draft-ietf-ntp-network-time-security-12.txt   draft-ietf-ntp-network-time-security-13.txt 
NTP Working Group D. Sibold NTP Working Group D. Sibold
Internet-Draft PTB Internet-Draft PTB
Intended status: Standards Track S. Roettger Intended status: Standards Track S. Roettger
Expires: June 23, 2016 Google Inc. Expires: August 28, 2016 Google Inc.
K. Teichel K. Teichel
PTB PTB
December 21, 2015 February 25, 2016
Network Time Security Network Time Security
draft-ietf-ntp-network-time-security-12 draft-ietf-ntp-network-time-security-13
Abstract Abstract
This document describes Network Time Security (NTS), a collection of This document describes Network Time Security (NTS), a collection of
measures that enable secure time synchronization with time servers measures that enable secure time synchronization with time servers
using protocols like the Network Time Protocol (NTP) or the Precision using protocols like the Network Time Protocol (NTP) or the Precision
Time Protocol (PTP). Its design considers the special requirements Time Protocol (PTP). Its design considers the special requirements
of precise timekeeping which are described in Security Requirements of precise timekeeping which are described in Security Requirements
of Time Protocols in Packet Switched Networks [RFC7384]. of Time Protocols in Packet Switched Networks [RFC7384].
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 23, 2016. This Internet-Draft will expire on August 28, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 51 skipping to change at page 2, line 51
6.2.2. Goals of the Broadcast Time Synchronization Exchange 11 6.2.2. Goals of the Broadcast Time Synchronization Exchange 11
6.2.3. Message Type: "server_broad" . . . . . . . . . . . . 11 6.2.3. Message Type: "server_broad" . . . . . . . . . . . . 11
6.2.4. Procedure Overview of Broadcast Time Synchronization 6.2.4. Procedure Overview of Broadcast Time Synchronization
Exchange . . . . . . . . . . . . . . . . . . . . . . 12 Exchange . . . . . . . . . . . . . . . . . . . . . . 12
6.3. Broadcast Keycheck . . . . . . . . . . . . . . . . . . . 13 6.3. Broadcast Keycheck . . . . . . . . . . . . . . . . . . . 13
6.3.1. Preconditions for the Broadcast Keycheck Exchange . . 13 6.3.1. Preconditions for the Broadcast Keycheck Exchange . . 13
6.3.2. Goals of the Broadcast Keycheck Exchange . . . . . . 14 6.3.2. Goals of the Broadcast Keycheck Exchange . . . . . . 14
6.3.3. Message Type: "client_keycheck" . . . . . . . . . . . 14 6.3.3. Message Type: "client_keycheck" . . . . . . . . . . . 14
6.3.4. Message Type: "server_keycheck" . . . . . . . . . . . 14 6.3.4. Message Type: "server_keycheck" . . . . . . . . . . . 14
6.3.5. Procedure Overview of the Broadcast Keycheck Exchange 15 6.3.5. Procedure Overview of the Broadcast Keycheck Exchange 15
7. Server Seed Considerations . . . . . . . . . . . . . . . . . 16 7. Server Seed, Hash Algorithms and Generating MACs . . . . . . 16
8. Hash Algorithms and MAC Generation . . . . . . . . . . . . . 16 7.1. Server Seed . . . . . . . . . . . . . . . . . . . . . . . 16
8.1. Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 16 7.2. Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 16
8.2. MAC Calculation . . . . . . . . . . . . . . . . . . . . . 17 7.3. MAC Calculation . . . . . . . . . . . . . . . . . . . . . 17
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
10. Security Considerations . . . . . . . . . . . . . . . . . . . 17 9. Security Considerations . . . . . . . . . . . . . . . . . . . 17
10.1. Privacy . . . . . . . . . . . . . . . . . . . . . . . . 17 9.1. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 17
10.2. Initial Verification of the Server Certificates . . . . 17 9.2. Initial Verification of the Server Certificates . . . . . 18
10.3. Revocation of Server Certificates . . . . . . . . . . . 18 9.3. Revocation of Server Certificates . . . . . . . . . . . . 18
10.4. Mitigating Denial-of-Service for broadcast packets . . . 18 9.4. Mitigating Denial-of-Service for broadcast packets . . . 18
10.5. Delay Attack . . . . . . . . . . . . . . . . . . . . . . 18 9.5. Delay Attack . . . . . . . . . . . . . . . . . . . . . . 19
10.6. Random Number Generation . . . . . . . . . . . . . . . . 20 9.6. Random Number Generation . . . . . . . . . . . . . . . . 20
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
