
Datum TYMSERVE 2000 User Manual

APPENDIX B
NTP AUTHENTICATION
B.0 GENERAL
NTP authentication provides a mechanism which allows an NTP client to ensure that the timestamp
received has come from a trusted source and has not been modified in transit. We have extended
the authentication mechanism so that it can also be used to deny service to those clients who
submit NTP timestamp requests without valid authentication information. The NTP protocol
includes space for two variables related to authentication: an authentication key identifier field
and a cryptochecksum field.
B.1 AUTHENTICATION MECHANISM
The mechanism used to generate the authentication data must be shared by both the client and
the server. The popular public domain implementation of NTP, known as xntp, allows for the use
of either DES (Data Encryption Standard) or MD5 (Message Digest version 5). Due to export
restrictions on cryptographic techniques, the TS2000 supports only the MD5
algorithm. MD5 provides an adequate level of security for NTP transmissions.

MD5 is a one-way hash function which processes the input data and produces 128 bits (16 bytes)
of hash value. This cryptochecksum is then placed in the packet. Since the data itself is not
encrypted, anyone could theoretically capture the packet, modify the data and put a new
cryptochecksum into the packet. What makes the cryptochecksum secure is that a mutually
agreed-upon secret key is loaded into the MD5 algorithm before the NTP data is loaded. This
produces a cryptochecksum which cannot be reproduced without knowledge of the secret key.
B.2 PROGRAMMING AND STORAGE OF KEY IDENTIFIER/KEY PAIR
The TS2000 allows for the programming and storage of one key identifier/key pair. Although it
is possible to have over 4 billion keys, one is sufficient for the TS2000 as it only has 1 level of
access, requesting timestamps. While there is only 1 key identifier/key pair, the key identifier
itself can have any value from 1 to 4,294,967,296. The format of the MD5 secret key is based on
the approach taken by the public domain xntp package. The key is an 8-character alphanumeric
string. This key identifier/key pair is stored in a flash EPROM and need only be programmed from
the front panel once.
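
The keyed checksum described in B.1 and the key identifier/key pair from B.2, as an added example that is not part of the original manual or the TS2000 firmware. It assumes the standard NTP layout (48-byte header, then a 4-byte key identifier, then the 16-byte MD5 cryptochecksum); the header bytes, key identifier and key value are constructed samples.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # NTP header without extension fields (assumed standard layout)
DIGEST_LEN = 16   # MD5 produces 128 bits (16 bytes)


def build_authenticated_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the key identifier and cryptochecksum fields to an NTP header."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    # The secret key is loaded into MD5 first, then the NTP data.
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, key_id: int, key: bytes) -> bool:
    """Accept a packet only if it carries the expected key id and checksum."""
    if len(packet) != HEADER_LEN + 4 + DIGEST_LEN:
        return False  # no authentication fields: treated as unauthenticated
    header = packet[:HEADER_LEN]
    (got_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    if got_id != key_id:
        return False
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


# Constructed sample: a client request (LI=0, VN=3, Mode=3) with a dummy
# transmit timestamp in the last 8 bytes; every other field is zero.
SAMPLE_HEADER = bytes([0x1B]) + bytes(39) + bytes.fromhex("e8a1b2c3d4e5f607")
SAMPLE_KEY_ID = 1              # constructed; the manual allows one stored pair
SAMPLE_KEY = b"tymserve"       # constructed 8-character alphanumeric key


def demo() -> dict:
    """Show which packets a verifier holding the shared key would accept."""
    good = build_authenticated_packet(SAMPLE_HEADER, SAMPLE_KEY_ID, SAMPLE_KEY)
    # Flip one bit of the transmit timestamp but keep the old checksum.
    tampered = good[:47] + bytes([good[47] ^ 0x01]) + good[48:]
    # Checksum computed by a sender who does not know the secret key.
    forged = build_authenticated_packet(SAMPLE_HEADER, SAMPLE_KEY_ID, b"guessed1")
    packets = {"good": good, "tampered": tampered, "forged": forged,
               "unauthenticated": SAMPLE_HEADER}
    return {name: verify_packet(p, SAMPLE_KEY_ID, SAMPLE_KEY)
            for name, p in packets.items()}


if __name__ == "__main__":
    print(demo())
```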
