|
DataMuseum.dkPresents historical artifacts from the history of: DKUUG/EUUG Conference tapes |
This is an automatic "excavation" of a thematic subset of
See our Wiki for more about DKUUG/EUUG Conference tapes Excavated with: AutoArchaeologist - Free & Open Source Software. |
top - metrics - downloadIndex: T m
Length: 105949 (0x19ddd)
Types: TextFile
Names: »m.bishop.ntp.security.ps«
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦this⟧ »./papers/NTP_Security/m.bishop.ntp.security.ps«
%!
%%BoundingBox: (atend)
%%Pages: (atend)
%%DocumentFonts: (atend)
%%EndComments
%
% FrameMaker PostScript Prolog 2.0, for use with FrameMaker 2.0
% Copyright (c) 1986,87,89 by Frame Technology, Inc. All rights reserved.
%
% Known Problems:
% Due to bugs in Transcript, the 'PS-Adobe-' is omitted from line 1
/FMversion (2.0) def
/FrameDict 170 dict def
systemdict /errordict known not { /errordict 10 dict def
errordict /rangecheck { stop } put } if
% The readline in 23.0 doesn't recognize cr's as nl's on AppleTalk
FrameDict /tmprangecheck errordict /rangecheck get put
errordict /rangecheck {FrameDict /bug true put} put
FrameDict /bug false put
mark
% Some PS machines read past the CR, so keep the following 3 lines together!
currentfile 5 string readline
00
0000000000
cleartomark
errordict /rangecheck FrameDict /tmprangecheck get put
FrameDict /bug get {
/readline {
/gstring exch def
/gfile exch def
/gindex 0 def
{
gfile read pop
dup 10 eq {exit} if
dup 13 eq {exit} if
gstring exch gindex exch put
/gindex gindex 1 add def
} loop
pop
gstring 0 gindex getinterval true
} def
} if
/FMVERSION {
FMversion ne {
/Times-Roman findfont 18 scalefont setfont
100 100 moveto
(FrameMaker version does not match postscript_prolog!)
dup =
show showpage
} if
} def
/FMLOCAL {
FrameDict begin
0 def
end
} def
/gstring FMLOCAL
/gfile FMLOCAL
/gindex FMLOCAL
/orgxfer FMLOCAL
/orgproc FMLOCAL
/organgle FMLOCAL
/orgfreq FMLOCAL
FrameDict /graymode true put
/yscale FMLOCAL
/xscale FMLOCAL
/PrintInColor systemdict /colorimage known def
% Uncomment this line to force b&w on color printer
% /PrintInColor false def
PrintInColor
{
/HUE 0 def
/SAT 0 def
/BRIGHT 0 def
% array of arrays Hue and Sat values for the separations [HUE BRIGHT]
/Colors
[[0 0 ] % black
[0 0 ] % white
[0.00 1.0] % red
[0.37 1.0] % green
[0.60 1.0] % blue
[0.50 1.0] % cyan
[0.83 1.0] % magenta
[0.16 1.0] % comment
] def
/BEGINBITMAPCOLOR {
BITMAPCOLOR } def
/BEGINBITMAPCOLORc {
BITMAPCOLORc } def
/K {
Colors exch get dup
0 get /HUE exch store
1 get /BRIGHT exch store
HUE 0 eq BRIGHT 0 eq and
{1.0 SAT sub setgray }
{HUE SAT BRIGHT sethsbcolor }
ifelse
} def
/mysetgray {
/SAT exch 1.0 exch sub store
HUE 0 eq BRIGHT 0 eq and
{1.0 SAT sub setgray }
{HUE SAT BRIGHT sethsbcolor }
ifelse
} bind def
}
{
/BEGINBITMAPCOLOR {
BITMAPGRAY } def
/BEGINBITMAPCOLORc {
BITMAPGRAYc } def
/mysetgray { setgray } bind def
/K {
pop
} def
}
ifelse
/max {2 copy lt {exch} if pop} bind def
/min {2 copy gt {exch} if pop} bind def
/mtx matrix defaultmatrix def
/setmanualfeed {
%%BeginFeature *ManualFeed True