12.1. Normative References . . . . . . . . . . . . . . . . . . 20 11.1. Normative References . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . 20 11.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. (informative) TICTOC Security Requirements . . . . . 22 Appendix A. (informative) TICTOC Security Requirements . . . . . 22
Appendix B. (normative) Inherent Association Protocol Messages . 23 Appendix B. (normative) Inherent Association Protocol Messages . 23
B.1. Overview of NTS with Inherent Association Protocol . . . 23 B.1. Overview of NTS with Inherent Association Protocol . . . 23
B.2. Access Message Exchange . . . . . . . . . . . . . . . . . 24 B.2. Access Message Exchange . . . . . . . . . . . . . . . . . 24
B.2.1. Goals of the Access Message Exchange . . . . . . . . 24 B.2.1. Goals of the Access Message Exchange . . . . . . . . 24
B.2.2. Message Type: "client_access" . . . . . . . . . . . . 24 B.2.2. Message Type: "client_access" . . . . . . . . . . . . 24
B.2.3. Message Type: "server_access" . . . . . . . . . . . . 24 B.2.3. Message Type: "server_access" . . . . . . . . . . . . 24
B.2.4. Procedure Overview of the Access Exchange . . . . . . 24 B.2.4. Procedure Overview of the Access Exchange . . . . . . 25
B.3. Association Message Exchange . . . . . . . . . . . . . . 25 B.3. Association Message Exchange . . . . . . . . . . . . . . 25
B.3.1. Goals of the Association Exchange . . . . . . . . . . 25 B.3.1. Goals of the Association Exchange . . . . . . . . . . 25
B.3.2. Message Type: "client_assoc" . . . . . . . . . . . . 25 B.3.2. Message Type: "client_assoc" . . . . . . . . . . . . 26
B.3.3. Message Type: "server_assoc" . . . . . . . . . . . . 26 B.3.3. Message Type: "server_assoc" . . . . . . . . . . . . 26
B.3.4. Procedure Overview of the Association Exchange . . . 26 B.3.4. Procedure Overview of the Association Exchange . . . 27
B.4. Cookie Message Exchange . . . . . . . . . . . . . . . . . 27 B.4. Cookie Message Exchange . . . . . . . . . . . . . . . . . 28
B.4.1. Goals of the Cookie Exchange . . . . . . . . . . . . 28 B.4.1. Goals of the Cookie Exchange . . . . . . . . . . . . 28
B.4.2. Message Type: "client_cook" . . . . . . . . . . . . . 28 B.4.2. Message Type: "client_cook" . . . . . . . . . . . . . 29
B.4.3. Message Type: "server_cook" . . . . . . . . . . . . . 28 B.4.3. Message Type: "server_cook" . . . . . . . . . . . . . 29
B.4.4. Procedure Overview of the Cookie Exchange . . . . . . 29 B.4.4. Procedure Overview of the Cookie Exchange . . . . . . 30
B.4.5. Broadcast Parameter Messages . . . . . . . . . . . . 30 B.4.5. Broadcast Parameter Messages . . . . . . . . . . . . 31
Appendix C. (normative) Using TESLA for Broadcast-Type Messages 32 Appendix C. (normative) Using TESLA for Broadcast-Type Messages 33
C.1. Server Preparation . . . . . . . . . . . . . . . . . . . 32 C.1. Server Preparation . . . . . . . . . . . . . . . . . . . 33
C.2. Client Preparation . . . . . . . . . . . . . . . . . . . 34 C.2. Client Preparation . . . . . . . . . . . . . . . . . . . 35
C.3. Sending Authenticated Broadcast Packets . . . . . . . . . 35 C.3. Sending Authenticated Broadcast Packets . . . . . . . . . 36
C.4. Authentication of Received Packets . . . . . . . . . . . 35 C.4. Authentication of Received Packets . . . . . . . . . . . 36
Appendix D. (informative) Dependencies . . . . . . . . . . . . . 37 Appendix D. (informative) Dependencies . . . . . . . . . . . . . 38
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction 1. Introduction
Time synchronization protocols are increasingly utilized to Time synchronization protocols are increasingly utilized to
synchronize clocks in networked infrastructures. Successful attacks synchronize clocks in networked infrastructures. Successful attacks
against the time synchronization protocol can seriously degrade the against the time synchronization protocol can seriously degrade the
reliable performance of such infrastructures. Therefore, time reliable performance of such infrastructures. Therefore, time
synchronization protocols have to be secured if they are applied in synchronization protocols have to be secured if they are applied in
environments that are prone to malicious attacks. This can be environments that are prone to malicious attacks. This can be
accomplished either by utilization of external security protocols, accomplished either by utilization of external security protocols,
like IPsec or TLS, or by intrinsic security measures of the time like IPsec or TLS, or by intrinsic security measures of the time
synchronization protocol. synchronization protocol.
