[an error occurred while processing this directive]
HP OpenVMS Systems Documentation |
HP TCP/IP Services for OpenVMS
|
Previous | Contents | Index |
The following sample shows a standard NTP log file that has no extra logging enabled. Each line of the NTP log file begins with the date, the time, the program name, and the process identification (PID). The following samples show the remainder of each log file line.
ntpd version = 4.2.0 precision = 976.500 usec no IPv6 interfaces found frequency initialized 3.307 PPM from SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT synchronized to 16.141.42.135, stratum=2 offset: -0.005229 sec freq: 2.557 ppm poll: 512 sec error: 0.028384 offset: 0.005578 sec freq: 3.181 ppm poll: 1024 sec error: 0.016115 offset: 0.019279 sec freq: 4.563 ppm poll: 1024 sec error: 0.009479 offset: 0.025102 sec freq: 5.392 ppm poll: 1024 sec error: 0.006337 offset: 0.024946 sec freq: 5.933 ppm poll: 512 sec error: 0.003737 offset: 0.003863 sec freq: 5.950 ppm poll: 512 sec error: 0.003157 offset: -0.001525 sec freq: 6.021 ppm poll: 1024 sec error: 0.002122 no servers reachable offset: 0.036898 sec freq: 7.105 ppm poll: 16 sec error: 0.011337 synchronized to 16.141.42.135, stratum=2 offset: -0.006789 sec freq: 7.179 ppm poll: 128 sec error: 0.008491 offset: -0.063347 sec freq: 7.001 ppm poll: 512 sec error: 0.012344 offset: -0.015588 sec freq: 4.727 ppm poll: 256 sec error: 0.007519 offset: -0.017718 sec freq: 6.508 ppm poll: 512 sec error: 0.014940 ======== |
The next sample shows an NTP log file with all categories of logging enabled.
ntpd version = 4.2.0 precision = 1000.000 usec frequency initialized 8.824 PPM from SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT system event 'event_restart' (0x01) status 'sync_alarm, sync_unspec, 1 event, event_unspec' (0xc010) peer 16.103.128.90 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0xa014) signal_no_reset: signal 14 had flags 2 peer 16.140.0.12 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0xa014) peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0xa014) system event 'event_peer/strat_chg' (0x04) status 'sync_alarm, sync_ntp, 2 events, event_restart' (0xc621) synchronized to 16.141.42.135, stratum=1 system event 'event_sync_chg' (0x03) status 'leap_none, sync_ntp, 3 events, event_peer/strat_chg' (0x634) system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_ntp, 4 events, event_sync_chg' (0x643) offset -0.002887 sec freq 8.833 ppm error 0.011770 poll 8 offset: -0.002887 sec freq: 8.833 ppm poll: 256 sec error: 0.011770 offset -0.002329 sec freq 8.822 ppm error 0.012771 poll 9 offset: -0.002329 sec freq: 8.822 ppm poll: 512 sec error: 0.012771 |
Authentication support allows the NTP client to verify that the server is in fact known and trusted and not an intruder intending accidentally or on purpose to masquerade as that server. The NTPv3 specification RFC-1305 defines a scheme which provides cryptographic authentication of received NTP packets. Originally, this was done using the Data Encryption Standard (DES) algorithm operating in Cipher Block Chaining (CBC) mode, commonly called DES-CBC. Subsequently, this was replaced by the RSA Message Digest 5 (MD5) algorithm using a private key, commonly called keyed-MD5. Either algorithm computes a message digest, or one-way hash, which can be used to verify the server has the correct private key and key identifier.
NTPv4 retains the NTPv3 scheme, properly described as symmetric key cryptography, and, in addition, provides a new Autokey scheme based on public key cryptography. Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on a private value that is generated by each host and never revealed. With the exception of the group key described later, all key distribution and management functions involve only public values, which considerably simplifies key distribution and storage. Public key management is based on X.509 certificates, which can be provided by commercial services or produced by utility programs in the OpenSSL software library or the included utilities.
Though the algorithms for symmetric key cryptography are included in the NTPv4 distribution, public key cryptography requires the OpenSSL software library to be installed before running NTP. The minimum version required is SSL for OpenVMS V1.2.
Authentication is configured separately for each association using the key or autokey subcommand on the peer , server , broadcast , and manycastclient configuration commands as described in Table 13-3. The authentication options described below specify the locations of the key files, if other than default, which symmetric keys are trusted and the interval between various operations, if other than default.
