summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5906.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5906.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5906.txt')
-rw-r--r--doc/rfc/rfc5906.txt3251
1 files changed, 3251 insertions, 0 deletions
diff --git a/doc/rfc/rfc5906.txt b/doc/rfc/rfc5906.txt
new file mode 100644
index 0000000..ce03e44
--- /dev/null
+++ b/doc/rfc/rfc5906.txt
@@ -0,0 +1,3251 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) B. Haberman, Ed.
+Request for Comments: 5906 JHU/APL
+Category: Informational D. Mills
+ISSN: 2070-1721 U. Delaware
+ June 2010
+
+
+ Network Time Protocol Version 4: Autokey Specification
+
+Abstract
+
+ This memo describes the Autokey security model for authenticating
+ servers to clients using the Network Time Protocol (NTP) and public
+ key cryptography. Its design is based on the premise that IPsec
+ schemes cannot be adopted intact, since that would preclude stateless
+ servers and severely compromise timekeeping accuracy. In addition,
+ Public Key Infrastructure (PKI) schemes presume authenticated time
+ values are always available to enforce certificate lifetimes;
+ however, cryptographically verified timestamps require interaction
+ between the timekeeping and authentication functions.
+
+ This memo includes the Autokey requirements analysis, design
+ principles, and protocol specification. A detailed description of
+ the protocol states, events, and transition functions is included. A
+ prototype of the Autokey design based on this memo has been
+ implemented, tested, and documented in the NTP version 4 (NTPv4)
+ software distribution for the Unix, Windows, and Virtual Memory
+ System (VMS) operating systems at http://www.ntp.org.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5906.
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 1]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 2]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 2. NTP Security Model ..............................................4
+ 3. Approach ........................................................7
+ 4. Autokey Cryptography ............................................8
+ 5. Autokey Protocol Overview ......................................12
+ 6. NTP Secure Groups ..............................................14
+ 7. Identity Schemes ...............................................19
+ 8. Timestamps and Filestamps ......................................20
+ 9. Autokey Operations .............................................22
+ 10. Autokey Protocol Messages .....................................23
+ 10.1. No-Operation .............................................26
+ 10.2. Association Message (ASSOC) ..............................26
+ 10.3. Certificate Message (CERT) ...............................26
+ 10.4. Cookie Message (COOKIE) ..................................27
+ 10.5. Autokey Message (AUTO) ...................................27
+ 10.6. Leapseconds Values Message (LEAP) ........................27
+ 10.7. Sign Message (SIGN) ......................................27
+ 10.8. Identity Messages (IFF, GQ, MV) ..........................27
+ 11. Autokey State Machine .........................................28
+ 11.1. Status Word ..............................................28
+ 11.2. Host State Variables .....................................30
+ 11.3. Client State Variables (all modes) .......................33
+ 11.4. Protocol State Transitions ...............................34
+ 11.4.1. Server Dance ......................................34
+ 11.4.2. Broadcast Dance ...................................35
+ 11.4.3. Symmetric Dance ...................................36
+ 11.5. Error Recovery ...........................................37
+ 12. Security Considerations .......................................39
+ 12.1. Protocol Vulnerability ...................................39
+ 12.2. Clogging Vulnerability ...................................40
+ 13. IANA Considerations ...........................................42
+ 13. References ....................................................42
+ 13.1. Normative References .....................................42
+ 13.2. Informative References ...................................43
+ Appendix A. Timestamps, Filestamps, and Partial Ordering .........45
+ Appendix B. Identity Schemes .....................................46
+ Appendix C. Private Certificate (PC) Scheme ......................47
+ Appendix D. Trusted Certificate (TC) Scheme ......................47
+ Appendix E. Schnorr (IFF) Identity Scheme ........................48
+ Appendix F. Guillard-Quisquater (GQ) Identity Scheme .............49
+ Appendix G. Mu-Varadharajan (MV) Identity Scheme .................51
+ Appendix H. ASN.1 Encoding Rules .................................54
+ Appendix I. COOKIE Request, IFF Response, GQ Response, MV
+ Response .............................................54
+ Appendix J. Certificates .........................................55
+
+
+
+
+Haberman & Mills Informational [Page 3]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+1. Introduction
+
+ A distributed network service requires reliable, ubiquitous, and
+ survivable provisions to prevent accidental or malicious attacks on
+ the servers and clients in the network or the values they exchange.
+ Reliability requires that clients can determine that received packets
+ are authentic; that is, were actually sent by the intended server and
+ not manufactured or modified by an intruder. Ubiquity requires that
+ a client can verify the authenticity of a server using only public
+ information. Survivability requires protection from faulty
+ implementations, improper operation, and possibly malicious clogging
+ and replay attacks.
+
+ This memo describes a cryptographically sound and efficient
+ methodology for use in the Network Time Protocol (NTP) [RFC5905].
+ The various key agreement schemes [RFC4306][RFC2412][RFC2522]
+ proposed require per-association state variables, which contradicts
+ the principles of the remote procedure call (RPC) paradigm in which
+ servers keep no state for a possibly large client population. An
+ evaluation of the PKI model and algorithms, e.g., as implemented in
+ the OpenSSL library, leads to the conclusion that any scheme
+ requiring every NTP packet to carry a PKI digital signature would
+ result in unacceptably poor timekeeping performance.
+
+ The Autokey protocol is based on a combination of PKI and a pseudo-
+ random sequence generated by repeated hashes of a cryptographic value
+ involving both public and private components. This scheme has been
+ implemented, tested, and deployed in the Internet of today. A
+ detailed description of the security model, design principles, and
+ implementation is presented in this memo.
+
+ This informational document describes the NTP extensions for Autokey
+ as implemented in an NTPv4 software distribution available from
+ http://www.ntp.org. This description is provided to offer a basis
+ for future work and a reference for the software release. This
+ document also describes the motivation for the extensions within the
+ protocol.
+
+2. NTP Security Model
+
+ NTP security requirements are even more stringent than most other
+ distributed services. First, the operation of the authentication
+ mechanism and the time synchronization mechanism are inextricably
+ intertwined. Reliable time synchronization requires cryptographic
+ keys that are valid only over designated time intervals; but, time
+ intervals can be enforced only when participating servers and clients
+ are reliably synchronized to UTC. In addition, the NTP subnet is
+
+
+
+
+Haberman & Mills Informational [Page 4]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ hierarchical by nature, so time and trust flow from the primary
+ servers at the root through secondary servers to the clients at the
+ leaves.
+
+ A client can claim authentic to dependent applications only if all
+ servers on the path to the primary servers are bona fide authentic.
+ In order to emphasize this requirement, in this memo, the notion of
+ "authentic" is replaced by "proventic", an adjective new to English
+ and derived from "provenance", as in the provenance of a painting.
+ Having abused the language this far, the suffixes fixable to the
+ various derivatives of authentic will be adopted for proventic as
+ well. In NTP, each server authenticates the next-lower stratum
+ servers and proventicates (authenticates by induction) the lowest
+ stratum (primary) servers. Serious computer linguists would
+ correctly interpret the proventic relation as the transitive closure
+ of the authentic relation.
+
+ It is important to note that the notion of proventic does not
+ necessarily imply the time is correct. An NTP client mobilizes a
+ number of concurrent associations with different servers and uses a
+ crafted agreement algorithm to pluck truechimers from the population
+ possibly including falsetickers. A particular association is
+ proventic if the server certificate and identity have been verified
+ by the means described in this memo. However, the statement "the
+ client is synchronized to proventic sources" means that the system
+ clock has been set using the time values of one or more proventic
+ associations and according to the NTP mitigation algorithms.
+
+ Over the last several years, the IETF has defined and evolved the
+ IPsec infrastructure for privacy protection and source authentication
+ in the Internet. The infrastructure includes the Encapsulating
+ Security Payload (ESP) [RFC4303] and Authentication Header (AH)
+ [RFC4302] for IPv4 and IPv6. Cryptographic algorithms that use these
+ headers for various purposes include those developed for the PKI,
+ including various message digest, digital signature, and key
+ agreement algorithms. This memo takes no position on which message
+ digest or digital signature algorithm is used. This is established
+ by a profile for each community of users.
+
+ It will facilitate the discussion in this memo to refer to the
+ reference implementation available at http://www.ntp.org. It
+ includes Autokey as described in this memo and is available to the
+ general public; however, it is not part of the specification itself.
+ The cryptographic means used by the reference implementation and its
+ user community are based on the OpenSSL cryptographic software
+ library available at http://www.openssl.org, but other libraries with
+ equivalent functionality could be used as well. It is important for
+
+
+
+
+Haberman & Mills Informational [Page 5]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ distribution and export purposes that the way in which these
+ algorithms are used precludes encryption of any data other than
+ incidental to the construction of digital signatures.
+
+ The fundamental assumption in NTP about the security model is that
+ packets transmitted over the Internet can be intercepted by those
+ other than the intended recipient, remanufactured in various ways,
+ and replayed in whole or part. These packets can cause the client to
+ believe or produce incorrect information, cause protocol operations
+ to fail, interrupt network service, or consume precious network and
+ processor resources.
+
+ In the case of NTP, the assumed goal of the intruder is to inject
+ false time values, disrupt the protocol or clog the network, servers,
+ or clients with spurious packets that exhaust resources and deny
+ service to legitimate applications. The mission of the algorithms
+ and protocols described in this memo is to detect and discard
+ spurious packets sent by someone other than the intended sender or
+ sent by the intended sender, but modified or replayed by an intruder.
+
+ There are a number of defense mechanisms already built in the NTP
+ architecture, protocol, and algorithms. The on-wire timestamp
+ exchange scheme is inherently resistant to spoofing, packet-loss, and
+ replay attacks. The engineered clock filter, selection, and
+ clustering algorithms are designed to defend against evil cliques of
+ Byzantine traitors. While not necessarily designed to defeat
+ determined intruders, these algorithms and accompanying sanity checks
+ have functioned well over the years to deflect improperly operating
+ but presumably friendly scenarios. However, these mechanisms do not
+ securely identify and authenticate servers to clients. Without
+ specific further protection, an intruder can inject any or all of the
+ following attacks.
+
+ 1. An intruder can intercept and archive packets forever, as well as
+ all the public values ever generated and transmitted over the
+ net.
+
+ 2. An intruder can generate packets faster than the server, network,
+ or client can process them, especially if they require expensive
+ cryptographic computations.
+
+ 3. In a wiretap attack, the intruder can intercept, modify, and
+ replay a packet. However, it cannot permanently prevent onward
+ transmission of the original packet; that is, it cannot break the
+ wire, only tell lies and congest it. Except in the unlikely
+ cases considered in Section 12, the modified packet cannot arrive
+ at the victim before the original packet, nor does it have the
+ server private keys or identity parameters.
+
+
+
+Haberman & Mills Informational [Page 6]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ 4. In a man-in-the-middle or masquerade attack, the intruder is
+ positioned between the server and client, so it can intercept,
+ modify, and replay a packet and prevent onward transmission of
+ the original packet. Except in unlikely cases considered in
+ Section 12, the middleman does not have the server private keys.
+
+ The NTP security model assumes the following possible limitations.
+
+ 1. The running times for public key algorithms are relatively long
+ and highly variable. In general, the performance of the time
+ synchronization function is badly degraded if these algorithms
+ must be used for every NTP packet.
+
+ 2. In some modes of operation, it is not feasible for a server to
+ retain state variables for every client. It is however feasible
+ to regenerated them for a client upon arrival of a packet from
+ that client.
+
+ 3. The lifetime of cryptographic values must be enforced, which
+ requires a reliable system clock. However, the sources that
+ synchronize the system clock must be cryptographically
+ proventicated. This circular interdependence of the timekeeping
+ and proventication functions requires special handling.
+
+ 4. Client security functions must involve only public values
+ transmitted over the net. Private values must never be disclosed
+ beyond the machine on which they were created, except in the case
+ of a special trusted agent (TA) assigned for this purpose.
+
+ Unlike the Secure Shell (SSH) security model, where the client must
+ be securely authenticated to the server, in NTP, the server must be
+ securely authenticated to the client. In SSH, each different
+ interface address can be bound to a different name, as returned by a
+ reverse-DNS query. In this design, separate public/private key pairs
+ may be required for each interface address with a distinct name. A
+ perceived advantage of this design is that the security compartment
+ can be different for each interface. This allows a firewall, for
+ instance, to require some interfaces to authenticate the client and
+ others not.
+
+3. Approach
+
+ The Autokey protocol described in this memo is designed to meet the
+ following objectives. In-depth discussions on these objectives is in
+ the web briefings and will not be elaborated in this memo. Note that
+ here, and elsewhere in this memo, mention of broadcast mode means
+ multicast mode as well, with exceptions as noted in the NTP software
+ documentation [RFC5905].