The two most popular time synchronization protocols, the Network Time The two most popular time synchronization protocols, the Network Time
Protocol (NTP) [RFC5905] and the Precision Time Protocol (PTP) Protocol (NTP) [RFC5905] and the Precision Time Protocol (PTP)
[IEEE1588], currently do not provide adequate intrinsic security [IEEE1588], currently do not provide adequate intrinsic security
precautions. This document specifies security measures which enable precautions. This document specifies generic security measures which
these and possibly other protocols to verify the authenticity of the enable these and possibly other protocols to verify the authenticity
time server/master and the integrity of the time synchronization of the time server/master and the integrity of the time
protocol packets. The utilization of these measures for a given synchronization protocol packets. The utilization of these measures
specific time synchronization protocol has to be described in a for a given specific time synchronization protocol has to be
separate document. described in a separate document.
[RFC7384] specifies that a security mechanism for timekeeping must be [RFC7384] specifies that a security mechanism for timekeeping must be
designed in such a way that it does not degrade the quality of the designed in such a way that it does not degrade the quality of the
time transfer. This implies that for time keeping the increase in time transfer. This implies that for time keeping the increase in
bandwidth and message latency caused by the security measures should bandwidth and message latency caused by the security measures should
be small. Also, NTP as well as PTP work via UDP and connections are be small. Also, NTP as well as PTP work via UDP and connections are
stateless on the server/master side. Therefore, all security stateless on the server/master side. Therefore, all security
measures in this document are designed in such a way that they add measures in this document are designed in such a way that they add
little demand for bandwidth, that the necessary calculations can be little demand for bandwidth, that the necessary calculations can be
executed in a fast manner, and that the measures do not require a executed in a fast manner, and that the measures do not require a
skipping to change at page 6, line 36 skipping to change at page 6, line 36
The cookie deterministically depends on KIV as long as the server The cookie deterministically depends on KIV as long as the server
seed stays the same. The server seed has to be refreshed seed stays the same. The server seed has to be refreshed
periodically in order to provide key freshness as required in periodically in order to provide key freshness as required in
[RFC7384]. See Section 7 for details on seed refreshing. [RFC7384]. See Section 7 for details on seed refreshing.
Since the server does not keep a state of the client, it has to Since the server does not keep a state of the client, it has to
recalculate the cookie each time it receives a unicast time recalculate the cookie each time it receives a unicast time
synchronization request from the client. To this end, the client has synchronization request from the client. To this end, the client has
to attach its KIV to each request (see Section 6.1). to attach its KIV to each request (see Section 6.1).
Note: The communication of the KIV and the cookie can be performed
between client and server directly, or via a third party key
distribution entity.
For broadcast-type messages, authenticity and integrity of the time For broadcast-type messages, authenticity and integrity of the time
synchronization packets are also ensured by a MAC, which is attached synchronization packets are also ensured by a MAC, which is attached
to the time synchronization packet by the sender. Verification of to the time synchronization packet by the sender. Verification of
the broadcast-type packets' authenticity is based on the TESLA the broadcast-type packets' authenticity is based on the TESLA
protocol, in particular on its "not re-using keys" scheme, see protocol, in particular on its "not re-using keys" scheme, see
Section 3.7.2 of [RFC4082]. TESLA uses a one-way chain of keys, Section 3.7.2 of [RFC4082]. TESLA uses a one-way chain of keys,
where each key is the output of a one-way function applied to the where each key is the output of a one-way function applied to the
previous key in the chain. The server securely shares the last previous key in the chain. The server securely shares the last
element of the chain with all clients. The server splits time into element of the chain with all clients. The server splits time into
intervals of uniform duration and assigns each key to an interval in intervals of uniform duration and assigns each key to an interval in
skipping to change at page 9, line 23 skipping to change at page 9, line 23
client MUST save the included nonce and the transmit_timestamp client MUST save the included nonce and the transmit_timestamp
(from the time synchronization data) as a correlated pair for (from the time synchronization data) as a correlated pair for
later verification steps. Optionally, the client protects the later verification steps. Optionally, the client protects the
request message with an appended MAC. request message with an appended MAC.
2. Upon receipt of a time_request message, the server performs the 2. Upon receipt of a time_request message, the server performs the
following steps: following steps:
* It re-calculates the cookie. * It re-calculates the cookie.
* If the request message contains a MAC the server verifies the * If the request message contains a MAC the server re-calculates
received data. the MAC and compares this value with the MAC in the received
data.
+ If falsified the server MUST stop the processing of the + If the re-calculated MAC does not match the MAC in the
received data the server MUST stop the processing of the
request. request.
+ If verified the server continuous to process the request. + If the re-calculated MAC matches the MAC in the received
data the server continues to process the request.
* The server computes the necessary time synchronization data * The server computes the necessary time synchronization data
and constructs a time_response message as given in and constructs a time_response message as given in
Section 6.1.4. Section 6.1.4.
3. The client awaits a reply in the form of a time_response message. 3. The client awaits a reply in the form of a time_response message.