Authentication is always enabled, although ineffective if not configured as described below. If an NTP packet arrives including a message authentication code (MAC), it is accepted only if it passes all cryptographic checks. The checks require correct key ID, key value and message digest. If the packet has been modified in any way or replayed by an intruder, it will fail one or more of these checks and be discarded. Furthermore, the Autokey scheme requires a preliminary protocol exchange to obtain the server certificate, verify its credentials and initialize the protocol
The auth flag controls whether new associations or remote configuration commands require cryptographic authentication. This flag can be set or reset by the enable and disable commands and also by remote configuration commands sent by an ntpdc program running on another machine. If this flag is enabled, which is the default case, new broadcast/manycast client and symmetric passive associations and remote configuration commands must be cryptographically authenticated using either symmetric key or public key cryptography. If this flag is disabled, these operations are effective even if not cryptographically authenticated. It should be understood that operating with the auth flag disabled invites a significant vulnerability where a rogue hacker can masquerade as a truechimer and seriously disrupt system timekeeping. Note that this flag has no purpose other than to allow or disallow a new association in response to new broadcast and symmetric active messages and remote configuration commands and, in particular, the flag has no effect on the authentication process itself.
13.7.1 Symmetric Key Cryptography
The original RFC-1305 specification allows any one of possibly 65,534
keys, each distinguished by a 32-bit key identifier, to authenticate an
association. The servers and clients involved must agree on the key and
key identifier to authenticate NTP packets. Keys and related
information are specified in a key file, which must be distributed and
stored using secure means beyond the scope of the NTP protocol itself.
Besides the keys used for ordinary NTP associations, additional keys
can be used as passwords for the
ntpq
and
ntpdc
utility programs. Ordinarily, the
keys
file is generated by the ntp_keygen program.
When the NTP server is first started, it reads the key file specified
in the
keys
configuration command and installs the keys in the key cache. However,
individual keys must be activated with the
trustedkey
command before use. This allows, for instance, the installation of
possibly several batches of keys and then activating or deactivating
each batch remotely using
ntpdc
. This also provides a revocation capability that can be used if a key
becomes compromised. The
requestkey
command selects the key used as the password for the
ntpdc
utility, while the
controlkey
command selects the key used as the password for the
ntpq
utility.
13.7.2 Public Key Cryptography
NTPv4 supports the original NTPv3 symmetric key scheme described in
RFC-1305 and in addition the Autokey protocol, which is based on public
key cryptography. The Autokey Version 2 protocol described in
Section 13.7.2.1 verifies packet integrity using MD5 message digests and
verifies the source with digital signatures and any of several
digest/signature schemes. Optional identity schemes described in
Section 13.7.2.4 and based on cryptographic challenge/response algorithms
are also available. Using these schemes provides strong security
against replay with or without modification, spoofing, masquerade and
most forms of clogging attacks.
13.7.2.1 Autokey Protocol
What makes Autokey special is the way in which these algorithms are
used to deflect intruder attacks while maintaining the integrity and
accuracy of the time synchronization function. The detailed design is
complicated by the need to provisionally authenticate under conditions
when reliable time values have not yet been acquired. Only when the
server identities have been confirmed, signatures verified and accurate
time values obtained does the Autokey protocol declare success.
The NTP message format has been augmented to include one or more extension fields between the original NTP header and the message authenticator code (MAC). The Autokey protocol exchanges cryptographic values in a manner designed to resist clogging and replay attacks. It uses timestamped digital signatures to sign a session key and then a pseudo-random sequence to bind each session key to the preceding one and eventually to the signature. In this way the expensive signature computations are greatly reduced and removed from the critical code path for constructing accurate time values.
Each session key is hashed from the IPv4 or IPv6 source and destination addresses and key identifier, which are public values, and a cookie that can be a public value or hashed from a private value depending on the mode. The pseudo-random sequence is generated by repeated hashes of these values and saved in a key list. The server uses the key list in reverse order, so as a practical matter the next session key cannot be predicted from the previous one, but the client can verify it using the same hash as the server.
There are three Autokey protocol variants in NTP, one for client/server
mode, another for broadcast/multicast mode, and a third for symmetric
active/passive mode. For instance, in client/server mode the server
keeps no state for each client, but uses a fast algorithm and a private
value to regenerate the cookie upon arrival of a client message. A
client sends its designated public key to the server, which generates
the cookie and sends it to the client encrypted with this key. The
client decrypts the cookie using its private key and generates the key
list. Session keys from this list are used to generate message
authentication codes (MAC) that are checked by the server for the
request and by the client for the response.
