[ntp:questions] SSL time request

Chris Albertson albertson.chris at gmail.com
Sun May 22 04:37:21 UTC 2011


On Sat, May 21, 2011 at 9:07 PM, Danny Mayer <mayer at ntp.org> wrote:

> That does not make a lot of sense. Putting an NTP server into your own
> code would be an extremely difficult thing to do.

No, not that hard given that NTP source code is available.  Just way
too much work.  And not needed.

The problem to be solved here is NOT setting a clock.  The demo
software needs to stop working after 90 days.  He is looking for a
secure way to know that a certain number of days has passed.  Looking at
the local clock is not going to work because the user could simply
re-set it to 90 days in the past.   Using NTP to set the clock is no
help either because the program could not know if the local clock is
being set by NTP.

What the OP is looking for is a way for a program to know the time and
date to within a few hours in a secure way that cannot be spoofed.
I still think he could ask his own server using SSL.
>
> As I said before SSL depends on accurate time in the first place so you
> cannot use it for verifying time.

He really does not need to verify time.  He only needs to know the date.
He does not want to discipline the clock.  He only needs to know that
90 days have gone by.  Accuracy requirement is "about an hour" more or
less.  "Time" is good enough for that.
>
>
> Having access to the source code is unlikely unless it is publicly
> available which is rather unlikely and if the attacker can get in to
> patch the software

He does not have to "get in" to the computer.  In this case he owns
the computer and already has full access.  He would not need source
code.  If I were doing this hack I'd use a machine level debugger and
single step the program to find the conditional branch that needed to
be patched.   In this case the "hacker" owns the computer and wants to
modify the program so it will not expire after 90 days.  I claim this
is easy to do.  Not by most people.    I doubt there is any way to
make this 100% secure, not if your user knows what a machine level
debugger is.
-- 
=====
Chris Albertson
Redondo Beach, California
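
An added example, not part of the original message: a sketch of the trial check discussed above, where the program takes the date from the vendor's own server instead of the local clock. So that it runs offline, an Ed25519-signed reply bound to a fresh nonce stands in for the SSL connection; the function names, the key pair, the message layout and the install date are all assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const trialLength = 90 * 24 * time.Hour

// newDemoKey makes a constructed key pair; a real program would ship only the public half.
func newDemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// serverReply plays the hypothetical vendor server: it signs nonce || its own Unix time.
func serverReply(priv ed25519.PrivateKey, nonce []byte, now time.Time) (msg, sig []byte) {
	msg = make([]byte, len(nonce)+8)
	copy(msg, nonce)
	binary.BigEndian.PutUint64(msg[len(nonce):], uint64(now.Unix()))
	return msg, ed25519.Sign(priv, msg)
}

// trialExpired uses only the signed server time, never the local clock, and
// fails closed (reports expired) when the reply cannot be trusted.
func trialExpired(pinned ed25519.PublicKey, nonce, msg, sig []byte, installed time.Time) (bool, error) {
	if len(msg) != len(nonce)+8 || !ed25519.Verify(pinned, msg, sig) {
		return true, errors.New("time reply not signed by the pinned server key")
	}
	if !bytes.Equal(msg[:len(nonce)], nonce) {
		return true, errors.New("nonce mismatch: replayed or stale reply")
	}
	serverNow := time.Unix(int64(binary.BigEndian.Uint64(msg[len(nonce):])), 0)
	return serverNow.Sub(installed) > trialLength, nil
}

func main() {
	pub, priv := newDemoKey()
	installed := time.Date(2011, 1, 1, 0, 0, 0, 0, time.UTC) // constructed install date
	nonce := make([]byte, 16)
	rand.Read(nonce) // fresh per request, so an old reply cannot be replayed
	msg, sig := serverReply(priv, nonce, installed.Add(100*24*time.Hour))
	fmt.Println(trialExpired(pub, nonce, msg, sig, installed))
}
```

This closes the clock-reset and replay routes only; the comparison itself still runs on the user's machine, which is the limit the message describes.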


