[ntp:questions] Re: Cryptography

Ulrich Windl Ulrich.Windl at RZ.Uni-Regensburg.DE
Tue Feb 3 11:55:08 UTC 2004


Dale,

If I got you right, you want some Bx to provide the time it got from
some Ay authentically. That means Bx can only pass the time message
unmodified. So Bx would be just a packet store and distribute rather
than a time server. If Bx sends its own packets (with its own time),
Bx must either lie about the authenticity of its packets regarding Ay,
or you must trust Bx.

Did I overlook something?

Regards,
Ulrich

Dale Worley <worley at dragon.ariadne.com> writes:

> I'm toying with the following concept.  I'm not sure how one could
> implement it; on the other hand, I can't prove that it cannot be
> implemented.  But it might make operating the global NTP network in a
> secure way easier than it is now.  And what with the cleverness of
> what has been done already (e.g., the autokey system), who am I to say
> that this concept is impossible?  (Indeed, it may already have been
> done.  Oops.)
> 
> The current system for distributing time is something like this:
> There is a stratum 1 server, A.  There are several stratum 2 servers,
> B1, B2, B3, etc. that receive time from A.  Then for each stratum 2
> server, there are several stratum 3 servers, C1, C2, etc. that take
> time from it.
> 
> This system has the advantage that the information from the expensive,
> reliable time sources used by the stratum 1 servers is distributed to
> a very large number of stratum 3 and higher servers, without burdening
> any one server with too many clients.  (A consideration which can be
> important, given that we want to support several billion systems.)
> 
> The current approach to making this system secure is to establish a
> relationship of trust between each server-client pair:  A to B1, A to
> B2, etc., and B1 to C1, B1 to C2, etc.  (Glossing over some details.)
> 
> Fortunately, a server doesn't need to trust its client, so public-key
> methods can be used:  If A can securely publish an appropriate key,
> then B1, B2, etc. can trust A without A needing to specifically
> configure information about them.
> 
> This is still quite a management problem, and inserting and removing
> intermediate stratum servers requires a lot of reconfiguration of
> their subordinates.
> 
> Is it possible to do better than this?  Is it possible that C1, C2,
> etc. need only trust A, while still using B1, etc. as distribution
> conduits for time information?
> 
> If this could be done, managing secure time would be much easier --
> all that would need to be done is publish a relatively small database
> of trusted public stratum 1 servers and their keys.  Every ISP,
> business, etc. could then maintain stratum 2, 3, and higher servers
> without any particular concern for the security of intermediate
> servers because each "leaf" NTP server could validate the time
> information it was getting back to the stratum 1 server.
> 
> Something like this may not be as impossible as it seems.  Consider
> that if a stratum 1 server distributes a public-key-signed message
> saying "It is now 12:32."  That message can be distributed outward
> through the tree of NTP servers, and each leaf server can verify that
> the message is secure, without having to trust any of the intermediate
> servers.  (Of course, that message only proves that the real time is
> after 12:32, but it shows that we can solve "half" the problem.  Can
> we solve the other half?)
> 
> Dale
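
Added example (not part of either message, and not NTP or Autokey code): the signed "It is now 12:32." idea from the quoted message, with a relay Bx between A and a leaf C. A hash-based Lamport one-time signature stands in for the public-key signature so the block needs only the Python standard library; the message format and all function names are assumptions.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. Each key may sign only ONE message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for i, (bit, s) in enumerate(zip(digest_bits(msg), sig)))

def to_min(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def leaf_receive(pk_a, msg: bytes, sig, true_now: str):
    # Leaf C. None means "not signed by A". Otherwise: the clock error in
    # minutes C would have after setting its clock from msg (C cannot see it).
    if not verify(pk_a, msg, sig):
        return None
    return to_min(true_now) - to_min(msg.decode())

def demo():
    sk_a, pk_a = keygen()   # A publishes pk_a; C is configured with it
    msg = b"12:32"          # constructed sample: "It is now 12:32."
    sig = sign(sk_a, msg)
    return {
        # Bx forwards the packet unmodified and at once: accepted, no error.
        "forwarded": leaf_receive(pk_a, msg, sig, "12:32"),
        # Bx sends its own (even correct) time with A's signature: rejected.
        "rewritten": leaf_receive(pk_a, b"12:50", sig, "12:50"),
        # Bx holds the packet 18 minutes: still accepted, C is 18 minutes slow.
        "delayed": leaf_receive(pk_a, msg, sig, "12:50"),
    }
```

The "delayed" case is the unsolved half: the signature shows only that the true time is at or after 12:32.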


