<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>Authentication Support</title>
<!-- Changed by: Harlan Stenn, 24-Jul-2018 -->
<link href="scripts/style.css" type="text/css" rel="stylesheet">
<style type="text/css">
<!--
.style1 {
color: #FF0000;
font-weight: bold;
}
.style1 {color: #FF0000}
-->
</style>
</head>
<body>
<h3>Authentication Support</h3>
<img src="pic/alice44.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>Our resident cryptographer; now you see him, now you don't.</p>
<p>Last update:
<!-- #BeginDate format:En2m -->24-Jul-2018 09:12<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/hand.txt"></script>
<script type="text/javascript" language="javascript" src="scripts/authopt.txt"></script>
<h4>Table of Contents</h4>
<ul>
<li class="inline"><a href="#auth">Introduction</a></li>
<li class="inline"><a href="#symm">Symmetric Key Cryptography</a></li>
<li class="inline"><a href="#windows">Microsoft Windows Authentication</a></li>
<li class="inline"><a href="#pub">Public Key Cryptography</a></li>
</ul>
<hr>
<h4 id="auth">Introduction</h4>
<p>This page describes the various cryptographic authentication
provisions in NTPv4. Authentication support allows an NTP client to
verify that the servers it talks to are in fact known and trusted, and
not intruders attempting, accidentally or intentionally, to masquerade
as a legitimate server. A detailed discussion of the NTP multi-layer
security model and vulnerability analysis is in the white
paper <a href="http://www.eecis.udel.edu/~mills/security.html">NTP
Security Analysis</a>.</p>
<p>The NTPv3 specification (RFC-1305) defined an authentication scheme
properly described as <em>symmetric key cryptography</em>. It used
the Data Encryption Standard (DES) algorithm operating in cipher-block
chaining (CBC) mode. That algorithm was subsequently replaced by the
RSA Message Digest 5 (MD5) algorithm, commonly called keyed-MD5.
Either algorithm computes a message digest, or one-way hash, over the
packet and a shared secret key; the receiver recomputes the digest and
thereby verifies that the sender holds the same key. The MD5 message
digest algorithm is included in the distribution, so without further
cryptographic support the distribution can be freely exported.</p>
<p>If the OpenSSL cryptographic library is installed prior to building
the distribution, all message digest algorithms included in the
library may be used, including SHA and SHA1. However, if conformance
to FIPS 140-2 is required, only a limited subset of these algorithms
can be used. The library is available
from <a href="http://www.openssl.org">http://www.openssl.org</a> and
can be installed using the procedures outlined on
the <a href="build.html">Building and Installing the Distribution</a>
page. Once it is installed, the configure and build process
automatically detects the library and links the library routines
required.</p>
<p>In addition to the symmetric key algorithms, this distribution
includes support for the Autokey public key algorithms and protocol
specified in RFC-5906, "Network Time Protocol Version 4: Autokey
Specification". This support is available only if the OpenSSL
library has been installed and the <tt>--enable-autokey</tt> option is
used when the distribution is built.</p>
<p>Public key cryptography is generally considered more secure than
symmetric key cryptography, since each participant generates its own
private and public values and the private value is never revealed to,
or shared with, any other party. Autokey uses X.509 public
certificates, which can be produced by commercial services, the
OpenSSL application program, or
the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility program in
the NTP software distribution.</p>
<p>Note that according to US law, NTP binaries including OpenSSL library
components, including the OpenSSL library itself, cannot be exported
outside the US without license from the US Department of Commerce.
Builders outside the US are advised to obtain the OpenSSL library
directly from OpenSSL, which is outside the US, and build outside the
US.</p>
<p>Authentication is configured separately for each association using
the <tt>key</tt> or <tt>autokey</tt> option of the <tt>server</tt>
configuration command, as described on
the <a href="confopt.html">Server Options</a> page.
The <a href="keygen.html">ntp-keygen</a> page describes the files
required for the various authentication schemes. Further details are
in the briefings, papers and reports at the NTP project page linked
from <a href="http://www.ntp.org">www.ntp.org</a>.</p>
<p>By default, the client sends non-authenticated packets and the server
responds with non-authenticated packets. If the client sends
authenticated packets, the server responds with authenticated packets
if the client's MAC verifies, or with a crypto-NAK packet if it does
not. For unsolicited packets which might consume significant
resources, such as broadcast or symmetric mode packets, authentication
is required unless overridden by a <tt>disable auth</tt> command. In
the current climate of targeted broadcast or "letterbomb" attacks,
defeating this requirement would be decidedly dangerous. In any case,
the <tt>notrust</tt> flag of the <tt>restrict</tt> command, described
on the <a href="accopt.html">Access Control Options</a> page, can be
used to deny service to all but correctly authenticated clients.</p>
<h4 id="symm">Symmetric Key Cryptography</h4>
<p>The original NTPv3 specification (RFC-1305), as well as the current
NTPv4 specification (RFC-5905), allows any one of possibly 65,535
message digest keys (excluding zero), each distinguished by a key ID,
to authenticate an association. The key ID field in the packet is 32
bits wide, but the reference implementation reserves IDs 1 through
65,535 for keys read from the keys file; key ID zero means "no key"
and is what a crypto-NAK carries, and IDs above that range are used by
Autokey for its ephemeral session keys, so they never appear in a keys
file. The servers and clients involved must agree on the key ID, key
type and key used to authenticate NTP packets.</p>
<p>The message digest is a cryptographic hash computed by an algorithm
such as MD5, SHA, or AES-128 CMAC. When authentication is specified,
a message authentication code (MAC) is appended to the 48-octet NTP
packet header. The MAC consists of a 32-bit key identifier (key ID)
followed by a 128- or 160-bit message digest. The digest is computed
as the hash of the message digest key (128 or 160 bits, depending on
the key type) concatenated with the NTP packet header fields,
excluding the MAC itself. On transmit, the sender computes the digest
and inserts it in the MAC. On receive, the receiver selects the key
named by the key ID, recomputes the digest and compares it with the
one in the MAC. The packet is accepted only if the two digests are
identical. If a discrepancy is found by the client, the client ignores
the packet, but raises an alarm. If this happens at the server, the
server returns a special message called a <em>crypto-NAK</em>: a
packet whose MAC consists of a key ID of zero and no digest. Since the
crypto-NAK, like any other reply, is protected by the loopback test
(its origin timestamp must match the transmit timestamp of the
client's last request), an intruder cannot disrupt the protocol by
sending a bogus crypto-NAK.</p>
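<p>The transmit and receive sides of the MAC check described above, as an
added example (this is not code from the NTP distribution). It assumes
the MAC layout given in this section, a 48-octet NTPv4 header that is
constructed here with illustrative field values, and two keys copied
from Figure 1 (IDs 10 and 11) standing in for the keys activated
with <tt>trustedkey</tt>. The key field is hashed as written: a
40-hex-digit key decodes to 20 raw bytes, anything else is taken as an
ASCII string.</p>

```python
import hashlib
import hmac
import struct

# Added example (not code from the NTP distribution): build and check the
# symmetric-key MAC appended to the 48-octet NTP header,
#   MAC = key ID (32 bits, big-endian) || digest(key || header).

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}   # 128- and 160-bit digests
CRYPTO_NAK = b"\x00\x00\x00\x00"                        # key ID 0, no digest

# Constructed NTPv4 client request header (LI=0, VN=4, mode=3). The field
# values are illustrative; the layout is the standard 48-octet header.
CLIENT_HEADER = struct.pack(
    "!BBBbIIIQQQQ",
    0x23,                   # LI=0, VN=4, mode=3 (client)
    0, 6, -20,              # stratum, poll, precision
    0, 0,                   # root delay, root dispersion
    0,                      # reference ID
    0, 0, 0,                # reference, origin, receive timestamps
    0xE9B8E5A480000000,     # transmit timestamp (constructed)
)


def key_bytes(key_field: str) -> bytes:
    """Key as it appears in ntp.keys: 40 hex digits decode to 20 raw bytes,
    anything else is taken as a printable ASCII string."""
    if len(key_field) == 40 and all(c in "0123456789abcdefABCDEF" for c in key_field):
        return bytes.fromhex(key_field)
    return key_field.encode("ascii")


# Keys the receiver trusts, as they would be after 'trustedkey 10 11'
# (entries taken from Figure 1).
TRUSTED_KEYS = {
    10: ("MD5", key_bytes("2late4Me")),
    11: ("SHA1", key_bytes("a27872d3030a9025b8446c751b4551a7629af65c")),
}


def compute_mac(key_id: int, key_type: str, key: bytes, header: bytes) -> bytes:
    """32-bit big-endian key ID followed by digest(key || header)."""
    if len(header) != 48:
        raise ValueError("NTP header must be exactly 48 octets")
    digest = DIGESTS[key_type](key + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(packet: bytes, trusted: dict) -> str:
    """Classify a received packet: 'unauthenticated' (no MAC at all),
    'crypto-nak', 'ok' (digest matches) or 'bad' (unknown key or mismatch)."""
    header, mac = packet[:48], packet[48:]
    if len(header) != 48:
        return "bad"
    if not mac:
        return "unauthenticated"
    if mac == CRYPTO_NAK:
        return "crypto-nak"
    if len(mac) < 4:
        return "bad"
    key_id = struct.unpack("!I", mac[:4])[0]
    entry = trusted.get(key_id)
    if entry is None:            # unknown, or not activated with trustedkey
        return "bad"
    key_type, key = entry
    expected = compute_mac(key_id, key_type, key, header)
    # Constant-time comparison: an early-exit compare would leak how many
    # leading digest bytes a forger has guessed correctly.
    return "ok" if hmac.compare_digest(expected, mac) else "bad"


def server_reply(request: bytes, trusted: dict) -> bytes:
    """Server side of the exchange in this section: an authenticated reply
    when the request's MAC verifies, a crypto-NAK when it does not, and an
    unauthenticated reply when the request carried no MAC. The reply header
    is a constructed server-mode copy of the request header."""
    header = bytes([0x24]) + request[1:48]          # LI=0, VN=4, mode=4 (server)
    verdict = authenticate(request, trusted)
    if verdict == "unauthenticated":
        return header
    if verdict != "ok":
        return header + CRYPTO_NAK
    key_id = struct.unpack("!I", request[48:52])[0]
    key_type, key = trusted[key_id]
    return header + compute_mac(key_id, key_type, key, header)


if __name__ == "__main__":
    request = CLIENT_HEADER + compute_mac(11, "SHA1", TRUSTED_KEYS[11][1], CLIENT_HEADER)
    print(len(request), authenticate(request, TRUSTED_KEYS))
    print(authenticate(server_reply(request, TRUSTED_KEYS), TRUSTED_KEYS))
```

<p>The example deliberately keeps the key lookup, the digest comparison
and the crypto-NAK reply separate, which is the order in which a
receiver has to make the decisions: a packet with an unknown or
untrusted key ID is rejected before any digest is computed, and only a
verified request earns an authenticated reply.</p>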
<p>Keys and related information are specified in a keys file, which must
be distributed and stored using secure means beyond the scope of the
NTP protocol itself. Besides the keys used for ordinary NTP
associations, additional keys can be used as passwords for
the <tt><a href="ntpq.html">ntpq</a></tt>
and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.
Ordinarily, the <tt>ntp.keys</tt> file is generated by
the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can
be constructed and edited using an ordinary text editor.</p>
<p>Each line of the keys file consists of three or four fields: a key
ID in the range 1 to 65,535, inclusive; a key type; a message digest
key consisting of either a printable ASCII string of less than 40
characters or a 40-character hex digit string; and an optional
comma-separated list of IPs that are allowed to serve time using that
key. If the OpenSSL library is installed, the key type can be any
message digest algorithm supported by the library. If the OpenSSL
library is not installed, the only permitted key type is MD5.</p>
<table>
<caption style="caption-side: bottom;">
Figure 1. Typical Symmetric Key File
</caption>
<tr><td style="border: 1px solid black; border-spacing: 0;">
<pre style="color:grey;">
# ntpkey_MD5key_bk.ntp.org.3595864945
# Thu Dec 12 19:22:25 2013

1 MD5 L";Nw<`.I<f4U0)247"i # MD5 key
2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
5 MD5 B;fxlKgr/&4ZTbL6=RxA # MD5 key
6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key
7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
10 MD5 2late4Me # MD5 key
11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
21 MD5 sampo 10.1.2.3/24
</pre></td></tr></table>
<p>Figure 1 shows a typical symmetric keys file used by the reference
implementation when the OpenSSL library is installed. Each line of
the file contains three or four fields. The first field is an integer
between 1 and 65535, inclusive, representing the key identifier. The
second field is the digest algorithm, which in the absence of the
OpenSSL library must be <tt>MD5</tt>, which designates the MD5 message
digest algorithm. The third field is the key. The optional fourth
field is one or more comma-separated IPs. An IP may end with an
optional <tt>/subnetbits</tt> suffix, which limits the acceptance of
the key identifier to packets claiming to be from the described IP
space. Since a source address can be forged, this is a restriction on
top of the MAC check, not a substitute for it. In this example, for
the key IDs in the range 1-10 (and for key ID 21) the key is
interpreted as a printable ASCII string. For the key IDs in the range
11-20, the key is a 40-character hex digit string. In either case,
the key is truncated or zero-filled internally to either 128 or 160
bits, depending on the key type. A line can be edited later or new
lines can be added to change any field; a key can be replaced with a
password, such as <tt>2late4Me</tt> for key ID 10. Note that two or
more keys files can be combined in any order as long as the key IDs
are distinct.</p>
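<p>A reader of the Figure 1 format, together with the per-key IP
restriction and the distinct-ID rule just described, as an added example
(not the parser in the NTP distribution). The sample file embedded in the
code is constructed: a few lines are copied from Figure 1 and one
restricted key (ID 22, with two address entries) is made up to exercise
the comma-separated list. The set of accepted key types is simply the
set of names that appear in Figure 1, not a claim about what a given
OpenSSL build supports.</p>

```python
import ipaddress

# Added example (not code from the NTP distribution): parse the three-or-
# four-field keys file of Figure 1 and select the key a receiver may use
# for a given key ID and (claimed) source address.

# Key types that appear in Figure 1; all but MD5 need the OpenSSL build.
KEY_TYPES = {"MD5", "SHA", "SHA1", "MD2", "MD4", "MDC2", "RIPEMD160", "AES128CMAC"}

# Constructed sample: lines copied from Figure 1 plus a made-up key 22.
SAMPLE_KEYS = """\
# ntpkey_MD5key_bk.ntp.org.3595864945
# Thu Dec 12 19:22:25 2013

2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
10 MD5 2late4Me # MD5 key
11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
21 MD5 sampo 10.1.2.3/24
22 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 192.0.2.7,198.51.100.0/24
"""


def key_bytes(key_field):
    """40 hex digits decode to 20 raw bytes; anything else is ASCII."""
    if len(key_field) == 40 and all(c in "0123456789abcdefABCDEF" for c in key_field):
        return bytes.fromhex(key_field)
    return key_field.encode("ascii")


def parse_keys(text, have_openssl=True, into=None):
    """Parse one keys file into {key_id: (type, key, [networks])}.
    Pass an existing dict as 'into' to combine several files; a key ID
    seen twice is an error, since combined files must have distinct IDs."""
    keys = {} if into is None else into
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = []
        for tok in raw.split():
            if tok.startswith("#"):      # rest of the line is a comment
                break
            fields.append(tok)
        if not fields:
            continue
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 fields, got {len(fields)}")
        key_id = int(fields[0])
        if not 1 <= key_id <= 65535:
            raise ValueError(f"line {lineno}: key ID {key_id} outside 1..65535")
        key_type = fields[1].upper()
        if key_type not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unknown key type {fields[1]}")
        if not have_openssl and key_type != "MD5":
            raise ValueError(f"line {lineno}: {key_type} needs an OpenSSL build")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key ID {key_id}")
        nets = []
        if len(fields) == 4:
            # '10.1.2.3/24' means the whole /24; a bare address is a /32.
            nets = [ipaddress.ip_network(s, strict=False) for s in fields[3].split(",")]
        keys[key_id] = (key_type, key_bytes(fields[2]), nets)
    return keys


def key_for(keys, key_id, source_ip):
    """(type, key) to use for a packet carrying key_id from source_ip, or
    None if the ID is unknown or the source lies outside the key's IP list.
    The source address is whatever the packet claims, so this restricts
    which key IDs a sender may use; the MAC check still has to pass."""
    entry = keys.get(key_id)
    if entry is None:
        return None
    key_type, key, nets = entry
    addr = ipaddress.ip_address(source_ip)
    if nets and not any(addr in net for net in nets):
        return None
    return key_type, key


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    for src in ("10.1.2.200", "10.1.3.1"):
        print(src, key_for(keys, 21, src))
```

<p>Loading a second file with <tt>into=keys</tt> gives the combining
behaviour described above, and the <tt>have_openssl=False</tt> path
shows why a keys file written for an OpenSSL build cannot simply be
copied to a host built without it.</p>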
<p>When <tt>ntpd</tt> is started, it reads the keys file specified by
the <tt>keys</tt> command and installs the keys in the key cache.
However, individual keys must be activated with
the <tt>trustedkey</tt> configuration command before use. This
allows, for instance, the installation of possibly several batches of
keys and then activating a key remotely using <tt>ntpq</tt>
or <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID
used as the password for the <tt>ntpdc</tt> utility, while
the <tt>controlkey</tt> command selects the key ID used as the
password for the <tt>ntpq</tt> utility.</p>
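<p>The commands named in this section and in the Introduction fit together
as follows. This is an added configuration example, not a file shipped
with the distribution; the server hostnames, the keys file path and the
choice of key IDs are assumptions (IDs 10 and 11 follow Figure 1). The
weak alternative the Introduction warns against is shown commented out
beside the setting that replaces it.</p>

```conf
# /etc/ntp.conf (added example; hosts, paths and key IDs are assumed)

# Read the keys file into the key cache at startup.
keys /etc/ntp.keys

# Only the key IDs listed here may be used; every other key in the file
# stays inactive until it is added here or activated at run time.
trustedkey 10 11

# Key used as the ntpq password (controlkey) and as the ntpdc password
# (requestkey). Both must also appear on the trustedkey line.
controlkey 11
requestkey 10

# Each association selects its own key; the remote server must hold the
# same key ID, key type and key in its own keys file.
server ntp1.example.net key 11 iburst
server ntp2.example.net key 11 iburst

# Weak setting: would accept unauthenticated broadcast and symmetric-mode
# packets, which the Introduction describes as decidedly dangerous.
#disable auth

# Default behaviour, stated explicitly: unsolicited packets must be
# authenticated.
enable auth

# Hardened access policy: no remote modification, traps, peering or
# queries, and (notrust) no service at all to anyone whose packets are
# not correctly authenticated. Replies from the servers above pass the
# notrust test because they carry a MAC under key 11.
restrict default kod nomodify notrap nopeer noquery notrust

# Local administration with ntpq/ntpdc over the loopback interface.
restrict 127.0.0.1
restrict ::1
```

<p>With this policy a client that sends an unauthenticated request gets
no reply rather than an unauthenticated one, so the <tt>notrust</tt> flag
should be dropped from the default restriction on a server that is meant
to serve time to anonymous clients, while <tt>disable auth</tt> should
stay commented out in either case.</p>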
<h4 id="windows">Microsoft Windows Authentication</h4>
<p>In addition to the above means, <tt>ntpd</tt> now supports Microsoft
Windows MS-SNTP authentication using Active Directory services. This
support was contributed by the Samba Team and is still in development.
It is enabled using the <tt>mssntp</tt> flag of the <tt>restrict</tt>
command described on the <a href="accopt.html#restrict">Access Control
Options</a> page. <span class="style1">Note: Potential users should
be aware that these services involve a blocking socket connection to
another process (the Samba signing daemon) that could potentially
stall, denying service to other clients. Therefore, this flag should be
used only on a dedicated server with no clients other than MS-SNTP
clients.</span></p>
<h4 id="pub">Public Key Cryptography</h4>
<p>See the <a href="autokey.html">Autokey Public-Key Authentication</a>
page.</p>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
</html>