Upon receipt, it checks: Upon receipt, it checks:
* that the transmitted version number matches the one negotiated * that the transmitted version number matches the one negotiated
previously, previously,
skipping to change at page 14, line 31 skipping to change at page 14, line 31
contains contains
o the NTS message ID "client_keycheck", o the NTS message ID "client_keycheck",
o the NTS version number negotiated during association, o the NTS version number negotiated during association,
o a nonce, o a nonce,
o an interval number from the TESLA disclosure schedule, o an interval number from the TESLA disclosure schedule,
o the hash algorithm H negotiated during association, and o the hash algorithm H negotiated during association,
o the client's key input value KIV. o the client's key input value KIV, and
o optional: a MAC (generated with the cookie as key) for
verification of all of the above data.
6.3.4. Message Type: "server_keycheck" 6.3.4. Message Type: "server_keycheck"
A message of this type is sent by the server upon receipt of a A message of this type is sent by the server upon receipt of a
client_keycheck message during the broadcast loop of the server. client_keycheck message during the broadcast loop of the server.
Prior to this, the server MUST recalculate the client's cookie by Prior to this, the server MUST recalculate the client's cookie by
using the received key input value and the transmitted hash using the received key input value and the transmitted hash
algorithm. It contains algorithm. It contains
o the NTS message ID "server_keycheck" o the NTS message ID "server_keycheck"
skipping to change at page 15, line 17 skipping to change at page 15, line 19
6.3.5. Procedure Overview of the Broadcast Keycheck Exchange 6.3.5. Procedure Overview of the Broadcast Keycheck Exchange
A broadcast keycheck message exchange consists of the following A broadcast keycheck message exchange consists of the following
steps: steps:
1. The client sends a client_keycheck message. It MUST memorize the 1. The client sends a client_keycheck message. It MUST memorize the
nonce and the time interval number that it sends as a correlated nonce and the time interval number that it sends as a correlated
pair. pair.
2. Upon receipt of a client_keycheck message, the server looks up 2. Upon receipt of a client_keycheck message the server performs as
whether it has already disclosed the key associated with the follows: If the client_keycheck message contains a MAC the server
interval number transmitted in that message. If it has not re-calculates the MAC and compares this value with the MAC in the
disclosed it, it constructs and sends the appropriate received data.
server_keycheck message as described in Section 6.3.4. For more
details, see also Appendix C. * If the re-calculated MAC does not match the MAC in the
received data the server MUST stop the processing of the
request.
* If the re-calculated MAC matches the MAC in the received data
the server continues to process the request: It looks up
whether it has already disclosed the key associated with the
interval number transmitted in that message. If it has not
disclosed it, it constructs and sends the appropriate
server_keycheck message as described in Section 6.3.4. For
more details, see also Appendix C.
3. The client awaits a reply in the form of a server_keycheck 3. The client awaits a reply in the form of a server_keycheck
message. On receipt, it performs the following checks: message. On receipt, it performs the following checks:
* that the transmitted version number matches the one negotiated * that the transmitted version number matches the one negotiated
previously, previously,
* that the transmitted nonce belongs to a previous * that the transmitted nonce belongs to a previous
client_keycheck message, client_keycheck message,
skipping to change at page 16, line 25 skipping to change at page 16, line 25
\ broad keycheck / \ keycheck \ broad keycheck / \ keycheck
\| / \| \| / \|
Client ---------------------------------------------> Client --------------------------------------------->
<-------- Extended broadcast time -------> <-------- Extended broadcast time ------->
synchronization exchange synchronization exchange
<---- Keycheck exchange ---> <---- Keycheck exchange --->
Procedure for extended broadcast time synchronization exchange. Procedure for extended broadcast time synchronization exchange.
7. Server Seed Considerations 7. Server Seed, Hash Algorithms and Generating MACs
7.1. Server Seed
The server has to calculate a random seed which has to be kept The server has to calculate a random seed which has to be kept
secret. The server MUST generate a seed for each supported hash secret. The server MUST generate a seed for each supported hash
algorithm, see Section 8.1. algorithm, see Section 7.2.
According to the requirements in [RFC7384], the server MUST refresh According to the requirements in [RFC7384], the server MUST refresh
each server seed periodically. Consequently, the cookie memorized by each server seed periodically. Consequently, the cookie memorized by
the client becomes obsolete. In this case, the client cannot verify the client becomes obsolete. In this case, the client cannot verify
the MAC attached to subsequent time response messages and has to the MAC attached to subsequent time response messages and has to
respond accordingly by re-initiating the protocol with a cookie respond accordingly by re-initiating the protocol with a cookie
request (Appendix B.4). request (Appendix B.4).
8. Hash Algorithms and MAC Generation 7.2. Hash Algorithms
8.1. Hash Algorithms
Hash algorithms are used for calculation of the cookie and the MAC. Hash algorithms are used for calculation of the cookie and the MAC.
The client and the server negotiate a hash algorithm H during the The client and the server negotiate a hash algorithm H during the
association phase at the beginning. The selected algorithm H is used association phase at the beginning. The selected algorithm H MUST be
for all hashing processes in that run. used for all hashing processes in that run.
