|The NTP FAQ and HOWTO: Understanding and using the Network Time Protocol (A first try on a non-technical Mini-HOWTO and FAQ on NTP)|
Providing or enabling the use of encryption in software is (or at least was) considered harmful by the U.S.A. Therefore NTP version 3 was available as export version without DES encryption as well as a non-export version. As xntpd is actually an international product developed and improved allover in the world, NTP version 4 includes no cryptography (from the viewpoint of government regulations) and introduces MD5 keys.
As MD5 is heavily used in digital signatures, MD5 is not considered as cryptography (despite of the fact that digital signatures actually do use encryption).
Basically NTP uses encryption only for integrity checking and authentication (which effectively is integrity checking):
|symmetric keys (shared secrets) are used to prove authenticity of data received over the network|
|key pairs are used where establishing shared secrets is difficult. The autokey mechanism uses key pairs.|
Cryptographic hash functions like MD5 (and SHA) are believed to have the following properties:
|Large amount of input data produce some samll fingerprint (output data)|
|Different input creates different output|
|It's not possible to construct some input matching a specific output other than by brute force (trying at least as many combinations of input that correspond to the key space of the output)|
The sender computes a fingerprint consisting of public data plus some secret data (the symmetric key), and it adds that to the data being transferred. The recipient uses the received data plus the shared secret to compute his own fingerprint in the same way as the sender does. It is believed that providing a correct fingerprint implies that the sender knows the shared secret, and that the data received weren't changed during transmission.
While the above procedure is not considered being data encryption, the following procedure using key pairs is: The sender computes a fingerprint of the public data only, but then encrypts that fingerprint with its part (named private key or secret key) of the key pair. Message plus encrypted fingerprint are sent. The recipient decrypts the fingerprint using its part (named public key) and compares it tho the fingerprint computed locally from the public data. If both are the same, it is believed that it's only possible to send the correct encrypted fingerpint when knowing the secret key.
The mathematical properties and generation of key pairs are not presented here. Look up literature for RSA if you are interested.
The uses of authenticated messages in NTP are:
|Remote configuration commands|
|Time messages (authentication is optional)|
Strong Cryptography is computationally expensive. Furthermore, the time required to complete the computations may depend on the actual values being processed in a non-predictable way.
Therefore NTP tries to avoid cryptography whenever possibly. MD5 is believed to require almost constant CPU cycles, while public key algorithms are known to require significantly more, and a varying number of CPU cycles.
Symmetric key encryption requires a secure channel to exchange secret keys. Every communication partner (NTP client) needs such a secret key for authenticating the time messages from a server. Therefore public key cryptography and X.509 version 3 certificates are used for a new authentication schema that is summarized below. See the original documentation and Q: 188.8.131.52. for details.
As public key algorithms are computationally expensive, those algorithms are not used for every packet being exchanged.
In NTP Security Model the phrases are defined like this:
A client is authentic if it can reliably verify the credentials of at least one server and the integrity of its messages
A client is proventic if there exists a path to a trusted server where each node is authentic
A secure group defines a subset of the NTP network that uses a common security model, authentication protocol, and identity scheme. Each member of a group has identity parameters and a group key provided by some trusted agent.
Each secure group has at least one trusted host that operates as certificate authority at the lowest stratum of the group.
A primary group includes at least one trusted primary server (startum 1).
Identity Schemes are methods to prove the identity of a remote system, helping to prevent man-in-the-middle attacks. In NTP Security Algorithms and NTP Security Model the following identity schemes are mentioned:
|Private Certificate (PC)|
|Trusted Certificate (TC)|
|Schnorr Identity Scheme (IFF)|
|Guillou-Quisquater Identity Scheme (GQ)|
|Mu-Varadharajan Identity Scheme (MV)|
The PC scheme is much like private keys, requiring a secret channel to distribute keys. The TC scheme uses a trusted authority (TA) and certificate chains. The IFF scheme uses DSA principles. The GQ scheme is based on RSA principles. The MV scheme is based on DSA principles also, but does not require trusted clients.
All schemes use relatively small keys (few bits), so that those keys must be refreshed regularly. Even though certificates are valid for one year after creation, the keys should be re-created on a shorter interval. Using the NTP timestamp as the certificates' serial number ensures uniqueness. Thus signatures are only generated when the host's time is considered synchronized.
According to NTP Security Protocol, a proventic trail (certificate trail) is a cryptographically verified sequence of NTP servers ending at a trusted host.
According to NTP Security Protocol, session keys are 128 bits (16 octets). Session keys are created as lists of keys, and the last key in the list is digitally signed. See [RFC 2104] (HMAC: Keyed-Hashing for Message Authentication) for basics.
However electronic commerce is only possibly with safe data exchange, so use of encryption became a bit more allowed recently.