[cryptography] Authenticated Time Synchronization

Stephen Röttger stephen.roettger at gmail.com
Sun Sep 1 12:45:46 EDT 2013

Hi Everyone,

We're currently working on a new RFC for authenticated time
synchronization (NTP/PTP) since the current approach has major security
vulnerabilities and would like to have some feedback.

You can find the most recent version of the draft here:

And the previous discussion on the mailing list of the working group:

I would be especially interested in feedback for the client-server
synchronization and will outline the protocol shortly.
The major requirements for this protocol are as follows:
 * the server should not keep a state about the clients
 * it shouldn't be a cpu hog (in order to not influence the
synchronization precision)

That's why we came up with the following protocol:
The server keeps a 128 bit secret S_s and has a public key and a
certificate signed by some certificate authority.

C -> S: request a shared secret (cookie request)
 The client sends his public rsa key C_pub to the server
C <- S: cookie response
 The server calculates a secret, unique to the client:
  C_cookie = MSB_128(S_s || H(C_pub))
 And sends it back to the client, encrypted with C_pub and signed

C -> S: Time request
 The time request again includes C_pub (or H(C_pub)) and a 128 bit nonce
C <- S: Time response
 The server calculates C_cookie (using C_pub) and uses it to append a
MAC to the time response (which again includes the client's nonce)
  MAC = HMAC(C_cookie, time_response)

The hash function H in this case should be at least sha2.
Note that the nonce in the time requests/responses is not in the current
draft yet.


More information about the cryptography mailing list