13.7.2.2 Certificate Trails
A timestamped digital signature scheme provides secure server authentication, but it does not provide protection against masquerade, unless the server identity is verified by other means. The PKI security model assumes each client is able to verify the certificate trail to a trusted certificate authority (TA), where each ascendent server must prove identity to the immediately descendant client by independent means, such as a credit card number or PIN. While Autokey supports this model by default, in a hierarchical ad-hoc network, especially with server discovery schemes like Manycast, proving identity at each rest stop on the trail must be an intrinsic capability of Autokey itself.
Our model is that every member of a closed group, such as might be operated by a timestamping service, be in possession of a secret group key. This could take the form of a private certificate or one or another identification schemes described in the literature and below. Certificate trails and identification schemes are at the heart of the NTP security model preventing masquerade and middleman attacks. The Autokey protocol operates to hike the trails and run the identity schemes.
An NTP secure group consists of a number of hosts dynamically assembled as a forest with roots the trusted hosts (TH) at the lowest stratum of the group. The TH do not have to be, but often are, primary (stratum 1) servers. A TA, not necessarily a group host, generates private and public identity values and deploys selected values to the group members using secure means.
The Alice group consists of TH Alice, which is also the TA, and Carol. Dependent servers Brenda and Denise have configured Alice and Carol, respectively, as their time sources. Stratum 3 server Eileen has configured both Brenda and Denise as her time sources. The certificates are identified by the subject and signed by the issuer. Note that the group key has previously been generated by Alice and deployed by secure means to all group members.
The steps in hiking the certificate trails and verifying identity are as follows.
13.7.2.3 Secure Groups
The NTP security model is based on multiple overlapping security
compartments or groups. The preceding example illustrates how groups
can be used to construct closed compartments, depending on how the
identity credentials are deployed. The rules can be summarized as
follows:
Each compartment is assigned a group key by the TA, which is then deployed to all group members by secure means. For retrieval purposes the name of the group key file is the name of a TH.
For various reasons it may be convenient for a server to hold keys for more than one group. There are three secure groups: Alice, Helen, and Carol.
Hosts A, B, C and D belong to the Alice group, hosts R, S to the Helen group and hosts X, Y and Z to the Carol group. Hosts A, B, R and X hold trusted certificates, while the remaining hosts hold standard certificates. Hosts A, B, C, D and X hold the group key for Alice; hosts R, S and X hold the group key for Helen; hosts X, Y and Z hold the group key for Carol.
The name of the group key file in Carol is X, while the name of that file in Helen is R, since there is no ambiguity in server selection. Alice is a special case, as the name of the group key depends on which server is chosen by the selection algorithm. By convention, both A and B generate individual group keys and distribute them to all group hosts by secure means. Then, it doesn't matter whether the certificate trail lands on A or B. Note that only X needs the group keys for Alice and Helen; Carol and her dependents need only her group key.
In most identity schemes there are two kinds of group keys, server and client. The intent of the design is to provide security separation, so that servers cannot masquerade as TAs and clients cannot masquerade as servers. Assume for example that Alice and Helen belong to national standards laboratories and their group keys are used to confirm identity between members of each group. Carol is a prominent corporation receiving standards products via broadcast satellite and requiring cryptographic authentication.
Perhaps under contract, trusted host X belonging to the Carol group rents client keys for both Alice and Helen and has server keys for Carol. Hosts Y and Z have only client keys for Carol. The Autokey protocol operates as previously described for each group separately while preserving security separation. Host X can prove identity in Carol to clients Y and Z, but cannot prove to anybody that she can sign certificates for either Alice or Helen.
Ordinarily, it would not be desirable to reveal the group key in server keys and forbidden to reveal it in client keys. This can be avoided using the MV identity scheme described later. It allows the same broadcast transmission to be authenticated by more than one key, one used internally by the laboratories (Alice and/or Helen) and the the other handed out to clients like Carol. In the MV scheme these keys can be separately activated upon subscription and deactivated if the subscriber fails to pay the bill.
The following example shows operational details where more than one group is involved, in this case Carol and Alice. As in the previous example, Brenda has configured Alice as her time source and Denise has configured Carol as her time source. Alice and Carol have server keys; Brenda and Denise have server and client keys only for their respective groups. Eileen has client keys for both Alice and Carol. The protocol operates as previously described to verify Alice to Brenda and Carol to Denise.
