[ntp:questions] using IFF, GQ, MV keys for authentication at the same time

Steve Kostecke kostecke at ntp.org
Thu Jan 23 04:13:42 UTC 2014

On 2014-01-22, ardi <peter.knezel at gmail.com> wrote:

> Is it possible to generate and use all types of authentication keys
> (IFF,GQ,MV) at the same time on ntp server and client ? Will usage of
> all these keys give more secure protection than usage of only one type
> of them?

tl,dr: no.

Autokey is an NTP authentication system which allows an ntpd to verify
the identify of the ntpd answering its polls. To put it another way,
Autokey authenticates the server to the client.

>From http://www.eecis.udel.edu/~mills/autokey.html

"The Autokey security model is based on multiple overlapping security
compartments or groups. Each group is assigned a group key by a trusted
authority and is then deployed to all group members by secure means.
Autokey uses conventional IPSEC certificate trails to provide secure
host authentication, but this does not provide protection against
masquerade, unless the host identity is verified by other means. Autokey
includes a suite of identity verification schemes based in part on
zero-knowledge proofs. There are five schemes now implemented to prove
identity: (1) private certificates (PC), (2) trusted certificates (TC),
(3) a modified Schnorr algorithm (IFF aka Identify Friendly or Foe), (4)
a modified Guillou-Quisquater algorithm (GQ), and (5) a modified
Mu-Varadharajan algorithm (MV). These are described on the Identity
Schemes page."

>From http://www.eecis.udel.edu/~mills/ident.html

"Each of the five schemes is intended for specific use."

"The PC scheme is intended for one-way broadcast configurations where
clients cannot run a duplex protocol."

"The IFF scheme is intended for servers operated by national

"The GQ scheme is intended for exceptionally hostile scenarios where it
is necessary to change the client key at relatively frequent intervals."

"The MV scheme is intended for the most challenging scenarios where it
is neccesary to protect against both server and client masquerade."

More at the above URLs and:


Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/

More information about the questions mailing list