[ntp:questions] Cryptography

Dale Worley worley at dragon.ariadne.com
Tue Dec 9 15:02:58 UTC 2003


I'm toying with the following concept.  I'm not sure how one could
implement it; on the other hand, I can't prove that it cannot be
implemented.  But it might make operating the global NTP network in a
secure way easier than it is now.  And what with the cleverness of
what has been done already (e.g., the autokey system), who am I to say
that this concept is impossible?  (Indeed, it may already have been
done.  Oops.)

The current system for distributing time is something like this:
There is a stratum 1 server, A.  There are several stratum 2 servers,
B1, B2, B3, etc. that receive time from A.  Then for each stratum 2
server, there are several stratum 3 servers, C1, C2, etc. that take
time from it.

This system has the advantage that the information from the expensive,
reliable time sources used by the stratum 1 servers is distributed to
a very large number of stratum 3 and higher servers, without burdening
any one server with too many clients.  (A consideration which can be
important, given that we want to support several billion systems.)

The current approach to making this system secure is to establish a
relationship of trust between each server-client pair:  A to B1, A to
B2, etc., and B1 to C1, B1 to C2, etc.  (Glossing over some details.)

Fortunately, a server doesn't need to trust its client, so public-key
methods can be used:  If A can securely publish an appropriate key,
then B1, B2, etc. can trust A without A needing to specifically
configure information about them.

This is still quite a management problem, and inserting and removing
intermediate stratum servers requires a lot of reconfiguration of
their subordinates.

Is it possible to do better than this?  Is it possible that C1, C2,
etc. need only trust A, while still using B1, etc. as distribution
conduits for time information?

If this could be done, managing secure time would be much easier --
all that would need to be done is publish a relatively small database
of trusted public stratum 1 servers and their keys.  Every ISP,
business, etc. could then maintain stratum 2, 3, and higher servers
without any particular concern for the security of intermediate
servers because each "leaf" NTP server could validate the time
information it was getting back to the stratum 1 server.

Something like this may not be as impossible as it seems.  Consider
that if a stratum 1 server distributes a public-key-signed message
saying "It is now 12:32", that message can be distributed outward
through the tree of NTP servers, and each leaf server can verify that
the message is secure, without having to trust any of the intermediate
servers.  (Of course, that message only proves that the real time is
after 12:32, but it shows that we can solve "half" the problem.  Can
we solve the other half?)

Dale
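
The signed-message idea from the post, as an added example that is not part of the original message: a leaf rejects a relay's alteration but cannot notice a relay's delay, which is the "half" the post says is solved. Ed25519, the 8-byte encoding and the names `Stamp` and `LowerBound` are assumptions, since the post names no signature scheme or wire format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedTime is server A's statement "it is now T" with A's signature.
// Ed25519 is an assumed choice; the post does not name a scheme.
type SignedTime struct {
	UnixNano int64
	Sig      []byte
}

func encode(t int64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(t))
	return b
}

// Stamp runs on the stratum 1 server A, the only holder of the private key.
func Stamp(priv ed25519.PrivateKey, now time.Time) SignedTime {
	t := now.UnixNano()
	return SignedTime{t, ed25519.Sign(priv, encode(t))}
}

// LowerBound runs on a leaf that trusts only A's public key, not the relays.
// Success proves the true time is at or after the result, nothing more.
func LowerBound(pub ed25519.PublicKey, m SignedTime) (time.Time, error) {
	if !ed25519.Verify(pub, encode(m.UnixNano), m.Sig) {
		return time.Time{}, errors.New("signature check failed")
	}
	return time.Unix(0, m.UnixNano), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	at := time.Date(2003, 12, 9, 12, 32, 0, 0, time.UTC) // constructed sample
	msg := Stamp(priv, at)
	forged := msg // relay B1 rewrites the time: the leaf detects it
	forged.UnixNano += int64(time.Hour)
	_, err := LowerBound(pub, forged)
	fmt.Println("altered by relay:", err)
	// relay B1 holds the genuine message arbitrarily long: still verifies
	lb, err := LowerBound(pub, msg)
	fmt.Println("delayed by relay:", lb.UTC(), err)
}
```

The second call succeeds no matter how long the relay waited before forwarding, so the signature alone gives the leaf no upper bound on the current time.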