statusdict /manualfeed true put
%%EndFeature
} def
/FMDOCUMENT {
array /FMfonts exch def
/#copies exch def
0 ne dup {setmanualfeed} if
FrameDict begin
/manualfeed exch def
/paperheight exch def
/paperwidth exch def
setpapername
manualfeed {true} {papersize} ifelse
{manualpapersize} {false} ifelse
{desperatepapersize} if
/yscale exch def
/xscale exch def
currenttransfer cvlit /orgxfer exch def
currentscreen cvlit /orgproc exch def
/organgle exch def /orgfreq exch def
end
} def
/pagesave FMLOCAL
/orgmatrix FMLOCAL
/landscape FMLOCAL
/FMBEGINPAGE {
FrameDict begin
/pagesave save def
3.86 setmiterlimit
/landscape exch 0 ne store
landscape {
90 rotate 0 exch neg translate pop
}
{ pop pop }
ifelse
xscale yscale scale
/orgmatrix matrix def
gsave
} def
/FMENDPAGE {
grestore
pagesave restore
end
showpage
} def
/fontname FMLOCAL
/fontscale FMLOCAL
/fontnum FMLOCAL
/fontdict FMLOCAL
/FMDEFINEFONT {
FrameDict begin
/fontname exch def
/fontscale exch def
/fontnum exch def
/fontdict fontname findfont fontscale scalefont def
fontdict /Encoding get StandardEncoding eq
{
fontdict DiacriticEncode
/fontdict exch def
} {
fontdict NonDiacriticEncode
/fontdict exch def
} ifelse
FMfonts fontnum
fontnum fontdict definefont
put
end
} def
/FMNORMALIZEGRAPHICS {
newpath
0.0 0.0 moveto
1 setlinewidth
0 setlinecap
0 mysetgray
} bind def
/FMBEGINEPSF {
end
/FMEPSF save def
/showpage {} def
FMNORMALIZEGRAPHICS
[/fy /fx /fh /fw /ury /urx /lly /llx] {exch def} forall
fx fy translate
rotate
fw urx llx sub div fh ury lly sub div scale
llx neg lly neg translate
} bind def
/FMENDEPSF {
FMEPSF restore
FrameDict begin
} bind def
FrameDict begin
/pagedimen {
paperheight sub abs 16 lt exch
paperwidth sub abs 16 lt and
{/papername exch def} {pop} ifelse
} def
/inch {72 mul} def
/setpapername {
/papersizedict 14 dict def
papersizedict begin
/papername /unknown def
/Letter 8.5 inch 11.0 inch pagedimen
/LetterSmall 7.68 inch 10.16 inch pagedimen
/Tabloid 11.0 inch 17.0 inch pagedimen
/Ledger 17.0 inch 11.0 inch pagedimen
/Legal 8.5 inch 14.0 inch pagedimen
/Statement 5.5 inch 8.5 inch pagedimen
/Executive 7.5 inch 10.0 inch pagedimen
/A3 11.69 inch 16.5 inch pagedimen
/A4 8.26 inch 11.69 inch pagedimen
/A4Small 7.47 inch 10.85 inch pagedimen
/B4 10.125 inch 14.33 inch pagedimen
/B5 7.16 inch 10.125 inch pagedimen
end
} def
/papersize {
papersizedict begin
/Letter {lettertray} def
/LetterSmall {lettertray lettersmall} def
/Tabloid {11x17tray} def
/Ledger {ledgertray} def
/Legal {legaltray} def
/Statement {statementtray} def
/Executive {executivetray} def
/A3 {a3tray} def
/A4 {a4tray} def
/A4Small {a4tray a4small} def
/B4 {b4tray} def
/B5 {b5tray} def
/unknown {unknown} def
papersizedict dup papername known {papername} {/unknown} ifelse get
end
statusdict begin stopped end
} def
/manualpapersize {
papersizedict begin
/Letter {letter} def
/LetterSmall {lettersmall} def
/Tabloid {11x17} def
/Ledger {ledger} def
/Legal {legal} def
/Statement {statement} def
/Executive {executive} def
/A3 {a3} def
/A4 {a4} def
/A4Small {a4small} def
/B4 {b4} def
/B5 {b5} def
