Contributed by tbert on from the stuck-with-the-MitM-with-you dept.
Reyk Flöter (reyk@) wrote in to tech@, talking about some work he'd done at s2k15:
Hi!
Theo, Henning, and me developed an idea to utilize TLS in some way for authenticated time in ntpd(8). We are not intending to use it as a direct time source, but as a "constraint" to verify the NTP responses. I came up with an implementation that has been designed to be an optional, non-intrusive feature that is now part of OpenBSD -current.
From the ntpd.conf(5) man page: "ntpd(8) can be configured to query the `Date' from trusted HTTPS servers via TLS. This time information is not used for precision but acts as an authenticated constraint, thereby reducing the impact of unauthenticated NTP `Man-In-The-Middle' attacks. Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP servers will be marked as invalid."
The standardized attempts to add authentication to NTP are a) fairly horrible (ASN.1 etc.) and b) rarely deployed. HTTPS is most widely deployed and provides a reference time in the Date: header. The resolution is not good enough as a time source, only seconds and it does not consider network and I/O delays, but it is good enough to provide bounds that can be used to verify the NTP responses. We only use the time from the HTTPS header, and not the TLS timestamp, as the latter is most possibly randomized in modern SSL/TLS implementations.
To test it, you can configure one or more HTTPS URLs or hosts in your ntpd.conf that will be queried upon startup of ntpd. Any HTTPS URL would work and the path is fully optional. The server certificate is currently verified against the CA certificates in /etc/ssl/cert.pem; a self-signed certificate would not work unless you add your own CA to the file.
---snip--- servers pool.ntp.org constraints from "https://www.google.com/search?q=openntpd" constraints from www.twitter.com constraint from www.apple.com ---snap---The feature is still experimental and we're continuing to improve the semantics. But it is already fully functional and ready to be tested. The HTTPS client requests are executed in independent processes that are fully isolated from each other and from the NTP processes - a strict separation protects the daemon from any potential failures in the TLS execution.
Related commit:
http://marc.info/?l=openbsd-cvs&m=142355043928397&w=2Have fun with catching the "outliars"!
Reyk
(Comments are closed)
By Anonymous Coward (212.136.9.4) on
Comments
By Theo de Raadt (130.102.96.33) on
No. Like the server & servers keywords, there are constraint & constraint keywords. The singular selects one address. The plurals expand to all the addresses identified (by a DNS lookup or such).
Comments
By Anonymous Coward (212.136.9.4) on
>
> No. Like the server & servers keywords, there are constraint & constraint keywords. The singular selects one address. The plurals expand to all the addresses identified (by a DNS lookup or such).
Just noticed that from the mail related to commit message, thanks for the clarification anyway.
By reyk (130.102.96.33) on
No, as I mentioned on tech@ (http://marc.info/?l=openbsd-tech&m=142356742801119&w=2):
"Yes, it is valid. As mentioned in the man page, it works like the existing server vs. servers for NTP peers.
When a hostname or URL is specified, ntpd(8) will resolve the host. The singular version will use only one of the returned IP addresses and the plural version will use it as a pool and use all of the returned IP addresses.
Following the example, a "dig A" on www.google.com or www.apple.com will typically show you a number of addresses, while the Akamai-hosted www.apple.com only returns one address near you. You're free to use any host, and some people might prefer to use their own trusted servers, I just picked some examples with good availability and seemingly good time."
By Anonymous Coward (2601:6:5182:4595:e5af:b6bd:5833:2d49) on
By Christian Neukirchen (138.246.2.57) chneukirchen@gmail.com on http://chneukirchen.org/
Comments
By Gwyllion (83.101.69.36) on
This is mentioned explicitly in the tech@ post:
"We only use the time from the HTTPS header, and not the TLS timestamp, as the latter is most possibly randomized in modern SSL/TLS implementations."
By Anonymous Coward (209.181.89.124) on
Comments
By phessler (phessler) on http://www.openbsdfoundation.org/donations.html
For now, this is an experiment. If it turns out to be a useful experiment, an RFC will be considered.
By henning (130.102.96.33) on
good luck with that process! let us know how it goes.
By Martin Seener (2a02:8109:8000:14:b7:8824:4aeb:c6dd) on
Also why not adding the possibility on the NTP server side? I could not just serve the date via NTP but also via a super simple HTTPS/TLS only "webserver" on 443 or another port for direct verfification of the ntp responses. Because you know the RTT to a specific ntp server you can also better calculate the boundaries of the TLS response and you don't have to use a 3rd party HTTPS Server for this.
And in this regard: Is it possible to do this? "constraints www.mydomain.com:8443" for example?
By n1000 (2601:9:7d80:ced:301a:8984:b597:f395) natex84@gmail.com on
Comments
By n1000 (2601:9:7d80:ced:301a:8984:b597:f395) natex84@gmail.com on
"...hosts in your ntpd.conf that will be queried upon startup of ntpd."
Ah, so this is just for the initial time setting, that makes more sense now... sorry for the spam.