xref: /freebsd/contrib/ntp/html/autokey.html (revision 02e9120893770924227138ba49df1edb3896112a)
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2<html>
3<head>
4<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
5<meta name="generator" content="HTML Tidy, see www.w3.org">
6<title>Autokey Public-Key Authentication</title>
7<link href="scripts/style.css" type="text/css" rel="stylesheet">
8<style type="text/css">
9<!--
10.style1 {
11	color: #FF0000
12}
13-->
14</style>
15</head>
16<body>
17<h3>Autokey Public-Key Authentication</h3>
18<p>Last update:
19  <!-- #BeginDate format:En2m -->3-Oct-2011  21:51<!-- #EndDate -->
20  UTC</p>
21<hr>
22<h4>Table of Contents</h4>
23<ul>
24  <li class="inline"><a href="#intro">Introduction</a></li>
25  <li class="inline"><a href="#subnet">Autokey Subnets</a></li>
26  <li class="inline"><a href="#names">Subnet Group Names's</a></li>
27  <li class="inline"><a href="#secure">Secure Groups</a></li>
28  <li class="inline"><a href="#cfg">Configuration - Authentication Schemes</a></li>
29  <li class="inline"><a href="#scfg">Configuration - Identity Schemes</a></li>
30  <li class="inline"><a href="#ident">Identity Schemes and Cryptotypes</a></li>
31  <li class="inline"><a href="#files">Files</a></li>
32</ul>
33<hr>
34<h4 id="intro">Introduction</h4>
35<p>This distribution includes support for the  Autokey public key algorithms and protocol specified in RFC-5906 &quot;Network Time Protocol Version 4: Autokey Specification&quot;. This support is available only if the OpenSSL library has been installed and the <tt>--enable-autokey</tt> option   is specified when the distribution is built.</p>
36<p> Public key cryptography is generally considered more secure than symmetric key cryptography. Symmetric key cryptography is based on a shared secret key which must be distributed by secure means to all participants. Public key cryptography is based on a private secret key known only to the originator and a public key known to all participants. A recipient can verify the originator has the correct private key using the public key and any of several digital signature algorithms.</p>
37<p>The Autokey Version 2 protocol described on the <a href="http://www.eecis.udel.edu/%7emills/proto.html">Autokey Protocol</a> page verifies packet integrity using  message digest algorithms, such as MD5 or SHA,  and verifies the source using   digital signature schemes, such as RSA or DSA.  As used in Autokey, message digests are exceptionally difficult to cryptanalyze, as the keys are used only once.</p>
38<p> Optional identity schemes described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page are based on cryptographic challenge/response exchanges.  Optional identity schemes provide strong security against  masquerade and most forms of clogging attacks. These schemes are exceptionally difficult to cryptanalyze, as the challenge/response exchange data are used only once. They  are described along with an executive summary, current status, briefing slides and reading list on the <a href="http://www.eecis.udel.edu/~mills/autokey.html">Autonomous Authentication</a> page.</p>
39<p>Autokey authenticates individual packets using cookies bound to the IP source and destination addresses. The cookies must have the same IP addresses at both the server and client. For this reason operation with network address translation schemes is not possible. This reflects the intended robust security model where government and corporate NTP servers and clients are operated outside firewall perimeters.</p>
40<p>Autokey is designed to authenticate servers to clients, not the other way around as in SSH.  An Autokey server can support an authentication scheme such as the Trusted Certificate (TC) scheme described in RFC 5906, while a client is free to choose between the various options. It is important to understand that these provisions are optional and that selection of which option is at the discretion of the client. If the client does not require authentication, it is free to ignore it, even if some other client of the same server elects to participate in either symmetric key or public key cryptography.</p>
41<p> Autokey uses industry standard X.509 public certificates, which can be produced by commercial services, utility programs in the OpenSSL software library, and the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility program in the NTP software distribution.  A certificate includes the subject name of the client, the issuer name of the server, the public key of the client and the time  period over which the the  public and private keys are valid.   All Autokey hosts have  a self-signed certificate with   the  Autokey name as both the subject and issuer. During the protocol, additional certificates are produced with the Autokey host name as subject and the host that signs the certificate as issuer.</p>
