[ntp:hackers] A stop-gap authenticated time service
stenn at ntp.org
Mon Nov 16 02:50:54 UTC 2015
Terje Mathisen writes:
> Hal Murray wrote:
>>> (This obviously requires pool.ntp.org to support DNSSEC!)
>> I think DNSSEC requires time. Is anybody who understands this area
>> willing to explain it to me/us?
> DNSSEC does require time, at (approximately?) the same accuracy as
> Kerberos, i.e. 5 min.
Certificates are good for a period of time.
> This means two things:
> a) Secure NTP servers cannot use DNSSEC services to pick up all their
> sources; they must have at least one source which is a local refclock or
> IP only. Alternatively you fall back on DNS only and leave an opening
> for an attacker to MITM you.
Yes, and there are other scenarios as well.
This goes to "monitor your ntpd instances".
> b) DNSSEC servers likewise need to have at least one local
> (refclock/IP-only) NTP reference in order to be able to verify their
> local clocks before they can serve authenticated data.
See above, and also think about what should happen when the time is
>> Does the full-blown HTTPS stuff depend upon knowing the time?
> Obviously not, with the widely varying times phk is seeing, but in order
> for the server certificate to be valid, the server time has at least to
> be somewhere within the validity period for said certificate, and
> keeping the clock at least approximately correct is a requirement for
> any server which runs Kerberos for local authentication, which is
> probably a very significant subset.
Certainly for Windows environments that use AD.
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!
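As an added illustration of point (a) in the thread (this is not code from the thread or from the NTP project), a small audit that checks whether an ntp.conf has at least one time source that does not depend on DNS, i.e. a refclock or an IP literal. The configuration lines it checks are constructed samples; the refclock unit and the 192.0.2.10 address are placeholders.

```python
"""Check an ntp.conf for at least one DNS-independent time source
(a 127.127.t.u refclock or an IP-literal server), the bootstrap
requirement described in point (a). Sample configs are constructed."""
import ipaddress

# ntp.conf keywords that introduce a time source.
SOURCE_KEYWORDS = {"server", "peer", "pool"}


def classify_source(address: str) -> str:
    """Return 'refclock', 'ip' or 'dns' for one server/peer/pool address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "dns"  # not a literal, so name resolution is required
    # ntpd refclock pseudo-addresses have the form 127.127.<type>.<unit>
    if ip.version == 4 and str(ip).startswith("127.127."):
        return "refclock"
    return "ip"


def audit_ntp_conf(text: str) -> dict:
    """Count sources per class and report whether a DNS-independent
    source (refclock or IP literal) is configured."""
    counts = {"refclock": 0, "ip": 0, "dns": 0}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] not in SOURCE_KEYWORDS or len(parts) < 2:
            continue
        counts[classify_source(parts[1])] += 1
    counts["bootstrap_ok"] = (counts["refclock"] + counts["ip"]) > 0
    return counts


# Constructed sample: pool names only, every source needs DNS first.
DNS_ONLY_CONF = """\
driftfile /var/lib/ntp/ntp.drift
pool 0.pool.ntp.org iburst   # resolved through DNS
pool 1.pool.ntp.org iburst
"""

# Constructed sample adding a refclock and an IP-literal server.
MIXED_CONF = DNS_ONLY_CONF + """\
server 127.127.20.0 mode 1   # NMEA refclock, hypothetical unit
server 192.0.2.10 iburst     # RFC 5737 documentation address
"""

if __name__ == "__main__":
    for name, conf in (("dns-only", DNS_ONLY_CONF), ("mixed", MIXED_CONF)):
        print(name, audit_ntp_conf(conf))
```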