25 Nov 20

White Paper: How does NTS work and why is it important

How does NTS work and why is it important? - A White Paper by Netnod
This white paper gives an overview of NTS and a detailed description of the authentication process that ensures you receive time information from a trusted source. This includes the step-by-step details of the key establishment and time stamping process. We also provide a summary of the elements that enable NTS to scale and to secure NTP against a range of attack vectors.

This is a preview of Netnod's NTS white paper. To read the full white paper, see link below.

Introduction

Many of the important security tools that keep us safe online depend on accurate time. But until recently there was no way to ensure that the time you received over the Internet was correct. There was simply no way to tell if you were being fed time from a malicious or trusted source.

This is largely because the current standard for receiving time over the Internet, the Network Time Protocol (NTP), was created in 1985. In those more innocent times, the need to secure NTP, the type of security needed, and how to provide it were less understood.

Over the last 35 years, a range of security flaws and some high-profile attacks have shown that NTP needed significantly improved security. The new Network Time Security (NTS) standard has been designed to fix that.

NTP security issues 

Unsecured NTP is vulnerable to Man-in-the-Middle (MITM) attacks where a malicious actor sits between you and the NTP server, listens in on the conversation, forges  messages and lies to you about time. As a lot of processes are dependent on accurate time, the consequences here can be very serious and can include:

  • Incorrect timestamps on logs and transactions which can support fraudulent activities or help disguise other criminal action 
  • Authentication problems, attacks and issues with authentication security measures 
  • Issues with cryptographic signatures and establishing encrypted sessions such as Transport Layer Security (TLS) 
  • DNS Security (DNSSEC) failing to work if the client doesn’t have accurate time

Previous attempts at NTP security 

There have been some previous attempts to add security to NTP. Commonly referred to as NTP-AUTH, these attempts did not provide all necessary aspects of security (confidentiality, authentication and integrity including protection against replay attacks). 

Moreover, the underlying security mechanism for NTP-AUTH (MD5 or SHA-1) could be considered weak at best. NTP-AUTH is based on secret keys but the key agreement is not standardized. This means that any NTP service provider wanting to use NTP-AUTH has to find their own way to exchange keys with the client out-of-band. 

This often requires a potential client to send a letter or fax to get the secret key. The need for a server to store uniquesecret keys for all clients creates scalability problems: as the number of users grows, the storage requirements and especially the ability to rapidly look up a given key makes the service hard to scale.

Given all these issues, it has long been apparent that a new security mechanism for NTP is needed; one based on modern security mechanisms that could also allow the service to scale to potentially millions of clients.

The NTS standard

NTS has been developed within the Internet Engineering Task Force (IETF). In March 2015, the first Internet-Draft of the NTS standard was published. Over the next five years, the draft went through 28 further iterations until the Internet Draft ‘Network Time Security for the Network Time Protocol’ was published as a Proposed Standard (RFC8915) in September 2020. 

NTS uses modern cryptography to add an important layer of security to NTP. It prevents spoofing and MITM attacks by using authenticated packets. Amplification attacks are prevented by ensuring that request and response packets are always the same size.

NTS is really two protocols: a key establishment protocol, and NTP with some new Extension Fields. The reason for using two protocols is separation of concerns:

1. The seldom used key establishment on top of standard Transport Layer Security (TLS), and

2. The (already existing) low latency UDP-based time synchronisation path.

This means that the existing NTP functionality is the same as before, but the time data can now be authenticated. 

The NTS authentication process

The authentication process consists of a key establishment and a timestamp request. The key exchange server typically runs on an ordinary computer, but the slim NTS-enabled NTP server is UDP-based and stateless. It can be served from anycast addresses and can be implemented at the hardware level. The NTP server’s state about each client is kept in the cookie provided by the client itself with each request. As there can potentially be hundreds of millions of clients, this is crucial for the smooth operation of a large-scale NTS service.

Since the cryptographic operations in the NTS path are symmetric it is both easier to implement them in hardware and to make them use constant time. This increases the accuracy of the time synchronisation and keeps the slower key exchange outside of the time synchronisation path. 

NTS uses Authenticated Encryption using the Advanced Encryption Standard (AES), more specifically what is known as Synthetic Initialization Vector (RFC 5297). This is a block cipher mode of operation providing nonce-based, misuse-resistant authenticated encryption. Using AES-SIV enables the encryption processes described below to add integrity and origin authentication. The consequences for this at a hardware level will be discussed in an upcoming white paper.

The key establishment

The key establishment process works as follows: first, a client initiates a key establishment using the NTS-KE protocol embedded in TLS (see figure 1.)

NTS wp figure 1

Figure 1: Key establishment. Note: the numbers shown correspond to the text below.

 

To read the full white paper, click here