42<p>There are two timeouts associated with the Autokey scheme. The <em>key list timeout</em> is set by the <tt>automax</tt> command, which  specifies the interval between generating new key lists by the client or  server. The default timeout of about 1.1 hr is appropriate for the majority of configurations and ordinarily should not be changed. The <em>revoke timeout</em> is set by the <tt>revoke</tt> command, which  specifies the interval between generating new server private values. It is intended to reduce the vulnerability to cryptanalysis; however,  new values  require the server to encrypt each client cookie separately. The default timeout of about 36 hr is appropriate for most  servers, but might be too short for national time servers.</p>
43<h4 id="subnet">Autokey Subnets</h4>
44<p> An Autokey subnet consists of a collection of hosts configured as an acyclic, directed tree with roots one or more trusted hosts (THs) operating at the lowest stratum of the subnet. Note that the requirement that the NTP subnet be acyclic means that, if two hosts are configured with each other in symmetric modes, each must be a TH. The THs are synchronized  directly or indirectly to national time services via trusted means, such as radio, satellite or telephone modem, or one or more trusted agents (TAs) of a parent subnet. NTP subnets can be nested, with the THs of a child subnet configured for one or more TAs of a parent subnet.  The TAs can serve one or more child subnets, each with its own security policy and set of THs.</p>
45<p>A certificate trail is a sequence of certificates, each signed by a host  one step closer to the THs and terminating at the self-signed certificate of a TH. The requirement that the subnet be acyclic means certificate trails can never loop. NTP servers operate as certificate  authorities (CAs) to sign certificates provided by their clients.  The CAs include the TAs of the parent subnet and those subnet servers with dependent clients.</p>
46<p> In order for the signature to succeed, the client certificate valid period  must begin within the valid period  of the server certificate.  If  the server period begins later than the client period, the client certificate has expired; if the client period begins later than the server period, the server certificate has expired.</p>
47<p>The Autokey protocol runs for each association separately, During the protocol, the client recursively obtains  the certificates on the trail to a TH, saving each in a cache ordered from most recent to oldest. If an expired certificate is found, it is invalidated and marked for later replacement. As the client certificate itself is not involved in the certificate trail, it can only be declared valid or expired when the server  signs it. </p>
48<p>The certificates derived from each association are combined in the cache with duplicates suppressed. If it happens that two different associations contribute certificates to the cache, a certificate on the trail from one association  could expire before any on another trail. In this case the remaining trails  will survive until the expired certificate is replaced. Once saved in the cache, a certificate remains valid until it expires or is replaced by a new one.</p>
49<p> It is important to note that the certificate trail is validated only at startup when an association is mobilized. Once validated in this way,  the server remains valid until it  is demobilized, even if  certificates on the trail to the THs expire. While the certificate trail authenticates each host on the trail to  the THs, it does not   validate  the time values themselves. Ultimately, this is determined by the NTP on-wire protocol.</p>
50<p>Example</p>
51<div align="center"><img src="pic/flt8.gif" alt="gif">
52  <p>Figure 1. Example Configuration</p>
53</div>
54<p>Figure 1 shows an example configuration with three NTP subnets, Alice, Helen and Carol. Alice and Helen are parent groups for Carol with TA C belonging to Alice and TA S belonging to Helen.  Hosts A and B are THs of Alice, host R is the TH of Helen and host X is the TH of Carol. Assume that all associations are client/server,  child subnet TH X has two mobilized associations, one to Alice TA host C and the other to Carol TA host S. While not shown in the figure, Alice hosts A and B could configure symmetric mode associations between them for redundancy and backup.</p>