In the TESLA scheme, hash algorithms are used as pseudo-random In the TESLA scheme, hash algorithms are used as pseudo-random
functions to construct the one-way key chain. Here, the utilized functions to construct the one-way key chain. Here, the utilized
hash algorithm is communicated by the server and is non-negotiable. hash algorithm is communicated by the server and is non-negotiable.
Note: Note: Any hash algorithm is prone to be compromised in the future.
A successful attack on a hash algorithm would enable any NTS
client to derive the server seed from its own cookie. Therefore,
the server MUST have separate seed values for its different
supported hash algorithms. This way, knowledge gained from an
attack on a hash algorithm H can at least only be used to
compromise such clients who use hash algorithm H as well.
Any hash algorithm is prone to be compromised in the future. A 7.3. MAC Calculation
successful attack on a hash algorithm would enable any NTS client
to derive the server seed from its own cookie. Therefore, the
server MUST have separate seed values for its different supported
hash algorithms. This way, knowledge gained from an attack on a
hash algorithm H can at least only be used to compromise such
clients who use hash algorithm H as well.
8.2. MAC Calculation For the calculation of the MAC, client and server MUST use a Keyed-
Hash Message Authentication Code (HMAC) as described in [RFC2104].
The HMAC is generated with the hash algorithm specified by the client
(see Section 7.2). The input values for the HMAC are the cookie and
the content that has to be protected by NTS.
For the calculation of the MAC, client and server use a Keyed-Hash 8. IANA Considerations
Message Authentication Code (HMAC) approach [RFC2104]. The HMAC is
generated with the hash algorithm specified by the client (see
Section 8.1).
9. IANA Considerations As mentioned, this document generically specifies security measures
whose utilization for any given specific time synchronization
protocol requires a separate document. Consequently, this document
itself does not have any IANA actions (TO BE REVIEWED).
10. Security Considerations 9. Security Considerations
10.1. Privacy Aspects of security for time synchronization protocols are treated
throughout this document. For a comprehensive discussion of security
requirements in time synchronization contexts, refer to [RFC7384].
See Appendix A for a tabular overview of how NTS deals with those
requirements.
Additional NTS specific discussion of security issues can be found in
the following subsections.
Note: Any separate document describing the utilization of NTS to a
specific time synchronization protocol may additionally introduce
discussion of its own specific security considerations.
9.1. Privacy
The payload of time synchronization protocol packets of two-way time The payload of time synchronization protocol packets of two-way time
transfer approaches like NTP and PTP consists basically of time transfer approaches like NTP and PTP consists basically of time
stamps, which are not considered secret [RFC7384]. Therefore, stamps, which are not considered secret [RFC7384]. Therefore,
encryption of the time synchronization protocol packet's payload is encryption of the time synchronization protocol packet's payload is
not considered in this document. However, an attacker can exploit not considered in this document. However, an attacker can exploit
the exchange of time synchronization protocol packets for topology the exchange of time synchronization protocol packets for topology
detection and inference attacks as described in [RFC7624]. To make detection and inference attacks as described in [RFC7624]. To make
such attacks more difficult, that draft recommends the encryption of such attacks more difficult, that draft recommends the encryption of
the packet payload. Yet, in the case of time synchronization the packet payload. Yet, in the case of time synchronization
protocols the confidentiality protection of time synchronization protocols the confidentiality protection of time synchronization
packet's payload is of secondary importance since the packet's meta packet's payload is of secondary importance since the packet's meta
data (IP addresses, port numbers, possibly packet size and regular data (IP addresses, port numbers, possibly packet size and regular
sending intervals) carry more information than the payload. To sending intervals) carry more information than the payload. To
enhance the privacy of the time synchronization partners, the usage enhance the privacy of the time synchronization partners, the usage
of tunnel protocols such as IPsec and MACsec, where applicable, is of tunnel protocols such as IPsec and MACsec, where applicable, is
therefore more suited than confidentiality protection of the payload. therefore more suited than confidentiality protection of the payload.
10.2. Initial Verification of the Server Certificates 9.2. Initial Verification of the Server Certificates
The client may wish to verify the validity of certificates during the The client may wish to verify the validity of certificates during the
initial association phase. Since it generally has no reliable time initial association phase. Since it generally has no reliable time
during this initial communication phase, it is impossible to verify during this initial communication phase, it is impossible to verify
the period of validity of the certificates. To solve this chicken- the period of validity of the certificates. To solve this chicken-
and-egg problem, the client has to rely on external means. and-egg problem, the client has to rely on external means.
10.3. Revocation of Server Certificates 9.3. Revocation of Server Certificates
According to Section 7, it is the client's responsibility to initiate According to Section 7, it is the client's responsibility to initiate
a new association with the server after the server's certificate a new association with the server after the server's certificate
expires. To this end, the client reads the expiration date of the expires. To this end, the client reads the expiration date of the
certificate during the certificate message exchange (Appendix B.3.3). certificate during the certificate message exchange (Appendix B.3.3).
