The Network Time Protocol (NTP) synchronizes computer systems across the Internet and is ubiquitously deployed. Many applications, including security protocols and mechanisms such as TLS certificates, DNS (and DNSSEC), BGP security mechanisms (namely, RPKI), Kerberos, and HTTP Strict Transport Security (HSTS), crucially rely on NTP for both correctness and safety.
NTP is based on a client-server architecture: an NTP client periodically selects servers to sync to from a pool of NTP servers, which are put through a sequence of ‘tests’ to establish their reliability and accuracy. The NTP client syncs its internal clock to the clock readings from these servers using an algorithm that mitigates the effects of variability in network latency.
Similarly to other components of the Internet’s infrastructure (for example, TCP/IP, BGP, DNS), NTP was designed without security in mind. NTP’s design thus reflects the need to achieve correctness in the presence of inaccurate clocks (‘falsetickers’), assumed to be fairly rare, as opposed to deliberate attacks by powerful and strategic adversaries. Consequently, NTP is alarmingly vulnerable to attacks, ranging from time shifting attacks that stealthily shift clocks on victim clients to denial-of-service attacks.
In particular, man-in-the-middle (MitM) attackers, capable of intercepting traffic between a client and server, can wreak havoc on time synchronization.
Recently introduced patches to NTP’s implementation eliminate or mitigate some off-path attacks and implementation flaws, yet MitM attackers are often deemed too strong to protect against. Importantly, while the cure to some of NTP’s ailments may lie in encrypting NTP traffic between clients and servers, even ubiquitous encryption and authentication are insufficient for fully protecting NTP time synchronization from a MitM attacker capable merely of delaying and replaying packets.
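To see why authentication alone does not help against a delaying attacker, it is enough to work through the four-timestamp arithmetic an NTP client uses to estimate its offset from a server. The following is an added example, not code from the Chronos project or from any NTP implementation: the offset/delay formula is the standard one from RFC 5905, while the exchange simulator, its timestamp values and the delay bound are constructed for this illustration.

```python
"""Offset/delay arithmetic of a single NTP client-server exchange.

Added illustration (not Chronos or NTP reference code).  The
four-timestamp formula is the standard one from RFC 5905; the
exchange simulator and all its numeric inputs are constructed here.
"""


def ntp_offset_delay(t1, t2, t3, t4):
    """Return (offset, round_trip_delay) from the four NTP timestamps.

    t1: client transmit time  (client clock)
    t2: server receive time   (server clock)
    t3: server transmit time  (server clock)
    t4: client receive time   (client clock)
    offset is how far the server clock is estimated to lead the client's.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(true_offset, one_way, fwd_extra=0.0, rev_extra=0.0,
                      t1=1000.0, server_proc=0.01):
    """Produce the four timestamps for one request/response (constructed model).

    true_offset: how far the server clock really is ahead of the client clock (s)
    one_way:     genuine network latency in each direction (s)
    fwd_extra:   extra delay held on the client->server path (s)
    rev_extra:   extra delay held on the server->client path (s)
    The timestamps themselves are untouched, so authentication would verify.
    """
    t2 = t1 + one_way + fwd_extra + true_offset   # arrival at server, server clock
    t3 = t2 + server_proc                         # reply leaves server, server clock
    t4 = t3 - true_offset + one_way + rev_extra   # arrival at client, client clock
    return t1, t2, t3, t4


def offset_error(true_offset, one_way, fwd_extra=0.0, rev_extra=0.0):
    """Estimated offset minus the true one: the shift a delay imposes on the client.

    Algebraically this equals (fwd_extra - rev_extra) / 2, so a symmetric
    delay leaves the estimate intact while an asymmetric one shifts it.
    """
    ts = simulate_exchange(true_offset, one_way, fwd_extra, rev_extra)
    offset, _ = ntp_offset_delay(*ts)
    return round(offset - true_offset, 9)


def exchange_delay(true_offset, one_way, fwd_extra=0.0, rev_extra=0.0):
    """Round-trip delay the client observes; equals 2*one_way + fwd_extra + rev_extra."""
    ts = simulate_exchange(true_offset, one_way, fwd_extra, rev_extra)
    _, delay = ntp_offset_delay(*ts)
    return round(delay, 9)


def delay_exceeds_bound(delay, max_expected_delay):
    """Defender-side sanity check: held packets always inflate the observed delay.

    The bound is an assumed operator-chosen value; inflated delay is the
    one signal a single exchange leaves behind, since the authenticated
    timestamps themselves are genuine.
    """
    return delay > max_expected_delay
```

Holding only the request for two seconds moves the client's estimate by one full second, while holding both directions equally leaves the estimate correct but doubles the visible round-trip delay; the observed delay is therefore the only per-exchange signal a client can bound, which is why Chronos moves the defence to the server-selection and aggregation level instead.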
There are two crucial aspects of today’s NTP clients that make them particularly susceptible to MitM attackers:
- The client’s (typical) reliance on a small server pool.
- The algorithm used for selecting the servers to sync to.
Chronos takes away attackers’ time shifting capabilities
At the Hebrew University of Jerusalem, we recently presented Chronos, a new NTP client that is secure against time shifting by MitM attackers.
Chronos replaces the two elements in the NTP client that give rise to NTP’s vulnerabilities to MitM (see above), in doing so achieving:
- Provable security guarantees even against powerful MitM attackers or attackers capable of compromising authenticated NTP servers.
- Backwards-compatibility with today’s NTP. Chronos involves software changes to the NTP client side only, and no changes to NTP servers.
- Low computational and communication overhead. Overloading NTP servers can result in slower response times and thus degraded synchronization. Chronos avoids excessive overhead for both clients and servers.
A Chronos-client periodically queries small subsets of a large pool (100s) of NTP servers to solicit timing information, and then applies a theory-informed algorithm to remove outliers and average over the remaining responses.
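The crowdsourcing scheme just described can be modelled in a few dozen lines. The following is an added example and not the Chronos implementation: it keeps the structure the post gives (sample a small subset of a large pool, discard the extreme responses, average the rest), and the agreement check on the surviving responses, the retry count and the "query the whole pool" fallback, as well as every numeric parameter (subset size m, trim count d, agreement window w) and the constructed server pool, are assumptions of this example rather than values from the paper.

```python
"""Simplified model of Chronos-style crowdsourced time aggregation.

Added example, not Chronos code.  Structure follows the post (sample a
subset of a large pool, drop outliers, average the survivors); the
agreement window, retry limit, whole-pool fallback and all parameter
values are assumptions of this example.  The server pool is constructed.
"""
import random
import statistics


def trimmed_estimate(samples, d, w):
    """Drop the d lowest and d highest offsets and average the rest.

    Returns None when the survivors disagree by more than w seconds, which
    is how this model refuses a sample that still contains misbehaving servers.
    """
    if len(samples) <= 2 * d:
        raise ValueError("need more than 2*d samples")
    kept = sorted(samples)[d:len(samples) - d]
    if kept[-1] - kept[0] > w:
        return None
    return statistics.fmean(kept)


def make_pool(n_servers, n_attackers, true_offset, attacker_shift, jitter, rng):
    """Constructed pool: each entry is a callable returning that server's reported offset.

    Honest servers report the true offset plus small jitter; attacker-controlled
    servers all report the true offset plus a large constant shift.
    """
    pool = []
    for i in range(n_servers):
        if i < n_attackers:
            pool.append(lambda: true_offset + attacker_shift)
        else:
            pool.append(lambda: true_offset + rng.uniform(-jitter, jitter))
    return pool


def sync_round(pool, rng, m=9, d=3, w=0.025, max_tries=3):
    """One synchronization round.  Returns (estimate, tries_used, used_fallback).

    Up to max_tries random subsets of size m are queried; if none passes the
    agreement check, the whole pool is queried and a third is trimmed from
    each end (assumed fallback of this model).
    """
    for attempt in range(1, max_tries + 1):
        subset = rng.sample(pool, m)
        est = trimmed_estimate([server() for server in subset], d, w)
        if est is not None:
            return est, attempt, False
    all_offsets = sorted(server() for server in pool)
    d_all = len(pool) // 3
    return statistics.fmean(all_offsets[d_all:len(pool) - d_all]), max_tries, True


def run_simulation(rounds=50, seed=7, n_servers=30, n_attackers=5,
                   true_offset=0.1, attacker_shift=5.0, jitter=0.005):
    """Run several rounds against a constructed pool; returns the list of results."""
    rng = random.Random(seed)
    pool = make_pool(n_servers, n_attackers, true_offset, attacker_shift, jitter, rng)
    return [sync_round(pool, rng) for _ in range(rounds)]


def worst_shift(results, true_offset):
    """Largest distance between any round's accepted estimate and the true offset."""
    return max(abs(est - true_offset) for est, _, _ in results)


if __name__ == "__main__":
    res = run_simulation()
    print("rounds:", len(res), "worst shift (s):", round(worst_shift(res, 0.1), 4),
          "fallbacks:", sum(1 for _, _, fb in res if fb))
```

With m=9 and d=3, three attacker-controlled servers in a sample are simply trimmed away, and four or five leave a survivor set that disagrees by the full attacker shift and is rejected, so an attacker who does not control most of a sample cannot move the estimate; the constructed pool here has 5 of 30 servers under attacker control, which is why the worst observed shift stays inside the honest jitter.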
We proved that this crowdsourcing scheme guarantees that the client’s internal clock remains close (time-wise) to the universal time (UTC), and that the clocks of any two Chronos-clients remain close to each other, even if the attacker controls a large fraction of the NTP server pool. Thus, Chronos provides meaningful security guarantees for adopters even under very partial deployment — see our paper [PDF 1.5MB] (published at NDSS 2018) for further details on its security guarantees.
We evaluated a prototype implementation of Chronos through a combination of theoretical and empirical analyses. Our results indicate that to succeed in shifting time at a Chronos client by over 100ms from the UTC, even a powerful MitM attacker requires over 20 years of effort in expectation.
While we view Chronos as a promising approach to securing NTP, naturally, more implementation, experimentation, and standardization efforts are needed before Chronos can be safely deployed at scale (see the most recent IETF draft). We call upon the community to take part in these efforts.
Chronos was recently awarded the IETF/IRTF Applied Networking Research Prize.
Contributor: Michael Schapira (Hebrew University of Jerusalem)
Neta Rozen Schiff is a research associate at the School of Computer Science and Engineering of the Hebrew University of Jerusalem
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.