55<p>Note that  host D certificate trail is D&rarr;C&rarr;A or D&rarr;C&rarr;B, depending on the particular order the trails are built. Host Y certificate trail is only Y&rarr;X, since X is a TH. Host X has two certificate trails X&rarr;C&rarr;A or X&rarr;C&rarr;B, and X&rarr;S&rarr;R.</p>
56<h4 id="names">Subnet Group Names</h4>
57<p>In some configurations where more than one subnet shares an Ethernet or when multiple subnets exist in a manycast or pool configuration, it is useful to isolate one subnet from another. In Autokey this can be done using  group names. An Autokey  host name is specified by the <tt>-s</tt><tt><em> host</em>@<em>group</em></tt> option of the <tt>ntp-keygen</tt> program, where <em><tt>host</tt></em> is the   host name and <em><tt>group</tt></em> is the   group name. If <em><tt>host</tt></em> is omitted, the  name defaults to the string returned by the Unix <tt>gethostname()</tt> routine, ordinarily the DNS name of the host. Thus, for host <tt>beauregard.udel.edu</tt> the option <tt>-s @red</tt> specifies the Autokey host name <tt>beauegard.udel.edu@red</tt>.</p>
58<p>A subnet host with a given group name will discard ASSOC packets from all  subnets with a different group name. This effectively disables the Autokey protocol  without additional packet overhead. For instance, one or more manycast or pool servers will not respond to ASSOC packets from  subnets  with difference group names. Groups sharing an Ethernet will be filtered in the same way.</p>
59<p>However, as shown in Figure 1, there are configurations where a TH of one group needs to listen to a TA of a different group. This is accomplished using the <tt>ident <em>group</em></tt> option of the <tt>crypto</tt> command and/or the <tt>ident <em>group</em></tt> option of the <tt>server</tt> command. The former  case applies to all hosts sharing a common broadcast, manycast or symmetric passive modes,  while the latter case applies to each individual client/server or symmetric active mode association. In either case the host listens to the specified  group name in addition to the group name specified in the <tt>-s</tt> option of the <tt>ntp-keygen</tt> program.</p>
60<h4 id="secure">Secure Groups</h4>
61<p>NTP security groups are an extension of the NTP subnets described in the previous section. They include in addition to certificate trails one or another identity schemes described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page. NTP secure groups are used to define cryptographic compartments and security
62  hierarchies. The identity scheme insures that the server is authentic and not victim of masquerade by an intruder acting as a middleman.</p>
63<p> An NTP secure group is an NTP subnet  configured as an acyclic tree rooted on the THs. The THs are at the lowest stratum of the secure group. They  run an identity exchange with the TAs of  parent subnets All group hosts construct an  unbroken  certificate trail from each host, possibly via intermediate hosts, and ending at a TH of that group. The TH verifies authenticity with the  TA of the parent subnet using an identity exchange.</p>
64<div align="center"><img src="pic/flt9.gif" alt="gif">
65  <p>Figure 2. Identify Scheme</p>
66</div>
67<p>The identity exchange is run between a TA acting as a server and a TH acting as a client. As shown in Figure 2, the  identity exchange involves a challenge-response protocol where a client generates a nonce and sends it to the server. The server performs a mathematical operation involving a second nonce and the secret group key, and sends the result along with a hash to the client. The client performs a another mathematical operation and verifies the result with the hash.</p>
68<p> Since each exchange involves two nonces, even after repeated observations of many exchanges, an intruder cannot learn the secret group key. It is this quality that allows the  secret group key to persist long after the longest period of certificate validity. In the Schnorr (Identify Friend or Foe - IFF) scheme, the secret group key is not divulged to the clients, so they cannot conspire to prove identity to other hosts.</p>
69<p>As described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page, there are five identity schemes, three of which - IFF, GQ and MV - require identity files specific to each scheme. There are two types of files for each scheme, an encrypted server keys file  and a nonencrypted client keys file, also called the parameters file, which usually contains a subset of the keys file.</p>