Furthermore, certificates may also be revoked prior to the normal Furthermore, certificates may also be revoked prior to the normal
expiration date. To increase security the client MAY periodically expiration date. To increase security the client MAY periodically
verify the state of the server's certificate via Online Certificate verify the state of the server's certificate via Online Certificate
Status Protocol (OCSP) Online Certificate Status Protocol (OCSP) Status Protocol (OCSP) Online Certificate Status Protocol (OCSP)
[RFC6960]. [RFC6960].
10.4. Mitigating Denial-of-Service for broadcast packets 9.4. Mitigating Denial-of-Service for broadcast packets
TESLA authentication buffers packets for delayed authentication. TESLA authentication buffers packets for delayed authentication.
This makes the protocol vulnerable to flooding attacks, causing the This makes the protocol vulnerable to flooding attacks, causing the
client to buffer excessive numbers of packets. To add stronger DoS client to buffer excessive numbers of packets. To add stronger DoS
protection to the protocol, the client and the server use the "not protection to the protocol, the client and the server use the "not
re-using keys" scheme of TESLA as pointed out in Section 3.7.2 of RFC re-using keys" scheme of TESLA as pointed out in Section 3.7.2 of RFC
4082 [RFC4082]. In this scheme the server never uses a key for the 4082 [RFC4082]. In this scheme the server never uses a key for the
MAC generation more than once. Therefore, the client can discard any MAC generation more than once. Therefore, the client can discard any
packet that contains a disclosed key it already knows, thus packet that contains a disclosed key it already knows, thus
preventing memory flooding attacks. preventing memory flooding attacks.
Discussion: Note that an alternative approach to enhance TESLA's Discussion: Note that an alternative approach to enhance TESLA's
resistance against DoS attacks involves the addition of a group resistance against DoS attacks involves the addition of a group
MAC to each packet. This requires the exchange of an additional MAC to each packet. This requires the exchange of an additional
shared key common to the whole group. This adds additional shared key common to the whole group. This adds additional
complexity to the protocol and hence is currently not considered complexity to the protocol and hence is currently not considered
in this document. in this document.
10.5. Delay Attack 9.5. Delay Attack
In a packet delay attack, an adversary with the ability to act as a In a packet delay attack, an adversary with the ability to act as a
MITM delays time synchronization packets between client and server MITM delays time synchronization packets between client and server
asymmetrically [RFC7384]. This prevents the client from accurately asymmetrically [RFC7384]. This prevents the client from accurately
measuring the network delay, and hence its time offset to the server measuring the network delay, and hence its time offset to the server
[Mizrahi]. The delay attack does not modify the content of the [Mizrahi]. The delay attack does not modify the content of the
exchanged synchronization packets. Therefore, cryptographic means do exchanged synchronization packets. Therefore, cryptographic means do
not provide a feasible way to mitigate this attack. However, several not provide a feasible way to mitigate this attack. However, several
non-cryptographic precautions can be taken in order to detect this non-cryptographic precautions can be taken in order to detect this
attack. attack.
skipping to change at page 20, line 5 skipping to change at page 20, line 20
accumulate until the loose time synchronization requirement is accumulate until the loose time synchronization requirement is
violated, which breaks the TESLA scheme. To mitigate this violated, which breaks the TESLA scheme. To mitigate this
vulnerability the security condition in TESLA has to be supplemented vulnerability the security condition in TESLA has to be supplemented
by an additional check in which the client, upon receipt of a by an additional check in which the client, upon receipt of a
broadcast message, verifies the status of the corresponding key via a broadcast message, verifies the status of the corresponding key via a
unicast message exchange with the broadcast server (see Appendix C.4 unicast message exchange with the broadcast server (see Appendix C.4
for a detailed description of this check). Note that a broadcast for a detailed description of this check). Note that a broadcast
client should also apply the above-mentioned precautions as far as client should also apply the above-mentioned precautions as far as
possible. possible.
10.6. Random Number Generation 9.6. Random Number Generation
At various points of the protocol, the generation of random numbers At various points of the protocol, the generation of random numbers
is required. The employed methods of generation need to be is required. The employed methods of generation need to be
cryptographically secure. See [RFC4086] for guidelines concerning cryptographically secure. See [RFC4086] for guidelines concerning
this topic. this topic.
11. Acknowledgements 10. Acknowledgements
The authors would like to thank Tal Mizrahi, Russ Housley, Steven The authors would like to thank Tal Mizrahi, Russ Housley, Steven
Bellovin, David Mills, Kurt Roeckx, Rainer Bermbach, Martin Langer Bellovin, David Mills, Kurt Roeckx, Rainer Bermbach, Martin Langer
and Florian Weimer for discussions and comments on the design of NTS. and Florian Weimer for discussions and comments on the design of NTS.
