A Security Analysis of Version 2 of the Network Time Protocol (NTP)

Matt Bishop

Presented by Alexander Gorman

Goal of Paper

• Examine the security requirements of the Network Time Protocol (version 2)
• Determine if version 2 meets requirements
• Suggest Improvements

My Goals

• Describe version 2 of NTP
• Analyze attacks
• Improvements

Attacks

• Masquerade
• Modification
• Replay
• DoS
• Delay

Assumptions

• Messages leave source uncorrupted
• Not altered on arrival
• Focus on transmission

NTP

• NTP = Network Time Protocol
• Primary time servers
• Secondary time servers
• Stratum Number
  • Measure distance from primary to secondary time server

NTP

[Figure: stratum hierarchy with hosts A, B and C; labels: Primary, Top level stratum, Level 2 stratum, Level 3 stratum]

NTP Rules

• Primary time servers synchronized by external system
• Secondary time servers synchronized by:
  • Primary time server
  • Another secondary time server with lower stratum number

Association Modes

Non-Server sync with NTP Server

• Client
  • What time is it?
  • Send msgs to peers
• Server
  • Created when received client msg
  • Responds with server’s time, terminates
• Broadcast
  • Sends periodic time messages

Association Modes

Time Server sync with other Time Servers

• Symmetric active
  • Broadcast sync msgs
• Symmetric passive
  • If sender strata > receiver, reply + terminate
  • Else, sender syncs host and receiver responds with time msg of its own.

Note: Normally servers with high strata run in active mode

Smooth Data

• Improve accuracy
• Algorithm 1
  • Compute roundtrip delay and offset
  • Take sample from last 8 msgs
  • Choose lowest delay and use associated offset as estimated clock offset
  • Estimate sample dispersion

Offset and Delay

[Figure: timing diagram of one message exchange, with timestamps $t_{i-3}$, $t_{i-2}$, $t_{i-1}$ and $t_i$]

$C_i = ((t_{i-2} - t_{i-3}) + (t_{i-1} - t_i)) / 2$

$D_i = (t_i - t_{i-3}) + (t_{i-1} - t_{i-2})$

Selection of Source Peer

• Algorithm 2
  • Who should sync clock?
  • Uses Algorithm 1
  • List is sorted and scanned repeatedly
    • Clock dispersion relative to peer is computed
    • Highest dispersion eliminated
  • Only one source left

Receive and Packet Procedures

• When a msg (packet) is received either
  • Error: packet discarded, association deleted
  • Packet Procedure

Packet Procedures

if (time packet transmitted = time last received packet transmitted) then
    sanity := true;
if (time peer received last packet from host <> time last message sent to peer) then
    sanity := true;
(* update association variables in Figure 3 *)
if (peer clock not synchronized) or (peer clock not updated for 1 day) then
    sanity := true;
if (not authenticated correctly) then
    sanity := true;
if (peer not preconfigured) and (packet’s stratum > peer’s stratum) then
    sanity := true;
if sanity then
    (* discard message and exit *)
if (packet originate timestamp = 0) or (time last message received by peer = 0) then
    (* exit; note sanity flag not set *)
(* compute delay, offset, corrections, update local clock *)

Packet Procedures

• Check
  • Eliminate re-transmitted packets
    • Packet not transmitted at the same time as the last one received from that peer
  • Ensure messages are received in order
    • The last packet received from the local host was indeed the one the local host sent to the peer
  • Peer clock is synchronized correctly
  • Packet is authenticated correctly
  • Packet is preconfigured correctly and
  • Packet’s stratum level > peer’s stratum level FAIL

Packet Procedure

• If successful
  • Resets internal variables
  • Adjusts local clock if necessary
  • Possibly select new peer as clock source

Security Mechanisms

• Delay Compensation
• Access Control
• Authentication

Delay Compensation

• Compensate for network delays
• Algorithm calculates roundtrip delay and clock offset relative to peer
• Applies statistical procedure to update clock

(see book Network Time Protocol (Version 2) Specification and Implementation)

Access Control

• All hosts partitioned into 3 groups
  • Trusted
    • Allowed to synchronize the local clock
    • Either preconfigured or based on trusted ticket service (Kerberos)
  • Friendly
    • Sent NTP msgs and timestamps when needed
    • Cannot change local clock
  • Others
    • Messages from this group are ignored

Authentication

• Covers Authentication and integrity
• Packet in authenticated mode
  • Transmitted
    • NTP packet (except for authenticator) is checksummed using active peer’s key
    • Key depends on mode

Authentication

if peer.config = 0 then
    if (authenticator in message data) then
        peer.authenable := 1
    else
        peer.authenable := 0;
if peer.authenable = 1 then begin
    peer.authentic := 0;
    if (authenticator in message data) then begin
        peer.keyid := packet.keyid;
        compute_mac(mac, peer.keyid, packet);
        if peer.keyid <> 0 and mac = packet.check then
            peer.authentic := 1;
    end;
end;
(* if peer.authenable is 0, authentication is not done; *)
(* otherwise if peer.authentic is 0, the integrity of the *)
(* packet’s contents are suspect *)

Authentication

• Packet Received
  • If msg contains authentication info
    • Index # of peer’s key reset to that in packet
    • Checksum recomputed and compared to transmitted checksum
    • If checksums match check succeeds
  • If packet has no authentication info
    • Check fails, routine exits

Analysis of Security

• Analyze the following:
  • Access Control
  • Authentication

Access Control

• Relies completely on an unauthenticated source address (in the absence of an integrity checking mechanism)
• Solution: routing info
  • IP record route

Authentication

• Key index can be altered
• Check is only 64 bits
• No key distribution mechanism defined
• Keys used on a per host basis
  • Could lead to a compromise of all hosts that peer synchronizes
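The receive-side authentication procedure from the earlier Authentication slides, beside a variant that pins the key index to the association, as an added Python example that is not from the paper or the slides. HMAC-SHA-256 truncated to 64 bits stands in for the protocol's checksum, and the key table, host names and the `authenticate_pinned` variant are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAC_LEN = 8  # 64-bit check, the size noted on the slide

# Constructed key table held by the receiver: key index -> secret.
KEYS = {1: b"secret shared with host B", 2: b"secret shared with host C"}

@dataclass
class Packet:
    keyid: int
    body: bytes
    check: bytes

@dataclass
class Peer:
    name: str
    keyid: int = 0      # key index configured for this association
    authentic: int = 0

def compute_mac(keyid, body):
    """Stand-in checksum (assumption): truncated HMAC under the indexed key."""
    key = KEYS.get(keyid)
    if key is None:
        return None
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]

def seal(keyid, body):
    """Build an authenticated packet the way a holder of key `keyid` would."""
    return Packet(keyid, body, compute_mac(keyid, body))

def authenticate_v2(peer, pkt):
    """Order of operations on the slide: the key index is reset from the packet."""
    peer.authentic = 0
    peer.keyid = pkt.keyid
    mac = compute_mac(peer.keyid, pkt.body)
    if peer.keyid != 0 and mac is not None and hmac.compare_digest(mac, pkt.check):
        peer.authentic = 1
    return peer.authentic

def authenticate_pinned(peer, pkt):
    """Hypothetical per-association variant: the packet must carry the index
    configured for this peer, so a key shared with another host cannot be used."""
    peer.authentic = 0
    if peer.keyid == 0 or pkt.keyid != peer.keyid:
        return 0
    mac = compute_mac(peer.keyid, pkt.body)
    if mac is not None and hmac.compare_digest(mac, pkt.check):
        peer.authentic = 1
    return peer.authentic

if __name__ == "__main__":
    from_c = seal(2, b"constructed time message")   # sealed with host C's key
    assoc_b = Peer("B", keyid=1)                    # association with host B
    print("slide procedure accepts:", authenticate_v2(assoc_b, from_c))
    print("pinned procedure accepts:", authenticate_pinned(Peer("B", keyid=1), from_c))
```

With the slide's procedure, a packet sealed under any index in the receiver's table verifies on any association; the pinned variant rejects it before the checksum is even computed.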

Attacks

• Goal
• Attack
• Effect
• Countermeasure

Masquerade

• Goal
  • Convince timekeeper that attacker is authorized to synchronize it
• Attack
  • Send a victim packets with source address of timekeeper
• Effects
  • If host is known
    • None if change is drastic
    • Drift created if timestamps changed gradually
  • Unknown host
    • Compromise server by sending 8 uninterrupted messages
    • Send msgs claiming low stratum number
• Countermeasure
  • Use authentication
  • Do not allow non-preconfigured peer to become clock source

Message Modification

• Goal
  • Alter msgs from one timekeeper to another to cause incorrect synchronization
• Attack
  • Alter packets sent to victim
    • Different types of attacks

Modification Attacks

• Integrity of the recipient’s clock
  • pkt.rec, pkt.xmt, pkt.precision
    • Change round trip delay

Modification Attack

• pkt.version
  • DoS
• pkt.mode
  • Disconnection of association
• pkt.stratum
  • Lower stratum
• pkt.ppoll
  • Affects polling interval
• pkt.distance
  • Affects roundtrip delay, choice of clock source and frequency of polling
• pkt.dispersion
  • Affects estimated dispersion

Modification

• Countermeasures
  • Use Authentication!
  • Stratum level used only if checks pass
  • Access controls indicate if connection is trusted

Replay

• Goal
  • Intercept + resend NTP msgs to cause recipient to incorrectly resynchronize
  • Disable active association
• Attack
  • Record msgs + replay them later
• Effects
  • Alternate and replay
  • Reset local clock to earlier time
• Counter
  • Reject any msg with a timestamp older than the last msg received
  • Create a special msg when clock needs to be changed backwards
  • Route based

Delay

• Goal
  • Cause incorrect resynchronization
  • Disable active association
• Attack
  • Artificially increase the roundtrip delay of an association
• Effects
  • Delay packets in sample
  • Peer sending packets not source
  • Results in having no source, DoS
• Counter
  • Redundancy of clock sources

DoS

• Goal
  • Prevent NTP msgs from one timekeeper to another
• Attack
  • Prevent packets from clock sources from reaching an NTP host
• Effects
  • Forces NTP to run under its own clock, high drift!
• Counter
  • Redundancy of clock sources

Combined Attack

• Very effective
• E.g. Deny a secondary server from all but one source, and delay packets from source
• To counter, deal with each component attack separately

Suggestions

• Internal Mechanisms
  • Assume no underlying security mechanism
    • Always use Authentication
    • Keys used per-path not per-host
    • Base Access Control on recorded routes
    • Change variables after packet passes checks
    • Further restrict values of variables
    • Increase sample size
    • Require special packet to set clock backwards
    • Redundancy, server should have many sources
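The receive checks from the Packet Procedures slides, combined with the replay counter (reject a timestamp not newer than the last one accepted) and the suggestion to change variables only after a packet passes the checks, as an added Python example that is not from the paper or the slides. Field names, integer timestamps and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    org: int                    # echo of the time the host's last message was sent
    rec: int                    # time the peer received that message
    xmt: int                    # time the peer transmitted this packet
    stratum: int
    authentic: bool             # outcome of the authentication step
    synchronized: bool = True   # peer clock synchronized and updated recently

@dataclass(frozen=True)
class Assoc:
    xmt: int                    # time the host last sent to this peer
    org: int = 0                # transmit timestamp of the last accepted packet
    stratum: int = 3            # stratum the packet's stratum is compared with
    preconfigured: bool = True

def receive(assoc, pkt):
    """Run every check first; return (assoc, reasons). Empty reasons = accepted.
    The association is replaced only on acceptance, so a rejected packet
    cannot alter the state that later packets are checked against."""
    reasons = []
    if pkt.xmt <= assoc.org:
        reasons.append("stale or replayed")
    if pkt.org != assoc.xmt:
        reasons.append("out of order")
    if not pkt.synchronized:
        reasons.append("peer unsynchronized")
    if not pkt.authentic:
        reasons.append("not authenticated")
    if not assoc.preconfigured and pkt.stratum > assoc.stratum:
        reasons.append("stratum")
    if reasons:
        return assoc, reasons
    return replace(assoc, org=pkt.xmt), reasons

def host_send(assoc, now):
    """Record the time of the host's next message to the peer."""
    return replace(assoc, xmt=now)

def run_constructed_exchange():
    """Feed a constructed packet sequence through receive()."""
    log = []
    a = Assoc(xmt=100)
    p1 = Packet(org=100, rec=101, xmt=102, stratum=1, authentic=True)
    a, r = receive(a, p1); log.append(("p1", r))
    a, r = receive(a, p1); log.append(("p1 replayed", r))
    a = host_send(a, 164)
    before = a
    forged = Packet(org=164, rec=165, xmt=166, stratum=1, authentic=False)
    a, r = receive(a, forged); log.append(("unauthenticated", r))
    unchanged = a == before
    p2 = Packet(org=164, rec=165, xmt=167, stratum=1, authentic=True)
    a, r = receive(a, p2); log.append(("p2", r))
    a, r = receive(a, p1); log.append(("p1 replayed late", r))
    return log, unchanged, a

if __name__ == "__main__":
    for name, reasons in run_constructed_exchange()[0]:
        print(name, "->", reasons or "accepted")
```

A legitimate backward step of the peer's clock would also fail the first check, which is why the slides pair this counter with a special message for setting the clock backwards.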

Suggestions

• External
  • Secure transmission
  • Run into problems with this scheme
    • Public-key checksum - Too slow!
    • IP does not provide sufficient security
  • Strict source does not work!

Conclusion

• NTP has some weaknesses, but well designed
• Remember, security analyst’s view
  • May or may not impact goals of protocol

Questions?