The interesting case is Eileen, who may verify identity via Brenda or
Denise or both. To do that she uses the client keys of both Alice and
Carol. But, Eileen doesn't know which of the two keys to use until
hiking the certificate trail to find the trusted certificate of either
Alice or Carol and then loading the associated local key. This scenario
can of course become even more complex as the number of servers and
depth of the tree increase. The bottom line is that every host must
have the client keys for all the lowest-stratum trusted hosts it is
ever likely to find.
13.7.2.4 Identity Schemes
While the identity scheme described in RFC-2875 is based on a ubiquitous Diffie-Hellman infrastructure, it is expensive to generate and use when compared to others described here. There are five schemes now implemented in Autokey to prove identity: (1) private certificates (PC), (2) trusted certificates (TC), (3) a modified Schnorr algorithm (IFF aka Identify Friendly or Foe), (4) a modified Guillou-Quisquater algorithm (GQ), and (5) a modified Mu-Varadharajan algorithm (MV).
For more information, see Section 13.7.4.
13.7.3 Naming and Addressing
Note that Autokey does not use DNS to resolve addresses, because DNS cannot be completely trusted until the name servers have synchronized clocks. The cryptographic name used by Autokey to bind the host identity credentials and cryptographic values must be independent of interface, network and any other naming convention. The name appears in the host certificate in either or both the subject and issuer fields, so protection against DNS compromise is essential.
By convention, the name of an Autokey host is the name returned by the gethostname() call. By the system design model, there are no provisions to allow alternate names or aliases. However, this is not to say that DNS aliases, different names for each interface, etc., are constrained in any way.
Also note that Autokey verifies authenticity using the host name,
network address and public keys, all of which are bound together by the
protocol specifically to deflect masquerade attacks. For this reason
Autokey includes the source and destination IP addresses in message
digest computations and so the same addresses must be available at both
the server and client. For this reason operation with network address
translation schemes is not possible. This reflects the intended robust
security model where government and corporate NTP servers are operated
outside firewall perimeters.
13.7.4 Operation
A specific combination of authentication scheme (none, symmetric key, public key) and identity scheme is called a cryptotype, although not all combinations are compatible. There may be management configurations where the clients, servers, and peers may not all support the same cryptotypes. A secure NTPv4 subnet can be configured in many ways while keeping in mind the principles explained above and in this section. Note, however, that some cryptotype combinations may successfully interoperate with each other, but may not represent good security practice.
The cryptotype of an association is determined at the time of mobilization, either at configuration time or sometime later when a message of appropriate cryptotype arrives. When mobilized by a server or peer configuration command and no key or autokey subcommands are present, the association is not authenticated; if the key subcommand is present, the association is authenticated using the symmetric key ID specified; if the autokey subcommand is present, the association is authenticated using Autokey.
When multiple identity schemes are supported in the Autokey protocol, the first message exchange determines which one is used, called the cryptotype. The client request message contains bits corresponding to which schemes it has available. The server response message contains bits corresponding to which schemes it has available. Both server and client match the received bits with their own and select a common scheme.
Following the principle that time is a public value, a server responds to any client packet that matches its cryptotype capabilities. Thus, a server receiving an unauthenticated packet will respond with an unauthenticated packet, while the same server receiving a packet of a cryptotype it supports will respond with packets of that cryptotype. However, unconfigured broadcast or manycast client associations or symmetric passive associations will not be mobilized unless the server supports a cryptotype compatible with the first packet received. By default, unauthenticated associations will not be mobilized unless overridden in a decidedly dangerous way.
Some examples may help to reduce confusion. Client Alice has no specific cryptotype selected. Server Bob has both a symmetric key file and minimal Autokey files. Alice's unauthenticated messages arrive at Bob, who replies with unauthenticated messages. Cathy has a copy of Bob's symmetric key file and has selected key ID 4 in messages to Bob. Bob verifies the message with his key ID 4. If it is the same key and the message is verified, Bob sends Cathy a reply authenticated with that key. If verification fails, Bob sends Cathy a thing called a crypto-NAK, which tells her something broke. She can see the debris using the ntpq program.
Denise has rolled her own host key and certificate. She also uses one of the identity schemes that Bob uses. She sends the first Autokey message to Bob and they both dance the protocol authentication and identity steps. If all turns out well, Denise and Bob continue as described above.
It should be clear from the above that Bob can support all the girls at the same time, as long as he has compatible authentication and identity credentials. Now, Bob can act just like the girls in his own choice of servers; he can run multiple configured associations with multiple different servers (or the same server, although that might not be useful). But, wise security policy might preclude some cryptotype combinations; for instance, running an identity scheme with one server and no authentication with another might not be wise.
Previous | Next | Contents | Index |