Deleted: authentic.html (330106)
Added: authentic.html (338530)
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2<html>
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2<html>
3
4
5
6Authentication Support
7<link href="scripts/style.css" type="text/css" rel="stylesheet">
8<style type="text/css">
9<!--
10<style1 {
11color: #FF0000;
12 font-weight: bold;
13}
14.style1 {color: #FF0000}
15-->
16</style>
17</head>
18<body>
19<h3>Authentication Support</h3>
20<img src="pic/alice44.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
21<p>Our resident cryptographer; now you see him, now you don't.</p>
22<p>Last update:
23 <!-- #BeginDate format:En2m -->5-Feb-2016 09:13<!-- #EndDate -->
24 UTC</p>
25<br clear="left">
26<h4>Related Links</h4>
27<script type="text/javascript" language="javascript" src="scripts/hand.txt"></script>
28<script type="text/javascript" language="javascript" src="scripts/authopt.txt"></script>
29<h4>Table of Contents</h4>
30<ul>
31 <li class="inline"><a href="#auth">Introduction</a></li>
32 <li class="inline"><a href="#symm">Symmetric Key Cryptography</a></li>
33 <li class="inline"><a href="#windows">Microsoft Windows Authentication</a></li>
34 <li class="inline"><a href="#pub">Public Key Cryptography</a></li>
35</ul>
36<hr>
37<h4 id="auth">Introduction</h4>
38<p>This page describes the various cryptographic authentication provisions in NTPv4. Authentication support allows the NTP client to verify that servers are in fact known and trusted and not intruders intending accidentally or intentionally to masquerade as a legitimate server. A detailed discussion of the NTP multi-layer security model and vulnerability analysis is in the white paper <a href="http://www.eecis.udel.edu/~mills/security.html">NTP Security Analysis</a>.</p>
39<p> The NTPv3 specification (RFC-1305) defined an authentication scheme properly described as <em>symmetric key cryptography</em>. It used the Data Encryption Standard (DES) algorithm operating in cipher-block chaining (CBC) mode. Subsequently, this algorithm was replaced by the RSA Message Digest 5 (MD5) algorithm commonly called keyed-MD5. Either algorithm computes a message digest or one-way hash which can be used to verify the client has the same message digest as the server. The MD5 message digest algorithm is included in the distribution, so without further cryptographic support, the distribution can be freely exported.</p>
40<p>If the OpenSSL cryptographic library is installed prior to building the distribution, all message digest algorithms included in the library may be used, including SHA and SHA1. However, if conformance to FIPS 140-2 is required, only a limited subset of these algorithms can be used. This library is available from <a href="http://www.openssl.org">http://www.openssl.org</a> and can be installed using the procedures outlined in the <a href="build.html">Building and Installing the Distribution</a> page. Once installed, the configure and build process automatically detects the library and links the library routines
41required.</p>
42<p>In addition to the symmetric key algorithms, this distribution includes support for the Autokey public key algorithms and protocol specified in RFC-5906 &quot;Network Time Protocol Version 4: Autokey Specification&quot;. This support is available only if the OpenSSL library has been installed and the <tt>--enable-autokey</tt> option is used when the distribution is built.</p>
43<p> Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on private and public values which are generated by each participant and where the private value is never revealed. Autokey uses X.509 public certificates, which can be produced by commercial services, the OpenSSL application program, or the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility program in the NTP software distribution.</p>
44<p>Note that according to US law, NTP binaries including OpenSSL library components, including the OpenSSL library itself, cannot be exported outside the US without license from the US Department of Commerce. Builders outside the US are advised to obtain the OpenSSL library directly from OpenSSL, which is outside the US, and build outside the US.</p>
45<p>Authentication is configured separately for each association using the <tt>key</tt> or <tt>autokey</tt> option of the <tt>server</tt> configuration command, as described in the <a href="confopt.html">Server Options</a> page. The <a href="keygen.html">ntp-keygen</a> page describes the files required for the various authentication schemes. Further details are in the briefings, papers and reports at the NTP project page linked from <a href="http://www.ntp.org">www.ntp.org</a>.</p>
46<p>By default, the client sends non-authenticated packets and the server responds with non-authenticated packets. If the client sends authenticated packets, the server responds with authenticated packets if correct, or a crypto-NAK packet if not. In the case of unsolicited packets which might consume significant resources, such as broadcast or symmetric mode packets, authentication is required, unless overridden by a <tt>disable auth</tt> command. In the current climate of targeted broadcast or &quot;letterbomb&quot; attacks, defeating this requirement would be decidedly dangerous. In any case, the <tt>notrust </tt>flag, described on the <a href="authopt.html">Access Control Options</a> page, can be used to disable access to all but correctly authenticated clients.</p>
47<h4 id="symm">Symmetric Key Cryptography</h4>
48<p>The original NTPv3 specification (RFC-1305), as well as the current NTPv4 specification (RFC-5905), allows any one of possibly 65,534 message digest keys (excluding zero), each distinguished by a 32-bit key ID, to authenticate an association. The servers and clients involved must agree on the key ID, key type and key to authenticate NTP packets.</p>
49<p>The message digest is a cryptographic hash computed by an algorithm such as MD5, SHA, or AES-128 CMAC. When authentication is specified, a message authentication code (MAC) is appended to the NTP packet header. The MAC consists of a 32-bit key identifier (key ID) followed by a 128- or 160-bit message digest. The algorithm computes the digest as the hash of a 128- or 160- bit message digest key concatenated with the NTP packet header fields with the exception of the MAC. On transmit, the message digest is computed and inserted in the MAC. On receive, the message digest is computed and compared with the MAC. The packet is accepted only if the two MACs are identical. If a discrepancy is found by the client, the client ignores the packet, but raises an alarm. If this happens at the server, the server returns a special message called a <em>crypto-NAK</em>. Since the crypto-NAK is protected by the loopback test, an intruder cannot disrupt the protocol by sending a bogus crypto-NAK.</p>
50<p>Keys and related information are specified in a keys file, which must be distributed and stored using secure means beyond the scope of the NTP protocol itself. Besides the keys used for ordinary NTP associations, additional keys can be used as passwords for the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs. Ordinarily, the <tt>ntp.keys</tt> file is generated by the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can be constructed and edited using an ordinary text editor.</p>
51<p> Each line of the keys file consists of three or four fields: a key ID in the range 1 to 65,534, inclusive, a key type, a message digest key consisting of a printable ASCII string less than 40 characters or a 40-character hex digit string, and an optional comma-separated list of IPs that are allowed to serve time. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by the library. If the OpenSSL library is not installed, the only permitted key type is MD5.</p>
52<table>
53 <caption style="caption-side: bottom;">
54 Figure 1. Typical Symmetric Key File
55 </caption>
56 <tr><td style="border: 1px solid black; border-spacing: 0;">
57 <pre style="color:grey;">
58# ntpkey_MD5key_bk.ntp.org.3595864945
59# Thu Dec 12 19:22:25 2013
3 <head>
4 <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
5 <meta name="generator" content="HTML Tidy, see www.w3.org">
6 <title>Authentication Support</title>
7 <!-- Changed by: Harlan Stenn, 24-Jul-2018 -->
8 <link href="scripts/style.css" type="text/css" rel="stylesheet">
9 <style type="text/css">
10 <!--
11 <style1 {
12 color: #FF0000;
13 font-weight: bold;
14 }
15 .style1 {color: #FF0000}
16 -->
17 </style>
18 </head>
19 <body>
20 <h3>Authentication Support</h3>
21 <img src="pic/alice44.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
22 <p>Our resident cryptographer; now you see him, now you don't.</p>
23 <p>Last update:
24 <!-- #BeginDate format:En2m -->24-Jul-2018 09:12<!-- #EndDate -->
25 UTC</p>
26 <br clear="left">
27 <h4>Related Links</h4>
28 <script type="text/javascript" language="javascript" src="scripts/hand.txt"></script>
29 <script type="text/javascript" language="javascript" src="scripts/authopt.txt"></script>
30 <h4>Table of Contents</h4>
31 <ul>
32 <li class="inline"><a href="#auth">Introduction</a></li>
33 <li class="inline"><a href="#symm">Symmetric Key Cryptography</a></li>
34 <li class="inline"><a href="#windows">Microsoft Windows Authentication</a></li>
35 <li class="inline"><a href="#pub">Public Key Cryptography</a></li>
36 </ul>
37 <hr>
38 <h4 id="auth">Introduction</h4>
39 <p>This page describes the various cryptographic authentication
40 provisions in NTPv4. Authentication support allows the NTP client to
41 verify that servers are in fact known and trusted and not intruders
42 intending accidentally or intentionally to masquerade as a legitimate
43 server. A detailed discussion of the NTP multi-layer security model
44 and vulnerability analysis is in the white
45 paper <a href="http://www.eecis.udel.edu/~mills/security.html">NTP
46 Security Analysis</a>.</p>
47 <p>The NTPv3 specification (RFC-1305) defined an authentication scheme
48 properly described as <em>symmetric key cryptography</em>. It used
49 the Data Encryption Standard (DES) algorithm operating in cipher-block
50 chaining (CBC) mode. Subsequently, this algorithm was replaced by the
51 RSA Message Digest 5 (MD5) algorithm commonly called keyed-MD5.
52 Either algorithm computes a message digest or one-way hash which can
53 be used to verify the client has the same message digest as the
54 server. The MD5 message digest algorithm is included in the
55 distribution, so without further cryptographic support, the
56 distribution can be freely exported.</p>
57 <p>If the OpenSSL cryptographic library is installed prior to building
58 the distribution, all message digest algorithms included in the
59 library may be used, including SHA and SHA1. However, if conformance
60 to FIPS 140-2 is required, only a limited subset of these algorithms
61 can be used. This library is available
62 from <a href="http://www.openssl.org">http://www.openssl.org</a> and
63 can be installed using the procedures outlined in
64 the <a href="build.html">Building and Installing the Distribution</a>
65 page. Once installed, the configure and build process automatically
66 detects the library and links the library routines required.</p>
67 <p>In addition to the symmetric key algorithms, this distribution
68 includes support for the Autokey public key algorithms and protocol
69 specified in RFC-5906 &quot;Network Time Protocol Version 4: Autokey
70 Specification&quot;. This support is available only if the OpenSSL
71 library has been installed and the <tt>--enable-autokey</tt> option is
72 used when the distribution is built.</p>
73 <p> Public key cryptography is generally considered more secure than
74 symmetric key cryptography, since the security is based on private and
75 public values which are generated by each participant and where the
76 private value is never revealed. Autokey uses X.509 public
77 certificates, which can be produced by commercial services, the
78 OpenSSL application program, or
79 the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility program in
80 the NTP software distribution.</p>
81 <p>Note that according to US law, NTP binaries including OpenSSL library
82 components, including the OpenSSL library itself, cannot be exported
83 outside the US without license from the US Department of Commerce.
84 Builders outside the US are advised to obtain the OpenSSL library
85 directly from OpenSSL, which is outside the US, and build outside the
86 US.</p>
87 <p>Authentication is configured separately for each association using
88 the <tt>key</tt> or <tt>autokey</tt> option of the <tt>server</tt>
89 configuration command, as described in
90 the <a href="confopt.html">Server Options</a> page.
91 The <a href="keygen.html">ntp-keygen</a> page describes the files
92 required for the various authentication schemes. Further details are
93 in the briefings, papers and reports at the NTP project page linked
94 from <a href="http://www.ntp.org">www.ntp.org</a>.</p>
95 <p>By default, the client sends non-authenticated packets and the server
96 responds with non-authenticated packets. If the client sends
97 authenticated packets, the server responds with authenticated packets
98 if correct, or a crypto-NAK packet if not. In the case of unsolicited
99 packets which might consume significant resources, such as broadcast
100 or symmetric mode packets, authentication is required, unless
101 overridden by a <tt>disable auth</tt> command. In the current climate
102 of targeted broadcast or &quot;letterbomb&quot; attacks, defeating
103 this requirement would be decidedly dangerous. In any case,
104 the <tt>notrust </tt>flag, described on
105 the <a href="authopt.html">Access Control Options</a> page, can be
106 used to disable access to all but correctly authenticated clients.</p>
107 <h4 id="symm">Symmetric Key Cryptography</h4>
108 <p>The original NTPv3 specification (RFC-1305), as well as the current
109 NTPv4 specification (RFC-5905), allows any one of possibly 65,535
110 message digest keys (excluding zero), each distinguished by a 32-bit
111 key ID, to authenticate an association. The servers and clients
112 involved must agree on the key ID, key type and key to authenticate
113 NTP packets.</p>
114 <p>The message digest is a cryptographic hash computed by an algorithm
115 such as MD5, SHA, or AES-128 CMAC. When authentication is specified,
116 a message authentication code (MAC) is appended to the NTP packet
117 header. The MAC consists of a 32-bit key identifier (key ID) followed
118 by a 128- or 160-bit message digest. The algorithm computes the
119 digest as the hash of a 128- or 160- bit message digest key
120 concatenated with the NTP packet header fields with the exception of
121 the MAC. On transmit, the message digest is computed and inserted in
122 the MAC. On receive, the message digest is computed and compared with
123 the MAC. The packet is accepted only if the two MACs are identical.
124 If a discrepancy is found by the client, the client ignores the
125 packet, but raises an alarm. If this happens at the server, the
126 server returns a special message called a <em>crypto-NAK</em>. Since
127 the crypto-NAK is protected by the loopback test, an intruder cannot
128 disrupt the protocol by sending a bogus crypto-NAK.</p>
129 <p>Keys and related information are specified in a keys file, which must
130 be distributed and stored using secure means beyond the scope of the
131 NTP protocol itself. Besides the keys used for ordinary NTP
132 associations, additional keys can be used as passwords for
133 the <tt><a href="ntpq.html">ntpq</a></tt>
134 and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.
135 Ordinarily, the <tt>ntp.keys</tt> file is generated by
136 the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can
137 be constructed and edited using an ordinary text editor.</p>
138 <p> Each line of the keys file consists of three or four fields: a key
139 ID in the range 1 to 65,535, inclusive, a key type, a message digest
140 key consisting of a printable ASCII string less than 40 characters or
141 a 40-character hex digit string, and an optional comma-separated list
142 of IPs that are allowed to serve time. If the OpenSSL library is
143 installed, the key type can be any message digest algorithm supported
144 by the library. If the OpenSSL library is not installed, the only
145 permitted key type is MD5.</p>
146 <table>
147 <caption style="caption-side: bottom;">
148 Figure 1. Typical Symmetric Key File
149 </caption>
150 <tr><td style="border: 1px solid black; border-spacing: 0;">
151 <pre style="color:grey;">
152 # ntpkey_MD5key_bk.ntp.org.3595864945
153 # Thu Dec 12 19:22:25 2013
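Review bot: the description of the optional fourth field at lines 141-142 ("an optional comma-separated list of IPs that are allowed to serve time") does not match the fuller description at lines 184-187, which adds the `/subnetbits` suffix and says the field limits acceptance of the key ID to packets "claiming to be from the described IP space". Suggest stating both in the first paragraph, and making explicit that the match is on the packet's source address, which is not itself authenticated, so the field narrows where a key is accepted but does not replace the MAC check. Separately, line 11 `<style1 {` is a malformed selector (the `<` should be `.`) carried over unchanged from the old file; since line 15 already defines `.style1 {color: #FF0000}`, lines 11-14 can be corrected or dropped. The change from 65,534 to 65,535 keys at line 109 is consistent with "1 to 65,535, inclusive" at line 139.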
60
154
611 MD5 L";Nw<`.I<f4U0)247"i # MD5 key
622 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
633 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
644 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
655 MD5 B;fxlKgr/&4ZTbL6=RxA # MD5 key
666 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key
677 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
688 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
699 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
7010 MD5 2late4Me # MD5 key
7111 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
7212 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
7313 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
7414 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
7515 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
7616 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
7717 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
7818 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
7919 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
8020 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
81 </pre></td></tr></table>
82<p>Figure 1 shows a typical keys file used by the reference implementation when the OpenSSL library is installed. In this figure, for key IDs in he range 1-10, the key is interpreted as a printable ASCII string. For key IDs in the range 11-20, the key is a 40-character hex digit string. The key is truncated or zero-filled internally to either 128 or 160 bits, depending on the key type. The line can be edited later or new lines can be added to change any field. The key can be changed to a password, such as <tt>2late4Me</tt> for key ID 10. Note that two or more keys files can be combined in any order as long as the key IDs are distinct.</p>
83<p>When <tt>ntpd</tt> is started, it reads the keys file specified by the <tt>keys</tt> command and installs the keys in the key cache. However, individual keys must be activated with the <tt>trustedkey</tt> configuration command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using <tt>ntpq</tt> or <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID used as the password for the <tt>ntpdc</tt> utility, while the <tt>controlkey</tt> command selects the key ID used as the password for the <tt>ntpq</tt> utility.</p>
84<h4 id="windows">Microsoft Windows Authentication</h4>
85<p>In addition to the above means, <tt>ntpd</tt> now supports Microsoft Windows MS-SNTP authentication using Active Directory services. This support was contributed by the Samba Team and is still in development. It is enabled using the <tt>mssntp</tt> flag of the <tt>restrict</tt> command described on the <a href="accopt.html#restrict">Access Control Options</a> page. <span class="style1">Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.</span></p>
86<h4 id="pub">Public Key Cryptography</h4>
87<p>See the <a href="autokey.html">Autokey Public-Key Authentication</a> page.</p>
88<hr>
89<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
90</body>
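Review bot: lines 61, 62 and 65 contain raw `<` and `&` inside the `<pre>` block (`L";Nw<`.I<f4U0)247"i`, `&>l0%XXK9O'51VwV<xq~`, `B;fxlKgr/&4ZTbL6=RxA`), which an HTML parser treats as tag and entity starts, so the key text can render garbled or swallow the text that follows; the replacement lines 155, 156 and 159 escape them as `&lt;` and `&amp;`, which is the correct fix.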
155 1 MD5 L";Nw&lt;`.I&lt;f4U0)247"i # MD5 key
156 2 MD5 &amp;&gt;l0%XXK9O'51VwV&lt;xq~ # MD5 key
157 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
158 4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
159 5 MD5 B;fxlKgr/&amp;4ZTbL6=RxA # MD5 key
160 6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key
161 7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
162 8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
163 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
164 10 MD5 2late4Me # MD5 key
165 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
166 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
167 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
168 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
169 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
170 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
171 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
172 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
173 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
174 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
175 21 MD5 sampo 10.1.2.3/24
176 </pre></td></tr></table>
177 <p>Figure 1 shows a typical symmetric keys file used by the reference
178 implementation when the OpenSSL library is installed. Each line of
179 the file contains three or four fields. The first field is an integer
180 between 1 and 65535, inclusive, representing the key identifier. The
181 second field is the digest algorithm, which in the absence of the
182 OpenSSL library must be <tt>MD5</tt>, which designates the MD5 message
183 digest algorithm. The third field is the key. The optional fourth
184 field is one or more comma-separated IPs. An IP may end with an
185 optional <tt>/subnetbits</tt> suffix, which limits the acceptance of
186 the key identifier to packets claiming to be from the described IP
187 space. In this example, for the key IDs in the range 1-10 the key is
188 interpreted as a printable ASCII string. For the key IDs in the range
189 11-20, the key is a 40-character hex digit string. In either case,
190 the key is truncated or zero-filled internally to either 128 or 160
191 bits, depending on the key type. The line can be edited later or new
192 lines can be added to change any field. The key can be changed to a
193 password, such as <tt>2late4Me</tt> for key ID 10. Note that two or
194 more keys files can be combined in any order as long as the key IDs
195 are distinct.</p>
196 <p>When <tt>ntpd</tt> is started, it reads the keys file specified by
197 the <tt>keys</tt> command and installs the keys in the key cache.
198 However, individual keys must be activated with
199 the <tt>trustedkey</tt> configuration command before use. This
200 allows, for instance, the installation of possibly several batches of
201 keys and then activating a key remotely using <tt>ntpq</tt>
202 or <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID
203 used as the password for the <tt>ntpdc</tt> utility, while
204 the <tt>controlkey</tt> command selects the key ID used as the
205 password for the <tt>ntpq</tt> utility.</p>
206 <h4 id="windows">Microsoft Windows Authentication</h4>
207 <p>In addition to the above means, <tt>ntpd</tt> now supports Microsoft
208 Windows MS-SNTP authentication using Active Directory services. This
209 support was contributed by the Samba Team and is still in development.
210 It is enabled using the <tt>mssntp</tt> flag of the <tt>restrict</tt>
211 command described on the <a href="accopt.html#restrict">Access Control
212 Options</a> page. <span class="style1">Note: Potential users should
213 be aware that these services involve a TCP connection to another
214 process that could potentially block, denying services to other users.
215 Therefore, this flag should be used only for a dedicated server with
216 no clients other than MS-SNTP.</span></p>
217 <h4 id="pub">Public Key Cryptography</h4>
218 <p>See the <a href="autokey.html">Autokey Public-Key Authentication</a>
219 page.</p>
220 <hr>
221 <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
222 </body>
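Review bot: the new example at line 175, `21 MD5 sampo 10.1.2.3/24`, pairs a host address with a /24 prefix, while lines 185-187 say the suffix restricts the key to the "described IP space"; writing it as `10.1.2.0/24` (or stating how non-zero host bits are treated) would remove the ambiguity, and adding the trailing `# MD5 key` comment the other lines carry keeps the figure uniform. Lines 192-193 also suggest changing a key to a password "such as 2late4Me"; since the key is the only secret in the MAC (lines 118-121), a short human-chosen key leaves any captured authenticated packet open to offline guessing, so the text should point readers to keys generated by ntp-keygen (line 136) and present the password form as an illustration of the syntax rather than a recommendation.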
91</html>
223</html>