Network Time Security (NTS) Support for NTP
NTS provides cryptographic security for network time synchronization and supports client-server mode of NTP.
NTS Overview
NTS provides cryptographic security for network time synchronization and supports client-server mode of NTP. NTS uses Transport Layer Security (TLS) protocol and Authenticated Encryption with Associated Data (AEAD) to obtain network time in an authenticated manner to the users. NTS also provides support for encryption of NTP extension fields.
The most important security processes are dependent on accurate time. Network time synchronization from a malicious source leads to serious consequences. Enabling NTS ensures accurate network time synchronization on your device.
Starting Junos OS Evolved release version 24.2R1, supports RFC 8915 compliance for Network Time Security (NTS) using Network Time Protocol (NTP) on ACX-Series, QFX-Series and PTX-Series devices. NTS provides cryptographic security for network time synchronization and supports the client/server mode of NTP.
This RFC 8915 compliance feature supports:
- Configuration of local-certificate for server and certificate verification options for client.
- Verification of x.509 certificates to establish a TLS channel between client and server.
- TLS NTS-KE protocol support.
- Support for NTS secured client-server NTP communication at server and client.
Benefits of NTS
- Provides strong cryptographic protection against wide range of security attacks such as packet manipulation, spoofing, DDOS amplification attacks, and replay attacks
- Ensures accurate network time synchronization from a reliable source
- Provides scalability: Servers can serve several clients without manually pre-configuring any client-specific configuration. Because of the usage of cookies the server does not need to locally store the client specific data such as keys and AEAD algorithm
- Prevents tracking of mobile devices
Network Time Synchronization with NTS
NTS consists of two protocols, the NTS Key Establishment protocol (NTS-KE) and the NTP time synchronization using NTS extension fields.
NTS-KE Protocol
The NTS Key Establishment protocol (NTS-KE) uses TLS protocol to manage the initial authentication of the server, NTS parameter negotiation, and key establishment over TLS in the following order:
- The client performs a TLS handshake with the NTS-KE server and successfully verify the certificates.
-
The client performs the NTS parameters negotiation with the server over the TLS-protected channel. The cryptographic algorithms negotiated are AEAD methods, which protects the NTP packets in the second phase.
-
The client and the server successfully establish the key material for communication.
-
The server also sends a supply of initial cookies to the client to use in next phase.
-
The TLS channel closes and NTP proceeds to the next phase where actual exchange of time data happens.
NTS supports only the TLS version 1.3. The older TLS versions get rejected during the NTS-KE protocol phase.
NTP Time Synchronization Using NTS Extension Fields
This phase manages the encryption and authentication during NTP time synchronization through the extension fields in the NTP packets in the following order:
-
The client queries the NTP server about time with NTS extension fields. These extension fields include cookies and an authentication tag computed using negotiated AEAD algorithm and key material extracted from the NTS-KE handshake.
An NTS-secured NTP client request contains the following NTS extension fields:
-
Unique Identifier Extension Field: Contains randomly generated data and provides the means for replay protection at the NTS level.
-
NTS Cookie Extension Field: Contains the information about the key material, which establishes during NTS-KE phase, and the negotiated cryptographic algorithm. A cookie is only used once in a request to prevent tracking.
-
NTS Cookie Placeholder Extension Field: (Optional) Communicates to the server that the client wants to receive additional cookies in the response packet.
-
NTS Authenticator and Encrypted Extension Fields: Generated using AEAD Algorithm and key established during NTS-KE. This field provides the integrity protection for the NTP header and all the previous extension fields.
Constant refreshing of cookies protects a device from tracking when it changes network addresses. For example a mobile device moving across different networks. The lack of any recognizable data prevents an adversary from determining that two packets sent over different network addresses came from the same client.
-
-
When the server receives an NTS-secured request from the client, the server decrypts the cookie with a master key.
-
The server extracts the negotiated AEAD algorithm and the keys that are available in the cookie. Using this key, the server checks the integrity of the NTP packet to ensure no manipulations to the packet.
-
The server generates one or more new cookies and creates the NTP response packet. The server generates at least one new cookie and one additional cookie for each Cookie Placeholder Extension Field that the client added in the request packet.
The response packet contains two NTS extension fields:
- The Unique Identifier Extension Field, which has the same contents from the Unique Identifier field in request packet.
- The NTS Authenticator and Encrypted Extension Field, which secures the NTP header and the previous extension fields using the extracted keys.
-
The server also encrypts the cookies and includes them in the NTS Authenticator and Encrypted Extension Fields. This procedure also protects the client from tracking because an attacker cannot extract the cookies from a response message.
-
The server finalizes the response packet and sends the packet to the client.
-
The client receives the response packet.
-
The client checks the Unique Identifier field and verifies that the Unique Identifier matches with an outstanding request.
-
The client successfully performs the integrity check of the packet using the key and the AEAD algorithm.
-
The client decrypts the cookies and adds them to its pool and processes the time information received from server.