Posted by Daniel Waldron on February 9th, 2015
Synchronising time across a network is fraught with security risks and Network Time Protocol is a target for exploitation. However, NTP has a way of stopping hackers from messing with your network’s time synchronisation. Discover secure authentication and the role it plays in protecting NTP.
What’s the Point of NTP Authentication?
To instigate an NTP attack a hacker hides behind their rogue host, under the pretence that they are a genuine NTP server.
Authentication is the line of defence used by NTP to thwart the tampering of timestamps logged by devices.
Contrary to common misconception, the purpose of NTP authentication is to verify a time source, not a client.
How is NTP protected?
NTP uses Message Digest Encryption 5 (MD5) encoded keys. MD5 is a widely used, secure encryption algorithm that utilises a 128-bit cryptographic hash feature. The algorithm works by duplicating the key (or password) provided and then allocating the key to a timestamp.
Network Time Protocol can use MD5 encoded keys to verify timestamps supplied to a time client, or server, by Network Time Servers. How? By decrypting the key (password) received and matching it with an agreed set of keys. Once verified, the server or client can then authorise any actions.
This method of NTP authentication allows a network time client, or device, to ensure that a timestamp has been generated by a trusted source, protecting NTP from malicious activity or interception.
On Linux or UNIX NTP servers, the list of trusted NTP authentication keys is stored in the ntp.keys file.
Each key listed consists of a key identifier, an encryption identifier & a password, which can be identified as follows:
- Key identifier – depicted by a number ranging between 1 & 99
- Encryption identifier – used to choose the algorithm that will encode the key, often an ‘M’, referencing the use of MD5 encryption
- The password – depicted by a set of alphanumeric characters, forming ‘the key’
As a collective, a key will look something like this – 8 M gaLLeoN007
The key file of an NTP time server is usually very large. If you want to reduce the number of trusted keys in use you can create a subgroup. These can be itemised using the NTP configuration file ‘ntp.conf’. Using a subgroup allows you to disable compromised keys.
To implement trusted keys use the ‘trusted-keys’ command. From your list, select the keys you want to use. Specify each key identifier number, separated by a space, until you have compiled your list. It should look something like this:
trusted-keys 4 7 14 82
Implementing this command validates key identifiers 4, 7, 14 & 82, while discounting all other keys.
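The check a client performs with these keys, as an added example (not Galleon Systems' code or code from the original post): NTP symmetric-key authentication appends a 4-byte key identifier and the MD5 digest of the shared key followed by the 48-byte packet header, and the receiver recomputes that digest with its own copy of the key. Key 9, the trusted set and the packet bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample data: key 8 is the article's example, key 9 is made up.
NTP_KEYS = """\
# id type password
8 M gaLLeoN007
9 M n0tTrusted
"""
TRUSTED_IDS = {8}      # subset of key identifiers this client accepts
HEADER_LEN = 48        # fixed NTP header that precedes the MAC


def load_keys(text):
    """Parse 'id type password' lines, keeping only MD5 keys."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#") and fields[1] in ("M", "MD5"):
            keys[int(fields[0])] = fields[2].encode()
    return keys


def sign(header, key_id, key):
    """Append the MAC: 4-byte key id + MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, keys, trusted):
    """Return True only for a packet carrying a valid MAC from a trusted key."""
    if len(packet) != HEADER_LEN + 4 + 16:
        return False                       # unauthenticated or malformed packet
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in trusted or key_id not in keys:
        return False                       # key exists in the file but is not trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])


KEYS = load_keys(NTP_KEYS)
# Constructed server reply: LI=0, VN=4, mode=4 (server), stratum 1, rest zeroed.
HEADER = bytes([0x24, 1, 6, 0xEC]) + bytes(44)
GOOD = sign(HEADER, 8, KEYS[8])
TAMPERED = GOOD[:40] + b"\xff" + GOOD[41:]   # transmit timestamp changed in transit
UNTRUSTED = sign(HEADER, 9, KEYS[9])         # correct MAC, but key 9 is not trusted
```

Only `GOOD` passes `verify`; the modified packet, the packet signed with the untrusted key 9 and a bare 48-byte header with no MAC are all rejected.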
Neglecting NTP authentication leaves networks & devices open to numerous attacks, all of which can disrupt time synchronisation. Any one of the following could occur as a result of neglecting NTP authentication:
Replay & spoofing attacks – Whereby an intruder can intercept, delay & ‘replay’ messages on a client to server or server to client basis. Any message will be properly verified, resulting in delayed replies being accepted by the client.
Consequently, this could result in time synchronisation errors, which could prove difficult to detect because a similar problem could occur as a result of ‘normal’ network behaviour.
Man-in-the-middle attacks – Unlike replay & spoofing attacks, which do not directly impact time synchronisation quality aside from increasing apparent network delays, man-in-the-middle attacks allow an intruder to not only intercept messages, but modify & replay authentic messages between a client & server or between peer servers.
This can lead to two types of attack. Firstly, a hacker can hijack a valid message from server to client, modify some fields & send it, perhaps repeating it a number of times to the client. This can cause the client to authorise the message and compute an incorrect time.
It could also dupe the client into disregarding the time provided by other servers utilised by the client.
Secondly, a hacker can hijack a valid request message from client to server, alter some fields & send it, perhaps on a repetitive basis to the client. This results in the server distributing imitation requests or supplying incorrect time to the client.
Denial of service attacks – Known as ‘clogging’ attacks, hackers attempt to dislodge time accuracy by overloading a network. This form of attack is quite sophisticated and does not require a hijacker to prise open genuine NTP messages, just the ability to duplicate a seemingly valid NTP packet.
Protect Your Network
The installation of a Galleon Systems time server allows you to authenticate NTP messages. Operational from behind your firewall, an NTP time server gives you increased network & device security, reducing the risk of hacker attacks that could wreak havoc on your time critical systems.
Visit the home of time synchronisation now and invest in protection for your network. Alternatively, call 0121 608 7230 to speak to a time lord.