A Security Analysis of Network Time Protocol

1
A Security Analysis of Network Time Protocol
Paper by Matt Bishop, 1991

• Andy Hospodor
• COEN 317
• 11/03/03

2
Sequence

• NTP Architecture
• Overview of Security features
• Types of attacks on NTP
• Countermeasures
• Further reading

3
Where does time come from?

• Originally from the motion of the earth around
  the sun
• Today, NIST operates atomic clocks and masers
  that generate time
• More recently, USNO
• is responsible for distribution of time in the US
• is the standard for time in the US
• www.time.gov

4
NTP Architecture
11 hydrogen masers
50 HP-5071 cesiums
top level stratum
Primary Servers
level 2 stratum
1
2
1
2
Secondary Servers
level 3 stratum

• Primary servers are synchronized by radio or
  atomic clocks
• Secondary servers exist at multiple strata on
  fixed route paths
• Secondary servers measure path delay to n-1
  strata periodically
• Clients sample multiple secondary time servers
• Clock filters select best from a window of eight
  time offset samples
• Combining algorithm computes weighted average of
  time offsets.

5
NTP Packet Format
NTP Protocol Header Format (32 bits)
LI leap warning indicator VN version number
(4) Strat stratum (0-15) Poll poll interval
(log2) Prec precision (log2)
Strat
Poll
LI
Mode
VN
Prec
Root Delay
Root Dispersion
Reference Identifier
Reference Timestamp (64)
NTP Timestamp Format (64 bits)
Originate Timestamp (64)
Seconds (32)
Fraction (32)
Value is in seconds and fraction since 0h 1
January 1900
Receive Timestamp (64)
Cryptosum
Transmit Timestamp (64)
NTPv4 Extension Field
Extension Field 1 (optional)
Field Length
Field Type
Extension Field (padded to 32-bit boundary)
Extension Field 2 (optional)
Last field padded to 64-bit boundary
Key/Algorithm Identifier
NTP v3 and v4
Message Hash (64 or 128)
Authenticator (Optional)
NTP v4 only
authentication only
Authenticator uses DES-CBC or MD5 cryptosum of
NTP header plus extension fields (NTPv4)
6
Security Features

• Sanity checks
• Is the packet correct and reasonable?
• Access Control
• Can the host change the clock?
• Authentication
• Is the message from a trusted source?
• Redundant Time Sources
• Is one of the secondary servers getting weird?

7
Types of attacks on NTP

• Masquerade Attack
• Impersonate a time server
• Modification Attack
• Intercept and modify messages from time server
• Replay Attack
• Resend messages from a time server
• Denial of Service Attack
• Intercept and delete messages from a time server
• Delay Attack
• Delay the time messages, typically by flooding

8
Countermeasures
Masquerade Attack
Authentication
Modification Attack
Sanity checks
Replay Attack
Access Control
Denial of Service Attack
RedundantTime Sources
Delay Attack
9
NTP Shortcomings

• Susceptible to Combined attacks
• Deny service except for one source
• Delay packets from that source
• Allow client clocks to drift
• 64 bit DES encryption is broken
• Keys authenticated per host, not per path
• Does not deal with wiretapping
• Cooperation amongst govt agencies?

10
Further reading

• Network Time Protocol (NTP) v3 and v4
  http//www.ntp.org/
• David L. Mills http//www.eecis.udel.edu/mills
• FTP server ftp.udel.edu (pub/ntp directory)
• Related project descriptions and briefings
• http//www.eecis.udel.edu/mills/status.htm
• US Naval Ovservatory the US time standard
  http//tycho.usno.navy.mil/mc_to.html

11
Time Trivia
Sidereal time is the hour angle of the vernal
equinox, the ascending node of the ecliptic on
the celestial equator. The daily motion of this
point provides a measure of the rotation of the
Earth with respect to the stars, rather than the
Sun. Local mean sidereal time is computed from
the current Greenwich Mean Sideral Time plus an
input offset in longitude (converted to a
sidereal offset by the ratio 1.00273790935 of the
mean solar day to the mean sidereal day.)
Applying the equation of equinoxes, or nutation
of the mean pole of the Earth from mean to true
position, yields local apparent sidereal time.
Astronomers use local sidereal time because it
corresponds to the coordinate right ascension of
a celestial body that is presently on the local
meridian.