[ntp:questions] NTP autokey and the "private certificate" scheme

Stephane lasagni stephanelasagni at hotmail.com
Wed Dec 20 09:00:58 UTC 2017

Hi Dave,

Thank you for your quick reply! yes the autokey protocol is not very new...:)

I am looking at how to make NTP more secure for an industrial product that my company is developing. We have identified the autokey protocol as the best solution available today. I had heard there was some work going on to define some new security proposals in the future but the milestones we have to deliver our product don’t allow us to wait for these new security proposals unfortunately! I know the autokey protocol has some weaknesses but this is OK to us as a first step (we are doing it step by step so we accept the fact it might not be perfect at first and implementing autokey is still better than not having any NTP security implemented at all!).

Coming back to the “private certificate” scheme, we considered it at first because we thought the principle was close to what we will need to do in order to secure other protocols that our product will support (HTTPS notably with the TLS security protocol): for TLS, we will need indeed to store TA certificates containing the TA public key in order to be able to identify whether the public key given by the server is a known public key coming from an independent TA. We could use the same TA certificate for both the NTP (as a private certificate) and TLS protocol since they use the same format: X.509. But when looking at the NTP autokey documentation, I am not sure the TA certiifcate of the TLS protocol corresponds to the "private certificate" of the NTP autokey protocol. Do you remember by any chance what this private certificate contains exactly (contain the public key that will be used to encrypt/decrypt the cookie? Or is it still the job of the auto-signed certificate? ) and how it is used in the autokey protocol?

Thanks again for your help!

Best regards


De : David L. Mills <mills at udel.edu>
Envoyé : mardi 19 décembre 2017 21:40
À : Stephane lasagni
Cc : questions at lists.ntp.org
Objet : Re: [ntp:questions] NTP autokey and the "private certificate" scheme

Stephane lasagni wrote:

>I apologize in advance if my questions further below seem basic to some of you: I am very new to NTP and Cybersecurity (a whole new world for me!). I am trying to work out out NTP autokey works when using the “private certificate” scheme, I thought you might be able to help me to understand it better. I know this scheme is not recommended by RFC 5906 (only for testing purposes). However in my application, this scheme could be appropriate. I think I understood how the other schemes (TC, IFF,..) worked but for some reasons I’m struggling to understand the “private certificate” scheme. I have the following questions (which I numbered to make the reading easier):
>1.       I understand the “private certificate” scheme is not recommended for general use (only for testing and development) only because, with this scheme, it is difficult to renew the certificate for all hosts in a secure way, is it correct?
>I understand that the TA (Trusted Authority) generates this private certificate off-line (signed by the TA) and provides it in a secure way to all hosts of the NTP group but what I am struggling to understand is what this private certificate contains exactly and how it is used:
>2.       Does the private certificate replace the self-signed certificate which is generated by each host at the beginning of the protocol? ie each host knows they can use the public key in that certificate (and the associated private key : see question 3) for the cookie encryption/de-encryption, etc..?
>3.       If answer to question 2 is yes, does it mean that, in addition with the certificate, the TA has to provide each host with the associated private key which goes with the public key of the certificate?
>4.       If answer to question 3 is no, does it mean each host has 2 certificates: the self-signed non-trusted certificate generated at the beginning of protocol + the private certificate? How the private certificate is then used exactly?
>5.       From RFC 5906, I understand that in case the private certificate scheme is used, then the certificate trail and the identification steps are not necessary. What about the SIGN exchange? The SIGN exchange only has sense with a non-trusted self-signed certificate so this brings me back to the previous questions
>6.       Last question (beginner lever I think...sorry!) and I am sure I probably forgot some 😊: what does this private certificate contain in terms of subject name (the issuer is clearly the TA but is the subject name exactly the same for all hosts, ie the certificate is identical for all hosts? maybe it does not matter?) and how long is it valid for (1 year by default I guess which makes this scheme difficult to use in practice for the reasons given above?)?
>Thank you very much in advance for your help!
> Best regards
>questions mailing list
>questions at lists.ntp.org
questions Info Page - Network Time Protocol<http://lists.ntp.org/listinfo/questions>
This is a mailing list that has been set up for people who are new to NTP to ask questions. It is gatewayed to the USENET newsgroup comp.protocols.time.ntp, and is ...


Golly. You are the first person in 20 years to have asked about the
private certificate scheme.  Frankly, I don't remember all the tiny
details you mentioned.  However, the Autokey scheme is about to be
replaced by  new security proposals, so it is probably better to wait
until the dust clears.


More information about the questions mailing list