+
+
+
+Haberman & Mills Informational [Page 7]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ 1. It must interoperate with the existing NTP architecture model and
+ protocol design. In particular, it must support the symmetric
+ key scheme described in [RFC1305]. As a practical matter, the
+ reference implementation must use the same internal key
+ management system, including the use of 32-bit key IDs and
+ existing mechanisms to store, activate, and revoke keys.
+
+ 2. It must provide for the independent collection of cryptographic
+ values and time values. An NTP packet is accepted for processing
+ only when the required cryptographic values have been obtained
+ and verified and the packet has passed all header sanity checks.
+
+ 3. It must not significantly degrade the potential accuracy of the
+ NTP synchronization algorithms. In particular, it must not make
+ unreasonable demands on the network or host processor and memory
+ resources.
+
+ 4. It must be resistant to cryptographic attacks, specifically those
+ identified in the security model above. In particular, it must
+ be tolerant of operational or implementation variances, such as
+ packet loss or disorder, or suboptimal configurations.
+
+ 5. It must build on a widely available suite of cryptographic
+ algorithms, yet be independent of the particular choice. In
+ particular, it must not require data encryption other than that
+ which is incidental to signature and cookie encryption
+ operations.
+
+ 6. It must function in all the modes supported by NTP, including
+ server, symmetric, and broadcast modes.
+
+4. Autokey Cryptography
+
+ Autokey cryptography is based on the PKI algorithms commonly used in
+ the Secure Shell and Secure Sockets Layer (SSL) applications. As in
+ these applications, Autokey uses message digests to detect packet
+ modification, digital signatures to verify credentials, and public
+ certificates to provide traceable authority. What makes Autokey
+ cryptography unique is the way in which these algorithms are used to
+ deflect intruder attacks while maintaining the integrity and accuracy
+ of the time synchronization function.
+
+ Autokey, like many other remote procedure call (RPC) protocols,
+ depends on message digests for basic authentication; however, it is
+ important to understand that message digests are also used by NTP
+ when Autokey is not available or not configured. Selection of the
+ digest algorithm is a function of NTP configuration and is
+ transparent to Autokey.
+
+
+
+Haberman & Mills Informational [Page 8]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ The protocol design and reference implementation support both 128-bit
+ and 160-bit message digest algorithms, each with a 32-bit key ID. In
+ order to retain backwards compatibility with NTPv3, the NTPv4 key ID
+ space is partitioned in two subspaces at a pivot point of 65536.
+ Symmetric key IDs have values less than the pivot and indefinite
+ lifetime. Autokey key IDs have pseudo-random values equal to or
+ greater than the pivot and are expunged immediately after use.
+
+ Both symmetric key and public key cryptography authenticate as shown
+ in Figure 1. The server looks up the key associated with the key ID
+ and calculates the message digest from the NTP header and extension
+ fields together with the key value. The key ID and digest form the
+ message authentication code (MAC) included with the message. The
+ client does the same computation using its local copy of the key and
+ compares the result with the digest in the MAC. If the values agree,
+ the message is assumed authentic.
+
+ +------------------+
+ | NTP Header and |
+ | Extension Fields |
+ +------------------+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | | Message Authentication Code |
+ \|/ \|/ + (MAC) +
+ ******************** | +-------------------------+ |
+ * Compute Hash *<----| Key ID | Message Digest | +
+ ******************** | +-------------------------+ |
+ | +-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+
+ \|/ \|/
+ +------------------+ +-------------+
+ | Message Digest |------>| Compare |
+ +------------------+ +-------------+
+
+ Figure 1: Message Authentication
+
+ Autokey uses specially contrived session keys, called autokeys, and a
+ precomputed pseudo-random sequence of autokeys that are saved in the
+ autokey list. The Autokey protocol operates separately for each
+ association, so there may be several autokey sequences operating
+ independently at the same time.
+
+ +-------------+-------------+--------+--------+
+ | Src Address | Dst Address | Key ID | Cookie |
+ +-------------+-------------+--------+--------+
+
+ Figure 2: NTPv4 Autokey
+
+
+
+
+
+
+Haberman & Mills Informational [Page 9]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ An autokey is computed from four fields in network byte order as
+ shown in Figure 2. The four values are hashed using the MD5
+ algorithm to produce the 128-bit autokey value, which in the
+ reference implementation is stored along with the key ID in a cache
+ used for symmetric keys as well as autokeys. Keys are retrieved from
+ the cache by key ID using hash tables and a fast lookup algorithm.
+
+ For use with IPv4, the Src Address and Dst Address fields contain 32
+ bits; for use with IPv6, these fields contain 128 bits. In either
+ case, the Key ID and Cookie fields contain 32 bits. Thus, an IPv4
+ autokey has four 32-bit words, while an IPv6 autokey has ten 32-bit
+ words. The source and destination addresses and key ID are public
+ values visible in the packet, while the cookie can be a public value
+ or shared private value, depending on the NTP mode.
+
+ The NTP packet format has been augmented to include one or more
+ extension fields piggybacked between the original NTP header and the
+ MAC. For packets without extension fields, the cookie is a shared
+ private value. For packets with extension fields, the cookie has a
+ default public value of zero, since these packets are validated
+ independently using digital signatures.
+
+ There are some scenarios where the use of endpoint IP addresses may
+ be difficult or impossible. These include configurations where
+ network address translation (NAT) devices are in use or when
+ addresses are changed during an association lifetime due to mobility
+ constraints. For Autokey, the only restriction is that the address
+ fields that are visible in the transmitted packet must be the same as
+ those used to construct the autokey list and that these fields be the
+ same as those visible in the received packet. (The use of
+ alternative means, such as Autokey host names (discussed later) or
+ hashes of these names may be a topic for future study.)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 10]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
++-----------+-----------+------+------+ +---------+ +-----+------+
+|Src Address|Dst Address|Key ID|Cookie|-->| | |Final|Final |
++-----------+-----------+------+------+ | Session | |Index|Key ID|
+ | | | | | Key ID | +-----+------+
+ \|/ \|/ \|/ \|/ | List | | |
+ ************************************* +---------+ \|/ \|/
+ * COMPUTE HASH * *******************
+ ************************************* *COMPUTE SIGNATURE*
+ | Index n *******************
+ \|/ |
+ +--------+ |
+ | Next | \|/
+ | Key ID | +-----------+
+ +--------+ | Signature |
+ Index n+1 +-----------+
+
+ Figure 3: Constructing the Key List
+
+ Figure 3 shows how the autokey list and autokey values are computed.
+ The key IDs used in the autokey list consist of a sequence starting
+ with a random 32-bit nonce (autokey seed) greater than or equal to
+ the pivot as the first key ID. The first autokey is computed as
+ above using the given cookie and autokey seed and assigned index 0.
+ The first 32 bits of the result in network byte order become the next
+ key ID. The MD5 hash of the autokey is the key value saved in the
+ key cache along with the key ID. The first 32 bits of the key become
+ the key ID for the next autokey assigned index 1.
+
+ Operations continue to generate the entire list. It may happen that
+ a newly generated key ID is less than the pivot or collides with
+ another one already generated (birthday event). When this happens,
+ which occurs only rarely, the key list is terminated at that point.
+ The lifetime of each key is set to expire one poll interval after its
+ scheduled use. In the reference implementation, the list is
+ terminated when the maximum key lifetime is about one hour, so for
+ poll intervals above one hour, a new key list containing only a
+ single entry is regenerated for every poll.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 11]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ +------------------+
+ | NTP Header and |
+ | Extension Fields |
+ +------------------+
+ | |
+ \|/ \|/ +---------+
+ **************** +--------+ | Session |
+ * COMPUTE HASH *<---| Key ID |<---| Key ID |
+ **************** +--------+ | List |
+ | | +---------+
+ \|/ \|/
+ +-----------------------------------+
+ | Message Authentication Code (MAC) |
+ +-----------------------------------+
+
+ Figure 4: Transmitting Messages
+
+ The index of the last autokey in the list is saved along with the key
+ ID for that entry, collectively called the autokey values. The
+ autokey values are then signed for use later. The list is used in
+ reverse order as shown in Figure 4, so that the first autokey used is
+ the last one generated.
+
+ The Autokey protocol includes a message to retrieve the autokey
+ values and verify the signature, so that subsequent packets can be
+ validated using one or more hashes that eventually match the last key
+ ID (valid) or exceed the index (invalid). This is called the autokey
+ test in the following and is done for every packet, including those
+ with and without extension fields. In the reference implementation,
+ the most recent key ID received is saved for comparison with the
+ first 32 bits in network byte order of the next following key value.
+ This minimizes the number of hash operations in case a single packet
+ is lost.
+
+5. Autokey Protocol Overview
+
+ The Autokey protocol includes a number of request/response exchanges
+ that must be completed in order. In each exchange, a client sends a
+ request message with data and expects a server response message with
+ data. Requests and responses are contained in extension fields, one
+ request or response in each field, as described later. An NTP packet
+ can contain one request message and one or more response messages.
+ The following is a list of these messages.
+
+ o Parameter exchange. The request includes the client host name and
+ status word; the response includes the server host name and status
+ word. The status word specifies the digest/signature scheme to
+ use and the identity schemes supported.
+
+
+
+Haberman & Mills Informational [Page 12]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ o Certificate exchange. The request includes the subject name of a
+ certificate; the response consists of a signed certificate with
+ that subject name. If the issuer name is not the same as the
+ subject name, it has been signed by a host one step closer to a
+ trusted host, so certificate retrieval continues for the issuer
+ name. If it is trusted and self-signed, the trail concludes at
+ the trusted host. If nontrusted and self-signed, the host
+ certificate has not yet been signed, so the trail temporarily
+ loops. Completion of this exchange lights the VAL bit as
+ described below.
+
+ o Identity exchange. The certificate trail is generally not
+ considered sufficient protection against man-in-the-middle attacks
+ unless additional protection such as the proof-of-possession
+ scheme described in [RFC2875] is available, but this is expensive
+ and requires servers to retain state. Autokey can use one of the
+ challenge/response identity schemes described in Appendix B.
+ Completion of this exchange lights the IFF bit as described below.
+
+ o Cookie exchange. The request includes the public key of the
+ server. The response includes the server cookie encrypted with
+ this key. The client uses this value when constructing the key
+ list. Completion of this exchange lights the COOK bit as
+ described below.
+
+ o Autokey exchange. The request includes either no data or the
+ autokey values in symmetric modes. The response includes the
+ autokey values of the server. These values are used to verify the
+ autokey sequence. Completion of this exchange lights the AUT bit
+ as described below.
+
+ o Sign exchange. This exchange is executed only when the client has
+ synchronized to a proventic source. The request includes the
+ self-signed client certificate. The server acting as
+ certification authority (CA) interprets the certificate as a
+ X.509v3 certificate request. It extracts the subject, issuer, and
+ extension fields, builds a new certificate with these data along
+ with its own serial number and expiration time, then signs it
+ using its own private key and includes it in the response. The
+ client uses the signed certificate in its own role as server for
+ dependent clients. Completion of this exchange lights the SIGN
+ bit as described below.
+
+ o Leapseconds exchange. This exchange is executed only when the
+ client has synchronized to a proventic source. This exchange
+ occurs when the server has the leapseconds values, as indicated in
+ the host status word. If so, the client requests the values and
+ compares them with its own values, if available. If the server
+
+
+
+Haberman & Mills Informational [Page 13]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ values are newer than the client values, the client replaces its
+ own with the server values. The client, acting as server, can now
+ provide the most recent values to its dependent clients. In
+ symmetric mode, this results in both peers having the newest
+ values. Completion of this exchange lights the LPT bit as
+ described below.
+
+ Once the certificates and identity have been validated, subsequent
+ packets are validated by digital signatures and the autokey sequence.
+ The association is now proventic with respect to the downstratum
+ trusted host, but is not yet selectable to discipline the system
+ clock. The associations accumulate time values, and the mitigation
+ algorithms continue in the usual way. When these algorithms have
+ culled the falsetickers and cluster outliers and at least three
+ survivors remain, the system clock has been synchronized to a
+ proventic source.
+
+ The time values for truechimer sources form a proventic partial
+ ordering relative to the applicable signature timestamps. This
+ raises the interesting issue of how to differentiate between the
+ timestamps of different associations. It might happen, for instance,
+ that the timestamp of some Autokey message is ahead of the system
+ clock by some presumably small amount. For this reason, timestamp
+ comparisons between different associations and between associations
+ and the system clock are avoided, except in the NTP intersection and
+ clustering algorithms and when determining whether a certificate has
+ expired.
