Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Security Analysis of Version 2 of the Network Time Protocol NTP Matt Bishop Presented by Alexander Gorman.

Published byBeatrice Roberts Modified over 9 years ago

Similar presentations

Presentation on theme: "A Security Analysis of Version 2 of the Network Time Protocol NTP Matt Bishop Presented by Alexander Gorman."— Presentation transcript:

1 A Security Analysis of Version 2 of the Network Time Protocol NTP Matt Bishop Presented by Alexander Gorman

2 Goal of Paper  Examine the security requirements of the Network Time Protocol (version 2)  Determine if version 2 meets requirements  Suggest Improvements

3 My Goals  Describe version 2 of NTP  Analyze attacks  Improvements

4 Attacks  Masquerade  Modification  Replay  DoS  Delay

5 Assumptions  Messages leave source uncorrupted  Not altered on arrival  Focus on transmission

6 NTP  NTP = Network Time Protocol  Primary time servers  Secondary time servers  Stratum Number Measure distance from primary to secondary time serverMeasure distance from primary to secondary time server

7 NTP A B C Top level stratum Level 2 stratum Level 3 Stratum Primary

8 NTP Rules  Primary time servers synchronized by external system  Secondary time servers synchronized by: Primary time serverPrimary time server Another secondary time server with lower stratum numberAnother secondary time server with lower stratum number

9 Association Modes Non-Server sync with NTP Server  Client What time is it?What time is it? Send msgs to peersSend msgs to peers  Server Created when received client msgCreated when received client msg Responds with server’s time, terminatesResponds with server’s time, terminates  Broadcast Sends periodic time messagesSends periodic time messages

10 Association Modes Time Server sync with other Time Servers  Symmetric active Broadcast sync msgsBroadcast sync msgs  Symmetric passive If sender strata > receiver, reply + terminateIf sender strata > receiver, reply + terminate Else, sender syncs host and receiver responds with time msg of its own.Else, sender syncs host and receiver responds with time msg of its own. Note: Normally servers with high strata run in active mode

11 Smooth Data  Improve accuracy Algorithm 1 Compute roundtrip delay and offsetCompute roundtrip delay and offset Take sample from last 8 msgsTake sample from last 8 msgs Choose lowest delay and use associated offset as estimated clock offsetChoose lowest delay and use associated offset as estimated clock offset Estimate sample dispersionEstimate sample dispersion

12 Offset and Delay t i-3 titi t i-2 t i-1 C i = ((t i-2 - t i-3 ) + (t i-1 – t i )) / 2 D i = (t i – t i-3 ) + (t i-1 – t i-2 )

13 Selection of Source Peer  Algorithm 2 Who should sync clock?Who should sync clock? Uses Algorithm 1Uses Algorithm 1 List is sorted and scanned repeatedlyList is sorted and scanned repeatedly  Clock dispersion relative to peer is computed  Highest dispersion eliminated Only one source leftOnly one source left

14 Receive and Packet Procedures  When a msg (packet) is received either Error: packet discarded, association deletedError: packet discarded, association deleted Packet ProcedurePacket Procedure

15 Packet Procedures if (time packet transmitted=time last received packet transmitted) then sanity := true; if (time peer received last packet from host<>time last message sent to peer) then sanity := true; (*update association variables in Figure 3*) if (peer clock not synchronized) or (peer clock not updated for 1 day) then sanity := true; if (not authenticated correctly) then sanity := true; if (peer not preconfigured) and (packet’s stratum>peer’s stratum) then sanity := true; if sanity then (*discard message and exit*) if (packet originate timestamp= 0) or (time last message received by peer= 0) then (*exit; note sanity flag not set*) (*compute delay, offset, corrections, update local clock*)

16 Packet Procedures  Check Eliminate re-transmitted packetsEliminate re-transmitted packets  Packet not transmitted at the same time as the last one received from that peer Ensure messages are received in orderEnsure messages are received in order  The last packet received from the local host was indeed the one the local host sent to the peer Peer clock is synchronized correctlyPeer clock is synchronized correctly Packet is authenticated correctlyPacket is authenticated correctly Packet is preconfigured correctly andPacket is preconfigured correctly and Packet’s stratum level > peer’s stratum level FAILPacket’s stratum level > peer’s stratum level FAIL