/unknown {unknown} def
papersizedict dup papername known {papername} {/unknown} ifelse get
end
stopped
} def
/desperatepapersize {
statusdict /setpageparams known
{
paperwidth paperheight 0 1
statusdict begin
{setpageparams} stopped pop
end
} if
} def
/savematrix {
orgmatrix currentmatrix pop
} bind def
/restorematrix {
orgmatrix setmatrix
} bind def
/dmatrix matrix def
/dpi 72 0 dmatrix defaultmatrix dtransform
dup mul exch dup mul add sqrt def
/freq dpi 18.75 div 8 div round dup 0 eq { pop 1 } if 8 mul dpi exch div def
/sangle 1 0 dmatrix defaultmatrix dtransform exch atan def
/DiacriticEncoding [
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /space /exclam /quotedbl
/numbersign /dollar /percent /ampersand /quotesingle /parenleft
/parenright /asterisk /plus /comma /hyphen /period /slash /zero /one
/two /three /four /five /six /seven /eight /nine /colon /semicolon
/less /equal /greater /question /at /A /B /C /D /E /F /G /H /I /J /K
/L /M /N /O /P /Q /R /S /T /U /V /W /X /Y /Z /bracketleft /backslash
/bracketright /asciicircum /underscore /grave /a /b /c /d /e /f /g /h
/i /j /k /l /m /n /o /p /q /r /s /t /u /v /w /x /y /z /braceleft /bar
/braceright /asciitilde /.notdef /Adieresis /Aring /Ccedilla /Eacute
/Ntilde /Odieresis /Udieresis /aacute /agrave /acircumflex /adieresis
/atilde /aring /ccedilla /eacute /egrave /ecircumflex /edieresis
/iacute /igrave /icircumflex /idieresis /ntilde /oacute /ograve
/ocircumflex /odieresis /otilde /uacute /ugrave /ucircumflex
/udieresis /dagger /.notdef /cent /sterling /section /bullet
/paragraph /germandbls /registered /copyright /trademark /acute
/dieresis /.notdef /AE /Oslash /.notdef /.notdef /.notdef /.notdef
/yen /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/ordfeminine /ordmasculine /.notdef /ae /oslash /questiondown
/exclamdown /logicalnot /.notdef /florin /.notdef /.notdef
/guillemotleft /guillemotright /ellipsis /.notdef /Agrave /Atilde
/Otilde /OE /oe /endash /emdash /quotedblleft /quotedblright
/quoteleft /quoteright /.notdef /.notdef /ydieresis /Ydieresis
/fraction /currency /guilsinglleft /guilsinglright /fi /fl /daggerdbl
/periodcentered /quotesinglbase /quotedblbase /perthousand
/Acircumflex /Ecircumflex /Aacute /Edieresis /Egrave /Iacute
/Icircumflex /Idieresis /Igrave /Oacute /Ocircumflex /.notdef /Ograve
/Uacute /Ucircumflex /Ugrave /dotlessi /circumflex /tilde /macron
/breve /dotaccent /ring /cedilla /hungarumlaut /ogonek /caron
] def
/basefontdict FMLOCAL
/newfontdict FMLOCAL
/DiacriticEncode {
/basefontdict exch def
/newfontdict basefontdict maxlength dict def
basefontdict
{exch dup /FID ne
{dup /Encoding eq
{exch pop DiacriticEncoding}
{exch}
ifelse
newfontdict 3 1 roll put
}
{pop pop}
ifelse
} forall
newfontdict
} bind def
/NonDiacriticEncode {
/basefontdict exch def
/newfontdict basefontdict maxlength dict def
basefontdict
{exch dup /FID ne
{exch newfontdict 3 1 roll put}
{pop pop}
ifelse
} forall
newfontdict
} bind def
/bwidth FMLOCAL
/bpside FMLOCAL
/bstring FMLOCAL
/onbits FMLOCAL
/offbits FMLOCAL
/xindex FMLOCAL
/yindex FMLOCAL