+
+6. NTP Secure Groups
+
+ NTP secure groups are used to define cryptographic compartments and
+ security hierarchies. A secure group consists of a number of hosts
+ dynamically assembled as a forest with roots the trusted hosts (THs)
+ at the lowest stratum of the group. The THs do not have to be, but
+ often are, primary (stratum 1) servers. A trusted authority (TA),
+ not necessarily a group host, generates private identity keys for
+ servers and public identity keys for clients at the leaves of the
+ forest. The TA deploys the server keys to the THs and other
+ designated servers using secure means and posts the client keys on a
+ public web site.
+
+ For Autokey purposes, all hosts belonging to a secure group have the
+ same group name but different host names, not necessarily related to
+ the DNS names. The group name is used in the subject and issuer
+ fields of the TH certificates; the host name is used in these fields
+ for other hosts. Thus, all host certificates are self-signed.
+ During the use of the Autokey protocol, a client requests that the
+ server sign its certificate and caches the result. A certificate
+
+
+
+Haberman & Mills Informational [Page 14]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ trail is constructed by each host, possibly via intermediate hosts
+ and ending at a TH. Thus, each host along the trail retrieves the
+ entire trail from its server(s) and provides this plus its own signed
+ certificates to its clients.
+
+ Secure groups can be configured as hierarchies where a TH of one
+ group can be a client of one or more other groups operating at a
+ lower stratum. In one scenario, THs for groups RED and GREEN can be
+ cryptographically distinct, but both be clients of group BLUE
+ operating at a lower stratum. In another scenario, THs for group
+ CYAN can be clients of multiple groups YELLOW and MAGENTA, both
+ operating at a lower stratum. There are many other scenarios, but
+ all must be configured to include only acyclic certificate trails.
+
+ In Figure 5, the Alice group consists of THs Alice, which is also the
+ TA, and Carol. Dependent servers Brenda and Denise have configured
+ Alice and Carol, respectively, as their time sources. Stratum 3
+ server Eileen has configured both Brenda and Denise as her time
+ sources. Public certificates are identified by the subject and
+ signed by the issuer. Note that the server group keys have been
+ previously installed on Brenda and Denise and the client group keys
+ installed on all machines.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 15]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ +-------------+ +-------------+ +-------------+
+ | Alice Group | | Brenda | | Denise |
+ | Alice | | | | |
+ | +-+-+-+-+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ Certificate | | Alice | | | | Brenda| | | | Denise| |
+ +-+-+-+-+-+ | +-+-+-+-+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ | Subject | | | Alice*| 1 | | | Alice | 4 | | | Carol | 4 |
+ +-+-+-+-+-+ | +-+-+-+-+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ | Issuer | S | | | | | |
+ +-+-+-+-+-+ | +=======+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ | ||Alice|| 3 | | | Alice | | | | Carol | |
+ Group Key | +=======+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ +=========+ +-------------+ | | Alice*| 2 | | | Carol*| 2 |
+ || Group || S | Alice Group | | +-+-+-+-+ | | +-+-+-+-+ |
+ +=========+ | Carol | | | | |
+ | +-+-+-+-+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ S = step | | Carol | | | | Brenda| | | | Denise| |
+ * = trusted | +-+-+-+-+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ | | Carol*| 1 | | | Brenda| 1 | | | Denise| 1 |
+ | +-+-+-+-+ | | +-+-+-+-+ | | +-+-+-+-+ |
+ | | | | | |
+ | +=======+ | | +=======+ | | +=======+ |
+ | ||Alice|| 3 | | ||Alice|| 3 | | ||Alice|| 3 |
+ | +=======+ | | +=======+ | | +=======+ |
+ +-------------+ +-------------+ +-------------+
+ Stratum 1 Stratum 2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 16]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ +---------------------------------------------+
+ | Eileen |
+ | |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | | Eileen| | Eileen| |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | | Brenda| 4 | Carol | 4 |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | | Alice | | Carol | |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | | Alice*| 2 | Carol*| 2 |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | | Brenda| | Denise| |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | | Alice | 2 | Carol | 2 |
+ | +-+-+-+-+ +-+-+-+-+ |
+ | |
+ | +-+-+-+-+ |
+ | | Eileen| |
+ | +-+-+-+-+ |
+ | | Eileen| 1 |
+ | +-+-+-+-+ |
+ | |
+ | +=======+ |
+ | ||Alice|| 3 |
+ | +=======+ |
+ +---------------------------------------------+
+ Stratum 3
+
+ Figure 5: NTP Secure Groups
+
+ The steps in hiking the certificate trails and verifying identity are
+ as follows. Note the step number in the description matches the step
+ number in the figure.
+
+ 1. The girls start by loading the host key, sign key, self-signed
+ certificate, and group key. Each client and server acting as a
+ client starts the Autokey protocol by retrieving the server host
+ name and digest/signature. This is done using the ASSOC exchange
+ described later.
+
+ 2. They continue to load certificates recursively until a self-
+ signed trusted certificate is found. Brenda and Denise
+ immediately find trusted certificates for Alice and Carol,
+
+
+
+Haberman & Mills Informational [Page 17]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ respectively, but Eileen will loop because neither Brenda nor
+ Denise have their own certificates signed by either Alice or
+ Carol. This is done using the CERT exchange described later.
+
+ 3. Brenda and Denise continue with the selected identity schemes to
+ verify that Alice and Carol have the correct group key previously
+ generated by Alice. This is done using one of the identity
+ schemes IFF, GQ, or MV, described later. If this succeeds, each
+ continues in step 4.
+
+ 4. Brenda and Denise present their certificates for signature using
+ the SIGN exchange described later. If this succeeds, either one
+ of or both Brenda and Denise can now provide these signed
+ certificates to Eileen, which may be looping in step 2. Eileen
+ can now verify the trail via either Brenda or Denise to the
+ trusted certificates for Alice and Carol. Once this is done,
+ Eileen can complete the protocol just as Brenda and Denise did.
+
+ For various reasons, it may be convenient for a server to have client
+ keys for more than one group. For example, Figure 6 shows three
+ secure groups Alice, Helen, and Carol arranged in a hierarchy. Hosts
+ A, B, C, and D belong to Alice with A and B as her THs. Hosts R and
+ S belong to Helen with R as her TH. Hosts X and Y belong to Carol
+ with X as her TH. Note that the TH for a group is always the lowest
+ stratum and that the hosts of the combined groups form an acyclic
+ graph. Note also that the certificate trail for each group
+ terminates on a TH for that group.
+
+ ***** ***** @@@@@
+ Stratum 1 * A * * B * @ R @
+ ***** ***** @@@@@
+ \ / /
+ \ / /
+ ***** @@@@@ *********
+ 2 * C * @ S @ * Alice *
+ ***** @@@@@ *********
+ / \ /
+ / \ / @@@@@@@@@
+ ***** ##### @ Helen @
+ 3 * D * # X # @@@@@@@@@
+ ***** #####
+ / \ #########
+ / \ # Carol #
+ ##### ##### #########
+ 4 # Y # # Z #
+ ##### #####
+
+ Figure 6: Hierarchical Overlapping Groups
+
+
+
+Haberman & Mills Informational [Page 18]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ The intent of the scenario is to provide security separation, so that
+ servers cannot masquerade as clients in other groups and clients
+ cannot masquerade as servers. Assume, for example, that Alice and
+ Helen belong to national standards laboratories and their server keys
+ are used to confirm identity between members of each group. Carol is
+ a prominent corporation receiving standards products and requiring
+ cryptographic authentication. Perhaps under contract, host X
+ belonging to Carol has client keys for both Alice and Helen and
+ server keys for Carol. The Autokey protocol operates for each group
+ separately while preserving security separation. Host X can prove
+ identity in Carol to clients Y and Z, but cannot prove to anybody
+ that it belongs to either Alice or Helen.
+
+7. Identity Schemes
+
+ A digital signature scheme provides secure server authentication, but
+ it does not provide protection against masquerade, unless the server
+ identity is verified by other means. The PKI model requires a server
+ to prove identity to the client by a certificate trail, but
+ independent means such as a driver's license are required for a CA to
+ sign the server certificate. While Autokey supports this model by
+ default, in a hierarchical ad hoc network, especially with server
+ discovery schemes like NTP manycast, proving identity at each rest
+ stop on the trail must be an intrinsic capability of Autokey itself.
+
+ While the identity scheme described in [RFC2875] is based on a
+ ubiquitous Diffie-Hellman infrastructure, it is expensive to generate
+ and use when compared to others described in Appendix B. In
+ principle, an ordinary public key scheme could be devised for this
+ purpose, but the most stringent Autokey design requires that every
+ challenge, even if duplicated, results in a different acceptable
+ response.
+
+ 1. The scheme must have a relatively long lifetime, certainly longer
+ than a typical certificate, and have no specific lifetime or
+ expiration date. At the time the scheme is used, the host has
+ not yet synchronized to a proventic source, so the scheme cannot
+ depend on time.
+
+ 2. As the scheme can be used many times where the data might be
+ exposed to potential intruders, the data must be either nonces or
+ encrypted nonces.
+
+ 3. The scheme should allow designated servers to prove identity to
+ designated clients, but not allow clients acting as servers to
+ prove identity to dependent clients.
+
+
+
+
+
+Haberman & Mills Informational [Page 19]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ 4. To the greatest extent possible, the scheme should represent a
+ zero-knowledge proof; that is, the client should be able to
+ verify that the server has the correct group key, but without
+ knowing the key itself.
+
+ There are five schemes now implemented in the NTPv4 reference
+ implementation to prove identity: (1) private certificate (PC), (2)
+ trusted certificate (TC), (3) a modified Schnorr algorithm (IFF aka
+ Identify Friendly or Foe), (4) a modified Guillou-Quisquater (GQ)
+ algorithm, and (5) a modified Mu-Varadharajan (MV) algorithm. Not
+ all of these provide the same level of protection and one, TC,
+ provides no protection but is included for comparison. The following
+ is a brief summary description of each; details are given in
+ Appendix B.
+
+ The PC scheme involves a private certificate as group key. The
+ certificate is distributed to all other group members by secure means
+ and is never revealed outside the group. In effect, the private
+ certificate is used as a symmetric key. This scheme is used
+ primarily for testing and development and is not recommended for
+ regular use and is not considered further in this memo.
+
+ All other schemes involve a conventional certificate trail as
+ described in [RFC5280]. This is the default scheme when an identity
+ scheme is not required. While the remaining identity schemes
+ incorporate TC, it is not by itself considered further in this memo.
+
+ The three remaining schemes IFF, GQ, and MV involve a
+ cryptographically strong challenge-response exchange where an
+ intruder cannot deduce the server key, even after repeated
+ observations of multiple exchanges. In addition, the MV scheme is
+ properly described as a zero-knowledge proof, because the client can
+ verify the server has the correct group key without either the server
+ or client knowing its value. These schemes start when the client
+ sends a nonce to the server, which then rolls its own nonce, performs
+ a mathematical operation and sends the results to the client. The
+ client performs another mathematical operation and verifies the
+ results are correct.
+
+8. Timestamps and Filestamps
+
+ While public key signatures provide strong protection against
+ misrepresentation of source, computing them is expensive. This
+ invites the opportunity for an intruder to clog the client or server
+ by replaying old messages or originating bogus messages. A client
+ receiving such messages might be forced to verify what turns out to
+ be an invalid signature and consume significant processor resources.
+ In order to foil such attacks, every Autokey message carries a
+
+
+
+Haberman & Mills Informational [Page 20]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ timestamp in the form of the NTP seconds when it was created. If the
+ system clock is synchronized to a proventic source, a signature is
+ produced with a valid (nonzero) timestamp. Otherwise, there is no
+ signature and the timestamp is invalid (zero). The protocol detects
+ and discards extension fields with old or duplicate timestamps,
+ before any values are used or signatures are verified.
+
+ Signatures are computed only when cryptographic values are created or
+ modified, which is by design not very often. Extension fields
+ carrying these signatures are copied to messages as needed, but the
+ signatures are not recomputed. There are three signature types:
+
+ 1. Cookie signature/timestamp. The cookie is signed when created by
+ the server and sent to the client.
+
+ 2. Autokey signature/timestamp. The autokey values are signed when
+ the key list is created.
+
+ 3. Public values signature/timestamp. The public key, certificate,
+ and leapsecond values are signed at the time of generation, which
+ occurs when the system clock is first synchronized to a proventic
+ source, when the values have changed and about once per day after
+ that, even if these values have not changed.
+
+ The most recent timestamp received of each type is saved for
+ comparison. Once a signature with a valid timestamp has been
+ received, messages with invalid timestamps or earlier valid
+ timestamps of the same type are discarded before the signature is
+ verified. This is most important in broadcast mode, which could be
+ vulnerable to a clogging attack without this test.