17 Packet Procedure  If successful Resets internal variablesResets internal variables Adjusts local clock if necessaryAdjusts local clock if necessary Possibly select new peer as clock sourcePossibly select new peer as clock source

18 Security Mechanisms  Delay Compensation  Access Control  Authentication

19 Delay Compensation  Compensate for network delays  Algorithm calculates roundtrip delay and clock offset relative to peer  Applies statistical procedure to update clock (see book Network Time Protocol (Version 2) Specification and Implementation) (see book Network Time Protocol (Version 2) Specification and Implementation)

20 Access Control  All hosts partitioned into 3 groups TrustedTrusted  Allowed to synchronize the local clock  Either preconfigured or based on trusted ticket service (Kerberos) FriendlyFriendly  Sent NTP msgs and timestamps when needed  Cannot change local clock OthersOthers  Messages from this group are ignored

21 Authentication  Covers Authentication and integrity  Packet in authenticated mode TransmittedTransmitted  NTP packet (except for authenticator) is checksummed using active peer’s key  Key depends on mode

22 Authentication if peer.config = 0 then if(authenticator in message data) then peer.authenable := 1 else peer.authenable := 0; if peer.authenable =1 then begin peer.authentic := 0; if (authenticator in message data) then begin peer.keyid := packet.keyid; compute_mac(mac, peer.keyid, packet); if peer.keyid <> 0 and mac = packet.check then peer.authentic := 1; end; (*if peer.authenable is 0, authentication is not done;*) (*otherwise if peer.authentic is 0, the integrity of the *) (*packet’s contents are suspect*)

23 Authentication Packet ReceivedPacket Received  If msg contains authentication info Index # of peer’s key reset to that in packetIndex # of peer’s key reset to that in packet Checksum recomputed and compared to transmitted checksumChecksum recomputed and compared to transmitted checksum If checksums match check succeedsIf checksums match check succeeds  If packet has no authentication info Check fails, routine exitsCheck fails, routine exits

24 Analysis of Security  Analyze the following: Access ControlAccess Control AuthenticationAuthentication

25 Access Control  Relies completely on an unauthenticated source address (in the absence of an integrity checking mechanism)  Solution: routing info  IP record route

26 Authentication Key index can be alteredKey index can be altered Check is only 64bitsCheck is only 64bits No key distribution mechanism definedNo key distribution mechanism defined Keys used on a per host basisKeys used on a per host basis  Could lead to a compromise of all hosts that peer synchronizes

27 Attacks  Goal  Attack  Effect  Countermeasure

28 Masquerade  Goal  Convince timekeeper that attacker is authorized to synchronize it  Attack  Send a victim packets with source address of timekeeper  Effects  If host is known None if change is drasticNone if change is drastic Drift created if timestamps changed graduallyDrift created if timestamps changed gradually  Unknown host Compromise server by sending 8 uninterrupted messagesCompromise server by sending 8 uninterrupted messages Send msgs claiming low stratum numberSend msgs claiming low stratum number  Countermeasure  Use authentication  Do not allow non-preconfigured peer to become clock source

29 Message Modification  Goal Alter msgs from one timekeeper to another to cause incorrect synchronizationAlter msgs from one timekeeper to another to cause incorrect synchronization  Attack Alter packets sent to victimAlter packets sent to victim  Different types of attacks

30 Modification Attacks  Integrity the recipient’s clock pkt.rec, pkt.xmt, pkt.precisionpkt.rec, pkt.xmt, pkt.precision  Change round trip delay

31 Modification Attack pkt.versionDoS pkt.mode Disconnection of association pkt.stratum Lower stratum pkt.ppoll Affects polling interval pkt.distance Affects roundtrip delay, effect choice of clock source and frequency of polling pkt.dispersion Affects estimated dispersion

32 Modification  Countermeasures Use Authentication!Use Authentication! Stratum level used only if checks passStratum level used only if checks pass Access controls indicate if connection is trustedAccess controls indicate if connection is trusted

33 Replay  Goal Intercept + resend NTP msgs to cause recipient to incorrectly resynchronizeIntercept + resend NTP msgs to cause recipient to incorrectly resynchronize Disable active associationDisable active association  Attack Record msgs + replay them laterRecord msgs + replay them later  Effects Alternate and replayAlternate and replay Reset local clock to earlier timeReset local clock to earlier time  Counter Reject any msg with a timestamp older last msg receivedReject any msg with a timestamp older last msg received Create a special msg when clock needs to be changed backwardsCreate a special msg when clock needs to be changed backwards Route basedRoute based