Also, thanks go to Harlan Stenn for his technical review and specific Also, thanks go to Harlan Stenn and Richard Welty for their technical
text contributions to this document. review and specific text contributions to this document.
12. References 11. References
12.1. Normative References 11.1. Normative References
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, DOI Hashing for Message Authentication", RFC 2104, DOI
10.17487/RFC2104, February 1997, 10.17487/RFC2104, February 1997,
<http://www.rfc-editor.org/info/rfc2104>. <http://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 20, line 44 skipping to change at page 21, line 15
[RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and B. [RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and B.
Briscoe, "Timed Efficient Stream Loss-Tolerant Briscoe, "Timed Efficient Stream Loss-Tolerant
Authentication (TESLA): Multicast Source Authentication Authentication (TESLA): Multicast Source Authentication
Transform Introduction", RFC 4082, DOI 10.17487/RFC4082, Transform Introduction", RFC 4082, DOI 10.17487/RFC4082,
June 2005, <http://www.rfc-editor.org/info/rfc4082>. June 2005, <http://www.rfc-editor.org/info/rfc4082>.
[RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in
Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
October 2014, <http://www.rfc-editor.org/info/rfc7384>. October 2014, <http://www.rfc-editor.org/info/rfc7384>.
12.2. Informative References 11.2. Informative References
[I-D.ietf-ntp-cms-for-nts-message] [I-D.ietf-ntp-cms-for-nts-message]
Sibold, D., Teichel, K., Roettger, S., and R. Housley, Sibold, D., Teichel, K., Roettger, S., and R. Housley,
"Protecting Network Time Security Messages with the "Protecting Network Time Security Messages with the
Cryptographic Message Syntax (CMS)", draft-ietf-ntp-cms- Cryptographic Message Syntax (CMS)", draft-ietf-ntp-cms-
for-nts-message-04 (work in progress), July 2015. for-nts-message-04 (work in progress), July 2015.
[I-D.ietf-tictoc-multi-path-synchronization] [I-D.ietf-tictoc-multi-path-synchronization]
Shpiner, A., Tse, R., Schelp, C., and T. Mizrahi, "Multi- Shpiner, A., Tse, R., Schelp, C., and T. Mizrahi, "Multi-
Path Time Synchronization", draft-ietf-tictoc-multi-path- Path Time Synchronization", draft-ietf-tictoc-multi-path-
skipping to change at page 23, line 15 skipping to change at page 23, line 33
+---------+------------------------------+-------------+------------+ +---------+------------------------------+-------------+------------+
| 5.9 | Protection against Packet | MUST | Limited*) | | 5.9 | Protection against Packet | MUST | Limited*) |
| | Delay and Interception | | | | | Delay and Interception | | |
| | Attacks | | | | | Attacks | | |
+---------+------------------------------+-------------+------------+ +---------+------------------------------+-------------+------------+
| 5.10 | Secure mode | MUST | OK | | 5.10 | Secure mode | MUST | OK |
+---------+------------------------------+-------------+------------+ +---------+------------------------------+-------------+------------+
| | Hybrid mode | SHOULD | - | | | Hybrid mode | SHOULD | - |
+---------+------------------------------+-------------+------------+ +---------+------------------------------+-------------+------------+
*) See discussion in Section 10.5. *) See discussion in Section 9.5.
Comparison of NTS specification against Security Requirements of Time Comparison of NTS specification against Security Requirements of Time
Protocols in Packet Switched Networks (RFC 7384) Protocols in Packet Switched Networks (RFC 7384)
Appendix B. (normative) Inherent Association Protocol Messages Appendix B. (normative) Inherent Association Protocol Messages
This appendix presents a procedure that performs the association, the This appendix presents a procedure that performs the association, the
cookie, and also the broadcast parameter message exchanges between a cookie, and also the broadcast parameter message exchanges between a
client and a server. This procedure is one possible way to achieve client and a server. This procedure is one possible way to achieve
the preconditions listed in Sections Section 6.1.1, Section 6.2.1, the preconditions listed in Sections Section 6.1.1, Section 6.2.1,
skipping to change at page 24, line 34 skipping to change at page 25, line 4
association exchange with the server in the future. It contains: association exchange with the server in the future. It contains:
o the NTS message ID "client_access". o the NTS message ID "client_access".
B.2.3. Message Type: "server_access" B.2.3. Message Type: "server_access"
This message is sent by the server on receipt of a client_access This message is sent by the server on receipt of a client_access
message. It contains: message. It contains:
o the NTS message ID "server_access", o the NTS message ID "server_access",
o an access key. o an access key.