+
+ All cryptographic values used by the protocol are time sensitive and
+ are regularly refreshed. In particular, files containing
+ cryptographic values used by signature and encryption algorithms are
+ regenerated from time to time. It is the intent that file
+ regenerations occur without specific advance warning and without
+ requiring prior distribution of the file contents. While
+ cryptographic data files are not specifically signed, every file is
+ associated with a filestamp showing the NTP seconds at the creation
+ epoch.
+
+ Filestamps and timestamps can be compared in any combination and use
+ the same conventions. It is necessary to compare them from time to
+ time to determine which are earlier or later. Since these quantities
+ have a granularity only to the second, such comparisons are ambiguous
+ if the values are in the same second.
+
+
+
+
+
+Haberman & Mills Informational [Page 21]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ It is important that filestamps be proventic data; thus, they cannot
+ be produced unless the producer has been synchronized to a proventic
+ source. As such, the filestamps throughout the NTP subnet represent
+ a partial ordering of all creation epochs and serve as means to
+ expunge old data and ensure new data are consistent. As the data are
+ forwarded from server to client, the filestamps are preserved,
+ including those for certificate and leapseconds values. Packets with
+ older filestamps are discarded before spending cycles to verify the
+ signature.
+
+9. Autokey Operations
+
+ The NTP protocol has three principal modes of operation: client/
+ server, symmetric, and broadcast and each has its own Autokey
+ program, or dance. Autokey choreography is designed to be non-
+ intrusive and to require no additional packets other than for regular
+ NTP operations. The NTP and Autokey protocols operate simultaneously
+ and independently. When the dance is complete, subsequent packets
+ are validated by the autokey sequence and thus considered proventic
+ as well. Autokey assumes NTP clients poll servers at a relatively
+ low rate, such as once per minute or slower. In particular, it
+ assumes that a request sent at one poll opportunity will normally
+ result in a response before the next poll opportunity; however, the
+ protocol is robust against a missed or duplicate response.
+
+ The server dance was suggested by Steve Kent over lunch some time
+ ago, but considerably modified since that meal. The server keeps no
+ state for each client, but uses a fast algorithm and a 32-bit random
+ private value (server seed) to regenerate the cookie upon arrival of
+ a client packet. The cookie is calculated as the first 32 bits of
+ the autokey computed from the client and server addresses, key ID
+ zero, and the server seed as cookie. The cookie is used for the
+ actual autokey calculation by both the client and server and is thus
+ specific to each client separately.
+
+ In the server dance, the client uses the cookie and each key ID on
+ the key list in turn to retrieve the autokey and generate the MAC.
+ The server uses the same values to generate the message digest and
+ verifies it matches the MAC. It then generates the MAC for the
+ response using the same values, but with the client and server
+ addresses interchanged. The client generates the message digest and
+ verifies it matches the MAC. In order to deflect old replays, the
+ client verifies that the key ID matches the last one sent. In this
+ dance, the sequential structure of the key list is not exploited, but
+ doing it this way simplifies and regularizes the implementation while
+ making it nearly impossible for an intruder to guess the next key ID.
+
+
+
+
+
+Haberman & Mills Informational [Page 22]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ In the broadcast dance, clients normally do not send packets to the
+ server, except when first starting up. At that time, the client runs
+ the server dance to verify the server credentials and calibrate the
+ propagation delay. The dance requires the association ID of the
+ particular server association, since there can be more than one
+ operating in the same server. For this purpose, the server packet
+ includes the association ID in every response message sent and, when
+ sending the first packet after generating a new key list, it sends
+ the autokey values as well. After obtaining and verifying the
+ autokey values, no extension fields are necessary and the client
+ verifies further server packets using the autokey sequence.
+
+ The symmetric dance is similar to the server dance and requires only
+ a small amount of state between the arrival of a request and
+ departure of the response. The key list for each direction is
+ generated separately by each peer and used independently, but each is
+ generated with the same cookie. The cookie is conveyed in a way
+ similar to the server dance, except that the cookie is a simple
+ nonce. There exists a possible race condition where each peer sends
+ a cookie request before receiving the cookie response from the other
+ peer. In this case, each peer winds up with two values, one it
+ generated and one the other peer generated. The ambiguity is
+ resolved simply by computing the working cookie as the EXOR of the
+ two values.
+
+ Once the Autokey dance has completed, it is normally dormant. In all
+ except the broadcast dance, packets are normally sent without
+ extension fields, unless the packet is the first one sent after
+ generating a new key list or unless the client has requested the
+ cookie or autokey values. If for some reason the client clock is
+ stepped, rather than slewed, all cryptographic and time values for
+ all associations are purged and the dances in all associations
+ restarted from scratch. This ensures that stale values never
+ propagate beyond a clock step.
+
+10. Autokey Protocol Messages
+
+ The Autokey protocol data unit is the extension field, one or more of
+ which can be piggybacked in the NTP packet. An extension field
+ contains either a request with optional data or a response with
+ optional data. To avoid deadlocks, any number of responses can be
+ included in a packet, but only one request can be. A response is
+ generated for every request, even if the requestor is not
+ synchronized to a proventic source, but most contain meaningful data
+ only if the responder is synchronized to a proventic source. Some
+ requests and most responses carry timestamped signatures. The
+ signature covers the entire extension field, including the timestamp
+
+
+
+
+Haberman & Mills Informational [Page 23]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ and filestamp, where applicable. Only if the packet has correct
+ format, length, and message digest are cycles spent to verify the
+ signature.
+
+ There are currently eight Autokey requests and eight corresponding
+ responses. The NTP packet format is described in [RFC5905] and the
+ extension field format used for these messages is illustrated in
+ Figure 7.
+
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |R|E| Code | Field Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Association ID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Timestamp |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Filestamp |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ \ /
+
+ / Value \
+ \ /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Signature Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ \ /
+ / Signature \
+ \ /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ \ /
+ / Padding (if needed) \
+ \ /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 7: NTPv4 Extension Field Format
+
+ While each extension field is zero-padded to a 4-octet (word)
+ boundary, the entire extension is not word-aligned. The Length field
+ covers the entire extension field, including the Length and Padding
+ fields. While the minimum field length is 8 octets, a maximum field
+ length remains to be established. The reference implementation
+ discards any packet with a field length more than 1024 octets.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 24]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ One or more extension fields follow the NTP packet header and the
+ last followed by the MAC. The extension field parser initializes a
+ pointer to the first octet beyond the NTP packet header and
+ calculates the number of octets remaining to the end of the packet.
+ If the remaining length is 20 (128-bit digest plus 4-octet key ID) or
+ 22 (160-bit digest plus 4-octet key ID), the remaining data are the
+ MAC and parsing is complete. If the remaining length is greater than
+ 22, an extension field is present. If the remaining length is less
+ than 8 or not a multiple of 4, a format error has occurred and the
+ packet is discarded; otherwise, the parser increments the pointer by
+ the extension field length and then uses the same rules as above to
+ determine whether a MAC is present or another extension field.
+
+ In Autokey the 8-bit Field Type field is interpreted as the version
+ number, currently 2. For future versions, values 1-7 have been
+ reserved for Autokey; other values may be assigned for other
+ applications. The 6-bit Code field specifies the request or response
+ operation. There are two flag bits: bit 0 is the Response Flag (R)
+ and bit 1 is the Error Flag (E); the Reserved field is unused and
+ should be set to 0. The remaining fields will be described later.
+
+ In the most common protocol operations, a client sends a request to a
+ server with an operation code specified in the Code field and both
+ the R bit and E bit dim. The server returns a response with the same
+ operation code in the Code field and lights the R bit. The server
+ can also light the E bit in case of error. Note that it is not
+ necessarily a protocol error to send an unsolicited response with no
+ matching request. If the R bit is dim, the client sets the
+ Association ID field to the client association ID, which the server
+ returns for verification. If the two values do not match, the
+ response is discarded as if never sent. If the R bit is lit, the
+ Association ID field is set to the server association ID obtained in
+ the initial protocol exchange. If the Association ID field does not
+ match any mobilized association ID, the request is discarded as if
+ never sent.
+
+ In some cases, not all fields may be present. For requests, until a
+ client has synchronized to a proventic source, signatures are not
+ valid. In such cases, the Timestamp field and Signature Length field
+ (which specifies the length of the Signature) are zero and the
+ Signature field is absent. Some request and error response messages
+ carry no value or signature fields, so in these messages only the
+ first two words (8 octets) are present.
+
+ The Timestamp and Filestamp words carry the seconds field of an NTP
+ timestamp. The timestamp establishes the signature epoch of the data
+ field in the message, while the filestamp establishes the generation
+ epoch of the file that ultimately produced the data that is signed.
+
+
+
+Haberman & Mills Informational [Page 25]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ A signature and timestamp are valid only when the signing host is
+ synchronized to a proventic source; otherwise, the timestamp is zero.
+ A cryptographic data file can only be generated if a signature is
+ possible; otherwise, the filestamp is zero, except in the ASSOC
+ response message, where it contains the server status word.
+
+ As in all other TCP/IP protocol designs, all data are sent in network
+ byte order. Unless specified otherwise in the descriptions to
+ follow, the data referred to are stored in the Value field. The
+ Value Length field specifies the length of the data in the Value
+ field.
+
+10.1. No-Operation
+
+ A No-operation request (Code 0) does nothing except return an empty
+ response, which can be used as a crypto-ping.
+
+10.2. Association Message (ASSOC)
+
+ An Association Message (Code 1) is used in the parameter exchange to
+ obtain the host name and status word. The request contains the
+ client status word in the Filestamp field and the Autokey host name
+ in the Value field. The response contains the server status word in
+ the Filestamp field and the Autokey host name in the Value field.
+ The Autokey host name is not necessarily the DNS host name. A valid
+ response lights the ENAB bit and possibly others in the association
+ status word.
+
+ When multiple identity schemes are supported, the host status word
+ determines which ones are available. In server and symmetric modes,
+ the response status word contains bits corresponding to the supported
+ schemes. In all modes, the scheme is selected based on the client
+ identity parameters that are loaded at startup.
+
+10.3. Certificate Message (CERT)
+
+ A Certificate Message (Code 2) is used in the certificate exchange to
+ obtain a certificate by subject name. The request contains the
+ subject name; the response contains the certificate encoded in X.509
+ format with ASN.1 syntax as described in Appendix H.
+
+ If the subject name in the response does not match the issuer name,
+ the exchange continues with the issuer name replacing the subject
+ name in the request. The exchange continues until a trusted, self-
+ signed certificate is found and lights the CERT bit in the
+ association status word.
+
+
+
+
+
+Haberman & Mills Informational [Page 26]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+10.4. Cookie Message (COOKIE)
+
+ The Cookie Message (Code 3) is used in server and symmetric modes to
+ obtain the server cookie. The request contains the host public key
+ encoded with ASN.1 syntax as described in Appendix H. The response
+ contains the cookie encrypted by the public key in the request. A
+ valid response lights the COOKIE bit in the association status word.
+
+10.5. Autokey Message (AUTO)
+
+ The Autokey Message (Code 4) is used to obtain the autokey values.
+ The request contains no value for a client or the autokey values for
+ a symmetric peer. The response contains two 32-bit words, the first
+ is the final key ID, while the second is the index of the final key
+ ID. A valid response lights the AUTO bit in the association status
+ word.
+
+10.6. Leapseconds Values Message (LEAP)
+
+ The Leapseconds Values Message (Code 5) is used to obtain the
+ leapseconds values as parsed from the leapseconds table from the
+ National Institute of Standards and Technology (NIST). The request
+ contains no values. The response contains three 32-bit integers:
+ first the NTP seconds of the latest leap event followed by the NTP
+ seconds when the latest NIST table expires and then the TAI offset
+ following the leap event. A valid response lights the LEAP bit in
+ the association status word.
+
+10.7. Sign Message (SIGN)
+
+ The Sign Message (Code 6) requests that the server sign and return a
+ certificate presented in the request. The request contains the
+ client certificate encoded in X.509 format with ASN.1 syntax as
+ described in Appendix H. The response contains the client
+ certificate signed by the server private key. A valid response
+ lights the SIGN bit in the association status word.
+
+10.8. Identity Messages (IFF, GQ, MV)
+
+ The Identity Messages (Code 7 (IFF), 8 (GQ), or 9 (MV)) contains the
+ client challenge, usually a 160- or 512-bit nonce. The response
+ contains the result of the mathematical operation defined in
+ Appendix B. The Response is encoded in ASN.1 syntax as described in
+ Appendix H. A valid response lights the VRFY bit in the association
+ status word.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 27]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+11. Autokey State Machine
+
+ This section describes the formal model of the Autokey state machine,
+ its state variables and the state transition functions.
