[ntp:hackers] Information needed in providing server's public key to client in secured NTPv4

Hal Murray hmurray at megapathdsl.net
Mon Aug 3 05:00:28 UTC 2009

Chandramohan.ba at siemens.com said:
> Client sends its public key and signature in COOKIE request. Server
> verifies the client's signature, sends COOKIE and its signature to the
> client in COOKIE response Now client has to verify server's signature
> and for this it needs server's public key. How is this information
> (server's public key) provided to the client? 

The magic word is "out of band".  How you get it is outside the NTP protocol.

Email is probably good enough.  If somebody was going to slip you the wrong 
key, they would have to intercept the mail from your clock source, substitute 
the bogus key, make it work long enough to fool you, and then use it before 
you noticed a problem.

You might find it on a web site.

If you don't trust that, you can use registered (postal) mail.  (That assumes 
the people providing the time and key will go through that effort.)  Or send 
a courier to their office...

You could use PGP or GnuPG, but that's the same problem all over again.

These are my opinions, not necessarily my employer's.  I hate spam.

More information about the hackers mailing list