70<p> Figure 2 shows how keys and parameters are distributed to servers and clients. A TA constructs the encrypted keys file and the nonencrypted parameters file. Hosts with no dependent clients can retrieve client parameter files from an
71  archive or web page. The <tt>ntp-keygen</tt> program can export parameter files using the <tt>-e</tt> option. By convention, the file name is the name of the secure group and must match the <tt>ident</tt> option of the <tt>crypto</tt> command or the <tt>ident</tt> option of the <tt>server</tt> command.</p>
72<p> When more than one TH Is involved in the secure group, it is convenient for the TAs and THs to use the same   encrypted key files. To do this, one of the parent TAs includes the <tt>-i <em>group</em></tt> option  on the <tt>ntp-keygen</tt> command line, where <em><tt>group</tt></em> is the name of the child secure group.   The <tt>ntp-keygen</tt> program can export server keys files using the <tt>-q</tt> option and a chosen remote password. The files are installed  on the TAs and then renamed using the name given as the first line in the file, but without the filestamp. The secure group name  must match the <tt>ident</tt> option  for all TAs.</p>
73<dl>
74  <dd><span class="style1">In the latest Autokey version, the host name and group name are independent of each other and the <tt>host</tt> option of the <tt>crypto</tt> command is deprecated. When compatibility with older versions is required, specify the same name for both the <tt>-s</tt> and <tt>-i</tt> options.</span></dd>
75</dl>
76<p>In special circumstances the Autokey message digest algorithm can be changed using the <tt>digest</tt> option of the <tt>crypto</tt> command. The  digest algorithm is separate and distinct from the symmetric
77  key message digest algorithm.   If compliance with FIPS 140-2 is required,
78  the algorithm must be ether <tt>SHA</tt> or <tt>SHA1</tt>. The Autokey message digest algorithm must be the same for  all participants in the NTP subnet.</p>
79<p>Example</p>
80<p>Returning to the example of Figure 1, Alice, Helen and Carol run run the Trusted Certificate (TC) scheme, internally, as the environment is secure and without threat from external attack, in particular a middleman masquerade. However,  TH X of Carol is vulnerable to masquerade on the links between X and C and between X and  S. Therefore, both parent subnet TAs C and S   run an identity exchange with child subnet TH X. Both have the same encrypted keys file and X the common parameters file.</p>
81<h4 id="cfg">Configuration - Authentication Schemes</h4>
82<p>Autokey has an intimidating number of  options, most of which are not necessary in typical scenarios. However, the  Trusted Certificate (TC) scheme is recommended for  national NTP time services, such as those operated by NIST and USNO. Configuration for TC is very simple.</p>
83<p> Referring to Figure 1, for  each  TH, A, B, R and X, as root:</p>
84<p><tt># cd /usr/local/etc<br>
85  # ntp-keygen -T</tt></p>
86<p>and for the other hosts the same commands without the <tt>-T</tt> option. This generates an RSA private/public host key file and a self-signed certificate file for  the RSA digital signature algorithm  with  the MD5 message digest algorithm. For the THs  a  trusted certificate is generated; for the others a nontreusted certificate is generated. Include in the <tt>ntp.conf</tt> configuration file for all hosts other than  the primary servers, A, B and R, something like</p>
87<p><tt>  # server <em>host</em> autokey<br>
88  # crypto<br>
89  # driftfile /etc/ntp.drift</tt></p>
90<p>where <em><tt>host</tt></em> is the selected server name as shown in the figure.  Servers A, B and R are configured for local reference clocks or trusted remoter servers as required.</p>
91<p>In the above configuration examples, the default  host name is the string  returned by the Unix <tt>gethostname()</tt> routine, ordinarily the   DNS name of the host. This  name is used as the subject and issuer names on the certificate, as well as the default  password for the encrypted keys file. The   host name can be changed using the <tt>-s</tt> option of the <tt>ntp-keygen</tt> program. The default password can be changed using the <tt>-p</tt> option of the <tt>ntp-keygen</tt> program and the <tt>pw</tt> option of the <tt>crypto</tt> configuration command.</p>
