Using NTP Authentication


Visitors: 342

NTP or Network Time Protocol to give it its full name is an internet protocol designed to distribute precise time around a network. NTP is a UDP based protocol used to synchronize system time on network infrastructure, such as servers, workstations and network equipment . This article describes how to utilise the Network Time Protocol authentication features to authenticate time references when synchronizing clients to a NTP server.

NTP Server Security

Network Time Protocol is used to provide a precise time reference for time critical applications. Therefore, NTP can pose a security risk if malicious users attempt to corrupt a NTP timestamp to create a false time on network equipment.

NTP provides increased security in the form of authentication. Authentication is intended to overcome security risks by ensuring that any response received from an NTP time server has come from the intended reference. The client sends a request for time to a NTP server. The server then responds to the client with a precise timestamp along with one of a number of agreed encrypted keys. On receipt of the timestamp, the client un-encrypts the key and verifies it against a list of trusted keys. The client can then be sure that the received timestamp was indeed transmitted from the intended time reference. NTP utilises MD5 encryption (Message Digest Encryption 5), which is a 128-bit cryptographic hash function, which outputs a fingerprint of the key. MD5 is a highly secure encryption algorithm, widely used on the internet for authentication and security purposes.

NTP Authentication Keys

NTP authentication keys are codes that are encrypted on both the server and client that are used to identify the NTP time server. NTP authentication keys are stored in a file usually called ‘ntp. keys’. Each authentication key consists of a key number, an encryption code and the key itself.

E. g. NTP server keys:

2 M VisioN
5 M SeRvEr
7 M TiMeLy
12 M TiDy
14 M MaGic

The authenication key number acts as a reference to the specified authentication key. The encryption code specifies the type of encryption to be utilised, e. g. ‘M’ for MD5 encryption. The actual keys must be identical on both the client and the NTP time server. The client may utilise a sub-set of the authentication keys specified on the NTP Server. The keys are case sensitive.

E. g. client keys:

5 M SeRvEr
7 M TiMeLy
14 M MaGic

Trusted Authentication Keys

Trusted authentication keys are specified in the NTP server configuration file, ‘ntp. conf’. Trusted keys specify which subset of keys are currently activeand can be used by the NTP server. This allows a sub-set of trusted keys to be selected from a potentially large keys file. The trusted keys specifier allows key references to be changed easily without editing the keys file. Trusted keys are selected using the ‘trusted-keys’ configuration command.

E. g.

trusted-keys 7 10 14

This specifies that authentication keys with the key references of 7, 10 and 14 are trusted and can be used by the NTP installation.

NTP Security Summary

Essentially, authentication is used by the client to authenticate that the NTP server is who he says he is, and that no rogue server intervenes. The key is encrypted and sent to the client by the server where it is unencrypted and checked against the client keys to ensure a match. Authenication provides NTP with a high level of security to prevent malicous tampering of timestamp information.

The author, David Evans, develops SNTP and NTP server time synchronization solutions that ensure accurate time on computers and computer networks. Dave has been heavily involved in the development of dedicated time server systems, Ethernet NTP digital wall clock systems and atomic clock products. Click here to find out more about SNTP and Linux NTP Server solutions.


Article Source:

Rate this Article: 
Cisco CCNP / BCSI Exam Tutorial: Configuring EIGRP Packet Authentication
Rated 4 / 5
based on 5 votes

Related Articles:

NTP Vandalism Solutions to the Misuse and Abuse of NTP Servers

by: Richard N Williams (July 07, 2008) 
(Computers and Technology)

NTP Servers Basic NTP Configuration

by: Richard N Williams (June 18, 2008) 
(Computers and Technology)

Authentication Methods

by: Reggie Andersen (November 01, 2005) 
(Internet and Businesses Online/Security)

The Problem with Autograph Authentication

by: Adam McFarland (September 28, 2005) 
(Home and Family/Crafts Hobbies)

Two Factor Authentication Saved The Day

by: Roberter Date (August 21, 2014) 
(Computers and Technology/iPhone Applications)

Identity Authentication Through Fingerprint Biometric Verification

by: Michelle Thiel (April 04, 2008) 
(Computers and Technology/Hardware)

First Atlantic Commerce provides MITec with authentication-only fraud ..

by: Neil Tug (October 03, 2009) 

IPv6 (Cisco) Training - Using the "(IKE) Policy "authentication" Command

by: Charles E Ross (August 21, 2008) 
(Computers and Technology)

Verified by Visa Card Authentication Merchant ECommerce Security Service

by: Joe Cole (July 10, 2008) 
(Internet and Businesses Online/Ecommerce)

Cisco CCNP / BCSI Exam Tutorial: Configuring EIGRP Packet Authentication

by: Chris Bryant (March 29, 2006) 
(Computers and Technology/Certification Tests)