[ntpwg] Autokey-Protocol Analysis

Stephen Röttger s.roettger at tu-bs.de
Tue Aug 2 20:11:55 UTC 2011

Hello everyone,

Since the discussion about the Autokey-Protocol in June ended abruptly,
we want to inform you, that we finished our analysis of the protocol and
found several weaknesses, that render it completely useless.
Our analysis is in German, but if you are interested in it, we can
summarize the weaknesses for you.

In addition, we came up with some changes to the protocol, that mitigate
the vulnerabilities and would like to present you a revised
The changes are:

-Use the Clients Public Key used for cookie-encryption as input to the
cookie calculation. For example, calculate the Cookie as
  C = H(PubKey, ServerSeed).

-Change the length of Cookie and Server Seed from 32 to 128 bit.

-Replace the Identity Schemes with a common X.509 PKI, where the Clients
are in possession of certificates of Trusted Authorities

-Let the Signature included in extension fields cover the whole NTP-packet

-(optional) use HMAC for MAC-calculation and switch the used
Hash-Algorithms to SHA-256

Dieter Sibold and Stephen Röttger

More information about the ntpwg mailing list