34 Delay  Goal Cause incorrect resynchronizationCause incorrect resynchronization Disable active associationDisable active association  Attack Artificially increase the roundtrip delay of an associationArtificially increase the roundtrip delay of an association  Effects Delay packets in sampleDelay packets in sample Peer sending packets not sourcePeer sending packets not source Results in having no source, DoSResults in having no source, DoS  Counter Redundancy of clock sourcesRedundancy of clock sources

35 DoS  Goal Prevent NTP msgs from one timekeeper to anotherPrevent NTP msgs from one timekeeper to another  Attack Prevent packets from clock sources from reaching an NTP hostPrevent packets from clock sources from reaching an NTP host  Effects Forces NTP to run under its own clock, high drift!Forces NTP to run under its own clock, high drift!  Counter Redundancy of clock sourcesRedundancy of clock sources

36 Combined Attack  Very effective  E.g. Deny a secondary server from all but one source, and delay packets from source  To counter, deal with each component attack separately

37 Suggestions  Internal Mechanisms Assume no underlying security mechanismAssume no underlying security mechanism  Always use Authentication  Keys used per-path not per-host  Base Access Control on recorded routes  Change variables after packet passes checks  Further restrict values of variables  Increase sample size  Require special packet to set clock backwards  Redundancy, server should have many sources

38 Suggestions  External Secure transmissionSecure transmission Run into problems with this schemeRun into problems with this scheme  Public-key checksum - Too slow!  IP does not provide sufficient security Strict source does not work!Strict source does not work!

39 Conclusion  NTP has some weaknesses, but well designed  Remember, security analyst’s view May or may not impact goals of protocolMay or may not impact goals of protocol

40 Questions?

Download ppt "A Security Analysis of Version 2 of the Network Time Protocol NTP Matt Bishop Presented by Alexander Gorman."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
HIERARCHY REFERENCING TIME SYNCHRONIZATION PROTOCOL Prepared by : Sunny Kr. Lohani, Roll – 16 Sem – 7, Dept. of Comp. Sc. & Engg.

HIERARCHY REFERENCING TIME SYNCHRONIZATION PROTOCOL Prepared by : Sunny Kr. Lohani, Roll – 16 Sem – 7, Dept. of Comp. Sc. & Engg.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
Distributed Systems Fall 2010 Time and synchronization.

Distributed Systems Fall 2010 Time and synchronization.
1 Fall 2005 Hardware Addressing and Frame Identification Qutaibah Malluhi CSE Department Qatar University.

1 Fall 2005 Hardware Addressing and Frame Identification Qutaibah Malluhi CSE Department Qatar University.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Internet Networking Spring 2003

Internet Networking Spring 2003
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Lecture 9: Time & Clocks CDK4: Sections 11.1 – 11.4 CDK5: Sections 14.1 – 14.4 TVS: Sections 6.1 – 6.2 Topics: Synchronization Logical time (Lamport) Vector.

Lecture 9: Time & Clocks CDK4: Sections 11.1 – 11.4 CDK5: Sections 14.1 – 14.4 TVS: Sections 6.1 – 6.2 Topics: Synchronization Logical time (Lamport) Vector.
Lecture 2-1 CS 425/ECE 428 Distributed Systems Lecture 2 Time & Synchronization Reading: 11.1-11.4 Klara Nahrstedt.

Lecture 2-1 CS 425/ECE 428 Distributed Systems Lecture 2 Time & Synchronization Reading: Klara Nahrstedt.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
1 Physical Clocks need for time in distributed systems physical clocks and their problems synchronizing physical clocks u coordinated universal time (UTC)

1 Physical Clocks need for time in distributed systems physical clocks and their problems synchronizing physical clocks u coordinated universal time (UTC)
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks Locations.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks Locations.
Enhanced NTP IETF – TicToc BOF Greg Dowd – Jeremy Bennington –

Enhanced NTP IETF – TicToc BOF Greg Dowd – Jeremy Bennington –
A Security Analysis of the Network Time Protocol (NTP) Presentation by Tianen Liu.

A Security Analysis of the Network Time Protocol (NTP) Presentation by Tianen Liu.

Similar presentations

Ads by Google