92<p>Group names can be added to this configuration by including the <tt>-s <em>host</em>@<em>group</em></tt> option with the <tt>ntp-keygen</tt> program. For the purpose of illustration, the <tt><em>host</em></tt> string is empty, signifying the default host name.  For example,  @<tt>yellow</tt>  can be used for the Alice group,  @<tt>orange</tt> for the Helen group and  @<tt>blue</tt> for the Carol group.  In addition, for TH X the <tt>ident yellow</tt> option should be added to the  <tt>server</tt> command for the Alice group and the <tt>ident orange</tt> option should be added to the <tt>server</tt> command for the Helen group.</p>
93<h4 id="scfg">Configuration - Identity Schemes</h4>
94<p> The example in this section uses the IFF identity scheme, but others, including GQ and MV, can be used as well.  It's best to start with a functioning TC configuration and add  commands as necessary. We start with the subnets of Figure 1 configured as in the previous section. Recall that the parent subnet TA for Alice is C and for Helen is S. Each  of the TAs generates an encrypted server keys file and nonencrypted client parameters file for the IFF identity scheme using the <tt>-I</tt> option of the <tt>ntp-keygen</tt> program. Note the TAs are not necessarily trusted hosts, so may not need the <tt>-T</tt> option.</p>
95<p>The   nonencrypted client parameters     can be exported using the  command</p>
96<p><tt>ntp-keygen -e &gt;<i>file</i></tt>,</p>
97<p>where the <tt>-e</tt> option redirects the  client parameters to <em><tt>file</tt></em> via the standard output stream for a mail application or stored locally for later distribution to one or more THs.   In a similar fashion the  encrypted keys file can be exported using the command</p>
98<p><tt>ntp-keygen -q <em>passw2</em> &gt;<i>file</i></tt>,</p>
99<p>where <em><tt>passwd2</tt></em> is the read password for another TA. We won't need this file here.</p>
100<p> While the file names used for the exported files are arbitrary, it is common practice to use the name given as the first line in the file with the filestamp suppressed. Thus, the nonencryted parameters file from each TA  is copied to X with this name.</p>
101<p>To complete the configuration, the TH includes the client parameters file name in the <tt>ident</tt> option of the  the <tt>server</tt> command for the TA association</p>
102<p><tt>server 1.2.3.4 ident <em>group</em>,</tt></p>
103<p> where <em><tt>group</tt></em> is the file name given above. </p>
104<h4 id="ident">Identity Schemes and Cryptotypes</h4>
105<p>A specific combination of authentication and identity schemes is called a <em>cryptotype</em>, which applies to clients and servers separately. A group can be configured using more than one cryptotype combination, although not all combinations are interoperable. Note however that some cryptotype combinations may successfully intemperate with each other, but may not represent good security practice. The server and client cryptotypes are defined by the the following codes.</p>
106<dl>
107  <dt>NONE</dt>
108  <dd>A client or server is type NONE if authentication is not available or not configured. Packets exchanged between client and server have no MAC.</dd>
109  <dt>AUTH</dt>
110  <dd>A client or server is type AUTH&nbsp;if the <tt>key</tt> option is specified with the <tt>server</tt> configuration command and the client and server keys are compatible. Packets exchanged between clients and servers have a MAC.</dd>
111  <dt>PC</dt>
112  <dd>A client or server is type PC if the <tt>autokey</tt> option is specified with the <tt>server</tt> configuration command and compatible host key and private certificate files are present. Packets exchanged between clients and servers have a MAC.</dd>
113  <dt>TC</dt>
114  <dd>A client or server is type TC  if the <tt>autokey</tt> option is specified with the <tt>server</tt> configuration command and compatible host key and public certificate files are present. Packets exchanged between clients and servers have a MAC.</dd>
115  <dt>IDENT</dt>
116  <dd>A client or server is type IDENT  if the <tt>autokey</tt> option is specified with the <tt>server</tt> configuration command and compatible host key, public certificate and identity scheme files are present. Packets exchanged between clients and servers have a MAC.</dd>
117</dl>
118<p>The compatible cryptotypes for clients and servers are listed in the following table.</p>
119<table width="100%" border="1" cellpadding="4">
120  <tr>
121    <td rowspan="2" align="center">Client</td>
122    <td colspan="5" align="center">Server</td>
123  </tr>
124  <tr>
125    <td align="center">NONE</td>
126    <td align="center">AUTH</td>
