8

I need an unspoofable and accurate time source.

Short of setting up my own atomic clock (unless that's easier than it sounds) how could I accomplish this?

It's not that I don't trust the NTP pools; I don't have any assurance of who I am talking to.

Chris S
  • 77,945
  • 11
  • 124
  • 216
84104
  • 12,905
  • 6
  • 45
  • 76
  • 2
    Unspoofable isn't possible (assuming you want your time to synchronize with anyone else). In order for your time to synchronize with anyone else, you implicitly must trust at least one other person. It is always possible that the person you trust provides you with information that you would deem to be inaccurate. You can however take measures to ensure the information you receive is widely accepted as accurate. This is one of the reasons why a good NTP server should sync with many (8+ IMHO) other servers if it doesn't have a hardware time provider. – Chris S Oct 13 '11 at 19:07
  • Setting up your own atomic clock is not hard, you can just go buy one (look for a "frequency standard"). Its expensive, though. – derobert Oct 13 '11 at 21:10
  • 3
    I think that if you can't trust your NTP pools or your ISP, there are other issues... – TheLQ Oct 14 '11 at 14:14
  • I see this is very old but I feel its worth mentioning that you can use keyed connections to trusted time sources manually. Just ring up the admin of a trusted time source and ask to use their service with ntp keys. – mikebabcock Oct 15 '13 at 16:00

5 Answers

13

My advice would be to trust NTP -- It's by no means secure, but I'm not aware of any major attack vectors, and it's as secure as your selection of peers (which are in turn as secure as your DNS resolution and your routing table).

If you need to consider other alternatives here are a few (accuracy/security in parentheses):

  1. Your own atomic clock as a PPS source. (Über accurate. Damn near unspoofable)
    (These are available on eBay. It's not impossible to set up - there are lots of time nerds that have them and your NTP daemon can use them as a time source. You will need to handle leap seconds.)

  2. A GPS receiver. (Super accurate. Very hard to spoof).
    (GPS signals CAN be overridden/spoofed but that's a specialist attack that would require some effort to carry out. A total failure of the GPS system is unlikely, as is a complete shutdown.)

  3. NTP (Very accurate. Spoofable with some effort)
    (The chances of someone attacking you via your time source are pretty slim, and if you configure your NTP daemon against several of the pool servers any outliers or false-tickers will be discarded.
    Note that this assumes you trust your DNS at least as far as you can drop-kick it.)

  4. A stabilized quartz oscillator as a PPS source. (Not very accurate. Damn near unspoofable)
    (Depending on the oscillator this may not be any more accurate than your computer's clock. Expect to have to correct the time periodically, and you will need to handle leap seconds.)

  5. Your computer's internal clock. (More accurate than an hourglass. Damn near unspoofable.)
    (For any modern application that cares about time this is pretty much unusable.)

voretaq7
  • 79,879
  • 17
  • 130
  • 214
  • 1
    Unfortunately, total GPS shutdown is actually a very simple attack vector. So simple, that it's been done totally by accident before: http://www.gizmodo.com.au/2011/03/gps-chaos-how-a-us30-box-can-jam-your-life/ – Mark Henderson Oct 13 '11 at 21:28
  • The atomic clocks you find on eBay (I assume you're talking about the HP 5071s that pop up from time to time) are the ones old enough to need new Cesium tubes, which come at about the price of a mid-size car. Standards like the 5071 are only accurate when averaged by the dozen (as USNO does) or as part of a system cross-disciplined with GPS . Despite having a clock on the front panel, the 5071 has no way to set or read it accurately, and the 1PPS outputs have to be steered externally to get into phase with UTC. – Blrfl Oct 14 '11 at 02:48
  • 1
    GPS is actually inaccurate, and is astonishingly easy to spoof or jam. Do not rely on it for timing accuracy, or in fact for navigation. – Rory Alsop Oct 14 '11 at 12:12
  • 3
    @RoryAlsop On what, do you base the statement that GPS is inaccurate and should not be relied upon? I will readily concede the jamming (and thus spoofing) possibility, but when operating normally (which is the vast majority of the time) I can fix a moving aircraft within its wingspan on an airport - that strikes me as quite accurate for position, and my experience with GPS time has been equally good well into sub-second accuracy, which is often "good enough". – voretaq7 Oct 14 '11 at 15:01
  • @Blrfl Replacing the cesium tube every 3-10 years (depending on the tube) **is** a pretty hefty expense, but if you need that kind of accuracy you want to be investing the money in maintenance. I can't comment on cesium clock drift or phasing (out of my area of expertise I'm afraid), but as a PPS source to discipline an existing clock it seems an OK option. – voretaq7 Oct 14 '11 at 15:24
  • @voretaq7 - I'll retract the inaccurate bit - my focus was really more on the possibility of an attacker moving the apparent GPS coordinates – Rory Alsop Oct 14 '11 at 18:34
  • @RoryAlsop I'll definitely concede that - GPS signals are very weak and can be overridden - but like I said such spoofing is a specialist attack - I'm sure the military can do it, but I'm not aware of any civilians demonstrating that capability. Inadvertent (or intentional) jamming/interference is more likely, though still a pretty remote possibility unless you're in a hostile environment (combat) :) – voretaq7 Oct 14 '11 at 19:12
  • I'm pretty certain it was demonstrated at DefCon or one of the other security cons - will try and find a link – Rory Alsop Oct 14 '11 at 19:13
  • @RoryAlsop Looking around I see that something was done back in 2008 using a bench-check transmitter & an RF amplifier. I'm not sure if those are substantially easier to get now – voretaq7 Oct 14 '11 at 19:27
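As an added example (not part of any answer or comment above), here is the arithmetic voretaq7's answer relies on when it says that pointing the daemon at several pool servers lets it discard outliers and false-tickers. The four-timestamp offset/delay calculation and the interval intersection follow the on-wire calculation and selection step described in RFC 5905; the server names and timestamps are constructed (a client whose clock reads 0.5 s low, three servers keeping true time, and one server that is 2 s fast).

```python
"""NTP offset/delay arithmetic and falseticker rejection (added example).
Timestamps below are constructed; no network access is needed."""


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire calculation for one exchange.

    t1 = client transmit, t4 = client receive (client clock)
    t2 = server receive, t3 = server transmit (server clock)
    Returns (offset, delay). offset is the estimated server-minus-client
    clock difference; delay is the round trip minus the server's
    processing time. If the server's clock is right, the true offset lies
    in [offset - delay/2, offset + delay/2].
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def intersection(candidates):
    """Marzullo-style intersection used by ntpd's selection algorithm.

    candidates: list of (offset, delay). Each becomes the interval
    [offset - delay/2, offset + delay/2]. Returns (low, high, kept) where
    [low, high] is shared by at least a majority of the intervals and
    kept lists the indexes of candidates overlapping it (the truechimers).
    Returns None if no majority agrees.
    """
    n = len(candidates)
    endpoints = []
    for off, dly in candidates:
        endpoints.append((off - dly / 2.0, -1))  # interval start
        endpoints.append((off + dly / 2.0, +1))  # interval end
    endpoints.sort()
    allow = 0  # number of falsetickers we are willing to discard
    while 2 * allow < n:
        needed = n - allow
        chime, low = 0, None
        for x, kind in endpoints:            # sweep upwards for the low edge
            chime -= kind
            if chime >= needed:
                low = x
                break
        chime, high = 0, None
        for x, kind in reversed(endpoints):  # sweep downwards for the high edge
            chime += kind
            if chime >= needed:
                high = x
                break
        if low is not None and high is not None and low < high:
            kept = [i for i, (off, dly) in enumerate(candidates)
                    if off - dly / 2.0 <= high and off + dly / 2.0 >= low]
            return low, high, kept
        allow += 1
    return None


def select_sources(samples):
    """samples: {server_name: (t1, t2, t3, t4)}. Returns the agreed
    interval and which servers were kept (truechimers) or rejected."""
    names = list(samples)
    candidates = [offset_and_delay(*samples[name]) for name in names]
    result = intersection(candidates)
    if result is None:
        return {"low": None, "high": None, "truechimers": [], "falsetickers": names}
    low, high, kept = result
    return {
        "low": low,
        "high": high,
        "truechimers": [names[i] for i in kept],
        "falsetickers": [names[i] for i in range(len(names)) if i not in kept],
    }


# Constructed exchanges. The client clock reads 0.5 s less than true time;
# servers a, b and c keep true time, server d is 2.0 s fast.
SAMPLES = {
    "ntp-a": (1000.000, 1000.520, 1000.521, 1000.040),
    "ntp-b": (1000.100, 1000.640, 1000.642, 1000.190),
    "ntp-c": (1000.200, 1000.710, 1000.711, 1000.225),
    "ntp-d": (1000.300, 1002.810, 1002.811, 1000.320),
}

if __name__ == "__main__":
    for name, ts in SAMPLES.items():
        off, dly = offset_and_delay(*ts)
        print("%s offset=%+.4f delay=%.4f" % (name, off, dly))
    print(select_sources(SAMPLES))
```

With four sources the algorithm tolerates one falseticker (it needs a majority, n - allow, to overlap); with only two or three sources a single bad server can leave the client unable to pick, which is why Chris S's comment above recommends syncing against many.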
8

NTP isn't a secure protocol (well, there is an authentication mechanism, but it's not widely used, and MD5 auth isn't terribly secure) - no matter what internet time server you're talking to, you don't really know that you're talking to them. Trustworthiness of the pools aside (I don't like them because their strata are all over the place, NIST has good sources for internet NTP), internet NTP doesn't meet your requirement.

A hardware clock on the local network is really the only way you can be assured that your connection isn't being intercepted - and even then, only if your local area network's security is able to assure you of that.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • 2
    Can you really be sure about a hardware clock? It is just receiving another signal. It would be expensive, and illegal, but with money and the proper motivation one could jam the frequencies used, and provide an alternate source with bad time. – Zoredache Oct 13 '11 at 18:38
  • Forged GPS signals, I like it! – Shane Madden Oct 13 '11 at 18:41
  • 2
    It could be argued that polling a sufficiently large number of NTP sources (both some randomly chosen from a pool and some fixed) would give reasonable assurance of an accurate time. That said, if your ISP(s) are meddling with NTP packets you're still pretty screwed. A combination of NTP and Stratum 0 device(s) would increase assurance further. – Chris S Oct 13 '11 at 18:41
  • 1
    Forging (or jamming) GPS isn't as hard as people think - it's a *VERY* weak signal by the time it gets to your receiver. There was quite a stir in the aviation community a while back about GPS interference from cell towers - cf. http://www.avweb.com/avwebbiz/news/LightSquared_GPS_Interference_Reported_204668-1.html – voretaq7 Oct 13 '11 at 19:21
  • @voretaq7 That's interfering, blocking the GPS signal. In order to spoof a GPS signal, you'd have to generate almost-correct data to rebroadcast. OTOH, now that I think of it, you could just get the raw data from a receiver a short distance away, change the coordinate data, then modify the time data in the message and re-broadcast that. Still pretty far-fetched.. – Ward - Trying Codidact Oct 14 '11 at 21:31
  • @Ward - I thought so too but see my back and forth with RoryAlsop in the comments to my answer. I think it's still an unlikely attack vector, but if we're wearing our tinfoil GPS-Signal-Blocking hats I suppose we can't rule it out… – voretaq7 Oct 15 '11 at 05:58
7

One of the previous answers mentioned MD5 auth but failed to mention the pubkey authentication available in NTP4. Many national labs provide md5/autokey enabled time services.

I do not understand what your threat model is; if someone is capable of and willing to spoof your GPS signal you have bigger issues than what time it is. That being said you could combine a local refclock using GPS or CDMA and then augment this time signal with authenticated time from some of the national labs that provide authenticated time services. This way if your GPS signal is spoofed you could still rely on the authenticated time from the national labs.

GPS:

For as little as $40 and some soldering you could set up a local GPS+PPS time source with a Sure Electronics GPS evaluation board. Occasionally you can find a CDMA refclock for fairly cheap on eBay if you can not receive a GPS signal in your data center.

Authenticated NTP Service:

NIST, NRC, and INRIM (national labs for the US, Canada and Italy) provide MD5 authenticated time services. Unlike NIST and INRIM, the NRC md5 service is not free. Autokey authenticated time service is available from OBSPM and INRIM (the French and Italian national labs) and they provide this service for free. There are surely other national labs with authenticated time but you are going to need to google for them.

Links for authenticated time from national labs:

NIST:

http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm

NRC:

http://www.nrc-cnrc.gc.ca/eng/services/inms/calibration-services/time-frequency.html#Authenticated

OBSPM:

http://syrte.obspm.fr/informatique/ntp_infos.php

https://syrte.obspm.fr/informatique/ntp_keys.php

INRIM:

http://www.inrim.it/ntp/

http://www.inrim.it/ntp/auth_i.shtml

dfc
  • 1,341
  • 8
  • 16
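Both Shane Madden's answer and dfc's answer above refer to NTP's symmetric-key (MD5) authentication. As an added example, not code from either answer or from the ntp project, this is what that authentication is on the wire: a 32-bit key id followed by a digest over the shared key concatenated with the 48-byte NTP header, as RFC 5905 describes. ntpd reads the shared keys from its keys file (lines of the form `<id> MD5 <key>`) named by the `keys` directive, accepts only ids listed in `trustedkey`, and is told which key to use per peer with `server ... key <id>`. The key, key id and timestamp here are constructed.

```python
"""NTP symmetric-key authentication (added example).
Builds a v4 client packet, appends the RFC 5905 MAC (key id + MD5 of
key || packet) and verifies it the way ntpd does for keys listed in its
keys file. Key material and timestamps are constructed."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                # fixed NTP header, the part the MAC covers


def to_ntp_timestamp(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)


def build_client_packet(transmit_unix):
    """Minimal NTPv4 client request: LI=0, VN=4, mode=3, with only the
    transmit timestamp filled in, as a real client sends."""
    first = (0 << 6) | (4 << 3) | 3                  # LI | VN | mode -> 0x23
    header = struct.pack("!BBbb", first, 0, 0, 0)    # stratum, poll, precision
    zeros = b"\x00" * 12                             # root delay, root disp, ref id
    timestamps = b"\x00" * 24                        # reference, origin, receive
    return header + zeros + timestamps + to_ntp_timestamp(transmit_unix)


def compute_mac(packet, key_id, key, algo="md5"):
    """MAC field: 32-bit key id followed by digest(key || packet)."""
    digest = hashlib.new(algo, key + packet).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(packet, key_id, key, algo="md5"):
    return packet + compute_mac(packet, key_id, key, algo)


def verify(message, trusted_keys, algo="md5"):
    """Check an authenticated packet against {key_id: key bytes}.
    Returns (ok, reason). Untrusted key ids are rejected even if the
    digest would match, mirroring ntpd's trustedkey directive."""
    digest_len = hashlib.new(algo).digest_size
    if len(message) < HEADER_LEN + 4 + digest_len:
        return False, "no MAC present"
    packet = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    received = message[HEADER_LEN + 4:HEADER_LEN + 4 + digest_len]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d not trusted" % key_id
    expected = hashlib.new(algo, key + packet).digest()
    if not hmac.compare_digest(expected, received):
        return False, "MAC mismatch"
    return True, "ok"


def demo():
    """Genuine packet verifies; a modified transmit timestamp, an unknown
    key id and a wrong key all fail."""
    key_id, key = 7, b"example-ntp-key"   # constructed, like one ntp.keys line
    packet = build_client_packet(1318100000.25)
    message = authenticate(packet, key_id, key)
    # the transmit timestamp occupies bytes 40..47 of the header
    tampered = message[:40] + b"\x00\x00\x00\x01" + message[44:]
    return {
        "genuine": verify(message, {key_id: key}),
        "tampered": verify(tampered, {key_id: key}),
        "unknown_key_id": verify(message, {8: key}),
        "wrong_key": verify(message, {key_id: b"not-the-key"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

This gives you integrity and source authentication for a peer you share a key with, which is what the national-lab services listed above rely on; it does nothing against an attacker who merely delays packets, and the digest is a plain key-prefix construction rather than an HMAC. RFC 8573 has since deprecated MD5 for NTP authentication in favour of AES-CMAC, so prefer that where your daemon supports it.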
5

Well, purchase a Meinberg with GPS sync. Those aren't too expensive. You should be able to trust that to some degree. http://www.meinberg.de. Or just buy a GPS sync device and hook it to a server.

cmouse
  • 488
  • 3
  • 10
  • Why can I trust the civilian band GPS signals? – 84104 Oct 13 '11 at 19:12
  • 1
    @user84104 There is no "civilian band" -- GPS/WAAS signals (including the time signal) are available to everyone now subject to the whims of the military (and some dumb US export laws on receivers). You can trust it because sailing vessels and aircraft rely on it, so turning it off or substantially degrading it would, to speak bluntly, really screw over a lot of people :-) – voretaq7 Oct 13 '11 at 19:41
  • @voretaq7 I should know better than to believe wikipedia, yet I keep doing it. http://en.wikipedia.org/wiki/GPS_signals#Military_.28M-code.29 – 84104 Oct 13 '11 at 19:56
  • @user84104 AFAIK M-Mode isn't in use (it's a proposed extension) - if it were none of the users I outlined in my comment would have access to it anyway :-) – voretaq7 Oct 13 '11 at 20:32
    Unfortunately, total GPS shutdown is actually a very simple attack vector. So simple, that it's been done totally by accident before: http://www.gizmodo.com.au/2011/03/gps-chaos-how-a-us30-box-can-jam-your-life/ – Mark Henderson Oct 13 '11 at 21:28
  • @MarkHenderson that (like the lightsquared test incident I linked to above) was a localized jamming issue (it's also why the FCC has strict laws on jamming) - That's a very real (though relatively remote) threat. A coordinated "we are turning off GPS by telling the satellites to stop broadcasting the signals" shutdown is far less likely, though definitely a remote possibility (GPS is under the control of the US military - Still belongs to the Navy I believe...) – voretaq7 Oct 13 '11 at 22:18
  • @voretaq7 - the military, and others, regularly degrade gps, so while people do rely on it, and it is generally correct, it should not be relied on as an unspoofable accurate clock. – Rory Alsop Oct 14 '11 at 12:14
  • 1
    @RoryAlsop Do you have any references or proof of any military or others actually doing this? – Chris S Oct 14 '11 at 15:55
  • Certainly during major exercises and in battle conditions degrading has been done, yes. – Rory Alsop Oct 14 '11 at 17:09
  • @RoryAlsop Reference? It's common knowledge that it *can* be degraded, but I've never seen reporting of a case where it actually *has*. – Shane Madden Oct 14 '11 at 21:39
4

There are any number of secure time sources available on the Internet. Most of them work this way:

  1. You generate a random challenge.

  2. You send the challenge to the time source.

  3. The time source appends a timestamp to your challenge, signs it with their well-known private key, and sends it back to you.

  4. You confirm the signature with their public key.

  5. You now know, assuming you can trust this source, that the time in the timestamp reflects a time somewhere between when you generated the challenge and when you received the reply.

Verisign runs such a service over HTTPS. The URL is http://timestamp.verisign.com/scripts/timstamp.dll. Globalsign runs one as well, the URL is http://timestamp.globalsign.com/scripts/timstamp.dll. The protocol is specified in RFC 3161 and also implemented in OpenSSL.

David Schwartz
  • 31,449
  • 2
  • 55
  • 84
  • 1
    Major problem: there's no way to account for transit/protocol delays here. Like you said, you know the timestamp `reflects a time somewhere between when you generated the challenge and when you received the reply` - That could have 20ms, 200ms or 2000ms(pathological case) delay time. The only "accurate" time guarantee here is that the TSA's timestamp is accurate for when the TSA issued it (not when it was requested or received by the client) – voretaq7 Oct 13 '11 at 19:46
  • Every time synchronizing scheme has some level of accuracy. For a scheme that is both secure and free, two second accuracy is actually pretty darned good. – David Schwartz Oct 13 '11 at 20:30
  • Trouble is two-second accuracy (and more importantly indeterminate accuracy) isn't good enough for many environments where accurate/synchronized time is necessary. Timestamping and time synchronization are *vastly* different problem domains: These services are the former. NTP and local PPS clocks are for the latter. – voretaq7 Oct 13 '11 at 20:36
  • His issue with NTP or GPS is that he can't secure it. He can do that with timestamping. They combine perfectly, though it's hard to be sure since we don't know his exact requirements. – David Schwartz Oct 13 '11 at 22:10
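A minimal version of the five-step exchange David Schwartz describes, as an added example rather than anything from the answer or from the Verisign/Globalsign services: one side plays the time source, the other the client, and the client also computes what voretaq7's comment points out, namely that the reply only bounds the time to the interval between sending the challenge and receiving the response. The HMAC over a shared secret stands in for the RFC 3161 signature so the code runs with the standard library only; the secret, clock readings and nonces are constructed.

```python
"""Challenge/response timestamping (added example).
A real RFC 3161 TSA returns a CMS structure signed with its X.509 key;
here an HMAC over a shared secret stands in for that signature. What the
example shows is the part that does not change: the nonce binds the reply
to this request, and the only time guarantee is the interval between
sending the challenge and receiving the response."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TIME_LEN = 8
TAG_LEN = hashlib.sha256().digest_size


class TimestampAuthority:
    """Server side: appends its current time to the nonce and authenticates
    both. `clock` is injectable so the demo is deterministic."""

    def __init__(self, secret, clock):
        self._secret = secret
        self._clock = clock

    def respond(self, nonce):
        body = nonce + struct.pack("!d", self._clock())
        tag = hmac.new(self._secret, body, hashlib.sha256).digest()
        return body + tag


def make_challenge():
    return os.urandom(NONCE_LEN)


def check_response(response, nonce, secret, t_sent, t_received):
    """Client side. t_sent/t_received are the client's own clock readings
    around the exchange. Returns a dict with ok, reason, the TSA's issued
    time, and the bounds on the client's offset (tsa minus client) that
    the exchange actually proves."""
    bad = {"ok": False, "issued": None, "offset_low": None, "offset_high": None}
    if len(response) != NONCE_LEN + TIME_LEN + TAG_LEN:
        return dict(bad, reason="malformed response")
    body, tag = response[:NONCE_LEN + TIME_LEN], response[NONCE_LEN + TIME_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return dict(bad, reason="authentication failed")
    if not hmac.compare_digest(body[:NONCE_LEN], nonce):
        return dict(bad, reason="nonce mismatch (stale or replayed response)")
    issued = struct.unpack("!d", body[NONCE_LEN:])[0]
    # The TSA read its clock at some client-clock instant in [t_sent, t_received],
    # so the client's offset is only known to within the round trip.
    return {"ok": True, "reason": "ok", "issued": issued,
            "offset_low": issued - t_received, "offset_high": issued - t_sent}


def demo():
    secret = b"shared-secret-for-demo"                    # constructed
    tsa = TimestampAuthority(secret, clock=lambda: 1000.4)  # constructed TSA clock
    nonce = make_challenge()
    t_sent, t_received = 500.0, 500.8                      # constructed client clock
    response = tsa.respond(nonce)
    good = check_response(response, nonce, secret, t_sent, t_received)
    # Replay: someone returns the earlier response to a fresh challenge.
    replayed = check_response(response, make_challenge(), secret, 501.0, 501.6)
    # Tampering: flip a bit inside the issued time.
    forged = bytearray(response)
    forged[NONCE_LEN] ^= 0x01
    tampered = check_response(bytes(forged), nonce, secret, t_sent, t_received)
    return {"good": good, "replayed": replayed, "tampered": tampered}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In the constructed run the client learns its offset is somewhere in [499.6, 500.4] s, an 0.8 s window set entirely by the round trip; that is the "indeterminate accuracy" voretaq7 objects to, and why this kind of service proves when a document existed rather than disciplining a clock.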