Re: [ntp:questions] Secure NTP

2011-03-28 Thread jimp
Chris Albertson  wrote:
> On Mon, Mar 28, 2011 at 8:56 AM,   wrote:
> 
>>
>> OK, so the bad guy sets up the stuff for a GPS spoofer and parks it next
>> to the targeted building where high dollar value stuff goes on in hopes
> of tweaking their system clocks and stealing a fortune.
> 
> The best application of GPS signal spoofing would be at sea.  You
> could ship your jammer/spoofer as cargo and have it steer the ship off
> course.  After a day or two of being subtly off course the error could
> add up to hundreds of miles.  Then you meet it at some point and even
> if the ship transmits an SOS the location will be far from the real
> location and the authorities will respond to some place you are not.
> However a competent ship's captain would periodically check GPS using
> some other method, maybe even celestial navigation.

For this to work, your spoofer has to spoof 4 satellites as well as know
its actual position independent of GPS so the ship is steered to somewhere
that you can find it.

Most civilian ships these days have neither the people nor equipment to do
celestial navigation.

And all of this is pointless, as once the ship is any significant distance
at sea all you have to do is attack the ship from a faster boat that
is well armed.

Google Somali pirates.

> For truck hijacking a simple jammer is used to disable any GPS
> tracking.  A spoofed GPS could never fool a driver into thinking he is
> 100 miles away and driving off road.  Even a totally confused and lost
> truck driver knows he is on a road.

So GPS tracking is AFU.

All that means is the trucking company is unable to say for sure the
driver didn't spend a couple of hours at the boobie bar.

It doesn't do much for you unless you intend to steal the entire truck
and keep it for so long that the cops become involved.


-- 
Jim Pennino

Remove .spam.sux to reply.

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions


Re: [ntp:questions] Secure NTP

2011-03-28 Thread Chris Albertson
On Mon, Mar 28, 2011 at 8:56 AM,   wrote:

>
> OK, so the bad guy sets up the stuff for a GPS spoofer and parks it next
> to the targeted building where high dollar value stuff goes on in hopes
> of tweaking their system clocks and stealing a fortune.

The best application of GPS signal spoofing would be at sea.  You
could ship your jammer/spoofer as cargo and have it steer the ship off
course.  After a day or two of being subtly off course the error could
add up to hundreds of miles.  Then you meet it at some point and even
if the ship transmits an SOS the location will be far from the real
location and the authorities will respond to some place you are not.
However a competent ship's captain would periodically check GPS using
some other method, maybe even celestial navigation.

For truck hijacking a simple jammer is used to disable any GPS
tracking.  A spoofed GPS could never fool a driver into thinking he is
100 miles away and driving off road.  Even a totally confused and lost
truck driver knows he is on a road.

The obvious case where you'd like to spoof GPS is if you are being
targeted by GPS guided smart bombs or cruise missiles.   The trouble
is that the designers of said weapons have already figured that you
might be using a jammer and have planned for that.

-- 
=
Chris Albertson
Redondo Beach, California


Re: [ntp:questions] Secure NTP

2011-03-28 Thread jimp
Uwe Klein  wrote:
> j...@specsol.spam.sux.com wrote:
>> At that point they start slowly changing the time to something else.
>> 
>> Meanwhile, inside the building where NTP was set up by someone with a clue
> if you go by the questions placed here on occasion that assumption is not a 
> given ;-)
> 
>> that bothered to read the documentation, the target client computers notice
>> that the GPS source is different than all the other sources and decide the
>> GPS source has failed and ignore the GPS data.
>> 
>> Drat that NTP voting algorithm.
> 
> engineering is a management of negatives ( positives is for weenies )
> 
> If I had that clocker job (not likely)
> I would disable all but one source and spoof the remaining in advance.
> my guess is that even most high profile setups won't complain
> about being reduced to a single source for time.

You are talking about an inside job and neither NTP authentication nor
any other software based tool is able to do much about that.

If you are already inside, there are easier and more direct ways to steal
than messing with system clocks.

I deal with an organization where the correct time is modestly (in terms
of what NTP can do) important.

It is important to them that all systems are within about 0.25 seconds of
the real time.

The local division I support has three systems set up as NTP servers and a
stand alone GPS NTP box to provide time for all the division client
systems.

The three NTP servers get their time from the local GPS NTP box as well
as other GPS NTP boxes and CDMA NTP boxes located at other corporate sites
hundreds of miles away on the private corporate network and additionally
from several public NTP servers on the Internet.

Spoof that.



-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-28 Thread Uwe Klein

j...@specsol.spam.sux.com wrote:
> At that point they start slowly changing the time to something else.
>
> Meanwhile, inside the building where NTP was set up by someone with a clue

if you go by the questions placed here on occasion that assumption is not a
given ;-)

> that bothered to read the documentation, the target client computers notice
> that the GPS source is different than all the other sources and decide the
> GPS source has failed and ignore the GPS data.
>
> Drat that NTP voting algorithm.

engineering is a management of negatives ( positives is for weenies )

If I had that clocker job (not likely)
I would disable all but one source and spoof the remaining in advance.
my guess is that even most high profile setups won't complain
about being reduced to a single source for time.

Manipulating trading systems probably is high risk, high gain so "some"
expenditure would be acceptable.

The thing that saves us here is the same that saves us from hideously effective
terrorist bombs. Criminal and ideological baddies tend to lack real engineering
talent.

But I wouldn't bet on that in all cases.

uwe



Re: [ntp:questions] Secure NTP

2011-03-28 Thread jimp
Uwe Klein  wrote:
> j...@specsol.spam.sux.com wrote:
>> Richard B. Gilbert  wrote:
> 
>>>Didn't I just see an announcement that GPS was going to be jammed in 
>>>order to test something or other?
>> 
>> 
>> Yeah, it happens quite often on a scheduled basis in limited areas.
>> 
> Hmm, it should not be all that difficult to set up a limited reach
> GPS WAAS/EGNOS impostor.
>> 
> elsewhere:
> Bruce Schneier ( security guy ):
> http://www.schneier.com/blog/archives/2008/09/gps_spoofing.html
> 
> 
> uwe

OK, so the bad guy sets up the stuff for a GPS spoofer and parks it next
to the targeted building where high dollar value stuff goes on in hopes
of tweaking their system clocks and stealing a fortune.

First issue; a big bucks operation is likely in a multi-story building
with the GPS antenna on the roof and GPS antennas have low sensitivity
looking down.

Our bad guys just happen to know something about antenna patterns, so they
obtained some high power RF amplifiers to make sure their signal dominates.

So, after carefully syncing their spoofer to the real time, because if they
don't, the time jump will just be rejected, the bad guys start cranking up
the output power until their signal dominates.

At that point they start slowly changing the time to something else.

Meanwhile, inside the building where NTP was set up by someone with a clue
that bothered to read the documentation, the target client computers notice
that the GPS source is different than all the other sources and decide the
GPS source has failed and ignore the GPS data.

Drat that NTP voting algorithm.



-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-28 Thread Uwe Klein

j...@specsol.spam.sux.com wrote:
> Richard B. Gilbert  wrote:
>> Didn't I just see an announcement that GPS was going to be jammed in
>> order to test something or other?
>
> Yeah, it happens quite often on a scheduled basis in limited areas.

Hmm, it should not be all that difficult to set up a limited reach
GPS WAAS/EGNOS impostor.

elsewhere:
Bruce Schneier ( security guy ):
http://www.schneier.com/blog/archives/2008/09/gps_spoofing.html


uwe



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
Richard B. Gilbert  wrote:
> On 3/27/2011 5:45 PM, j...@specsol.spam.sux.com wrote:
>> E-Mail Sent to this address will be added to the 
>> BlackLists  wrote:
>>> Richard B. Gilbert wrote:
>>>> j...@specsol.spam.sux.com wrote:
>>>>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>>>>
>>>> Any two would be sufficient!
>>>
>>> GPS Jamming could take out the GPS and CDMA.
>>
>> Granted, but that is not "spoofing" nor would it cause the time of anything
>> to become incorrect by some amount.
>>
>> Also, jamming both GPS and CDMA would likely greatly arouse the ire of the
>> powers that be.
>>
>>
>>
> 
> Didn't I just see an announcement that GPS was going to be jammed in 
> order to test something or other?

Yeah, it happens quite often on a scheduled basis in limited areas.


-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread Chris Albertson
On Sun, Mar 27, 2011 at 5:22 PM, Richard B. Gilbert
 wrote:
>>
>> Also, jamming both GPS and CDMA would likely greatly arouse the ire of the
>> powers that be.

I agree that jamming is not spoofing although the most sophisticated
form of jamming is to spoof a signal.  So the receiver gets a false
signal and does not know it is being jammed.  But the units being sold
out of China are just simple, low power noise makers.  The available
cell phone jammers are very low power and only work within say one
room.   Same for GPS jammers.  They are very low power devices.
-- 
=
Chris Albertson
Redondo Beach, California


Re: [ntp:questions] Secure NTP

2011-03-27 Thread Richard B. Gilbert

On 3/27/2011 5:45 PM, j...@specsol.spam.sux.com wrote:
> E-Mail Sent to this address will be added to the
> BlackLists  wrote:
>> Richard B. Gilbert wrote:
>>> j...@specsol.spam.sux.com wrote:
>>>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>>>
>>> Any two would be sufficient!
>>
>> GPS Jamming could take out the GPS and CDMA.
>
> Granted, but that is not "spoofing" nor would it cause the time of anything
> to become incorrect by some amount.
>
> Also, jamming both GPS and CDMA would likely greatly arouse the ire of the
> powers that be.

Didn't I just see an announcement that GPS was going to be jammed in
order to test something or other?




Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
Chris Albertson  wrote:
> On Fri, Mar 25, 2011 at 8:40 AM,   wrote:
> 
>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
> 
> Summary of above argument:
> "You can't spoof my system, therefore other systems can't be spoofed."

Nope.

Try reading it again, this time for comprehension.



-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
Maarten Wiltink  wrote:
>  wrote in message
> news:5lpu58-278@mail.specsol.com...
>> Uwe Klein  wrote:
> [...]
>>> The $something trading solutions that require exact timematch
>>> ( remember the recent rush of ntp users
>>>   requiring u-second global time match )
>>> over a set of widely distributed hosts allow fraud in
>>> various ways if you can manipulate the time for some select host.
>>
>> One more time, if time is critical to your operation you do NOT have
>> one and only one NTP server.
>>
>> You have several servers with local GPS and CDMA NTP boxes.
>>
>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
> 
> I'll solve (the subproblems of) the big problems just like the little
> problems. One at a time.
> 
> That there are other lines of defence is no reason to neglect any one
> of them. Every single one is there in case the other ones fail. Any and
> all of the other ones.
> 
> You do not improve security by stacking the lemon meringue walls higher,
> or thicker.
> 
> Groetjes,
> Maarten Wiltink
 
You do not improve security by worrying about, and spending time on, imaginary
threats.
 

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
unruh  wrote:
> On 2011-03-25, j...@specsol.spam.sux.com  wrote:
>> Miroslav Lichvar  wrote:
>>> On Thu, Mar 24, 2011 at 05:01:07PM -0700, Chris Albertson wrote:
>>>> Security is so that you know you are not being spoofed.  Or if you are
>>>> providing the time so that you can prove to your users that you are
>>>> who you claim to be and are not spoofing them.
>>>>
>>>> There is the chance that someone might "impersonate" one of your
>>>> servers or a server you use. and then make a computer's clock be set
>>>> to the wrong time.   Again "who cares" if you only use your computer
>>>> to surf the web and read emails but what if you were a bank processing
>>>> ATM or visa card transactions or worse a computer routing trains or
>>>> airplanes or controlling stop lights.
>>> 
>>> There is one important thing I haven't seen mentioned here. A MITM
>>> doesn't need to modify the NTP packets to seriously degrade your
>>> timekeeping. He can exploit the PLL instability when undersampled and
>>> by dropping and delaying the packets (up to maxdist, 1.5s by default)
>>> he can fairly quickly throw your clock off and let you drift away.
>>> 
>>> In addition to the authentication, it's important to monitor
>>> reachability of the peers.
>>
>> One more time, if time is critical to your operation you have several
>> sources to include local GPS and CDMA NTP boxes.
> 
> I do not understand. If you do not want to use the authentication, don't.
> No one is forcing you to. We really do not care if you have thought
> through your security or not. But at this point it sounds like you are
> on a crusade against having the authentication in ntpd, and that
> is bizarre. If you think it adds nothing, do not use it. Or if it
> offends you to have something in a program you do not use, then rewrite
> ntpd to remove the sections that are offensive to you and use that. 
> And learn once again that you may not completely understand everyone
> else in the world. 

You must really have your panties in a bunch if asking what good is NTP
authentication becomes a "crusade" in your mind.

As far as I can see, given the way NTP works and the number of available
and independent sources, authentication may make you feel good about it,
but has no added value.
 

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
Uwe Klein  wrote:
> j...@specsol.spam.sux.com wrote:
>> One more time, if time is critical to your operation you do NOT have one
>> and only one NTP server.
> 
> One more time, the times of well designed protocols
> and infrastructure software are gone ;-)
> Today the PHB and his idiot savant minions rule.
>> 
>> You have several servers with local GPS and CDMA NTP boxes.
>> 
>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>> 
>> 
> Pfft. you don't have to.
> 
> The GFC is not only witness to the haphazard portfolio of  products traded
> but also the (lack of) basic understanding brought to financial 
> infrastructure.
> 
> IMHO, It is not well designed with an eye on fault tolerance, congestion, ...
> 
> uwe

Non sequitur.

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
David Woolley  wrote:
> j...@specsol.spam.sux.com wrote:
> 
>> One more time, if time is critical to your operation you have several
>> sources to include local GPS and CDMA NTP boxes.
> 
> You missed an important point, your CEO must also have a current science 
> background.  Most UK CEOs, at least, have an arts background, and are 
> quite likely to lead to solutions with no local time receivers, because 
> they require capital expenditure.

Yeah, that is a possible scenario; total stupidity in charge.

But you don't need a science background to understand that if accurate
time keeping has an economic impact on your organization, you had better
keep it accurate.

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
E-Mail Sent to this address will be added to the BlackLists 
 wrote:
> Richard B. Gilbert wrote:
>> j...@specsol.spam.sux.com wrote:
>>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>>
>> Any two would be sufficient!
> 
> GPS Jamming could take out the GPS and CDMA.

Granted, but that is not "spoofing" nor would it cause the time of anything
to become incorrect by some amount.

Also, jamming both GPS and CDMA would likely greatly arouse the ire of the
powers that be.

 

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-27 Thread jimp
Richard B. Gilbert  wrote:
> On 3/25/2011 11:40 AM, j...@specsol.spam.sux.com wrote:
>> Uwe Klein  wrote:
>>> j...@specsol.spam.sux.com wrote:
>>>
>>>> If you specify the server by IP address, how does that happen and who
>>>> would bother to do it?
>>>
>>> The $something trading solutions that require exact timematch
>>> ( remember the recent rush of ntp users
>>>   requiring u-second global time match )
>>> over a set of widely distributed hosts allow fraud in
>>> various ways if you can manipulate the time for some select host.
>>
>> One more time, if time is critical to your operation you do NOT have one
>> and only one NTP server.
>>
>> You have several servers with local GPS and CDMA NTP boxes.
>>
>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>>
>>
> 
> Any two would be sufficient!

Nope. Assuming you had three independent sources of NTP information, you
would have to spoof two of them identically, which is virtually impossible
for anything less than a government, or two of the three would just appear
to be "failed".


-- 
Jim Pennino

Remove .spam.sux to reply.
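
The vote this thread keeps returning to (one spoofed source outvoted, a lone remaining source accepted, two of three spoofed identically), as an added example that is not from any poster and is not ntpd's code: a simplified interval-intersection selection in the style of NTP's clock selection step. Source names, offsets and error bounds are constructed.

```python
def select(sources):
    """sources: name -> (offset_s, error_bound_s).

    Returns (truechimers, falsetickers). A source is a truechimer when its
    interval [offset - err, offset + err] overlaps the region agreed on by a
    strict majority of sources. With no majority, every source is rejected.
    """
    n = len(sources)
    edges = []
    for offset, err in sources.values():
        edges.append((offset - err, -1))   # lower edge of the interval
        edges.append((offset + err, +1))   # upper edge of the interval
    edges.sort()

    allow = 0                              # falsetickers tolerated so far
    while 2 * allow < n:                   # must stay a strict minority
        need = n - allow
        low = high = None
        count = 0
        for value, kind in edges:          # scan upward for the low bound
            count -= kind
            if count >= need:
                low = value
                break
        count = 0
        for value, kind in reversed(edges):  # scan downward for the high bound
            count += kind
            if count >= need:
                high = value
                break
        if low is not None and high is not None and low <= high:
            good = [name for name, (o, e) in sources.items()
                    if o - e <= high and o + e >= low]
            bad = [name for name in sources if name not in good]
            return good, bad
        allow += 1
    return [], list(sources)


# Constructed scenarios (offsets in seconds relative to true time).
SPOOFED_GPS_AMONG_FIVE = {
    "gps_local":   (0.400, 0.001),   # dragged 400 ms off by a spoofer
    "gps_remote":  (0.000, 0.005),
    "cdma_remote": (0.002, 0.010),
    "inet_a":      (-0.003, 0.030),
    "inet_b":      (0.004, 0.030),
}
ONLY_ONE_SOURCE_LEFT = {
    "gps_local":   (0.400, 0.001),   # nothing left to compare against
}
TWO_OF_THREE_IDENTICAL = {
    "gps_local":   (0.400, 0.001),
    "cdma_local":  (0.400, 0.005),   # spoofed to the same wrong time
    "inet_a":      (0.001, 0.030),   # the honest source
}
TWO_OF_THREE_DIFFERENT = {
    "gps_local":   (0.400, 0.001),
    "cdma_local":  (0.250, 0.005),   # spoofed, but to a different time
    "inet_a":      (0.001, 0.030),
}

if __name__ == "__main__":
    for label, case in [
        ("spoofed GPS among five", SPOOFED_GPS_AMONG_FIVE),
        ("single source", ONLY_ONE_SOURCE_LEFT),
        ("two of three, identical", TWO_OF_THREE_IDENTICAL),
        ("two of three, different", TWO_OF_THREE_DIFFERENT),
    ]:
        good, bad = select(case)
        print(f"{label}: accepted={good} rejected={bad}")
```

The vote protects only while independent sources outnumber the manipulated ones: the single-source case accepts the wrong time silently, and the identical-pair case votes out the one honest source.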



Re: [ntp:questions] Secure NTP

2011-03-25 Thread Hal Murray
In article ,
 Steve Kostecke  writes:
>On 2011-03-24, Hal Murray  wrote:

>> Yes.  The encryption also verifies that you are talking to the
>> server you think you are talking to rather than an imposter.
>
>NTP Authentication adds signatures to the packets. There is no
>encryption.

Thanks for the correction.

-- 
These are my opinions, not necessarily my employer's.  I hate spam.



Re: [ntp:questions] Secure NTP

2011-03-25 Thread David Woolley

j...@specsol.spam.sux.com wrote:
> One more time, if time is critical to your operation you have several
> sources to include local GPS and CDMA NTP boxes.

You missed an important point, your CEO must also have a current science
background.  Most UK CEOs, at least, have an arts background, and are
quite likely to lead to solutions with no local time receivers, because
they require capital expenditure.




Re: [ntp:questions] Secure NTP

2011-03-25 Thread David Woolley

E-Mail Sent to this address will be added to the BlackLists wrote:
> Richard B. Gilbert wrote:
>> j...@specsol.spam.sux.com wrote:
>>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>>
>> Any two would be sufficient!
>
> GPS Jamming could take out the GPS and CDMA.

And the coarse/acquisition code that I presume is used by normal
commercial GPS clocks is public knowledge, so can be spoofed.






Re: [ntp:questions] Secure NTP

2011-03-25 Thread Richard B. Gilbert

On 3/25/2011 11:40 AM, j...@specsol.spam.sux.com wrote:
> Uwe Klein  wrote:
>> j...@specsol.spam.sux.com wrote:
>>> If you specify the server by IP address, how does that happen and who
>>> would bother to do it?
>>
>> The $something trading solutions that require exact timematch
>> ( remember the recent rush of ntp users
>>    requiring u-second global time match )
>> over a set of widely distributed hosts allow fraud in
>> various ways if you can manipulate the time for some select host.
>
> One more time, if time is critical to your operation you do NOT have one
> and only one NTP server.
>
> You have several servers with local GPS and CDMA NTP boxes.
>
> Let's see you spoof the Internet, GPS, and CDMA all at the same time.

Any two would be sufficient!



Re: [ntp:questions] Secure NTP

2011-03-25 Thread E-Mail Sent to this address will be added to the BlackLists
Richard B. Gilbert wrote:
> j...@specsol.spam.sux.com wrote:
>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
>
> Any two would be sufficient!

GPS Jamming could take out the GPS and CDMA.

-- 
E-Mail Sent to this address 
  will be added to the BlackLists.



Re: [ntp:questions] Secure NTP

2011-03-25 Thread Steve Kostecke
On 2011-03-25, Chris Albertson  wrote:
>> NTP Authentication adds signatures to the packets. There is no
>> encryption.
>
> What are "signatures"?

Message Authenticator Code (MAC)

> How are they generated?

Search for 'hash' in:

http://www.ece.udel.edu/~mills/database/reports/stime1/stime.pdf

> Signatures are typically encrypted hashes of the message.

See section 4 (which starts on page 10).

"NTPv3 and NTPv4 symmetric key cryptography uses keyed-MD5 message
digests with a 128-bit private key and 32-bit key ID. In order to
retain backward compatibility with NTPv3, the NTPv4 key ID space is
partitioned in two subspaces at a pivot point of 65536. Symmetric key
IDs have values less than the pivot and indefinite lifetime. Autokey key
IDs have pseudo-random values equal to or greater than the pivot and
are expunged immediately after use. Both symmetric key and public key
cryptography authenticate as shown in Figure 1. The server looks up the
key associated with the key ID and calculates the message digest from
the NTP header and extension fields together with the key value. The key
ID and digest form the message authentication code (MAC) included with
the message. The client does the same computation using its local copy
of the key and compares the result with the digest in the MAC. If the
values agree, the message is assumed authentic."

-- 
Steve Kostecke 
NTP Public Services Project - http://support.ntp.org/
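
The keyed-MD5 MAC described in the quoted passage, as an added example that is not part of the original message or of the NTP code base: the sender appends a 32-bit key ID and an MD5 digest of the key followed by the packet, and the receiver recomputes it with its own copy of the key. It assumes a bare 48-byte header with no extension fields; the header values and the key table are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header, no extension fields (assumption)
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest
AUTOKEY_PIVOT = 65536    # key IDs below the pivot are symmetric keys

# Constructed key table: key ID -> shared secret (sample values, not real keys).
KEYS = {
    7: b"constructed-key-7",
    9: b"constructed-key-9",
}


def build_header(transmit_seconds):
    """Build a constructed 48-byte NTPv4 server reply (mode 4, stratum 1)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, 1, 6, -20,      # flags, stratum, poll, precision
        0, 0, b"GPS\x00",           # root delay, root dispersion, refid
        0, 0, 0,                    # reference, origin, receive timestamps
        transmit_seconds << 32,     # transmit timestamp (seconds.fraction)
    )


def digest(key, packet):
    """Keyed-MD5 message digest: MD5 over the key followed by the packet."""
    return hashlib.md5(key + packet).digest()


def sign(packet, key_id, keys=KEYS):
    """Server side: append the MAC (key ID + digest) to the packet."""
    if not 0 < key_id < AUTOKEY_PIVOT:
        raise ValueError("symmetric key IDs lie below the pivot of 65536")
    return packet + struct.pack("!I", key_id) + digest(keys[key_id], packet)


def verify(message, keys=KEYS):
    """Client side: look up the key by ID, recompute, compare digests."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False                # no MAC, or not the layout assumed here
    packet, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return False                # key ID not configured on this client
    return hmac.compare_digest(digest(key, packet), mac[4:])


def modified_in_transit(message, new_seconds):
    """Same message with the transmit timestamp changed and the MAC left as is."""
    changed = bytearray(message)
    changed[40:48] = struct.pack("!Q", new_seconds << 32)
    return bytes(changed)


if __name__ == "__main__":
    reply = sign(build_header(3_510_000_000), key_id=7)
    print("genuine reply verifies:", verify(reply))
    print("timestamp altered in transit:",
          verify(modified_in_transit(reply, 3_510_000_600)))
    print("client lacks key 7:", verify(reply, {9: KEYS[9]}))
```

The packet contents stay readable on the wire throughout, which is the point made above: the MAC authenticates the packet and does not encrypt it.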



Re: [ntp:questions] Secure NTP

2011-03-25 Thread Chris Albertson
On Fri, Mar 25, 2011 at 8:40 AM,   wrote:

> Let's see you spoof the Internet, GPS, and CDMA all at the same time.

Summary of above argument:
"You can't spoof my system, therefore other systems can't be spoofed."


So far all the arguments seem to be equivalent to either
(1)  "I don't need this therefore others should not need it." or,
(2) "I cannot see how X could happen, therefore X cannot happen."

The trouble with universal statements like "X can't happen" or "no one
would,..." is that they can be shown to be false with only one counter
example.   Of course some universal statements are in fact true.  One
way you can show a universal to be true is to assume it is false and
then show that some law of mathematics or physics would be violated.
But any number of examples or statistics will never work.


-- 
=
Chris Albertson
Redondo Beach, California


Re: [ntp:questions] Secure NTP

2011-03-25 Thread unruh
On 2011-03-25, j...@specsol.spam.sux.com  wrote:
> Miroslav Lichvar  wrote:
>> On Thu, Mar 24, 2011 at 05:01:07PM -0700, Chris Albertson wrote:
>>> Security is so that you know you are not being spoofed.  Or if you are
>>> providing the time so that you can prove to your users that you are
>>> who you claim to be and are not spoofing them.
>>> 
>>> There is the chance that someone might "impersonate" one of your
>>> servers or a server you use. and then make a computer's clock be set
>>> to the wrong time.   Again "who cares" if you only use your computer
>>> to surf the web and read emails but what if you were a bank processing
>>> ATM or visa card transactions or worse a computer routing trains or
>>> airplanes or controlling stop lights.
>> 
>> There is one important thing I haven't seen mentioned here. A MITM
>> doesn't need to modify the NTP packets to seriously degrade your
>> timekeeping. He can exploit the PLL instability when undersampled and
>> by dropping and delaying the packets (up to maxdist, 1.5s by default)
>> he can fairly quickly throw your clock off and let you drift away.
>> 
>> In addition to the authentication, it's important to monitor
>> reachability of the peers.
>
> One more time, if time is critical to your operation you have several
> sources to include local GPS and CDMA NTP boxes.

I do not understand. If you do not want to use the authentication, don't.
No one is forcing you to. We really do not care if you have thought
through your security or not. But at this point it sounds like you are
on a crusade against having the authentication in ntpd, and that
is bizarre. If you think it adds nothing, do not use it. Or if it
offends you to have something in a program you do not use, then rewrite
ntpd to remove the sections that are offensive to you and use that. 
And learn once again that you may not completely understand everyone
else in the world. 



Re: [ntp:questions] Secure NTP

2011-03-25 Thread jimp
Miroslav Lichvar  wrote:
> On Thu, Mar 24, 2011 at 05:01:07PM -0700, Chris Albertson wrote:
>> Security is so that you know you are not being spoofed.  Or if you are
>> providing the time so that you can prove to your users that you are
>> who you claim to be and are not spoofing them.
>> 
>> There is the chance that someone might "impersonate" one of your
>> servers or a server you use. and then make a computer's clock be set
>> to the wrong time.   Again "who cares" if you only use your computer
>> to surf the web and read emails but what if you were a bank processing
>> ATM or visa card transactions or worse a computer routing trains or
>> airplanes or controlling stop lights.
> 
> There is one important thing I haven't seen mentioned here. A MITM
> doesn't need to modify the NTP packets to seriously degrade your
> timekeeping. He can exploit the PLL instability when undersampled and
> by dropping and delaying the packets (up to maxdist, 1.5s by default)
> he can fairly quickly throw your clock off and let you drift away.
> 
> In addition to the authentication, it's important to monitor
> reachability of the peers.

One more time, if time is critical to your operation you have several
sources to include local GPS and CDMA NTP boxes.

 

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-25 Thread Maarten Wiltink
 wrote in message
news:5lpu58-278@mail.specsol.com...
> Uwe Klein  wrote:
[...]
>> The $something trading solutions that require exact timematch
>> ( remember the recent rush of ntp users
>>   requiring u-second global time match )
>> over a set of widely distributed hosts allow fraud in
>> various ways if you can manipulate the time for some select host.
>
> One more time, if time is critical to your operation you do NOT have
> one and only one NTP server.
>
> You have several servers with local GPS and CDMA NTP boxes.
>
> Let's see you spoof the Internet, GPS, and CDMA all at the same time.

I'll solve (the subproblems of) the big problems just like the little
problems. One at a time.

That there are other lines of defence is no reason to neglect any one
of them. Every single one is there in case the other ones fail. Any and
all of the other ones.

You do not improve security by stacking the lemon meringue walls higher,
or thicker.

Groetjes,
Maarten Wiltink




Re: [ntp:questions] Secure NTP

2011-03-25 Thread Uwe Klein

j...@specsol.spam.sux.com wrote:
> One more time, if time is critical to your operation you do NOT have one
> and only one NTP server.

One more time, the times of well designed protocols
and infrastructure software are gone ;-)
Today the PHB and his idiot savant minions rule.

> You have several servers with local GPS and CDMA NTP boxes.
>
> Let's see you spoof the Internet, GPS, and CDMA all at the same time.

Pfft. you don't have to.

The GFC is not only witness to the haphazard portfolio of  products traded
but also the (lack of) basic understanding brought to financial infrastructure.

IMHO, It is not well designed with an eye on fault tolerance, congestion, ...

uwe



Re: [ntp:questions] Secure NTP

2011-03-25 Thread jimp
Uwe Klein  wrote:
> j...@specsol.spam.sux.com wrote:
> 
>> If you specify the server by IP address, how does that happen and who
>> would bother to do it?
> 
> The $something trading solutions that require exact timematch
> ( remember the recent rush of ntp users
>   requiring u-second global time match )
> over a set of widely distributed hosts allow fraud in
> various ways if you can manipulate the time for some select host.

One more time, if time is critical to your operation you do NOT have one
and only one NTP server.

You have several servers with local GPS and CDMA NTP boxes.

Let's see you spoof the Internet, GPS, and CDMA all at the same time.


-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-25 Thread Uwe Klein

j...@specsol.spam.sux.com wrote:

> If you specify the server by IP address, how does that happen and who
> would bother to do it?

The $something trading solutions that require exact timematch
( remember the recent rush of ntp users
  requiring u-second global time match )
over a set of widely distributed hosts allow fraud in
various ways if you can manipulate the time for some select host.

> IP hijacking will disrupt a lot more than just NTP.

Elegance and not being caught out is everything.

uwe



Re: [ntp:questions] Secure NTP

2011-03-25 Thread Miroslav Lichvar
On Thu, Mar 24, 2011 at 05:01:07PM -0700, Chris Albertson wrote:
> Security is so that you know you are not being spoofed.  Or if you are
> providing the time so that you can prove to your users that you are
> who you claim to be and are not spoofing them.
> 
> There is the chance that someone might "impersonate" one of your
> servers or a server you use. and then make a computer's clock be set
> to the wrong time.   Again "who cares" if you only use your computer
> to surf the web and read emails but what if you were a bank processing
> ATM or visa card transactions or worse a computer routing trains or
> airplanes or controlling stop lights.

There is one important thing I haven't seen mentioned here. A MITM
doesn't need to modify the NTP packets to seriously degrade your
timekeeping. He can exploit the PLL instability when undersampled and
by dropping and delaying the packets (up to maxdist, 1.5s by default)
he can fairly quickly throw your clock off and let you drift away.

In addition to the authentication, it's important to monitor
reachability of the peers.

-- 
Miroslav Lichvar
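
Monitoring reachability as suggested above, as an added example that is not part of the original thread: it parses the peer billboard printed by `ntpq -pn` and flags associations whose 8-bit reach register (printed in octal, newest poll in the lowest bit) shows lost polls. The sample output and the thresholds `min_ok` and `max_recent_misses` are constructed assumptions.

```python
"""Flag NTP associations whose reach register shows dropped polls."""

# Constructed sample of `ntpq -pn` output (documentation address ranges).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412    0.021   0.015
+192.0.2.11      192.0.2.10       2 u   12   64  253    1.203   -0.310   0.442
 198.51.100.7    .INIT.          16 u    -   64    0    0.000    0.000   0.000
-203.0.113.5     192.0.2.10       2 u   51   64  340   48.771   12.904   9.118
"""

TALLY_CHARS = " x.-+#*o"   # first column of each peer line


def parse_peers(text):
    """Return one dict per peer line; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        tally = line[0] if line[0] in TALLY_CHARS else " "
        fields = line[1:].split()
        if len(fields) != 10:
            continue                      # not a peer line we understand
        peers.append({
            "tally": tally,
            "remote": fields[0],
            "reach": int(fields[6], 8),   # reach is printed in octal
            "delay_ms": float(fields[7]),
        })
    return peers


def polls_ok(reach):
    """How many of the last eight polls were answered."""
    return bin(reach & 0xFF).count("1")


def recent_misses(reach):
    """Consecutive unanswered polls, counting back from the newest (bit 0)."""
    reach &= 0xFF
    misses = 0
    while misses < 8 and not (reach >> misses) & 1:
        misses += 1
    return misses


def assess(text, min_ok=7, max_recent_misses=1):
    """Map remote address -> list of reasons it deserves an alert."""
    findings = {}
    for peer in parse_peers(text):
        reasons = []
        if peer["reach"] == 0:
            reasons.append("no reply in the last 8 polls")
        else:
            ok = polls_ok(peer["reach"])
            if ok < min_ok:
                reasons.append(f"only {ok} of last 8 polls answered")
            gap = recent_misses(peer["reach"])
            if gap > max_recent_misses:
                reasons.append(f"last {gap} polls unanswered")
        if reasons:
            findings[peer["remote"]] = reasons
    return findings


if __name__ == "__main__":
    for remote, reasons in assess(SAMPLE_NTPQ).items():
        print(remote, "->", "; ".join(reasons))
```

A peer can pass authentication on every packet it does deliver and still show up here, which is the case the post describes.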


Re: [ntp:questions] Secure NTP

2011-03-24 Thread jimp
Steve Kostecke  wrote:
> On 2011-03-25, j...@specsol.spam.sux.com 
> wrote:
> 
>> Chris Albertson  wrote:
>>
>>> On Thu, Mar 24, 2011 at 2:26 PM,  wrote:
>>>
>>>
>>>> When I see questions like this my first response is "Why all the
>>>> bother?".
>>>>
>>>> There is nothing secret or proprietary about the time of day.
>>>
>>> Security is so that you know you are not being spoofed. Or if you are
>>> providing the time so that you can prove to your users that you are
>>> who you claim to be and are not spoofing them.
>>
>> The question was about clients authenticating to the server.
> 
> NTP Authentication authenticates the server to the clients. It is not a
> client access control mechanism.

Yeah, I know, I should not have put "to" between the words "authenticating"
and "server".

It would be impossible to spoof a proper NTP setup where time is critical.

If time is critical, a proper setup would have multiple servers as well as
multiple independent, local sources like GPS and CDMA.
 

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-24 Thread jimp
Chris Albertson  wrote:
> On Thu, Mar 24, 2011 at 4:18 PM,   wrote:
>> Hal Murray  wrote:
>>> In article ,
>>> j...@specsol.spam.sux.com writes:
>>>
>>>> When I see questions like this my first response is "Why all the bother?".
>>>>
>>>> There is nothing secret or proprietary about the time of day.
>>>>
>>>> Since all NTP servers provide UTC, the service reveals nothing about the
>>>> machine other than the fact that the clock is correct.
>>>>
>>>> If you don't want your resources utilized by outsiders, you just block
>>>> access to the NTP port for everyone but your own clients as a blocked
>>>> port uses less resources than denying an unsuccessful authorization does.
>>>>
>>>> Am I missing something??
>>>
>>> Yes.  The encryption also verifies that you are talking to the
>>> server you think you are talking to rather than an imposter.
>>
>> If you specify the server by IP address, how does that happen and who
>> would bother to do it?
> 
> The most obvious and easy way is that I cut the wire that goes from
> your house to your ISP and place a computer (and modems)  at the cut
> point.  It can change any bit in any packet.  I would not bother with
> your house but a bank, maybe.

Childish fantasy that shows zero understanding of how such things work.

> If I could make transactions that were backdated I could make a lot of
> money even if only slightly back dated by 10 seconds.

Yeah, if you could do that, but you can't.

>> IP hijacking will disrupt a lot more than just NTP.
> 
> It can but,  that is up to the hijacker.   A "man in the middle"
> attack can filter network packets and change only the bits he wants
> changed

Yeah, right, like the time in NTP packets.

>> If your server and its clients are on a corporate network, which is the
>> usual case for having one's own server, how does this happen?
> 
> Outsider has taken control of a computer that lives inside your network

If that happens you have a lot more to worry about than the time on some
client machines, like your total lack of competence.

> In general your arguments follow a common mistake.  It is equivalent
> to  "I can't figure it out so therefore it can't happen".   It is never
> valid to argue "it's impossible because I can't figure any way to".
>   To claim something is impossible you need something that is very
> much like a mathematical proof.

I never claimed it is "impossible" to disrupt an NTP server.
 
My argument is that if the correct time is important it is trivial
to ensure that with a proper setup and without jumping through hoops.
 

-- 
Jim Pennino

Remove .spam.sux to reply.


Re: [ntp:questions] Secure NTP

2011-03-24 Thread Dave Hart
On Fri, Mar 25, 2011 at 01:36 UTC, Chris Albertson
 wrote:
> The most obvious and easy way is that I cut the wire that goes from
> your house to your ISP and place a computer (and modems)  at the cut
> point.  It can change any bit in any packet.  I would not bother with
> your house but a bank, maybe.

It may be the most obvious way, but it sure isn't the easiest.
Physical access on the last mile?  How 1930s.

The easiest way is to snoop and/or man-in-the-middle traffic at a
point close enough to the end user that all the user's traffic is on
one wire, yes.  Such as the ISP PoP.  There you can intercept or
man-in-the-middle using commodity ethernet tools, avoiding expensive
specialized equipment specific to the access technology (DSL, cable,
wireless).

Now, ISP Points of Presence are not palatial, they are likely to be
crammed with equipment and only the minimum space available for human
operators, who largely configure and control them remotely.  Getting a
piece of gear in there is challenging on several levels.

But not to fear, at least here in the Land of Liberty, the so-called
birthplace of freedom, where 1994's CALEA (revised in 2005)
intentionally has opened up our telecommunications networks to easy
remote-controlled interception, and probably provides much of what's
needed for remote MiTM, especially with CALEA access to both source
and destination networks.  Telcos and ISPs must provision and pay for
equipment and services scaled to spy on 10% of their traffic at any
one time, IIRC.

To understand just how evil this law is, you must appreciate that much
if not most government wiretapping in the US is extralegal.  That's a
polite way of saying unconstitutional, illegal, and known to be so to
the government agents committing said crimes.  CALEA doesn't have
anything to say about what is legal to wiretap, that's left to the
courts.  It is simply ensuring that telecommunications have a gaping
backdoor that at least the few legal wiretaps can use, with the
convenient side effect that such automated spying can be easily abused
by those who do not need to be able to produce the evidence at trial
and therefore actually concern themselves with the Constitution.

I bet CALEA-mandated backdoors are used much more by private
detectives, intelligence agencies, and law enforcement more interested
in information than legally-defensible wiretapping, than it is for the
supposedly primary purpose.  I may be paranoid and deluded, or I may
be a realist familiar with the long history of illegal wiretapping by
government agents.  I'm no expert.  I am a fundamentalist when it
comes to the US Constitution and Bill of Rights, so I've intentionally
avoided learning more than broad generalities about CALEA, for fear of
suicidal depression or revolutionary violence.  I know enough about
the requirements to realize 10% is orders of magnitude
overprovisioning for legal intercepts, and can only infer those behind
CALEA very much intended to support criminal wiretapping, at least by
governments.  I take it for granted that anyone with money or
government power can intercept any telecommunications they care to,
and it's my responsibility to encrypt things I don't want others to
see.

Revolutionarily depressed,
Dave Hart

Re: [ntp:questions] Secure NTP

2011-03-24 Thread Chris Albertson
> NTP Authentication adds signatures to the packets. There is no
> encryption.

What are "signatures"?  How are they generated?

Signatures are typically encrypted hashes of the message.  They are
typically used when you don't really care to hide the content of the
message but you do want to verify the sender of the message.
Signatures depend on cryptography.



-- 
=
Chris Albertson
Redondo Beach, California


Re: [ntp:questions] Secure NTP

2011-03-24 Thread Steve Kostecke
On 2011-03-25, j...@specsol.spam.sux.com 
wrote:

> Chris Albertson  wrote:
>
>> On Thu, Mar 24, 2011 at 2:26 PM,  wrote:
>>
>>
>>> When I see questions like this my first response is "Why all the
>>> bother?".
>>>
>>> There is nothing secret or proprietary about the time of day.
>>
>> Security is so that you know you are not being spoofed. Or if you are
>> providing the time so that you can prove to your users that you are
>> who you claim to be and are not spoofing them.
>
> The question was about clients authenticating to the server.

NTP Authentication authenticates the server to the clients. It is not a
client access control mechanism.

-- 
Steve Kostecke 
NTP Public Services Project - http://support.ntp.org/



Re: [ntp:questions] Secure NTP

2011-03-24 Thread Steve Kostecke
On 2011-03-24, Hal Murray  wrote:
> In article ,
>  j...@specsol.spam.sux.com writes:
>
>>When I see questions like this my first response is "Why all the bother?".
>>
>>There is nothing secret or proprietary about the time of day.

[snip]

>>Am I missing something??
>
> Yes.  The encryption also verifies that you are talking to the
> server you think you are talking to rather than an imposter.

NTP Authentication adds signatures to the packets. There is no
encryption.

-- 
Steve Kostecke 
NTP Public Services Project - http://support.ntp.org/
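
What "signatures, no encryption" looks like on the wire in NTP's symmetric-key mode, as an added example that is not part of the original thread: per RFC 5905 the 48-byte header travels in cleartext, followed by a 32-bit key ID and an MD5 digest of the key concatenated with the header. This is the shared-key scheme, not the Autokey public-key protocol the original question asks about; the key, key ID and timestamp are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # NTP header without extension fields
MAC_LEN = 4 + 16       # 32-bit key ID + 128-bit MD5 digest
TX_OFFSET = 40         # transmit timestamp starts at byte 40

# Constructed key table, standing in for a shared keys file.
KEYS = {7: b"constructed-shared-secret"}
SAMPLE_TX = 3509913600  # constructed: seconds since 1900 (24 March 2011)


def build_server_header(transmit_secs):
    """Pack a minimal mode-4 (server) NTPv4 header with constructed values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # LI=0, VN=4, mode=4
    ts = transmit_secs << 32                  # 32.32 fixed point, zero fraction
    return struct.pack("!BBbbII4sQQQQ",
                       li_vn_mode, 1, 6, -20,  # stratum, poll, precision
                       0, 0, b"GPS\x00",       # root delay, dispersion, refid
                       ts, ts, ts, ts)         # ref, origin, receive, transmit


def sign(header, key_id, key):
    """Append key ID and MD5(key || header); the header itself is unchanged."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys):
    """True only if the key ID is known and the digest matches the header."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def transmit_seconds(packet):
    """Anyone on the path can read this field: nothing is encrypted."""
    return struct.unpack("!I", packet[TX_OFFSET:TX_OFFSET + 4])[0]


def altered_copy(packet, seconds_back):
    """Test fixture: same packet with the transmit time moved back, MAC kept."""
    secs = struct.pack("!I", transmit_seconds(packet) - seconds_back)
    return packet[:TX_OFFSET] + secs + packet[TX_OFFSET + 4:]


if __name__ == "__main__":
    pkt = sign(build_server_header(SAMPLE_TX), 7, KEYS[7])
    print("readable transmit time:", transmit_seconds(pkt))
    print("genuine packet verifies:", verify(pkt, KEYS))
    print("altered packet verifies:", verify(altered_copy(pkt, 10), KEYS))
```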



Re: [ntp:questions] Secure NTP

2011-03-24 Thread jimp
Chris Albertson  wrote:
> On Thu, Mar 24, 2011 at 2:26 PM,   wrote:
> 
> 
>> When I see questions like this my first response is "Why all the bother?".
>>
>> There is nothing secret or proprietary about the time of day.
> 
> 
> Security is so that you know you are not being spoofed.  Or if you are
> providing the time so that you can prove to your users that you are
> who you claim to be and are not spoofing them.

The question was about clients authenticating to the server.

See below.

> There is the chance that someone might "impersonate" one of your
> servers or a server you use. and then make a computer's clock be set
> to the wrong time.   Again "who cares" if you only use your computer
> to surf the web and read emails but what if you were a bank processing
> ATM or visa card transactions or worse a computer routing trains or
> airplanes or controlling stop lights.
> 
> If I were smart enough to remotely control a computer's time, then I
> could maybe make stock trades with an effective trade date of four
> hours ago.  I could make a fortune.

If the time on a client is that important, you run multiple local servers
with backup like a GPS NTP box and you don't depend on getting the time
across the Internet.

If the time on a client is only "kind of" important, you still run multiple
servers, which means a majority of your servers would have to be spoofed
in sync before it would have any effect on the clients.

If your clients and server are on your local network, it is not very likely
your servers are going to be spoofed, and if it is you have bigger issues
than the time of day.




-- 
Jim Pennino

Remove .spam.sux to reply.
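
The multiple-server argument in the message above, as an added example that is not part of the original thread: a simplified majority-intersection check in the spirit of the clock selection step in RFC 5905 (not ntpd's own code). Each source claims the interval offset ± root distance; the source names, offsets and distances are constructed.

```python
"""Majority intersection over NTP source intervals (simplified)."""


def _lo(src):
    return src[1] - src[2]


def _hi(src):
    return src[1] + src[2]


def select(sources):
    """sources: list of (name, offset_s, root_distance_s).

    Returns survivors, rejected sources and the midpoint of the agreed
    interval, or None when no strict majority of intervals overlap.
    """
    best = []
    for cand in sources:
        # The largest overlapping group always contains some lower endpoint.
        point = _lo(cand)
        members = [s for s in sources if _lo(s) <= point <= _hi(s)]
        if len(members) > len(best):
            best = members
    if 2 * len(best) <= len(sources):
        return None
    low = max(_lo(s) for s in best)
    high = min(_hi(s) for s in best)
    return {
        "survivors": [s[0] for s in best],
        "rejected": [s[0] for s in sources if s not in best],
        "offset": (low + high) / 2,
    }


# Constructed scenarios. Offsets and root distances are in seconds.
ONE_BAD = [("gps-a", 0.0002, 0.002), ("cdma-b", -0.0005, 0.004),
           ("net-c", 0.0030, 0.020), ("net-d", -10.0, 0.020)]

MAJORITY_BAD = [("gps-a", 0.0002, 0.002), ("net-b", -10.0003, 0.004),
                ("net-c", -9.9990, 0.020), ("net-d", -10.0, 0.020)]

SPLIT = [("a", 0.0, 0.002), ("b", 0.001, 0.002),
         ("c", -10.0, 0.002), ("d", -10.001, 0.002)]


if __name__ == "__main__":
    for label, srcs in (("one bad source", ONE_BAD),
                        ("majority bad", MAJORITY_BAD),
                        ("even split", SPLIT)):
        print(label, "->", select(srcs))
```

With one source ten seconds off, it is outvoted; when three of four agree on the wrong time, the lone correct source is the one rejected, which is why the independence of the sources matters as much as their number.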



Re: [ntp:questions] Secure NTP

2011-03-24 Thread Chris Albertson
On Thu, Mar 24, 2011 at 4:18 PM,   wrote:
> Hal Murray  wrote:
>> In article ,
>> j...@specsol.spam.sux.com writes:
>>
>>>When I see questions like this my first response is "Why all the bother?".
>>>
>>>There is nothing secret or proprietary about the time of day.
>>>
>>>Since all NTP servers provide UTC, the service reveals nothing about the
>>>machine other than the fact that the clock is correct.
>>>
>>>If you don't want your resources utilized by outsiders, you just block
>>>access to the NTP port for everyone but your own clients as a blocked
>>>port uses less resources than denying an unsuccessful authorization does.
>>>
>>>Am I missing something??
>>
>> Yes.  The encryption also verifies that you are talking to the
>> server you think you are talking to rather than an imposter.
>
> If you specify the server by IP address, how does that happen and who
> would bother to do it?

The most obvious and easy way is that I cut the wire that goes from
your house to your ISP and place a computer (and modems)  at the cut
point.  It can change any bit in any packet.  I would not bother with
your house but a bank, maybe.

If I could make transactions that were backdated I could make a lot of
money even if only slightly back dated by 10 seconds.

>
> IP hijacking will disrupt a lot more than just NTP.

It can but,  that is up to the hijacker.   A "man in the middle"
attack can filter network packets and change only the bits he wants
changed
>
> If your server and its clients are on a corporate network, which is the
> usual case for having one's own server, how does this happen?

Outsider has taken control of a computer that lives inside your network

In general your arguments follow a common mistake.  It is equivalent
to  "I can't figure it out so therefore it can't happen".   It is never
valid to argue "it's impossible because I can't figure any way to".
   To claim something is impossible you need something that is very
much like a mathematical proof.


-- 
=
Chris Albertson
Redondo Beach, California


Re: [ntp:questions] Secure NTP

2011-03-24 Thread jimp
Hal Murray  wrote:
> In article ,
> j...@specsol.spam.sux.com writes:
> 
>>When I see questions like this my first response is "Why all the bother?".
>>
>>There is nothing secret or proprietary about the time of day.
>>
>>Since all NTP servers provide UTC, the service reveals nothing about the
>>machine other than the fact that the clock is correct.
>>
>>If you don't want your resources utilized by outsiders, you just block
>>access to the NTP port for everyone but your own clients as a blocked
>>port uses less resources than denying an unsuccessful authorization does.
>>
>>Am I missing something??
> 
> Yes.  The encryption also verifies that you are talking to the
> server you think you are talking to rather than an imposter.

If you specify the server by IP address, how does that happen and who
would bother to do it?

IP hijacking will disrupt a lot more than just NTP.

If your server and its clients are on a corporate network, which is the
usual case for having one's own server, how does this happen?
 

-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-24 Thread Chris Albertson
On Thu, Mar 24, 2011 at 2:26 PM,   wrote:


> When I see questions like this my first response is "Why all the bother?".
>
> There is nothing secret or proprietary about the time of day.


Security is so that you know you are not being spoofed.  Or if you are
providing the time so that you can prove to your users that you are
who you claim to be and are not spoofing them.

There is the chance that someone might "impersonate" one of your
servers or a server you use. and then make a computer's clock be set
to the wrong time.   Again "who cares" if you only use your computer
to surf the web and read emails but what if you were a bank processing
ATM or visa card transactions or worse a computer routing trains or
airplanes or controlling stop lights.

If I were smart enough to remotely control a computer's time, then I
could maybe make stock trades with an effective trade date of four
hours ago.  I could make a fortune.



-- 
=
Chris Albertson
Redondo Beach, California


Re: [ntp:questions] Secure NTP

2011-03-24 Thread Hal Murray
In article ,
 j...@specsol.spam.sux.com writes:

>When I see questions like this my first response is "Why all the bother?".
>
>There is nothing secret or proprietary about the time of day.
>
>Since all NTP servers provide UTC, the service reveals nothing about the
>machine other than the fact that the clock is correct.
>
>If you don't want your resources utilized by outsiders, you just block
>access to the NTP port for everyone but your own clients as a blocked
>port uses less resources than denying an unsuccessful authorization does.
>
>Am I missing something??

Yes.  The encryption also verifies that you are talking to the
server you think you are talking to rather than an imposter.

-- 
These are my opinions, not necessarily my employer's.  I hate spam.



Re: [ntp:questions] Secure NTP

2011-03-24 Thread jimp
Yessica  wrote:
> Hello!
> I am installing an NTP server, but requires authentication for that
> clients can be synchronized with the server, and also that
> authentication should be with public and private keys. Let me know if
> I can work with certificates issued by any authority or can only use
> the certificates generated by the ntp-keygen.
> 
> Thank you very much!
> I hope you can answer.
> 
> PS: I'm working with ntp v4

When I see questions like this my first response is "Why all the bother?".

There is nothing secret or proprietary about the time of day.

Since all NTP servers provide UTC, the service reveals nothing about the
machine other than the fact that the clock is correct.

If you don't want your resources utilized by outsiders, you just block
access to the NTP port for everyone but your own clients as a blocked
port uses less resources than denying an unsuccessful authorization does.

Am I missing something??


-- 
Jim Pennino

Remove .spam.sux to reply.



Re: [ntp:questions] Secure NTP

2011-03-24 Thread David L. Mills

Yessica,

In principle, NTP Autokey can use certificates generated by OpenSSL or 
by other certificate authorities (CA); however, there are some very 
minor details with these certificates, including the sequence number and 
use of the X.500 extension fields. Ideally, the CA would run the Autokey 
protocol and serve as the TH itself, which would be consistent with the 
TC model. Absent that, the choice is to use the certificates generated 
by the ntp-keygen program.


Yessica wrote:


> Hello!
> I am installing an NTP server, but requires authentication for that
> clients can be synchronized with the server, and also that
> authentication should be with public and private keys. Let me know if
> I can work with certificates issued by any authority or can only use
> the certificates generated by the ntp-keygen.
>
> Thank you very much!
> I hope you can answer.
>
> PS: I'm working with ntp v4
