchronization. protection during unicast time synchronization.
B.3.1. Goals of the Cookie Exchange B.4.1. Goals of the Cookie Exchange
The cookie exchange: The cookie exchange:
o enables the server to check the client's authorization via its o enables the server to check the client's authorization via its
certificate (optional), certificate (optional),
o supplies the client with the correct cookie and corresponding KIV o supplies the client with the correct cookie and corresponding KIV
for its association to the server, for its association to the server,
o guarantees to the client that the cookie originates from the o guarantees to the client that the cookie originates from the
server and that it is based on the client's original, unaltered server and that it is based on the client's original, unaltered
request. request.
o guarantees that the received cookie is unknown to anyone but the o guarantees that the received cookie is unknown to anyone but the
server and the client. server and the client.
B.3.2. Message Type: "client_cook" B.4.2. Message Type: "client_cook"
This message is sent by the client upon successful authentication of This message is sent by the client upon successful authentication of
the server. In this message, the client requests a cookie from the the server. In this message, the client requests a cookie from the
server. The message contains server. The message contains
o the NTS message ID "client_cook", o the NTS message ID "client_cook",
o a nonce, o a nonce,
o the negotiated version number, o the negotiated version number,
o the negotiated signature algorithm, o the negotiated signature algorithm,
o the negotiated encryption algorithm, o the negotiated encryption algorithm,
o the negotiated hash algorithm H, o the negotiated hash algorithm H,
o the client's certificate. o the client's certificate.
B.3.3. Message Type: "server_cook" B.4.3. Message Type: "server_cook"
This message is sent by the server upon receipt of a client_cook This message is sent by the server upon receipt of a client_cook
message. The server generates the hash of the client's certificate, message. The server generates the hash of the client's certificate,
as conveyed during client_cook, in order to calculate the cookie as conveyed during client_cook, in order to calculate the cookie
according to Section 5. This message contains according to Section 5. This message contains
o the NTS message ID "server_cook" o the NTS message ID "server_cook"
o the version number as transmitted in client_cook, o the version number as transmitted in client_cook,
skipping to change at page 27, line 5 skipping to change at page 29, line 5
* the nonce transmitted in client_cook, and * the nonce transmitted in client_cook, and
* the cookie. * the cookie.
o a signature, created with the server's private key, calculated o a signature, created with the server's private key, calculated
over all of the data listed above. This signature MUST be over all of the data listed above. This signature MUST be
calculated according to the transmitted signature algorithm from calculated according to the transmitted signature algorithm from
the client_cook message. the client_cook message.
B.3.4. Procedure Overview of the Cookie Exchange B.4.4. Procedure Overview of the Cookie Exchange
For a cookie exchange, the following steps are performed: For a cookie exchange, the following steps are performed:
1. The client sends a client_cook message to the server. The client 1. The client sends a client_cook message to the server. The client
MUST save the included nonce until the reply has been processed. MUST save the included nonce until the reply has been processed.
2. Upon receipt of a client_cook message, the server checks whether 2. Upon receipt of a client_cook message, the server checks whether
it supports the given cryptographic algorithms. It then it supports the given cryptographic algorithms. It then
calculates the cookie according to the formula given in calculates the cookie according to the formula given in
Section 5. The server MAY use the client's certificate to check Section 5. The server MAY use the client's certificate to check
that the client is authorized to use the secure time that the client is authorized to use the secure time
synchronization service. With this, it MUST construct a synchronization service. With this, it MUST construct a
server_cook message as described in Appendix B.3.3. server_cook message as described in Appendix B.4.3.
3. The client awaits a reply in the form of a server_cook message; 3. The client awaits a reply in the form of a server_cook message;
upon receipt it executes the following actions: upon receipt it executes the following actions:
* It verifies that the received version number matches the one * It verifies that the received version number matches the one
negotiated beforehand. negotiated beforehand.
* It verifies the signature using the server's public key. The * It verifies the signature using the server's public key. The
signature has to authenticate the encrypted data. signature has to authenticate the encrypted data.
skipping to change at page 28, line 26 skipping to change at page 30, line 26
/| \ /| \
client_ / \ server_ client_ / \ server_
cook / \ cook cook / \ cook
/ \| / \|
Client ---------------------------> Client --------------------------->
<--- Cookie exchange --> <--- Cookie exchange -->
Procedure for association and cookie exchange. Procedure for association and cookie exchange.
