[ntp:hackers] A stop-gap authenticated time service

Poul-Henning Kamp phk at phk.freebsd.dk
Tue Nov 10 07:58:05 UTC 2015

In message <5641443B.2040808 at rubidium.dyndns.org>, Magnus Danielson writes:

>The problem is really not with RTT, it's actually the only sane value 
>you can get.
>As I said, it's good to have multiple methods, and this is one to 
>contribute, but there is limits to how much magic you get from any of them.

The "magic" isn't magic, but simply that I know the contents hasn't
been tampered with.

The only variable left for the attacker to tamper with is the RTT
which I can reliably measure and thus detect said tampering.

This is where Judahs observation comes in:  If we detect somebody
f**ks with our measurements, we can stop kicking our clock.

If the clock was already suitably disciplined, it will take days
before the accumulated phase error becomes prohibitive, and that
is plenty of time to raise an alarm where it matters.

And if we cannot get a good reliable time estimate during startup,
we can fail startup if time is that critical.

In total this eliminates all the "drive-by" attacks on your time.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the hackers mailing list