A Security Analysis of Version 2 of the Network Time Protocol (NTP)
Matt Bishop
Presented by Alexander Gorman
Goal of Paper
• Examine the security requirements of the Network Time Protocol (version 2)
• Determine if version 2 meets the requirements
• Suggest improvements
My Goals
• Describe version 2 of NTP
• Analyze attacks
• Improvements
Attacks
• Masquerade
• Modification
• Replay
• DoS
• Delay
Assumptions
• Messages leave the source uncorrupted
• Not altered on arrival
• Focus on transmission
NTP
• NTP = Network Time Protocol
• Primary time servers
• Secondary time servers
• Stratum number
  • Measures the distance from the primary to a secondary time server
NTP
(Figure: stratum hierarchy; labels: Primary, Top level stratum, Level 2 stratum, Level 3 stratum, with servers A, B and C)
NTP Rules
• Primary time servers are synchronized by an external system
• Secondary time servers are synchronized by:
  • A primary time server
  • Another secondary time server with a lower stratum number
Association Modes
Non-server sync with an NTP server
• Client
  • What time is it?
  • Sends msgs to peers
• Server
  • Created when a client msg is received
  • Responds with the server's time, then terminates
• Broadcast
  • Sends periodic time messages
Association Modes
Time server sync with other time servers
• Symmetric active
  • Broadcasts sync msgs
• Symmetric passive
  • If the sender's stratum > the receiver's, reply and terminate
  • Else, the sender syncs the host and the receiver responds with a time msg of its own
Note: Normally servers with high strata run in active mode
Smooth Data
Improve accuracy
• Algorithm 1
  • Compute roundtrip delay and offset
  • Take a sample from the last 8 msgs
  • Choose the lowest delay and use its associated offset as the estimated clock offset
  • Estimate sample dispersion
Offset and Delay
(Figure: timeline of one exchange between host and peer with timestamps t_{i-3}, t_{i-2}, t_{i-1}, t_i)
C_i = ((t_{i-2} - t_{i-3}) + (t_{i-1} - t_i)) / 2
D_i = (t_i - t_{i-3}) - (t_{i-1} - t_{i-2})
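Worked example added here (not from the paper or the slides): the offset C_i and delay D_i computed for three constructed exchanges, followed by Algorithm 1's lowest-delay filter. It uses the RFC 1119 definitions, with the roundtrip delay as (t_i - t_{i-3}) - (t_{i-1} - t_{i-2}); the dispersion estimate is a simplified assumption of mine.

```python
from typing import List, Tuple

def offset_and_delay(t_i3: float, t_i2: float, t_i1: float, t_i: float) -> Tuple[float, float]:
    """C_i and D_i for one exchange (RFC 1119 definitions):
    t_{i-3}: host sends request   t_{i-2}: peer receives it
    t_{i-1}: peer sends reply     t_i:     host receives reply"""
    offset = ((t_i2 - t_i3) + (t_i1 - t_i)) / 2   # C_i
    delay = (t_i - t_i3) - (t_i1 - t_i2)           # D_i: roundtrip minus the peer's turnaround time
    return offset, delay

def choose_clock_offset(exchanges: List[Tuple[float, float, float, float]]):
    """Algorithm 1: from the last 8 exchanges, use the offset of the lowest-delay
    sample. The dispersion here is the spread of the offsets around the chosen
    one (an assumption; the spec's weighting is not modelled)."""
    samples = [offset_and_delay(*e) for e in exchanges[-8:]]
    best_offset, best_delay = min(samples, key=lambda s: s[1])
    dispersion = max(abs(o - best_offset) for o, _ in samples)
    return best_offset, best_delay, dispersion

# Constructed exchanges: host clock 20 ms behind the peer, ~10 ms one-way delay.
# The reply of the third exchange was held up 200 ms on the way back, so its
# delay is large and its offset wrong; the lowest-delay filter leaves it out.
EXCHANGES = [
    (100.000, 100.030, 100.031, 100.021),
    (101.000, 101.031, 101.032, 101.023),
    (102.000, 102.030, 102.031, 102.221),
]

if __name__ == "__main__":
    for e in EXCHANGES:
        print("offset %.3f delay %.3f" % offset_and_delay(*e))
    print("chosen offset %.3f delay %.3f dispersion %.3f" % choose_clock_offset(EXCHANGES))
```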
Selection of Source Peer
• Algorithm 2
  • Who should sync the clock?
  • Uses Algorithm 1
  • The list is sorted and scanned repeatedly
    • Clock dispersion relative to each peer is computed
    • Highest dispersion eliminated
  • Until only one source is left
Receive and Packet Procedures
When a msg (packet) is received, either
• Error: packet discarded, association deleted
• Packet Procedure
Packet Procedures
sanity := false;   (* flag starts clear; any failed check sets it *)
if (time packet transmitted = time last received packet transmitted) then
    sanity := true;
if (time peer received last packet from host <> time last message sent to peer) then
    sanity := true;
(* update association variables in Figure 3 *)
if (peer clock not synchronized) or (peer clock not updated for 1 day) then
    sanity := true;
if (not authenticated correctly) then
    sanity := true;
if (peer not preconfigured) and (packet's stratum > peer's stratum) then
    sanity := true;
if sanity then
    (* discard message and exit *);
if (packet originate timestamp = 0) or (time last message received by peer = 0) then
    (* exit; note sanity flag not set *);
(* compute delay, offset, corrections, update local clock *)
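Added example (not the paper's pseudocode or any NTP implementation's code): the sanity checks of the packet procedure above as a Python function over constructed association state. Field names are mine; the ordering check compares the packet's originate timestamp with the host's last transmit timestamp, as in RFC 1119, and the 1-day bound is read as seconds since the peer's reference time.

```python
from dataclasses import dataclass

ONE_DAY = 86400.0   # the slide's "not updated for 1 day" bound, in seconds

@dataclass
class Packet:             # fields of a received NTP packet (names are mine)
    xmt: float            # transmit timestamp set by the peer
    org: float            # originate timestamp: echoes the host's last xmt (0 = none)
    reftime: float        # when the peer's own clock was last updated
    stratum: int
    unsynchronized: bool  # peer advertises an unsynchronized clock

@dataclass
class Peer:                    # association state kept by the host
    last_xmt_received: float   # xmt of the last packet accepted from the peer
    host_last_xmt: float       # xmt of the last packet the host sent to the peer
    last_receive_time: float   # host time the last packet from the peer arrived (0 = none)
    stratum: int
    preconfigured: bool

def packet_procedure(pkt: Packet, peer: Peer, now: float, authenticated: bool):
    """Return ('discard', reasons) when a sanity check fails, ('exit', []) when the
    exchange is incomplete, or ('update', []) when delay/offset may be computed."""
    reasons = []
    if pkt.xmt == peer.last_xmt_received:        # retransmitted / replayed packet
        reasons.append("retransmitted")
    if pkt.org != peer.host_last_xmt:            # not a reply to what we last sent
        reasons.append("out-of-order")
    # (the slide updates the association variables here, before the remaining checks)
    if pkt.unsynchronized or now - pkt.reftime > ONE_DAY:
        reasons.append("peer-clock")
    if not authenticated:                        # outcome of the authentication step
        reasons.append("authentication")
    if not peer.preconfigured and pkt.stratum > peer.stratum:
        reasons.append("stratum")
    if reasons:
        return "discard", reasons
    if pkt.org == 0 or peer.last_receive_time == 0:
        return "exit", []                        # sanity flag deliberately not set
    return "update", []

# Constructed association and packets: GOOD is a fresh reply to our last request,
# REPLAYED is the previously accepted packet sent again.
PEER = Peer(last_xmt_received=900.0, host_last_xmt=950.0,
            last_receive_time=901.0, stratum=2, preconfigured=True)
GOOD = Packet(xmt=999.5, org=950.0, reftime=800.0, stratum=1, unsynchronized=False)
REPLAYED = Packet(xmt=900.0, org=850.0, reftime=800.0, stratum=1, unsynchronized=False)

if __name__ == "__main__":
    print(packet_procedure(GOOD, PEER, 1000.0, True))      # ('update', [])
    print(packet_procedure(REPLAYED, PEER, 1000.0, True))  # ('discard', ['retransmitted', 'out-of-order'])
```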
Packet Procedures
Check
• Eliminate re-transmitted packets
  • Packet not transmitted at the same time as the last one received from that peer
• Ensure messages are received in order
  • The last packet received from the local host was indeed the one the local host sent to the peer
• Peer clock is synchronized correctly
• Packet is authenticated correctly
• Peer is not preconfigured and the packet's stratum level > the peer's stratum level: FAIL
Packet Procedure
If successful
• Resets internal variables
• Adjusts the local clock if necessary
• Possibly selects a new peer as clock source
Security Mechanisms
• Delay Compensation
• Access Control
• Authentication
Delay Compensation
• Compensate for network delays
• Algorithm calculates roundtrip delay and clock offset relative to the peer
• Applies a statistical procedure to update the clock
(see the specification: Network Time Protocol (Version 2) Specification and Implementation)
Access Control
All hosts partitioned into 3 groups
• Trusted
  • Allowed to synchronize the local clock
  • Either preconfigured or based on a trusted ticket service (Kerberos)
• Friendly
  • Sent NTP msgs and timestamps when needed
  • Cannot change the local clock
• Others
  • Messages from this group are ignored
Authentication
Covers authentication and integrity
Packet in authenticated mode
• Transmitted
  • NTP packet (except for the authenticator) is checksummed using the active peer's key
  • Key depends on mode
Authentication
if peer.config = 0 then
    if (authenticator in message data) then
        peer.authenable := 1
    else
        peer.authenable := 0;
if peer.authenable = 1 then begin
    peer.authentic := 0;
    if (authenticator in message data) then begin
        peer.keyid := packet.keyid;
        compute_mac(mac, peer.keyid, packet);
        if peer.keyid <> 0 and mac = packet.check then
            peer.authentic := 1;
    end;
end;
(* if peer.authenable is 0, authentication is not done; *)
(* otherwise if peer.authentic is 0, the integrity of the *)
(* packet's contents is suspect *)
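Added example (not the paper's pseudocode or NTP's own code): the per-peer authentication logic above in Python. compute_mac is a stand-in, an HMAC-SHA256 truncated to the 64-bit check length the deck mentions, which is an assumption and not NTP v2's actual checksum; the key table and packet bytes are constructed, and the optional pinned_keyid field is a hardening of mine that follows the deck's per-path key suggestion rather than the slide.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed key table: keyid -> key. compute_mac models the slide's 64-bit
# check as a truncated HMAC-SHA256 (assumption; not NTP v2's real algorithm).
KEYS = {7: b"constructed-key-7", 9: b"constructed-key-9"}

def compute_mac(keyid: int, packet: bytes) -> Optional[bytes]:
    key = KEYS.get(keyid)
    return None if key is None else hmac.new(key, packet, hashlib.sha256).digest()[:8]

@dataclass
class Peer:
    config: int = 0       # 1 = preconfigured, so authenable is fixed by configuration
    authenable: int = 0
    authentic: int = 0
    keyid: int = 0
    pinned_keyid: Optional[int] = None  # per-association key (my hardening, not on the slide)

def authenticate(peer: Peer, packet: bytes, keyid: Optional[int] = None,
                 check: Optional[bytes] = None) -> bool:
    """Run the slide's logic for one received packet (keyid/check are the
    authenticator, None when absent). True means the packet may be used:
    authentication is not done for this peer, or the check passed."""
    has_auth = keyid is not None and check is not None
    if peer.config == 0:                       # unconfigured peer: the packet decides
        peer.authenable = 1 if has_auth else 0
    if peer.authenable == 1:
        peer.authentic = 0
        if has_auth:
            peer.keyid = keyid                 # key index is taken from the packet
            mac = compute_mac(peer.keyid, packet)
            pinned_ok = peer.pinned_keyid is None or keyid == peer.pinned_keyid
            if peer.keyid != 0 and mac is not None and pinned_ok \
                    and hmac.compare_digest(mac, check):
                peer.authentic = 1
    # authenable == 0: authentication not done;
    # authenable == 1 and authentic == 0: the packet's contents are suspect
    return peer.authenable == 0 or peer.authentic == 1

PACKET = b"constructed NTP packet body (all fields except the authenticator)"

if __name__ == "__main__":
    p = Peer()
    print(authenticate(p, PACKET, 7, compute_mac(7, PACKET)), p.authentic)  # True 1
    print(authenticate(Peer(config=1, authenable=1), PACKET))               # False
```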
Authentication
• Packet received
  • If the msg contains authentication info
    • Index # of the peer's key is reset to that in the packet
    • Checksum recomputed and compared to the transmitted checksum
    • If the checksums match, the check succeeds
  • If the packet has no authentication info
    • Check fails, routine exits
Analysis of Security
Analyze the following:
• Access Control
• Authentication
Access Control
• Relies completely on an unauthenticated source address (in the absence of an integrity checking mechanism)
• Solution: routing info
  • IP record route
Authentication
• Key index can be altered
• Check is only 64 bits
• No key distribution mechanism defined
• Keys used on a per-host basis
  • Could lead to a compromise of all hosts that the peer synchronizes
Attacks
For each attack: Goal, Attack, Effect, Countermeasure
Masquerade
Goal
• Convince a timekeeper that the attacker is authorized to synchronize it
Attack
• Send a victim packets with the source address of a timekeeper
Effects
• If the host is known
  • None if the change is drastic
  • Drift created if timestamps are changed gradually
• Unknown host
  • Compromise server by sending 8 uninterrupted messages
  • Send msgs claiming a low stratum number
Countermeasure
• Use authentication
• Do not allow a non-preconfigured peer to become the clock source
Message Modification
Goal
• Alter msgs from one timekeeper to another to cause incorrect synchronization
Attack
• Alter packets sent to the victim
• Different types of attacks
Modification Attacks
• Integrity of the recipient's clock
  • pkt.rec, pkt.xmt, pkt.precision
  • Change round trip delay
Modification Attack (field modified: effect)
• pkt.version: DoS
• pkt.mode: Disconnection of association
• pkt.stratum: Lower stratum
• pkt.ppoll: Affects polling interval
• pkt.distance: Affects roundtrip delay, and so the choice of clock source and frequency of polling
• pkt.dispersion: Affects estimated dispersion
Modification
Countermeasures
• Use authentication!
• Stratum level used only if checks pass
• Access controls indicate if the connection is trusted
Replay
Goal
• Intercept and resend NTP msgs to cause the recipient to incorrectly resynchronize
• Disable an active association
Attack
• Record msgs and replay them later
Effects
• Alternate and replay
• Reset the local clock to an earlier time
Counter
• Reject any msg with a timestamp older than the last msg received
• Create a special msg when the clock needs to be changed backwards
• Route based
Delay
Goal
• Cause incorrect resynchronization
• Disable an active association
Attack
• Artificially increase the roundtrip delay of an association
Effects
• Delays packets in the sample
• The peer sending the packets is no longer selected as the source
• Results in having no source: DoS
Counter
• Redundancy of clock sources
DoS
Goal
• Prevent NTP msgs from one timekeeper reaching another
Attack
• Prevent packets from clock sources from reaching an NTP host
Effects
• Forces NTP to run under its own clock: high drift!
Counter
• Redundancy of clock sources
Combined Attack
• Very effective
• E.g. deny a secondary server all but one source, and delay packets from that source
• To counter, deal with each component attack separately
Suggestions
Internal mechanisms
• Assume no underlying security mechanism
• Always use authentication
• Keys used per-path, not per-host
• Base access control on recorded routes
• Change variables after the packet passes checks
• Further restrict values of variables
• Increase sample size
• Require a special packet to set the clock backwards
• Redundancy: a server should have many sources
Suggestions
External
• Secure transmission
• Run into problems with this scheme
  • Public-key checksum: too slow!
  • IP does not provide sufficient security
  • Strict source routing does not work!
Conclusion
• NTP has some weaknesses, but is well designed
• Remember, this is the security analyst's view
  • May or may not impact the goals of the protocol
Questions?