B.3.5. Broadcast Parameter Messages B.4.5. Broadcast Parameter Messages
In this message exchange, the client receives the necessary In this message exchange, the client receives the necessary
information to execute the TESLA protocol in a secured broadcast information to execute the TESLA protocol in a secured broadcast
association. The client can only initiate a secure broadcast association. The client can only initiate a secure broadcast
association after successful association and cookie exchanges and association after successful association and cookie exchanges and
only if it has made sure that its clock is roughly synchronized to only if it has made sure that its clock is roughly synchronized to
the server's. the server's.
See Appendix C for more details on TESLA. See Appendix C for more details on TESLA.
B.3.5.1. Goals of the Broadcast Parameter Exchange B.4.5.1. Goals of the Broadcast Parameter Exchange
The broadcast parameter exchange The broadcast parameter exchange
o provides the client with all the information necessary to process o provides the client with all the information necessary to process
broadcast time synchronization messages from the server, and broadcast time synchronization messages from the server, and
o guarantees authenticity, integrity and freshness of the broadcast o guarantees authenticity, integrity and freshness of the broadcast
parameters to the client. parameters to the client.
B.3.5.2. Message Type: "client_bpar" B.4.5.2. Message Type: "client_bpar"
This message is sent by the client in order to establish a secured This message is sent by the client in order to establish a secured
time broadcast association with the server. It contains time broadcast association with the server. It contains
o the NTS message ID "client_bpar", o the NTS message ID "client_bpar",
o the NTS version number negotiated during association, o the NTS version number negotiated during association,
o a nonce, and o a nonce, and
o the signature algorithm negotiated during association. o the signature algorithm negotiated during association.
B.3.5.3. Message Type: "server_bpar" B.4.5.3. Message Type: "server_bpar"
This message is sent by the server upon receipt of a client_bpar This message is sent by the server upon receipt of a client_bpar
message during the broadcast loop of the server. It contains message during the broadcast loop of the server. It contains
o the NTS message ID "server_bpar", o the NTS message ID "server_bpar",
o the version number as transmitted in the client_bpar message, o the version number as transmitted in the client_bpar message,
o the nonce transmitted in client_bpar, o the nonce transmitted in client_bpar,
skipping to change at page 29, line 39 skipping to change at page 31, line 39
* the disclosure delay (number of intervals between use and * the disclosure delay (number of intervals between use and
disclosure of a key), disclosure of a key),
* the time at which the next time interval will start, and * the time at which the next time interval will start, and
* the next interval's associated index. * the next interval's associated index.
o The message also contains a signature signed by the server with o The message also contains a signature signed by the server with
its private key, verifying all the data listed above. its private key, verifying all the data listed above.
B.3.5.4. Procedure Overview of the Broadcast Parameter Exchange B.4.5.4. Procedure Overview of the Broadcast Parameter Exchange
A broadcast parameter exchange consists of the following steps: A broadcast parameter exchange consists of the following steps:
1. The client sends a client_bpar message to the server. It MUST 1. The client sends a client_bpar message to the server. It MUST
remember the transmitted values for the nonce, the version number remember the transmitted values for the nonce, the version number
and the signature algorithm. and the signature algorithm.
2. Upon receipt of a client_bpar message, the server constructs and 2. Upon receipt of a client_bpar message, the server constructs and
sends a server_bpar message as described in Appendix B.3.5.3. sends a server_bpar message as described in Appendix B.4.5.3.
3. The client waits for a reply in the form of a server_bpar 3. The client waits for a reply in the form of a server_bpar
message, on which it performs the following checks: message, on which it performs the following checks:
* The message must contain all the necessary information for the * The message must contain all the necessary information for the
TESLA protocol, as listed in Appendix B.3.5.3. TESLA protocol, as listed in Appendix B.4.5.3.
* The message must contain a nonce belonging to a client_bpar * The message must contain a nonce belonging to a client_bpar
message that the client has previously sent. message that the client has previously sent.
* Verification of the message's signature. * Verification of the message's signature.
If any information is missing or if the server's signature cannot If any information is missing or if the server's signature cannot
be verified, the client MUST abort the broadcast run. If all be verified, the client MUST abort the broadcast run. If all
checks are successful, the client MUST remember all the broadcast checks are successful, the client MUST remember all the broadcast
parameters received for later checks. parameters received for later checks.
 End of changes. 45 change blocks. 
91 lines changed or deleted 167 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/