127    <td align="center">PC</td>
128    <td align="center">TC</td>
129    <td align="center">IDENT</td>
130  </tr>
131  <tr>
132    <td align="center">NONE</td>
133    <td align="center">yes</td>
134    <td align="center">yes*</td>
135    <td align="center">yes*</td>
136    <td align="center">yes*</td>
137    <td align="center">yes*</td>
138  </tr>
139  <tr>
140    <td align="center">AUTH</td>
141    <td align="center">no</td>
142    <td align="center">yes</td>
143    <td align="center">no</td>
144    <td align="center">no</td>
145    <td align="center">no</td>
146  </tr>
147  <tr>
148    <td align="center">PC</td>
149    <td align="center">no</td>
150    <td align="center">no</td>
151    <td align="center">yes</td>
152    <td align="center">no</td>
153    <td align="center">no</td>
154  </tr>
155  <tr>
156    <td align="center">TC</td>
157    <td align="center">no</td>
158    <td align="center">no</td>
159    <td align="center">no</td>
160    <td align="center">yes</td>
161    <td align="center">yes</td>
162  </tr>
163  <tr>
164    <td align="center">IDENT</td>
165    <td align="center">no</td>
166    <td align="center">no</td>
167    <td align="center">no</td>
168    <td align="center">no</td>
169    <td align="center">yes</td>
170  </tr>
171</table>
172<p>* These combinations are not valid if the restriction list includes the <tt>notrust</tt> option.</p>
173<h4 id="err">Error Codes</h4>
174<p>Errors can occur due to mismatched configurations, unexpected protocol restarts, expired certificates and unfriendly people. In most cases the protocol state machine recovers automatically by retransmission, timeout and restart, where necessary. Some errors are due to mismatched keys, digest schemes or identity schemes and must be corrected by installing the correct media and/or correcting the configuration file. One of the most common errors is expired certificates, which must be regenerated and signed at least once per year using the <a href="keygen.html"><tt>ntp-keygen</tt> - generate public and private keys</a> program.</p>
175<p>The following error codes are reported via the NTP control and monitoring protocol trap mechanism and to the <tt>cryptostats</tt> monitoring file if configured.</p>
176<dl>
177  <dt>101 bad field format or length</dt>
178  <dd>The packet has invalid version, length or format.</dd>
179  <dt>102 bad timestamp</dt>
180  <dd>The packet timestamp is the same or older than the most recent received. This could be due to a replay or a server clock time step.</dd>
181  <dt>103 bad filestamp</dt>
182  <dd>The packet filestamp is the same or older than the most recent received. This could be due to a replay or a key file generation error.</dd>
183  <dt>104 bad or missing public key</dt>
184  <dd>The public key is missing, has incorrect format or is an unsupported type.</dd>
185  <dt>105 unsupported digest type</dt>
186  <dd>The server requires an unsupported digest/signature scheme.</dd>
187  <dt>106 unsupported identity type</dt>
188  <dd>The client or server has requested an identity scheme the other does not support.</dd>
189  <dt>107 bad signature length</dt>
190  <dd>The signature length does not match the current public key.</dd>
191  <dt>108 signature not verified</dt>
192  <dd>The message fails the signature check. It could be bogus or signed by a different private key.</dd>
193  <dt>109 certificate not verified</dt>
194  <dd>The certificate is invalid or signed with the wrong key.</dd>
195  <dt>110 host certificate expired</dt>
196  <dd>The old server certificate has expired.</dd>
197  <dt>111 bad or missing cookie</dt>
198  <dd>The cookie is missing, corrupted or bogus.</dd>
199  <dt>112 bad or missing leapseconds table</dt>
200  <dd>The leapseconds table is missing, corrupted or bogus.</dd>
201  <dt>113 bad or missing certificate</dt>
202  <dd>The certificate is missing, corrupted or bogus.</dd>
203  <dt>114 bad or missing group key</dt>
204  <dd>The identity key is missing, corrupt or bogus.</dd>
205  <dt>115 protocol error</dt>
206  <dd>The protocol state machine has wedged due to unexpected restart.</dd>
207</dl>
208<h4 id="files">Files</h4>
209<p>See the <a href="keygen.html"><tt>ntp-keygen</tt></a> page. Note that provisions to load leap second values from the NIST files have been removed. These provisions are now available whether or not the OpenSSL library is available. However, the functions that can download these values from servers remains available.</p>
210<hr>
211<p>
212  <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
213</p>
214</body>
215</html>
216