[ntp:questions] Re: Secure W32Time

David Woolley david at djwhome.demon.co.uk
Tue Mar 21 21:24:32 UTC 2006


In article <MRYTf.329576$1G5.10382386 at phobos.telenet-ops.be>,
Patrice Renard <Renard.Dehenau at telenet.be> wrote:

> What do you mean with "If you wish to use NTP Authentication you must obtain 
> the Identity

The impression I get is that you understand security issues sufficiently
poorly that you will not be able to make a system secure without 
employing (paid) outside consultants.  Security is not something that
can be done without understanding - a lot of users of e-commerce systems
could actually be sending their account details to almost anyone because
they don't understand how SSL works and nor does the e-commerce site
operator.

One key point to remember is that you need to understand what sorts
of attacks you are protecting against.

> Scheme Parameters (e.g. the IFF Public Key) from each time server with which 
> you wish to have an authenticated association."?
> How can I receive the IFF Public Key from a public time server?

Firstly you need to find public servers that are prepared to give you
public keys - I doubt that there are many.  Then you have to treat them
like any other public key material, i.e. transfer them over a trusted,
but not necessarily secure, channel.  If the server has an associated
https web site and you obtained your browser via a trusted channel
and trust the organisation that countersigned their SSL certificate,
you might just be able to get it over the web, but typical transport
mechanisms for key material include the use of courier services.

I'm not sure if NTP transmits the public key itself, but if it does, 
you might be able to compromise and take it on trust that you are 
initially talking to the right server then use the key to confirm that
the situation hasn't changed, but that is always a risky procedure when
security really matters.