B.2.4. Procedure Overview of the Access Exchange B.2.4. Procedure Overview of the Access Exchange
For an access exchange, the following steps are performed: For an access exchange, the following steps are performed:
1. The client sends a client_access message to the server. 1. The client sends a client_access message to the server.
2. Upon receipt of a client_access, the server calculates the access 2. Upon receipt of a client_access, the server calculates the access
key according to key. It then sends a reply in the form of a server_access
message. The server must either memorize the access key or
access_key = HMAC(server seed; address of client), alternatively apply a means by which it can reconstruct the
access key. Note that in both cases the access key must be
then it constructs and sends a reply in the form of a correlated with the address of the requester. Note also that if
server_access message. In general the address of the client will the server memorizes the access key for a requester, it has to
be represented by the IP address of the client. keep state for a certain amount of time.
3. The client waits for a response in the form of a server_access 3. The client waits for a response in the form of a server_access
message. Upon receipt of one, it MUST memorize the included message. Upon receipt of one, it MUST memorize the included
access key. access key.
B.3. Association Message Exchange B.3. Association Message Exchange
In this message exchange, the participants negotiate the hash and In this message exchange, the participants negotiate the hash and
encryption algorithms that are used throughout the protocol. In encryption algorithms that are used throughout the protocol. In
addition, the client receives the certification chain up to a trusted addition, the client receives the certification chain up to a trusted
skipping to change at page 27, line 25 skipping to change at page 28, line 6
* It also verifies that the server has chosen the encryption and * It also verifies that the server has chosen the encryption and
hash algorithms from its proposal sent in the client_assoc hash algorithms from its proposal sent in the client_assoc
message and that this proposal was not altered. message and that this proposal was not altered.
* Furthermore, it performs authenticity checks on the * Furthermore, it performs authenticity checks on the
certificate chain and the signature. certificate chain and the signature.
If one of the checks fails, the client MUST abort the run. If one of the checks fails, the client MUST abort the run.
+------------------------+ +------------------------+
| o Check access key |
+------------------------+
| o Choose version | | o Choose version |
| o Choose algorithms | | o Choose algorithms |
| o Acquire certificates | | o Acquire certificates |
| o Assemble response | | o Assemble response |
| o Create signature | | o Create signature |
+-----------+------------+ +-----------+------------+
| |
<-+-> <-+->
Server ---------------------------> Server --------------------------->
skipping to change at page 38, line 4 skipping to change at page 38, line 34
| | public key | server | messages. The client uses | | | public key | server | messages. The client uses |
| | (encryption) | | the private key to decrypt | | | (encryption) | | the private key to decrypt |
| +--------------+--------+ them. The certificate is | | +--------------+--------+ them. The certificate is |
| | certificate | client | sent in client_cook messages, | | | certificate | client | sent in client_cook messages, |
| | | | where it is used for trans- | | | | | where it is used for trans- |
| | | | portation of the public key | | | | | portation of the public key |
| | | | as well as (optionally) for | | | | | as well as (optionally) for |
| | | | verification of client | | | | | verification of client |
| | | | authorization. | | | | | authorization. |
+---------+--------------+--------+-------------------------------+ +---------+--------------+--------+-------------------------------+
+------------<---------------+
| At least one | This table shows the kind of cryptographic resources that NTS
V successful | participants of server and client role should have ready before NTS
++====[ ]===++ ++=====^=====++ communication starts.
|| Cookie || ||Association||
|| Exchange || || Exchange || ++===========================================++
++====_ _===++ ++===========++ || ||
|| Secure Authentication and Cookie Exchange ||
|| ||
++=======_ _=================================++
| |
| At least one | At least one
| successful | successful
V V
++=======[ ]=======++ ++=======[ ]=======++
|| Unicast Time |>-----\ As long as further || Unicast Time |>-----\ As long as further
|| Synchronization || | synchronization || Synchronization || | synchronization
|| Exchange(s) |<-----/ is desired || Exchange(s) |<-----/ is desired
++=======_ _=======++ ++=======_ _=======++
| |
skipping to change at page 39, line 5 skipping to change at page 39, line 51
/ \ / \
either / \ or either / \ or
/----------/ \-------------\ /----------/ \-------------\
| | | |
V V V V
++========[ ]========++ ++========[ ]========++ ++========[ ]========++ ++========[ ]========++
|| Keycheck Exchange || || Keycheck Exchange || || Keycheck Exchange || || Keycheck Exchange ||
++===================++ || with TimeSync || ++===================++ || with TimeSync ||
++===================++ ++===================++
This diagram shows the dependencies between the different message
exchanges and procedures which NTS offers.
Authors' Addresses Authors' Addresses
Dieter Sibold Dieter Sibold
Physikalisch-Technische Bundesanstalt Physikalisch-Technische Bundesanstalt
Bundesallee 100 Bundesallee 100
Braunschweig D-38116 Braunschweig D-38116
Germany Germany
Phone: +49-(0)531-592-8420 Phone: +49-(0)531-592-8420
Fax: +49-531-592-698420 Fax: +49-531-592-698420
 End of changes. 45 change blocks. 
104 lines changed or deleted 148 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/