+
+11.1. Status Word
+
+ The server implements a host status word, while each client
+ implements an association status word. These words have the format
+ and content shown in Figure 8. The low-order 16 bits of the status
+ word define the state of the Autokey dance, while the high-order 16
+ bits specify the Numerical Identifier (NID) as generated by the
+ OpenSSL library of the OID for one of the message digest/signature
+ encryption schemes defined in [RFC3279]. The NID values for the
+ digest/signature algorithms defined in RFC 3279 are as follows:
+
+ +------------------------+----------------------+-----+
+ | Algorithm | OID | NID |
+ +------------------------+----------------------+-----+
+ | pkcs-1 | 1.2.840.113549.1.1 | 2 |
+ | md2 | 1.2.840.113549.2.2 | 3 |
+ | md5 | 1.2.840.113549.2.5 | 4 |
+ | rsaEncryption | 1.2.840.113549.1.1.1 | 6 |
+ | md2WithRSAEncryption | 1.2.840.113549.1.1.2 | 7 |
+ | md5WithRSAEncryption | 1.2.840.113549.1.1.4 | 8 |
+ | id-sha1 | 1.3.14.3.2.26 | 64 |
+ | sha-1WithRSAEncryption | 1.2.840.113549.1.1.5 | 65 |
+ | id-dsa-wth-sha1 | 1.2.840.10040.4.3 | 113 |
+ | id-dsa | 1.2.840.10040.4.1 | 116 |
+ +------------------------+----------------------+-----+
+
+ Bits 24-31 are reserved for server use, while bits 16-23 are reserved
+ for client use. In the host portion, bits 24-27 specify the
+ available identity schemes, while bits 28-31 specify the server
+ capabilities. There are two additional bits implemented separately.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Digest / Signature NID | Client | Ident | Host |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 8: Status Word
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 28]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ The host status word is included in the ASSOC request and response
+ messages. The client copies this word to the association status word
+ and then lights additional bits as the dance proceeds. Once enabled,
+ these bits ordinarily never become dark unless a general reset occurs
+ and the protocol is restarted from the beginning.
+
+ The host status bits are defined as follows:
+
+ o ENAB (31) is lit if the server implements the Autokey protocol.
+
+ o LVAL (30) is lit if the server has installed leapseconds values,
+ either from the NIST leapseconds file or from another server.
+
+ o Bits (28-29) are reserved - always dark.
+
+ o Bits 24-27 select which server identity schemes are available.
+ While specific coding for various schemes is yet to be determined,
+ the schemes available in the reference implementation and
+ described in Appendix B include the following:
+
+ * none - Trusted Certificate (TC) Scheme (default).
+
+ * PC (27) Private Certificate Scheme.
+
+ * IFF (26) Schnorr aka Identify-Friendly-or-Foe Scheme.
+
+ * GQ (25) Guillard-Quisquater Scheme.
+
+ * MV (24) Mu-Varadharajan Scheme.
+
+ o The PC scheme is exclusive of any other scheme. Otherwise, the
+ IFF, GQ, and MV bits can be enabled in any combination.
+
+ The association status bits are defined as follows:
+
+ o CERT (23): Lit when the trusted host certificate and public key
+ are validated.
+
+ o VRFY (22): Lit when the trusted host identity credentials are
+ confirmed.
+
+ o PROV (21): Lit when the server signature is verified using its
+ public key and identity credentials. Also called the proventic
+ bit elsewhere in this memo. When enabled, signed values in
+ subsequent messages are presumed proventic.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 29]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ o COOK (20): Lit when the cookie is received and validated. When
+ lit, key lists with nonzero cookies are generated; when dim, the
+ cookie is zero.
+
+ o AUTO (19): Lit when the autokey values are received and validated.
+ When lit, clients can validate packets without extension fields
+ according to the autokey sequence.
+
+ o SIGN (18): Lit when the host certificate is signed by the server.
+
+ o LEAP (17): Lit when the leapseconds values are received and
+ validated.
+
+ o Bit 16: Reserved - always dark.
+
+ There are three additional bits: LIST, SYNC, and PEER not included in
+ the association status word. LIST is lit when the key list is
+ regenerated and dim when the autokey values have been transmitted.
+ This is necessary to avoid livelock under some conditions. SYNC is
+ lit when the client has synchronized to a proventic source and never
+ dim after that. PEER is lit when the server has synchronized, as
+ indicated in the NTP header, and never dim after that.
+
+11.2. Host State Variables
+
+ The following is a list of host state variables.
+
+ Host Name: The name of the host, by default the string
+ returned by the Unix gethostname() library
+ function. In the reference implementation, this
+ is a configurable value.
+
+ Host Status Word: This word is initialized when the host first
+ starts up. The format is described above.
+
+ Host Key: The RSA public/private key pair used to encrypt/
+ decrypt cookies. This is also the default sign
+ key.
+
+ Sign Key: The RSA or Digital Signature Algorithm (DSA)
+ public/private key pair used to encrypt/decrypt
+ signatures when the host key is not used for
+ this purpose.
+
+ Sign Digest: The message digest algorithm used to compute the
+ message digest before encryption.
+
+
+
+
+
+Haberman & Mills Informational [Page 30]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ IFF Parameters: The parameters used in the optional IFF identity
+ scheme described in Appendix B.
+
+ GQ Parameters: The parameters used in the optional GQ identity
+ scheme described in Appendix B.
+
+ MV Parameters: The parameters used in the optional MV identity
+ scheme described in Appendix B.
+
+ Server Seed: The private value hashed with the IP addresses
+ and key identifier to construct the cookie.
+
+ CIS: Certificate Information Structure. This
+ structure includes certain information fields
+ from an X.509v3 certificate, together with the
+ certificate itself. The fields extracted
+ include the subject and issuer names, subject
+ public key and message digest algorithm
+ (pointers), and the beginning and end of the
+ valid period in NTP seconds.
+
+ The certificate itself is stored as an extension
+ field in network byte order so it can be copied
+ intact to the message. The structure is signed
+ using the sign key and carries the public values
+ timestamp at signature time and the filestamp of
+ the original certificate file. The structure is
+ used by the CERT response message and SIGN
+ request and response messages.
+
+ A flags field in the CIS determines the status
+ of the certificate. The field is encoded as
+ follows:
+
+ * TRUST (0x01) - The certificate has been
+ signed by a trusted issuer. If the
+ certificate is self-signed and contains
+ "trustRoot" in the Extended Key Usage field,
+ this bit is lit when the CIS is constructed.
+
+ * SIGN (0x02) - The certificate signature has
+ been verified. If the certificate is self-
+ signed and verified using the contained
+ public key, this bit is lit when the CIS is
+ constructed.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 31]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ * VALID (0x04) - The certificate is valid and
+ can be used to verify signatures. This bit
+ is lit when a trusted certificate has been
+ found on a valid certificate trail.
+
+ * PRIV (0x08) - The certificate is private and
+ not to be revealed. If the certificate is
+ self-signed and contains "Private" in the
+ Extended Key Usage field, this bit is lit
+ when the CIS is constructed.
+
+ * ERROR (0x80) - The certificate is defective
+ and not to be used in any way.
+
+ Certificate List: CIS structures are stored on the certificate
+ list in order of arrival, with the most recently
+ received CIS placed first on the list. The list
+ is initialized with the CIS for the host
+ certificate, which is read from the host
+ certificate file. Additional CIS entries are
+ added to the list as certificates are obtained
+ from the servers during the certificate
+ exchange. CIS entries are discarded if
+ overtaken by newer ones.
+
+ The following values are stored as an extension
+ field structure in network byte order so they
+ can be copied intact to the message. They are
+ used to send some Autokey requests and
+ responses. All but the Host Name Values
+ structure are signed using the sign key and all
+ carry the public values timestamp at signature
+ time.
+
+ Host Name Values: This is used to send ASSOC request and response
+ messages. It contains the host status word and
+ host name.
+
+ Public Key Values: This is used to send the COOKIE request message.
+ It contains the public encryption key used for
+ the COOKIE response message.
+
+ Leapseconds Values: This is used to send the LEAP response message.
+ It contains the leapseconds values in the LEAP
+ message description.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 32]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+11.3. Client State Variables (all modes)
+
+ The following is a list of state variables used by the various dances
+ in all modes.
+
+ Association ID: The association ID used in responses. It
+ is assigned when the association is
+ mobilized.
+
+ Association Status Word: The status word copied from the ASSOC
+ response; subsequently modified by the
+ state machine.
+
+ Subject Name: The server host name copied from the ASSOC
+ response.
+
+ Issuer Name: The host name signing the certificate. It
+ is extracted from the current server
+ certificate upon arrival and used to
+ request the next host on the certificate
+ trail.
+
+ Server Public Key: The public key used to decrypt signatures.
+ It is extracted from the server host
+ certificate.
+
+ Server Message Digest: The digest/signature scheme determined in
+ the parameter exchange.
+
+ Group Key: A set of values used by the identity
+ exchange. It identifies the cryptographic
+ compartment shared by the server and
+ client.
+
+ Receive Cookie Values: The cookie returned in a COOKIE response,
+ together with its timestamp and filestamp.
+
+ Receive Autokey Values: The autokey values returned in an AUTO
+ response, together with its timestamp and
+ filestamp.
+
+ Send Autokey Values: The autokey values with signature and
+ timestamps.
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 33]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ Key List: A sequence of key IDs starting with the
+ autokey seed and each pointing to the next.
+ It is computed, timestamped, and signed at
+ the next poll opportunity when the key list
+ becomes empty.
+
+ Current Key Number: The index of the entry on the Key List to
+ be used at the next poll opportunity.
+
+11.4. Protocol State Transitions
+
+ The protocol state machine is very simple but robust. The state is
+ determined by the client status word bits defined above. The state
+ transitions of the three dances are shown below. The capitalized
+ truth values represent the client status bits. All bits are
+ initialized as dark and are lit upon the arrival of a specific
+ response message as detailed above.
+
+11.4.1. Server Dance
+
+ The server dance begins when the client sends an ASSOC request to the
+ server. The clock is updated when PREV is lit and the dance ends
+ when LEAP is lit. In this dance, the autokey values are not used, so
+ an autokey exchange is not necessary. Note that the SIGN and LEAP
+ requests are not issued until the client has synchronized to a
+ proventic source. Subsequent packets without extension fields are
+ validated by the autokey sequence. This example and others assumes
+ the IFF identity scheme has been selected in the parameter exchange.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 34]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+1 while (1) {
+2 wait_for_next_poll;
+3 make_NTP_header;
+4 if (response_ready)
+5 send_response;
+6 if (!ENB) /* parameter exchange */
+7 ASSOC_request;
+8 else if (!CERT) /* certificate exchange */
+9 CERT_request(Host_Name);
+10 else if (!IFF) /* identity exchange */
+11 IFF_challenge;
+12 else if (!COOK) /* cookie exchange */
+13 COOKIE_request;
+14 else if (!SYNC) /* wait for synchronization */
+15 continue;
+16 else if (!SIGN) /* sign exchange */
+17 SIGN_request(Host_Certificate);
+18 else if (!LEAP) /* leapsecond values exchange */
+19 LEAP_request;
+20 send packet;
+21 }
+
+ Figure 9: Server Dance
+
+ If the server refreshes the private seed, the cookie becomes invalid.
+ The server responds to an invalid cookie with a crypto-NAK message,
+ which causes the client to restart the protocol from the beginning.
+
+11.4.2. Broadcast Dance
+
+ The broadcast dance is similar to the server dance with the cookie
+ exchange replaced by the autokey values exchange. The broadcast
+ dance begins when the client receives a broadcast packet including an
+ ASSOC response with the server association ID. This mobilizes a
+ client association in order to proventicate the source and calibrate
+ the propagation delay. The dance ends when the LEAP bit is lit,
+ after which the client sends no further packets. Normally, the
+ broadcast server includes an ASSOC response in each transmitted
+ packet. However, when the server generates a new key list, it
+ includes an AUTO response instead.
+
+ In the broadcast dance, extension fields are used with every packet,
+ so the cookie is always zero and no cookie exchange is necessary. As
+ in the server dance, the clock is updated when PREV is lit and the
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 35]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ dance ends when LEAP is lit. Note that the SIGN and LEAP requests
+ are not issued until the client has synchronized to a proventic
+ source. Subsequent packets without extension fields are validated by
+ the autokey sequence.
