[ntp:questions] SSL time request

Danny Mayer mayer at ntp.org
Sat May 21 22:18:45 UTC 2011


On 5/19/2011 12:06 PM, Kevin Coulombe wrote:
> Hi,
> 
> I'm looking into producing a 15 days demonstration version of an application
> for a client. I'm considering the use of an internet clock to validate this
> demo's duration, but a simple http request would be too easy to hack.
> 
> Is there any way to request time in a secure manner such as an SSL
> connection. What I need is to validate that we are actually communicating
> with the "real" time server and that the message isn't tampered with.
> 

The proper way to do this with NTP is to use the autokey protocol which
will authenticate the servers. Note that the basic way that NTP works is
to use 3 or more NTP servers which allows it to select only consistent
truechimers and that are close enough to each other timewise that it can
choose one of them to synch to. It is actually quite hard to tamper with
an NTP packet and have it not be noticed, mainly because it does not
rely on a single NTP server. Add autokey for each of the servers and
just about nothing can be tampered with.

Note that SSL is *not* secure when it comes to time since the SSL
certificate is in turn dependent on time. The autokey protocol deals
with that issue.

Danny




More information about the questions mailing list