What's the Point of NTP Authentication?
An NTP attack typically starts with a rogue host that poses as a genuine NTP server, or that sits between a client and a real server and alters the traffic passing through.
Authentication is the line of defence NTP uses to stop tampering with the timestamps that devices receive and log.
Contrary to a common misconception, the purpose of NTP authentication is to verify the time source, not the client: a client uses it to confirm that a reply really came from a server holding the shared key, and was not altered on the way.
How is NTP protected?
It uses keyed message digests, normally MD5 (Message Digest Algorithm 5). MD5 is a hash function that produces a 128-bit digest; it is not an encryption algorithm, and nothing in an NTP packet is encrypted. Each key is a shared secret, identified by a number, that is configured on both the server and its clients. The sender appends a message authentication code (MAC) to the packet: the key identifier followed by the digest of the secret concatenated with the NTP header.
The receiver looks up the same key identifier in its own key file, recomputes the digest over the received header using that secret, and compares it with the digest carried in the packet. If the two match, the packet was produced by a holder of the key and has not been altered in transit; if not, it is discarded. The secret itself never crosses the network, so there is nothing to decrypt.
This lets a network time client, or any other device, confirm that a timestamp was generated by a trusted source, protecting NTP against forged or modified packets. Note that MD5 is no longer considered collision resistant; current ntpd versions also accept SHA-1 keys in the key file, which should be preferred where both ends support them.
Authentication Explained
On Linux or UNIX NTP servers running ntpd, the trusted authentication keys are listed in a key file, conventionally /etc/ntp.keys, whose location is given by the 'keys' directive in ntp.conf. Anyone who can read this file can forge authenticated packets, so it must be owned by root and not be readable by other users.
'An NTS 6001 GPS NTP Server uses a LINUX operating system.'
Each line in the file consists of a key identifier, a type identifier and the key itself, as follows:
Key identifier - a number that both ends use to refer to the key. ntpd accepts identifiers from 1 up to 65534 (not only 1 to 99); 0 is reserved and means an unauthenticated packet.
Type identifier - selects the digest algorithm used with the key. 'M' (or 'MD5') selects MD5; current ntpd versions also accept other digests such as 'SHA1'.
The key - a string of printable characters forming the shared secret. For MD5 keys, a secret of up to 20 characters is used as plain ASCII; a longer string is interpreted as hexadecimal.
As a whole, a line looks something like this - 8 M gaLLeoN007
A key file can hold many keys, but only those named by the 'trustedkey' directive in ntp.conf are actually accepted. This is also how a compromised key is disabled without editing the key file: remove its identifier from the trusted list and ntpd will reject any packet that uses it.
To declare trusted keys, use the 'trustedkey' directive in ntp.conf. List the key identifiers you want to use, separated by spaces, on one line. It should look something like this:
trustedkey 4 7 14 82
This accepts key identifiers 4, 7, 14 & 82 and rejects every other key in the file. Trusting a key is not enough on its own: the 'keys' directive must point ntpd at the key file, and each 'server' or 'peer' line that should be authenticated needs 'key' followed by one of the trusted identifiers, otherwise that association remains unauthenticated. The clients must be configured with the same identifier and secret, and ntpd has to be restarted after either file is changed.
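The following is an added example, not code from the original article or from ntpd itself. It models what the key file, the trusted-key list and the MD5 MAC described above do, in Python: it parses a constructed ntp.keys file, applies the equivalent of 'trustedkey 4 7 14 82', builds an NTPv4 server reply with a MAC (4-byte key identifier followed by MD5(secret || header), as in RFC 5905 appendix A), and shows a client rejecting a tampered packet, a packet signed with a key that is in the file but not trusted, and an unsigned packet. The key file contents and secrets are constructed for the example; the handling of hexadecimal secrets longer than 20 characters is left out.

```python
import hashlib
import hmac
import struct

# Constructed ntp.keys contents for this example; none of these secrets is real.
NTP_KEYS_FILE = """\
# keyid  type  key
1   M  ntpkey-one
4   M  gaLLeoN007
7   M  correct-horse
14  M  battery-staple
82  M  zz-top-secret
99  M  revoked-key
"""

# Same effect as 'trustedkey 4 7 14 82' in ntp.conf: key 99 stays in the file but is refused.
TRUSTED_KEYS = {4, 7, 14, 82}

NTP_HEADER_LEN = 48   # fixed NTPv4 header
MAC_LEN = 4 + 16      # key identifier + MD5 digest


def parse_ntp_keys(text):
    """Parse ntp.keys lines '<keyid> <type> <secret>' into {keyid: secret_bytes} (MD5 keys only)."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        keyid_s, ktype, secret = line.split(None, 2)
        keyid = int(keyid_s)
        if not 1 <= keyid <= 65534:
            raise ValueError(f"key id {keyid} out of range")
        if ktype.upper() not in ("M", "MD5"):
            raise ValueError(f"unsupported key type {ktype!r} for key {keyid}")
        # Assumption: secrets of at most 20 characters are plain ASCII, as in ntpd;
        # longer secrets would be hex-decoded, which this example does not handle.
        keys[keyid] = secret.encode("ascii")
    return keys


def build_server_header(xmt_seconds):
    """Build a minimal 48-byte NTPv4 server reply (stratum 2) with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # LI=0, version 4, mode 4 (server)
    return struct.pack("!BBbb11I", li_vn_mode, 2, 6, -20,
                       0, 0, 0,            # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,   # reference, origin and receive timestamps
                       xmt_seconds, 0)     # transmit timestamp: seconds, fraction


def add_mac(header, keyid, secret):
    """Append the NTPv4 MD5 MAC: 4-byte key identifier followed by MD5(secret || header)."""
    return header + struct.pack("!I", keyid) + hashlib.md5(secret + header).digest()


def verify(packet, keys, trusted):
    """Check a received packet the way an ntpd client does; return (accepted, reason)."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in trusted:
        return False, f"key {keyid} is not a trusted key"
    if keyid not in keys:
        return False, f"key {keyid} is not in the key file"
    # Recompute the digest with our copy of the secret and compare in constant time.
    expected = hashlib.md5(keys[keyid] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: packet altered in transit or signed with a different key"
    return True, "authentic"


def demo():
    """Run the check against genuine, tampered, revoked-key and unsigned packets."""
    keys = parse_ntp_keys(NTP_KEYS_FILE)
    genuine = add_mac(build_server_header(3900000000), 4, keys[4])
    # A man-in-the-middle shifts the server's transmit time by an hour (header bytes 40-43)
    # but cannot recompute the MAC without the secret.
    tampered = bytearray(genuine)
    tampered[40:44] = struct.pack("!I", 3900003600)
    revoked = add_mac(build_server_header(3900000000), 99, keys[99])
    unsigned = build_server_header(3900000000)
    return {
        "genuine": verify(genuine, keys, TRUSTED_KEYS),
        "tampered": verify(bytes(tampered), keys, TRUSTED_KEYS),
        "revoked": verify(revoked, keys, TRUSTED_KEYS),
        "unsigned": verify(unsigned, keys, TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} accepted={ok!s:5s} {why}")
```

The order of the checks matters in practice: the key identifier is read from the packet, so an attacker chooses which key the receiver will try, and the trusted list is consulted before any digest work is done. The constant-time comparison avoids leaking, through timing, how many leading bytes of a forged digest happened to be right.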
Neglecting Authentication
Neglecting authentication leaves networks & devices open to a number of attacks, all of which can disrupt time synchronisation. Any of the following could occur:
Replay & spoofing attacks - an intruder intercepts, delays and later 'replays' messages, from client to server or from server to client. Note that a replayed copy of a genuine message still carries a valid MAC and verifies correctly, so authentication by itself does not stop this; NTP discards such packets through its timestamp checks, in which the origin timestamp of a reply must match the transmit timestamp of the client's outstanding request. Without authentication the intruder is free to spoof replies outright, not just repeat old ones.
The result can be time synchronisation errors that are hard to detect, because the same symptoms arise from 'normal' network delay.
Man-in-the-middle attacks - unlike replay & spoofing attacks, which do not directly degrade synchronisation quality beyond increasing the apparent network delay, a man-in-the-middle can not only intercept messages but modify authentic messages and resend them, between a client & server or between peer servers.
This leads to two kinds of attack. Firstly, an attacker can capture a valid message from server to client, alter some fields & send it on, perhaps repeatedly, to the client. If the client cannot tell the difference, it accepts the message and computes an incorrect time.
It can also be duped into disregarding the time supplied by the other servers it uses.
Secondly, an attacker can capture a valid request from client to server, alter some fields & send it on, perhaps repeatedly, to the server. The server then answers forged requests, wasting its resources and, where the altered fields are reflected in its reply, supplying incorrect time to the client. With authentication in place, any modified packet fails the digest check because the intruder cannot recompute the MAC without the shared secret; what an intruder on the path can still do is drop or delay packets.
Denial of service attacks - known as 'clogging' attacks, these attempt to degrade time accuracy by overloading the network or the server. This form of attack is not particularly sophisticated: it does not require the attacker to break into genuine NTP messages, just the ability to send large numbers of seemingly valid NTP packets. Authentication does not prevent clogging, since the victim still has to receive and check every packet; rate limiting and access control ('restrict' lines in ntp.conf, with the 'limited' and 'kod' flags) are the controls for this.
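The replay and man-in-the-middle passages above say that a replayed or delayed reply can pass authentication, and that NTP relies on its timestamp checks to catch it. The following is an added example, not code from the original article or from ntpd: a simplified model of the duplicate-packet and bogus-packet tests of RFC 5905 section 8, run over constructed 48-byte replies. A reply is accepted only if its origin timestamp echoes the transmit timestamp of the client's own outstanding request and its transmit timestamp differs from the last accepted reply; a client with no request outstanding accepts nothing, which closes the obvious hole of a forged reply carrying an all-zero origin timestamp.

```python
import struct

NTP_HEADER_LEN = 48


def build_reply(org, xmt):
    """Constructed 48-byte NTPv4 server reply carrying 64-bit origin and transmit timestamps."""
    return struct.pack("!BBbb11I", 0x24, 2, 6, -20,          # LI=0, VN=4, mode 4; stratum 2
                       0, 0, 0,                               # root delay, root dispersion, ref id
                       0, 0,                                  # reference timestamp
                       org >> 32, org & 0xFFFFFFFF,           # origin timestamp (echo of the request)
                       0, 0,                                  # receive timestamp
                       xmt >> 32, xmt & 0xFFFFFFFF)           # transmit timestamp


def timestamps(header):
    """Return (origin, receive, transmit) 64-bit timestamps from a 48-byte header."""
    words = struct.unpack("!6I", header[24:NTP_HEADER_LEN])
    return tuple((words[i] << 32) | words[i + 1] for i in (0, 2, 4))


class ClientAssociation:
    """Per-server client state used to discard replayed, delayed or spoofed replies."""

    def __init__(self):
        self.request_xmt = 0     # transmit timestamp of our outstanding request, 0 if none
        self.last_reply_xmt = 0  # transmit timestamp of the last reply we accepted

    def send_request(self, now):
        """Record the transmit timestamp that a genuine reply must echo as its origin."""
        self.request_xmt = now
        return now

    def receive(self, header):
        """Return (accepted, reason) for a reply; state is updated only on acceptance."""
        org, _rec, xmt = timestamps(header)
        if xmt == self.last_reply_xmt:
            return False, "duplicate: same transmit timestamp as the last accepted reply"
        # No outstanding request, or origin does not echo our request: not a reply to us.
        if self.request_xmt == 0 or org != self.request_xmt:
            return False, "bogus: origin timestamp does not match our outstanding request"
        self.last_reply_xmt = xmt
        self.request_xmt = 0     # request answered; later copies now fail the origin test
        return True, "accepted"


def demo():
    """Walk through a genuine exchange, a replay, a delayed old reply and a spoofed reply."""
    client = ClientAssociation()
    results = []
    t1 = client.send_request(0x1000_0000_0000_0000)
    reply1 = build_reply(org=t1, xmt=0x1000_0000_4000_0000)
    results.append(("genuine reply", client.receive(reply1)))
    results.append(("replayed copy", client.receive(reply1)))
    t2 = client.send_request(0x2000_0000_0000_0000)
    late = build_reply(org=t1, xmt=0x1000_0000_8000_0000)   # answers request 1, arrives after request 2
    results.append(("delayed old reply", client.receive(late)))
    spoof = build_reply(org=0xDEAD_BEEF, xmt=0x2000_0000_2000_0000)  # reply to a request never sent
    results.append(("spoofed reply", client.receive(spoof)))
    results.append(("genuine reply 2", client.receive(build_reply(org=t2, xmt=0x2000_0000_4000_0000))))
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo():
        print(f"{name:18s} accepted={ok!s:5s} {why}")
```

These checks complement the MAC rather than replace it: the timestamp tests defeat an attacker who can only copy and delay packets, while the MAC defeats one who can also rewrite them. Neither helps against a flood of packets, which is why clogging is treated separately above.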
Source by D Waldron