+1 while (1) {
+2 wait_for_next_poll;
+3 make_NTP_header;
+4 if (response_ready)
+5 send_response;
+6 if (!ENB) /* parameters exchange */
+7 ASSOC_request;
+8 else if (!CERT) /* certificate exchange */
+9 CERT_request(Host_Name);
+10 else if (!IFF) /* identity exchange */
+11 IFF_challenge;
+12 else if (!AUT) /* autokey values exchange */
+13 AUTO_request;
+14 else if (!SYNC) /* wait for synchronization */
+15 continue;
+16 else if (!SIGN) /* sign exchange */
+17 SIGN_request(Host_Certificate);
+18 else if (!LEAP) /* leapsecond values exchange */
+19 LEAP_request;
+20 send NTP_packet;
+21 }
+
+ Figure 10: Broadcast Dance
+
+ If a packet is lost and the autokey sequence is broken, the client
+ hashes the current autokey until either it matches the previous
+ autokey or the number of hashes exceeds the count given in the
+ autokey values. If the latter, the client sends an AUTO request to
+ retrieve the autokey values. If the client receives a crypto-NAK
+ during the dance, or if the association ID changes, the client
+ restarts the protocol from the beginning.
+
+11.4.3. Symmetric Dance
+
+ The symmetric dance is intricately choreographed. It begins when the
+ active peer sends an ASSOC request to the passive peer. The passive
+ peer mobilizes an association and both peers step a three-way dance
+ where each peer completes a parameter exchange with the other. Until
+ one of the peers has synchronized to a proventic source (which could
+ be the other peer) and can sign messages, the other peer loops
+ waiting for a valid timestamp in the ensuing CERT response.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 36]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+1 while (1) {
+2 wait_for_next_poll;
+3 make_NTP_header;
+4 if (!ENB) /* parameters exchange */
+5 ASSOC_request;
+6 else if (!CERT) /* certificate exchange */
+7 CERT_request(Host_Name);
+8 else if (!IFF) /* identity exchange */
+9 IFF_challenge;
+10 else if (!COOK && PEER) /* cookie exchange */
+11 COOKIE_request);
+12 else if (!AUTO) /* autokey values exchange */
+13 AUTO_request;
+14 else if (LIST) /* autokey values response */
+15 AUTO_response;
+16 else if (!SYNC) /* wait for synchronization */
+17 continue;
+18 else if (!SIGN) /* sign exchange */
+19 SIGN_request;
+20 else if (!LEAP) /* leapsecond values exchange */
+21 LEAP_request;
+22 send NTP_packet;
+23 }
+
+ Figure 11: Symmetric Dance
+
+ Once a peer has synchronized to a proventic source, it includes
+ timestamped signatures in its messages. The other peer, which has
+ been stalled waiting for valid timestamps, now mates the dance. It
+ retrieves the now nonzero cookie using a cookie exchange and then the
+ updated autokey values using an autokey exchange.
+
+ As in the broadcast dance, if a packet is lost and the autokey
+ sequence broken, the peer hashes the current autokey until either it
+ matches the previous autokey or the number of hashes exceeds the
+ count given in the autokey values. If the latter, the client sends
+ an AUTO request to retrieve the autokey values. If the peer receives
+ a crypto-NAK during the dance, or if the association ID changes, the
+ peer restarts the protocol from the beginning.
+
+11.5. Error Recovery
+
+ The Autokey protocol state machine includes provisions for various
+ kinds of error conditions that can arise due to missing files,
+ corrupted data, protocol violations, and packet loss or misorder, not
+ to mention hostile intrusion. This section describes how the
+ protocol responds to reachability and timeout events that can occur
+ due to such errors.
+
+
+
+Haberman & Mills Informational [Page 37]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ A persistent NTP association is mobilized by an entry in the
+ configuration file, while an ephemeral association is mobilized upon
+ the arrival of a broadcast or symmetric active packet with no
+ matching association. Subsequently, a general reset reinitializes
+ all association variables to the initial state when first mobilized.
+ In addition, if the association is ephemeral, the association is
+ demobilized and all resources acquired are returned to the system.
+
+ Every NTP association has two variables that maintain the liveness
+ state of the protocol, the 8-bit reach register and the unreach
+ counter defined in [RFC5905]. At every poll interval, the reach
+ register is shifted left, the low order bit is dimmed and the high
+ order bit is lost. At the same time, the unreach counter is
+ incremented by one. If an arriving packet passes all authentication
+ and sanity checks, the rightmost bit of the reach register is lit and
+ the unreach counter is set to zero. If any bit in the reach register
+ is lit, the server is reachable; otherwise, it is unreachable.
+
+ When the first poll is sent from an association, the reach register
+ and unreach counter are set to zero. If the unreach counter reaches
+ 16, the poll interval is doubled. In addition, if association is
+ persistent, it is demobilized. This reduces the network load for
+ packets that are unlikely to elicit a response.
+
+ At each state in the protocol, the client expects a particular
+ response from the server. A request is included in the NTP packet
+ sent at each poll interval until a valid response is received or a
+ general reset occurs, in which case the protocol restarts from the
+ beginning. A general reset also occurs for an association when an
+ unrecoverable protocol error occurs. A general reset occurs for all
+ associations when the system clock is first synchronized or the clock
+ is stepped or when the server seed is refreshed.
+
+ There are special cases designed to quickly respond to broken
+ associations, such as when a server restarts or refreshes keys.
+ Since the client cookie is invalidated, the server rejects the next
+ client request and returns a crypto-NAK packet. Since the crypto-NAK
+ has no MAC, the problem for the client is to determine whether it is
+ legitimate or the result of intruder mischief. In order to reduce
+ the vulnerability in such cases, the crypto-NAK, as well as all
+ responses, is believed only if the result of a previous packet sent
+ by the client and not a replay, as confirmed by the NTP on-wire
+ protocol. While this defense can be easily circumvented by a man-in-
+ the-middle, it does deflect other kinds of intruder warfare.
+
+ There are a number of situations where some event happens that causes
+ the remaining autokeys on the key list to become invalid. When one
+ of these situations happens, the key list and associated autokeys in
+
+
+
+Haberman & Mills Informational [Page 38]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ the key cache are purged. A new key list, signature, and timestamp
+ are generated when the next NTP message is sent, assuming there is
+ one. The following is a list of these situations:
+
+ 1. When the cookie value changes for any reason.
+
+ 2. When the poll interval is changed. In this case, the calculated
+ expiration times for the keys become invalid.
+
+ 3. If a problem is detected when an entry is fetched from the key
+ list. This could happen if the key was marked non-trusted or
+ timed out, either of which implies a software bug.
+
+12. Security Considerations
+
+ This section discusses the most obvious security vulnerabilities in
+ the various Autokey dances. In the following discussion, the
+ cryptographic algorithms and private values themselves are assumed
+ secure; that is, a brute force cryptanalytic attack will not reveal
+ the host private key, sign private key, cookie value, identity
+ parameters, server seed or autokey seed. In addition, an intruder
+ will not be able to predict random generator values.
+
+12.1. Protocol Vulnerability
+
+ While the protocol has not been subjected to a formal analysis, a few
+ preliminary assertions can be made. In the client/server and
+ symmetric dances, the underlying NTP on-wire protocol is resistant to
+ lost, duplicate, and bogus packets, even if the clock is not
+ synchronized, so the protocol is not vulnerable to a wiretapper
+ attack. The on-wire protocol is resistant to replays of both the
+ client request packet and the server reply packet. A man-in-the-
+ middle attack, even if it could simulate a valid cookie, could not
+ prove identity.
+
+ In the broadcast dance, the client begins with a volley in client/
+ server mode to obtain the autokey values and signature, so has the
+ same protection as in that mode. When continuing in receive-only
+ mode, a wiretapper cannot produce a key list with valid signed
+ autokey values. If it replays an old packet, the client will reject
+ it by the timestamp check. The most it can do is manufacture a
+ future packet causing clients to repeat the autokey hash operations
+ until exceeding the maximum key number. If this happens the
+ broadcast client temporarily reverts to client mode to refresh the
+ autokey values.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 39]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ By assumption, a man-in-the-middle attacker that intercepts a packet
+ cannot break the wire or delay an intercepted packet. If this
+ assumption is removed, the middleman could intercept a broadcast
+ packet and replace the data and message digest without detection by
+ the clients.
+
+ As mentioned previously in this memo, the TC identity scheme is
+ vulnerable to a man-in-the-middle attack where an intruder could
+ create a bogus certificate trail. To foil this kind of attack,
+ either the PC, IFF, GQ, or MV identity schemes must be used.
+
+ A client instantiates cryptographic variables only if the server is
+ synchronized to a proventic source. A server does not sign values or
+ generate cryptographic data files unless synchronized to a proventic
+ source. This raises an interesting issue: how does a client generate
+ proventic cryptographic files before it has ever been synchronized to
+ a proventic source? (Who shaves the barber if the barber shaves
+ everybody in town who does not shave himself?) In principle, this
+ paradox is resolved by assuming the primary (stratum 1) servers are
+ proventicated by external phenomenological means.
+
+12.2. Clogging Vulnerability
+
+ A self-induced clogging incident cannot happen, since signatures are
+ computed only when the data have changed and the data do not change
+ very often. For instance, the autokey values are signed only when
+ the key list is regenerated, which happens about once an hour, while
+ the public values are signed only when one of them is updated during
+ a dance or the server seed is refreshed, which happens about once per
+ day.
+
+ There are two clogging vulnerabilities exposed in the protocol
+ design: an encryption attack where the intruder hopes to clog the
+ victim server with needless cryptographic calculations, and a
+ decryption attack where the intruder attempts to clog the victim
+ client with needless cryptographic calculations. Autokey uses public
+ key cryptography and the algorithms that perform these functions
+ consume significant resources.
+
+ In client/server and peer dances, an encryption hazard exists when a
+ wiretapper replays prior cookie request messages at speed. There is
+ no obvious way to deflect such attacks, as the server retains no
+ state between requests. Replays of cookie request or response
+ messages are detected and discarded by the client on-wire protocol.
+
+ In broadcast mode, a decryption hazard exists when a wiretapper
+ replays autokey response messages at speed. Once synchronized to a
+ proventic source, a legitimate extension field with timestamp the
+
+
+
+Haberman & Mills Informational [Page 40]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ same as or earlier than the most recently received of that type is
+ immediately discarded. This foils a man-in-the-middle cut-and-paste
+ attack using an earlier response, for example. A legitimate
+ extension field with timestamp in the future is unlikely, as that
+ would require predicting the autokey sequence. However, this causes
+ the client to refresh and verify the autokey values and signature.
+
+ A determined attacker can destabilize the on-wire protocol or an
+ Autokey dance in various ways by replaying old messages before the
+ client or peer has synchronized for the first time. For instance,
+ replaying an old symmetric mode message before the peers have
+ synchronize will prevent the peers from ever synchronizing.
+ Replaying out of order Autokey messages in any mode during a dance
+ could prevent the dance from ever completing. There is nothing new
+ in these kinds of attack; a similar vulnerability even exists in TCP.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 41]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+13. IANA Consideration
+
+ The IANA has added the following entries to the NTP Extensions Field
+ Types registry:
+
+ +------------+------------------------------------------+
+ | Field Type | Meaning |
+ +------------+------------------------------------------+
+ | 0x0002 | No-Operation Request |
+ | 0x8002 | No-Operation Response |
+ | 0xC002 | No-Operation Error Response |
+ | 0x0102 | Association Message Request |
+ | 0x8102 | Association Message Response |
+ | 0xC102 | Association Message Error Response |
+ | 0x0202 | Certificate Message Request |
+ | 0x8202 | Certificate Message Response |
+ | 0xC202 | Certificate Message Error Response |
+ | 0x0302 | Cookie Message Request |
+ | 0x8302 | Cookie Message Response |
+ | 0xC302 | Cookie Message Error Response |
+ | 0x0402 | Autokey Message Request |
+ | 0x8402 | Autokey Message Response |
+ | 0xC402 | Autokey Message Error Response |
+ | 0x0502 | Leapseconds Value Message Request |
+ | 0x8502 | Leapseconds Value Message Response |
+ | 0xC502 | Leapseconds Value Message Error Response |
+ | 0x0602 | Sign Message Request |
+ | 0x8602 | Sign Message Response |
+ | 0xC602 | Sign Message Error Response |
+ | 0x0702 | IFF Identity Message Request |
+ | 0x8702 | IFF Identity Message Response |
+ | 0xC702 | IFF Identity Message Error Response |
+ | 0x0802 | GQ Identity Message Request |
+ | 0x8802 | GQ Identity Message Response |
+ | 0xC802 | GQ Identity Message Error Response |
+ | 0x0902 | MV Identity Message Request |
+ | 0x8902 | MV Identity Message Response |
+ | 0xC902 | MV Identity Message Error Response |
+ +------------+------------------------------------------+
+
+14. References
+
+14.1. Normative References
+
+ [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
+ "Network Time Protocol Version 4: Protocol and Algorithms
+ Specification", RFC 5905, June 2010.
