Logo of the European Computer Security Incident Response Team Network (eCSIRT.net)

Using the cryptographically authenticated time server (Crypto NTP)

eCSIRT.net > Services > Crypto-NTP  

The PRESECURE cryptographic NTP timeserver

The PRESECURE Consulting GmbH operates a timeserver that offers a cryptographically authenticated time service. The server receives its time signal from a DCF-77 (also hereRadio Clock. This documentation describes how to compile and configure an ntp client to use this service.

Our timeserver time.pre-secure.de offers a cryptographically authenticated time service via the Network Time Protocol (NTP)  and its identity  mechanism "Autokey Version 2".

A general description of autokey and its schemes can be found under http://www.eecis.udel.edu/~mills/ident.html and http://www.eecis.udel.edu/~mills/ntp/html/authopt.html.

From the different identity schemes which are supported by the autokey mechanism, ntp.pre-secure.de only offers the "Schnorr (IFF) Cryptosystem". In this cryptosystem, each host holds its own private hostkey and a matching certificate. This keypair can be generated (and regenerated at any time)  by each individual system taking part in the identity scheme. Additionally, each host that wants to join the group needs to hold a group key, the IFF-key.

Setting up a system to use the IFF scheme is relatively simple, but currently only the development version of ntpd supports autokey 2. We have tested the timeserver with client versions 4.1.74 and 4.1.80-rc1. We recommend you use 4.1.80-rc1 or any more recent development version.
This documentation assumes you are familiar with NTP and the ntpd in general. (If you are not, further documentation can be found at http://www.ntp.org for example.)

First you need to download the ntpd-sources from http://www.ntp.org/development.html and the files specific
to time.pre-secure.de from this site.

The files you need are:

The host you install ntpd on also needs a recent installation of OpenSSL for the cryptographic algorithms it uses. Most current systems should already have that. If not, download it from their website and install it before continuing with the installation of ntpd.

Before we start building ntpd, one important notice:

NTP with Autokey does not work from a host that is behind a masquerading or NAT host!

This documentation assumes you will compile ntpd on some kind of *NIX system. If you want to compile ntpd under some other OS (e.g. windows), send me (ntpadmin@pre-secure) a mail and I will try to give you any help I can.

Requirements for installation:

Step-by-step documentation:

  1. Download all the files listed above and put them all into one directory. This directory will be used to build ntpd in. It must be writable for the user-ID you compile ntpd as.
  2. Decide where ntpd should be installed. The default is /usr/local/ntp.  This directory must exist and be writable before you begin compiling ntpd.
  3. Open the build skript (build_ntp.sh) with an editor and look through the first set of configuration variables (up to line 61). Most variables should be fine with the default setting.
  4. Execute the build skript. In this step, ntpd will be configured, build, and installed with a config file to access time.pre-secure.de. Additionally, all necessary key material will be generated.
  5. Check your system clock. With the current configuration it must not be out of sync by more than 1000s (~15min). If it is, do a rough correction by hand.
  6. You're done! Now you can start the ntpd daemon with <installpath>/bin/ntpd -c <installpath>/etc/ntpd.conf

Once ntpd is running, you can see some logging in <installpath>/var/log/ntp. A startup should look something like this. Note the long time this log snippet covers. It can take up to 10 minutes after startup until the client has established an authenticated association with the server.

     27 Aug 15:49:55 ntpd[9876]: frequency initialized 27.710 PPM from /services/daemon/ntp/var/log/ntp.drift
     27 Aug 15:49:55 ntpd[9876]: system event 'event_restart' (0x01) status 'sync_alarm, sync_unspec, 1 event, event_unspec' (0xc010)
     27 Aug 15:52:05 ntpd[9876]: peer event 'event_reach' (0x84) status 'unreach, conf, auth, 1 event, event_reach' (0xe014)
     27 Aug 15:56:25 ntpd[9876]: system event 'event_peer/strat_chg' (0x04) status 'sync_alarm, sync_ntp, 2 events, event_restart' (0xc621)
     27 Aug 15:56:25 ntpd[9876]: kernel time discipline status change 41
     27 Aug 15:56:25 ntpd[9876]: system event 'event_sync_chg' (0x03) status 'leap_none, sync_ntp, 3 events, event_peer/strat_chg' (0x634)
     27 Aug 15:56:25 ntpd[9876]: system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_ntp, 4 events, event_sync_chg' (0x643)

You can use the ntpq utility to check the status of your client. Use the "assoc" command to do this. Just after startup you should get the first of the two outputs below. After the association is in place, you should get the second output. At some point (after 5-10 minutes) the condition field should change to sys.peer. If this does not happen, something is wrong with your installation.

     user@system:~> /usr/local/ntp/bin/ntpq localhost
     ind assID status  conf reach auth condition  last_event cnt
       1 34772  e000   yes   yes   ok     reject

     ntpq> assoc
     ind assID status  conf reach auth condition  last_event cnt
       1 55524  f614   yes   yes   ok   sys.peer   reachable  1

The default configuration that is created by build_ntp.sh is a pretty restrictive setup. By default, the client talks to the server and accepts queries from, that's it. If you want to further distribute the time to other machines, you will have to change the settings in the config file <installpath>/etc/ntpd.conf. How access-control is handled is described on the Access Control Options Page (http://www.eecis.udel.edu/~mills/ntp/html/accopt.html) of the ntpd documentation.

Please send us a note!
If you use our NTP service, please drop us a mail to ntpadmin@pre-secure.de  and tell us so. Just to make it easier for us to track how many systems use our service. Thanks.

This concludes the short installation documentation. Comments and suggestions are always welcome. Send them to the address above. If you have problems compiling or using ntpd with our timeserver, feel free to contact us as well.


The hostname patch

In its operation ntpd uses as hostname whatever is returned by the gethostname system call. Some systems have the hostname set to just the simple hostname without any domain part, other systems return a FQDN. By default, ntpd does not allow the administrator to influence that value through the configuration file. We wrote a patch to ntpd that adds a new configuration directive hostname that can be used to manually set the hostname that is used by ntpd. You can use this patch to make ntpd not use the hostname but a name that reflects a DNS name that stands for one of the systems IP adresses or even some host alias, like we do with time.pre-secure.de.  In almost all cases this is more of a cosmetic than a functional issue.

To use the hostname patch, download it via the link above, put it in the same directory as the other files. Then set the variable WITH_HOSTNAME_PATCH to "yes" and set the variable "HOSTNAME" to whatever hostname which you want your client to use in its communication. The build skript takes care of the rest.

Again, if you experience difficulties, drop us a mail to ntpadmin@pre-secure.de 

eCSIRT.net > Services > Crypto-NTP  
eCSIRT.net eCSIRT.net
The European Computer Security Incident Response Team Network
News | Sitemap | Imprint | Privacy Statement | Contact | Top
Last changed: October 06, 2003 / TD
Copyright © 2002-2003 by PRESECURE Consulting GmbH, Germany
Signed with PGP!This page is digitally signed with PGP! eCSIRT.net