[ntp:questions] Re: Secure W32Time

Patrice Renard Renard.Dehenau at telenet.be
Tue Mar 21 06:59:15 UTC 2006

Dear Richard,

Yesterday I received a mail with a possible solution for configuring Autokey with NTP version 4.2.0b (see http://ntp.isc.org/Support/ConfiguringAutokey).

But I have some trouble configuring Autokey on my Windows machine.

When I use ntp-keygen on my test server, it creates 2 files:
  - C:\WINDOWS\system32\drivers\etc\ntpkey_cert_wdmcswxp001
  - C:\WINDOWS\system32\drivers\etc\ntpkey_host_wdmcswxp001
Does the ntpd service use these 2 files to transmit secure NTP packets to the public time servers?
I generated a crypto file from the website https://ntp.isc.org/crypto.php. The file size is 0 KB and it contains nothing. Is that correct?

NTP.log file:
20 Mar 23:39:11 ntpd.exe[4412]: logging to file C:\Program Files\NTP\etc\ntp.log 
20 Mar 23:39:11 ntpd.exe[4412]: precision = 0.798 usec 
20 Mar 23:39:11 ntpd.exe[4412]: Listening on interface wildcard, Disabled 
20 Mar 23:39:11 ntpd.exe[4412]: Listening on interface IP Interface 1, Enabled 
20 Mar 23:39:11 ntpd.exe[4412]: Listening on interface Loopback Interface 2, Enabled 
20 Mar 23:39:11 ntpd.exe[4412]: frequency initialized 10.211 PPM from C:\Program Files\NTP\etc\ntp.drift 
20 Mar 23:39:11 ntpd.exe[4412]: frequency initialized 10.211 PPM from C:\Program Files\NTP\etc\ntp.drift 
20 Mar 23:39:11 ntpd.exe[4412]: crypto_key error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
20 Mar 23:39:11 ntpd.exe[4412]: crypto_setup: host key file ntpkey_host_wdmcswxp001 not found or corrupt
20 Mar 23:39:11 ntpd.exe[4412]: The Network Time Protocol Service has stopped.

NTP.conf file:
# NTP Network Time Protocol
# Configuration File created by Windows Binary Distribution Installer Rev.: 1.16  mbg
# please check http://www.ntp.org for additional documentation and background information
crypto pw Cindy33Patrice keysdir "C:\Windows\System32\Drivers\etc"

# Use drift file 
driftfile "C:\Program Files\NTP\etc\ntp.drift"

# your local system clock, should be used as a backup
# (this is only useful if you need to distribute time no matter how good or bad it is)
# but it operates at a high stratum level to let the clients know and force them to
# use any other timesource they may have.
#fudge stratum 12

# Use a NTP server from the ntp pool project (see http://www.pool.ntp.org)
# Please note that you need at least four different servers to be at least protected against
# one falseticker. If you only rely on internet time, it is highly recommended to add
# additional servers here. 
# The 'iburst' keyword speeds up initial synchronization, please check the documentation for more details!
 server be.pool.ntp.org autokey
 server nl.pool.ntp.org autokey
 server fr.pool.ntp.org autokey

# End of generated ntp.conf --- Please edit this to suit your needs

What's wrong with my configuration? Can you help me?



"Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message news:tdidnQnEPZ8np4LZnZ2dnUVZ_tmdnZ2d at comcast.com...
> news.telenet.be wrote:
>> Dear Dr. Mills
>> I installed the NTP version 4.2.0 from the meinberg.de website. This time 
>> synchronization service works fine on a test server. Thank you David for your 
>> reply.
>> Unfortunately, I didn't find information about the configuration of a secure 
>> connection to the public time servers with ESP, AH or MD5. You suggest on 
>> the website of the University of Delaware to use the Autokey security 
>> Architecture, Protocol and Algorithms 
>> (http://www.eecis.udel.edu/~mills/database/reports/stime1/stime.pdf).
>> But I'm a bit confused about Autokey! How do I use this application with the 
>> NTP version 4.2.0 for Windows to transmit secure NTP requests to the public 
>> time servers? Where can I find this application?
>> Best regards,
>> Patrice
> I think you may misunderstand Autokey security.
> All that Autokey, or any of the other encryption systems, does for you is 
> authenticate the server to the client.  It gives you some assurance that 
> the server sending the packet really is who he claims to be.  The packet 
> has an encrypted signature.  Anybody can read the request packet and 
> anybody can read the reply packet.  After all, there is nothing secret 
> about the correct time, your IP address, the server's IP address, etc.
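The authentication-only property Richard describes above, shown with NTP's symmetric-key MD5 mechanism (the MD5 option Patrice mentions, configured in ntpd with `keys`/`trustedkey`) rather than with Autokey. This is an added example in Python, not code from the thread or from the ntp.org project: the ntp.keys contents, the key IDs 10 and 20 and the timestamp are constructed for the example. It builds a client request, appends the MAC ntpd uses for MD5 keys (32-bit key ID followed by MD5 over key || 48-byte header, per RFC 1305/5905), and verifies it the way a server with a trusted-key list would.

```python
"""Symmetric-key NTP authentication: sign a request, verify it, show what stays readable.

Added example, not code from the thread or from the ntp.org project. Key file
contents, key IDs and the timestamp below are constructed for the example.
"""
import hashlib
import hmac
import struct

# Constructed sample ntp.keys contents: "<keyid> <type> <key>". Type M = MD5;
# the key is literal ASCII, or 40 hex digits for a 20-byte binary key.
SAMPLE_KEYS_FILE = """\
# keyid type key
10 M  Cindy33Example
20 M  anotherkeyhere
"""

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                 # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01


def parse_keys_file(text):
    """Parse ntp.keys lines into {keyid: key_bytes}; skips comments and non-MD5 types."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "M":
            continue
        keyid, key = int(parts[0]), parts[2]
        if len(key) == 40 and all(c in "0123456789abcdefABCDEF" for c in key):
            keys[keyid] = bytes.fromhex(key)
        else:
            keys[keyid] = key.encode("ascii")
    return keys


def build_client_request(transmit_unix_time):
    """48-byte NTP header: LI=0, VN=4, Mode=3 (client), only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time - int(transmit_unix_time)) * (1 << 32))
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference ID
    fixed = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    # reference, origin and receive timestamps are zero in a fresh client request
    return fixed + b"\0" * 24 + struct.pack("!II", secs, frac)


def compute_mac(keyid, key, header):
    """ntpd's MD5 MAC: 4-byte key ID, then MD5 over (key || header)."""
    return struct.pack("!I", keyid) + hashlib.md5(key + header).digest()


def sign_packet(header, keyid, keys):
    """Client side: append the MAC computed with the shared key for keyid."""
    return header + compute_mac(keyid, keys[keyid], header)


def verify_packet(packet, trusted_keys):
    """Server side. Returns (ok, keyid); unknown IDs and wrong digests are rejected."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in trusted_keys:
        return False, keyid
    expected = hashlib.md5(trusted_keys[keyid] + header).digest()
    # constant-time compare so the check cannot be timed byte by byte
    return hmac.compare_digest(expected, mac[4:]), keyid


def transmit_time_of(packet):
    """The header is plaintext: anyone on the path can read the transmit timestamp."""
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


if __name__ == "__main__":
    keys = parse_keys_file(SAMPLE_KEYS_FILE)
    pkt = sign_packet(build_client_request(1142924351.5), 10, keys)
    print("readable transmit time:", transmit_time_of(pkt))
    print("genuine packet verifies:", verify_packet(pkt, keys))
    tampered = pkt[:47] + bytes([pkt[47] ^ 1]) + pkt[48:]
    print("tampered packet verifies:", verify_packet(tampered, keys))
```

Everything before the 20-byte trailer is readable by anyone on the path, which is the point of the reply above: the MAC only proves the packet came from a holder of the shared key and was not altered. On the Autokey side of the thread, one caveat from ntpd's own documentation: the `crypto pw` value in ntp.conf has to be the password the host key file was encrypted with, i.e. the `-p` argument given to ntp-keygen (the host name by default); a mismatch is reported by OpenSSL as a bad decrypt when ntpd tries to read the host key.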