+
+
+
+
+Haberman & Mills Informational [Page 42]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+14.2. Informative References
+
+ [DASBUCH] Mills, D., "Computer Network Time Synchronization - the
+ Network Time Protocol", 2006.
+
+ [GUILLOU] Guillou, L. and J. Quisquatar, "A "paradoxical" identity-
+ based signature scheme resulting from zero-knowledge",
+ 1990.
+
+ [MV] Mu, Y. and V. Varadharajan, "Robust and secure
+ broadcasting", 2001.
+
+ [RFC1305] Mills, D., "Network Time Protocol (Version 3)
+ Specification, Implementation", RFC 1305, March 1992.
+
+ [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol",
+ RFC 2412, November 1998.
+
+ [RFC2522] Karn, P. and W. Simpson, "Photuris: Session-Key Management
+ Protocol", RFC 2522, March 1999.
+
+ [RFC2875] Prafullchandra, H. and J. Schaad, "Diffie-Hellman Proof-
+ of-Possession Algorithms", RFC 2875, July 2000.
+
+ [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
+ Identifiers for the Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 3279, April 2002.
+
+ [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen,
+ "Internet X.509 Public Key Infrastructure Certificate
+ Management Protocol (CMP)", RFC 4210, September 2005.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
+ December 2005.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
+ RFC 4303, December 2005.
+
+ [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
+ RFC 4306, December 2005.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, May 2008.
+
+
+
+
+
+Haberman & Mills Informational [Page 43]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ [SCHNORR] Schnorr, C., "Efficient signature generation for smart
+ cards", 1991.
+
+ [STINSON] Stinson, D., "Cryptography - Theory and Practice", 1995.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 44]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+Appendix A. Timestamps, Filestamps, and Partial Ordering
+
+ When the host starts, it reads the host key and host certificate
+ files, which are required for continued operation. It also reads the
+ sign key and leapseconds values, when available. When reading these
+ files, the host checks the file formats and filestamps for validity;
+ for instance, all filestamps must be later than the time the UTC
+ timescale was established in 1972 and the certificate filestamp must
+ not be earlier than its associated sign key filestamp. At the time
+ the files are read, the host is not synchronized, so it cannot
+ determine whether the filestamps are bogus other than by using these
+ simple checks. It must not produce filestamps or timestamps until
+ synchronized to a proventic source.
+
+ In the following, the relation A --> B is Lamport's "happens before"
+ relation, which is true if event A happens before event B. When
+ timestamps are compared to timestamps, the relation is false if A
+ <--> B; that is, false if the events are simultaneous. For
+ timestamps compared to filestamps and filestamps compared to
+ filestamps, the relation is true if A <--> B. Note that the current
+ time plays no part in these assertions except in (6) below; however,
+ the NTP protocol itself ensures a correct partial ordering for all
+ current time values.
+
+ The following assertions apply to all relevant responses:
+
+ 1. The client saves the most recent timestamp T0 and filestamp F0
+ for the respective signature type. For every received message
+ carrying timestamp T1 and filestamp F1, the message is discarded
+ unless T0 --> T1 and F0 --> F1. The requirement that T0 --> T1
+ is the primary defense against replays of old messages.
+
+ 2. For timestamp T and filestamp F, F --> T; that is, the filestamp
+ must happen before the timestamp. If not, this could be due to a
+ file generation error or a significant error in the system clock
+ time.
+
+ 3. For sign key filestamp S, certificate filestamp C, cookie
+ timestamp D and autokey timestamp A, S --> C --> D --> A; that
+ is, the autokey must be generated after the cookie, the cookie
+ after the certificate, and the certificate after the sign key.
+
+ 4. For sign key filestamp S and certificate filestamp C specifying
+ begin time B and end time E, S --> C--> B --> E; that is, the
+ valid period must not be retroactive.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 45]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ 5. A certificate for subject S signed by issuer I and with filestamp
+ C1 obsoletes, but does not necessarily invalidate, another
+ certificate with the same subject and issuer but with filestamp
+ C0, where C0 --> C1.
+
+ 6. A certificate with begin time B and end time E is invalid and
+ cannot be used to verify signatures if t --> B or E --> t, where
+ t is the current proventic time. Note that the public key
+ previously extracted from the certificate continues to be valid
+ for an indefinite time. This raises the interesting possibility
+ where a truechimer server with expired certificate or a
+ falseticker with valid certificate are not detected until the
+ client has synchronized to a proventic source.
+
+Appendix B. Identity Schemes
+
+ There are five identity schemes in the NTPv4 reference
+ implementation: (1) private certificate (PC), (2) trusted certificate
+ (TC), (3) a modified Schnorr algorithm (IFF - Identify Friend or
+ Foe), (4) a modified Guillou-Quisquater (GQ) algorithm, and (5) a
+ modified Mu-Varadharajan (MV) algorithm.
+
+ The PC scheme is intended for testing and development and not
+ recommended for general use. The TC scheme uses a certificate trail,
+ but not an identity scheme. The IFF, GQ, and MV identity schemes use
+ a cryptographically strong challenge-response exchange where an
+ intruder cannot learn the group key, even after repeated observations
+ of multiple exchanges. These schemes begin when the client sends a
+ nonce to the server, which then rolls its own nonce, performs a
+ mathematical operation and sends the results to the client. The
+ client performs a second mathematical operation to prove the server
+ has the same group key as the client.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 46]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+Appendix C. Private Certificate (PC) Scheme
+
+ The PC scheme shown in Figure 12 uses a private certificate as the
+ group key.
+
+ Trusted
+ Authority
+ Secure +-------------+ Secure
+ +--------------| Certificate |-------------+
+ | +-------------+ |
+ | |
+ \|/ \|/
+ +-------------+ +-------------+
+ | Certificate | | Certificate |
+ +-------------+ +-------------+
+ Server Client
+
+ Figure 12: Private Certificate (PC) Identity Scheme
+
+ A certificate is designated private when the X.509v3 Extended Key
+ Usage extension field is present and contains "Private". The private
+ certificate is distributed to all other group members by secret
+ means, so in fact becomes a symmetric key. Private certificates are
+ also trusted, so there is no need for a certificate trail or identity
+ scheme.
+
+Appendix D. Trusted Certificate (TC) Scheme
+
+ All other schemes involve a conventional certificate trail as shown
+ in Figure 13.
+ Trusted
+ Host Host Host
+ +-----------+ +-----------+ +-----------+
+ +--->| Subject | +--->| Subject | +--->| Subject |
+ | +-----------+ | +-----------+ | +-----------+
+ ...---+ | Issuer |---+ | Issuer |---+ | Issuer |
+ +-----------+ +-----------+ +-----------+
+ | Signature | | Signature | | Signature |
+ +-----------+ +-----------+ +-----------+
+
+ Figure 13: Trusted Certificate (TC) Identity Scheme
+
+ As described in RFC 4210 [RFC4210], each certificate is signed by an
+ issuer one step closer to the trusted host, which has a self-signed
+ trusted certificate. A certificate is designated trusted when an
+ X.509v3 Extended Key Usage extension field is present and contains
+ "trustRoot". If no identity scheme is specified in the parameter
+ exchange, this is the default scheme.
+
+
+
+Haberman & Mills Informational [Page 47]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+Appendix E. Schnorr (IFF) Identity Scheme
+
+ The IFF scheme is useful when the group key is concealed, so that
+ client keys need not be protected. The primary disadvantage is that
+ when the server key is refreshed all hosts must update the client
+ key. The scheme shown in Figure 14 involves a set of public
+ parameters and a group key including both private and public
+ components. The public component is the client key.
+
+ Trusted
+ Authority
+ +------------+
+ | Parameters |
+ Secure +------------+ Insecure
+ +-------------| Group Key |-----------+
+ | +------------+ |
+ \|/ \|/
+ +------------+ Challenge +------------+
+ | Parameters |<------------------------| Parameters |
+ +------------+ +------------+
+ | Group Key |------------------------>| Client Key |
+ +------------+ Response +------------+
+ Server Client
+
+ Figure 14: Schnorr (IFF) Identity Scheme
+
+ By happy coincidence, the mathematical principles on which IFF is
+ based are similar to DSA. The scheme is a modification an algorithm
+ described in [SCHNORR] and [STINSON] (p. 285). The parameters are
+ generated by routines in the OpenSSL library, but only the moduli p,
+ q and generator g are used. The p is a 512-bit prime, g a generator
+ of the multiplicative group Z_p* and q a 160-bit prime that divides
+ (p-1) and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA
+ rolls a private random group key b (0 < b < q), then computes public
+ client key v = g^(q-b) mod p. The TA distributes (p, q, g, b) to all
+ servers using secure means and (p, q, g, v) to all clients not
+ necessarily using secure means.
+
+ The TA hides IFF parameters and keys in an OpenSSL DSA cuckoo
+ structure. The IFF parameters are identical to the DSA parameters,
+ so the OpenSSL library can be used directly. The structure shown in
+ Figure 15 is written to a file as a DSA private key encoded in PEM.
+ Unused structure members are set to one.
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 48]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ +----------------------------------+-------------+
+ | IFF | DSA | Item | Include |
+ +=========+==========+=============+=============+
+ | p | p | modulus | all |
+ +---------+----------+-------------+-------------+
+ | q | q | modulus | all |
+ +---------+----------+-------------+-------------+
+ | g | g | generator | all |
+ +---------+----------+-------------+-------------+
+ | b | priv_key | group key | server |
+ +---------+----------+-------------+-------------+
+ | v | pub_key | client key | client |
+ +---------+----------+-------------+-------------+
+
+ Figure 15: IFF Identity Scheme Structure
+
+ Alice challenges Bob to confirm identity using the following protocol
+ exchange.
+
+ 1. Alice rolls random r (0 < r < q) and sends to Bob.
+
+ 2. Bob rolls random k (0 < k < q), computes y = k + br mod q and x =
+ g^k mod p, then sends (y, hash(x)) to Alice.
+
+ 3. Alice computes z = g^y * v^r mod p and verifies hash(z) equals
+ hash(x).
+
+ If the hashes match, Alice knows that Bob has the group key b.
+ Besides making the response shorter, the hash makes it effectively
+ impossible for an intruder to solve for b by observing a number of
+ these messages. The signed response binds this knowledge to Bob's
+ private key and the public key previously received in his
+ certificate.
+
+Appendix F. Guillard-Quisquater (GQ) Identity Scheme
+
+ The GQ scheme is useful when the server key must be refreshed from
+ time to time without changing the group key. The NTP utility
+ programs include the GQ client key in the X.509v3 Subject Key
+ Identifier extension field. The primary disadvantage of the scheme
+ is that the group key must be protected in both the server and
+ client. A secondary disadvantage is that when a server key is
+ refreshed, old extension fields no longer work. The scheme shown in
+ Figure 16 involves a set of public parameters and a group key used to
+ generate private server keys and client keys.
+
+
+
+
+
+
+Haberman & Mills Informational [Page 49]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ Trusted
+ Authority
+ +------------+
+ | Parameters |
+ Secure +------------+ Secure
+ +-------------| Group Key |-----------+
+ | +------------+ |
+ \|/ \|/
+ +------------+ Challenge +------------+
+ | Parameters |<------------------------| Parameters |
+ +------------+ +------------+
+ | Group Key | | Group Key |
+ +------------+ Response +------------+
+ | Server Key |------------------------>| Client Key |
+ +------------+ +------------+
+ Server Client
+
+ Figure 16: Schnorr (IFF) Identity Scheme
+
+ By happy coincidence, the mathematical principles on which GQ is
+ based are similar to RSA. The scheme is a modification of an
+ algorithm described in [GUILLOU] and [STINSON] (p. 300) (with
+ errors). The parameters are generated by routines in the OpenSSL
+ library, but only the moduli p and q are used. The 512-bit public
+ modulus is n=pq, where p and q are secret large primes. The TA rolls
+ random large prime b (0 < b < n) and distributes (n, b) to all group
+ servers and clients using secure means, since an intruder in
+ possession of these values could impersonate a legitimate server.
+ The private server key and public client key are constructed later.
+
+ The TA hides GQ parameters and keys in an OpenSSL RSA cuckoo
+ structure. The GQ parameters are identical to the RSA parameters, so
+ the OpenSSL library can be used directly. When generating a
+ certificate, the server rolls random server key u (0 < u < n) and
+ client key its inverse obscured by the group key v = (u^-1)^b mod n.
+ These values replace the private and public keys normally generated
+ by the RSA scheme. The client key is conveyed in a X.509 certificate
+ extension. The updated GQ structure shown in Figure 17 is written as
+ an RSA private key encoded in PEM. Unused structure members are set
+ to one.
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 50]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ +---------------------------------+-------------+
+ | GQ | RSA | Item | Include |
+ +=========+==========+============+=============+
+ | n | n | modulus | all |
+ +---------+----------+------------+-------------+
+ | b | e | group key | all |
+ +---------+----------+------------+-------------+
+ | u | p | server key | server |
+ +---------+----------+------------+-------------+
+ | v | q | client key | client |
+ +---------+----------+------------+-------------+
+
+ Figure 17: GQ Identity Scheme Structure
+
+ Alice challenges Bob to confirm identity using the following
+ exchange.
+
+ 1. Alice rolls random r (0 < r < n) and sends to Bob.
+
+ 2. Bob rolls random k (0 < k < n) and computes y = ku^r mod n and x
+ = k^b mod n, then sends (y, hash(x)) to Alice.
+
+ 3. Alice computes z = (v^r)*(y^b) mod n and verifies hash(z) equals
+ hash(x).
+
+ If the hashes match, Alice knows that Bob has the corresponding
+ server key u. Besides making the response shorter, the hash makes it
+ effectively impossible for an intruder to solve for u by observing a
+ number of these messages. The signed response binds this knowledge
+ to Bob's private key and the client key previously received in his
+ certificate.
+
+Appendix G. Mu-Varadharajan (MV) Identity Scheme
+
+ The MV scheme is perhaps the most interesting and flexible of the
+ three challenge/response schemes, but is devilishly complicated. It
+ is most useful when a small number of servers provide synchronization
+ to a large client population where there might be considerable risk
+ of compromise between and among the servers and clients. The client
+ population can be partitioned into a modest number of subgroups, each
+ associated with an individual client key.
+
+ The TA generates an intricate cryptosystem involving encryption and
+ decryption keys, together with a number of activation keys and
+ associated client keys. The TA can activate and revoke individual
+ client keys without changing the client keys themselves. The TA
+ provides to the servers an encryption key E, and partial decryption
+ keys g-bar and g-hat which depend on the activated keys. The servers
+
+
+
+Haberman & Mills Informational [Page 51]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ have no additional information and, in particular, cannot masquerade
+ as a TA. In addition, the TA provides to each client j individual
+ partial decryption keys x-bar_j and x-hat_j, which do not need to be
+ changed if the TA activates or deactivates any client key. The
+ clients have no further information and, in particular, cannot
+ masquerade as a server or TA.
+
+ The scheme uses an encryption algorithm similar to El Gamal
+ cryptography and a polynomial formed from the expansion of product
+ terms (x-x_1)(x-x_2)(x-x_3)...(x-x_n), as described in [MV]. The
+ paper has significant errors and serious omissions. The cryptosystem
+ is constructed so that, for every encryption key E its inverse is
+ (g-bar^x-hat_j)(g-hat^x-bar_j) mod p for every j. This remains true
+ if both quantities are raised to the power k mod p. The difficulty
+ in finding E is equivalent to the discrete log problem.
+
+ The scheme is shown in Figure 18. The TA generates the parameters,
+ group key, server keys, and client keys, one for each client, all of
+ which must be protected to prevent theft of service. Note that only
+ the TA has the group key, which is not known to either the servers or
+ clients. In this sense, the MV scheme is a zero-knowledge proof.
+
+ Trusted
+ Authority
+ +------------+
+ | Parameters |
+ +------------+
+ | Group Key |
+ +------------+
+ | Server Key |
+ Secure +------------+ Secure
+ +-------------| Client Key |-----------+
+ | +------------+ |
+ \|/ \|/
+ +------------+ Challenge +------------+
+ | Parameters |<------------------------| Parameters |
+ +------------+ +------------+
+ | Server Key |------------------------>| Client Key |
+ +------------+ Response +------------+
+ Server Client
+
+ Figure 18: Mu-Varadharajan (MV) Identity Scheme
+
+ The TA hides MV parameters and keys in OpenSSL DSA cuckoo structures.
+ The MV parameters are identical to the DSA parameters, so the OpenSSL
+ library can be used directly. The structure shown in the figures
+ below are written to files as a the fkey encoded in PEM. Unused
+ structure members are set to one. The Figure 19 shows the data
+
+
+
+Haberman & Mills Informational [Page 52]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ structure used by the servers, while Figure 20 shows the client data
+ structure associated with each activation key.
+
+ +---------------------------------+-------------+
+ | MV | DSA | Item | Include |
+ +=========+==========+============+=============+
+ | p | p | modulus | all |
+ +---------+----------+------------+-------------+
+ | q | q | modulus | server |
+ +---------+----------+------------+-------------+
+ | E | g | private | server |
+ | | | encrypt | |
+ +---------+----------+------------+-------------+
+ | g-bar | priv_key | public | server |
+ | | | decrypt | |
+ +---------+----------+------------+-------------+
+ | g-hat | pub_key | public | server |
+ | | | decrypt | |
+ +---------+----------+------------+-------------+
+
+ Figure 19: MV Scheme Server Structure
+
+
+ +---------------------------------+-------------+
+ | MV | DSA | Item | Include |
+ +=========+==========+============+=============+
+ | p | p | modulus | all |
+ +---------+----------+------------+-------------+
+ | x-bar_j | priv_key | public | client |
+ | | | decrypt | |
+ +---------+----------+------------+-------------+
+ | x-hat_j | pub_key | public | client |
+ | | | decrypt | |
+ +---------+----------+------------+-------------+
+
+ Figure 20: MV Scheme Client Structure
+
+ The devil is in the details, which are beyond the scope of this memo.
+ The steps in generating the cryptosystem activating the keys and
+ generating the partial decryption keys are in [DASBUCH] (page 170
+ ff).
+
+ Alice challenges Bob to confirm identity using the following
+ exchange.
+
+ 1. Alice rolls random r (0 < r < q) and sends to Bob.
+
+
+
+
+
+Haberman & Mills Informational [Page 53]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ 2. Bob rolls random k (0 < k < q) and computes the session
+ encryption key E-prime = E^k mod p and partial decryption keys
+ g-bar-prime = g-bar^k mod p and g-hat-prime = g-hat^k mod p. He
+ encrypts x = E-prime * r mod p and sends (x, g-bar-prime, g-hat-
+ prime) to Alice.
+
+ 3. Alice computes the session decryption key E^-1 = (g-bar-prime)^x-
+ hat_j (g-hat-prime)^x-bar_j mod p and verifies that r = E^-1 x.
+
+Appendix H. ASN.1 Encoding Rules
+
+ Certain value fields in request and response messages contain data
+ encoded in ASN.1 distinguished encoding rules (DER). The BNF grammar
+ for each encoding rule is given below along with the OpenSSL routine
+ used for the encoding in the reference implementation. The object
+ identifiers for the encryption algorithms and message digest/
+ signature encryption schemes are specified in [RFC3279]. The
+ particular algorithms required for conformance are not specified in
+ this memo.
+
+Appendix I. COOKIE Request, IFF Response, GQ Response, MV Response
+
+ The value field of the COOKIE request message contains a sequence of
+ two integers (n, e) encoded by the i2d_RSAPublicKey() routine in the
+ OpenSSL distribution. In the request, n is the RSA modulus in bits
+ and e is the public exponent.
+
+ RSAPublicKey ::= SEQUENCE {
+ n ::= INTEGER,
+ e ::= INTEGER
+ }
+
+ The IFF and GQ responses contain a sequence of two integers (r, s)
+ encoded by the i2d_DSA_SIG() routine in the OpenSSL distribution. In
+ the responses, r is the challenge response and s is the hash of the
+ private value.
+
+ DSAPublicKey ::= SEQUENCE {
+ r ::= INTEGER,
+ s ::= INTEGER
+ }
+
+ The MV response contains a sequence of three integers (p, q, g)
+ encoded by the i2d_DSAparams() routine in the OpenSSL library. In
+ the response, p is the hash of the encrypted challenge value and (q,
+ g) is the client portion of the decryption key.
+
+
+
+
+
+Haberman & Mills Informational [Page 54]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ DSAparameters ::= SEQUENCE {
+ p ::= INTEGER,
+ q ::= INTEGER,
+ g ::= INTEGER
+ }
+
+Appendix J. Certificates
+
+ Certificate extension fields are used to convey information used by
+ the identity schemes. While the semantics of these fields generally
+ conform with conventional usage, there are subtle variations. The
+ fields used by Autokey version 2 include:
+
+ o Basic Constraints. This field defines the basic functions of the
+ certificate. It contains the string "critical,CA:TRUE", which
+ means the field must be interpreted and the associated private key
+ can be used to sign other certificates. While included for
+ compatibility, Autokey makes no use of this field.
+
+ o Key Usage. This field defines the intended use of the public key
+ contained in the certificate. It contains the string
+ "digitalSignature,keyCertSign", which means the contained public
+ key can be used to verify signatures on data and other
+ certificates. While included for compatibility, Autokey makes no
+ use of this field.
+
+ o Extended Key Usage. This field further refines the intended use
+ of the public key contained in the certificate and is present only
+ in self-signed certificates. It contains the string "Private" if
+ the certificate is designated private or the string "trustRoot" if
+ it is designated trusted. A private certificate is always
+ trusted.
+
+ o Subject Key Identifier. This field contains the client identity
+ key used in the GQ identity scheme. It is present only if the GQ
+ scheme is in use.
+
+ The value field contains an X.509v3 certificate encoded by the
+ i2d_X509() routine in the OpenSSL distribution. The encoding follows
+ the rules stated in [RFC5280], including the use of X.509v3 extension
+ fields.
+
+ Certificate ::= SEQUENCE {
+ tbsCertificate TBSCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING
+ }
+
+
+
+
+Haberman & Mills Informational [Page 55]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ The signatureAlgorithm is the object identifier of the message
+ digest/signature encryption scheme used to sign the certificate. The
+ signatureValue is computed by the certificate issuer using this
+ algorithm and the issuer private key.
+
+ TBSCertificate ::= SEQUENCE {
+ version EXPLICIT v3(2),
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ extensions EXPLICIT Extensions OPTIONAL
+ }
+
+ The serialNumber is an integer guaranteed to be unique for the
+ generating host. The reference implementation uses the NTP seconds
+ when the certificate was generated. The signature is the object
+ identifier of the message digest/signature encryption scheme used to
+ sign the certificate. It must be identical to the
+ signatureAlgorithm.
+
+ CertificateSerialNumber
+ SET { ::= INTEGER
+ Validity ::= SEQUENCE {
+ notBefore UTCTime,
+ notAfter UTCTime
+ }
+ }
+
+ The notBefore and notAfter define the period of validity as defined
+ in Appendix B.
+
+ SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING
+ }
+
+ The AlgorithmIdentifier specifies the encryption algorithm for the
+ subject public key. The subjectPublicKey is the public key of the
+ subject.
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 56]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING
+ }
+
+ SET {
+ Name ::= SEQUENCE {
+ OBJECT IDENTIFIER commonName
+ PrintableString HostName
+ }
+ }
+
+ For trusted host certificates, the subject and issuer HostName is the
+ NTP name of the group, while for all other host certificates the
+ subject and issuer HostName is the NTP name of the host. In the
+ reference implementation, if these names are not explicitly
+ specified, they default to the string returned by the Unix
+ gethostname() routine (trailing NUL removed). For other than self-
+ signed certificates, the issuer HostName is the unique DNS name of
+ the host signing the certificate.
+
+ It should be noted that the Autokey protocol itself has no provisions
+ to revoke certificates. The reference implementation is purposely
+ restarted about once a week, leading to the regeneration of the
+ certificate and a restart of the Autokey protocol. This restart is
+ not enforced for the Autokey protocol but rather for NTP
+ functionality reasons.
+
+ Each group host operates with only one certificate at a time and
+ constructs a trail by induction. Since the group configuration must
+ form an acyclic graph, with roots at the trusted hosts, it does not
+ matter which, of possibly several, signed certificates is used. The
+ reference implementation chooses a single certificate and operates
+ with only that certificate until the protocol is restarted.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 57]
+
+RFC 5906 NTPv4 Autokey June 2010
+
+
+Authors' Addresses
+
+ Brian Haberman (editor)
+ The Johns Hopkins University Applied Physics Laboratory
+ 11100 Johns Hopkins Road
+ Laurel, MD 20723-6099
+ US
+
+ Phone: +1 443 778 1319
+ EMail: brian@innovationslab.net
+
+
+ Dr. David L. Mills
+ University of Delaware
+ Newark, DE 19716
+ US
+
+ Phone: +1 302 831 8247
+ EMail: mills@udel.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Haberman & Mills Informational [Page 58]
+