/x FMLOCAL
/y FMLOCAL
/setpattern {
/bwidth exch def
/bpside exch def
/bstring exch def
/onbits 0 def /offbits 0 def
freq sangle landscape {90 add} if
{/y exch def
/x exch def
/xindex x 1 add 2 div bpside mul cvi def
/yindex y 1 add 2 div bpside mul cvi def
bstring yindex bwidth mul xindex 8 idiv add get
1 7 xindex 8 mod sub bitshift and 0 ne
{/onbits onbits 1 add def 1}
{/offbits offbits 1 add def 0}
ifelse
}
setscreen
{} settransfer
offbits offbits onbits add div mysetgray
/graymode false store
} bind def
/grayness {
mysetgray
graymode not {
/graymode true store
orgxfer cvx settransfer
orgfreq organgle orgproc cvx setscreen
} if
} bind def
/normalize {
transform round exch round exch itransform
} bind def
/dnormalize {
dtransform round exch round exch idtransform
} bind def
/lnormalize {
0 dtransform exch cvi 2 idiv 2 mul 1 add exch idtransform pop
} bind def
/H {
lnormalize setlinewidth
} bind def
/Z {
setlinecap
} bind def
/X {
fillprocs exch get exec
} bind def
/V {
gsave eofill grestore
} bind def
/N {
stroke
} bind def
/M {newpath moveto} bind def
/E {lineto} bind def
/D {curveto} bind def
/O {closepath} bind def
/n FMLOCAL
/L {
/n exch def
newpath
normalize
moveto
2 1 n {pop normalize lineto} for
} bind def
/Y {
L
closepath
} bind def
/x1 FMLOCAL
/x2 FMLOCAL
/y1 FMLOCAL
/y2 FMLOCAL
/rad FMLOCAL
/R {
/y2 exch def
/x2 exch def
/y1 exch def
/x1 exch def
x1 y1
x2 y1
x2 y2
x1 y2
4 Y
} bind def
/RR {
/rad exch def
normalize
/y2 exch def
/x2 exch def
normalize
/y1 exch def
/x1 exch def
newpath
x1 y1 rad add moveto
x1 y2 x2 y2 rad arcto
x2 y2 x2 y1 rad arcto
x2 y1 x1 y1 rad arcto
x1 y1 x1 y2 rad arcto
closepath
16 {pop} repeat
} bind def
/C {
grestore
gsave
R
clip
} bind def
/U {
grestore
gsave
} bind def
/F {
FMfonts exch get
setfont
} bind def
/T {
moveto show
} bind def
/RF {
rotate
0 ne { -1 1 scale } if
} bind def
/TF {
gsave
moveto
RF
show
grestore
} bind def
/P {
moveto
0 32 3 2 roll widthshow
} bind def
/PF {
gsave
moveto
RF
0 32 3 2 roll widthshow
grestore
} bind def
/S {
moveto
0 exch ashow
} bind def
/SF {
gsave
moveto
RF
0 exch ashow
grestore
} bind def
/B {
moveto
0 32 4 2 roll 0 exch awidthshow
} bind def
/BF {
gsave
moveto
RF
0 32 4 2 roll 0 exch awidthshow
grestore
} bind def
/x FMLOCAL
/y FMLOCAL
/dx FMLOCAL
/dy FMLOCAL
/dl FMLOCAL
/t FMLOCAL
/t2 FMLOCAL
/Cos FMLOCAL
/Sin FMLOCAL
/r FMLOCAL
/W {
dnormalize
/dy exch def
/dx exch def
normalize
/y exch def
/x exch def
/dl dx dx mul dy dy mul add sqrt def
dl 0.0 gt {
/t currentlinewidth def
savematrix
/Cos dx dl div def
/Sin dy dl div def
/r [Cos Sin Sin neg Cos 0.0 0.0] def
/t2 t 2.5 mul 3.5 max def
newpath
x y translate
r concat
0.0 0.0 moveto
dl t 2.7 mul sub 0.0 rlineto
stroke
restorematrix
x dx add y dy add translate
r concat
t 0.67 mul setlinewidth
t 1.61 mul neg 0.0 translate
0.0 0.0 moveto
t2 1.7 mul neg t2 2.0 div moveto
0.0 0.0 lineto
t2 1.7 mul neg t2 2.0 div neg lineto
stroke
t setlinewidth
restorematrix
} if
} bind def
/G {
gsave
newpath
normalize translate 0.0 0.0 moveto
dnormalize scale
0.0 0.0 1.0 5 3 roll arc
closepath fill
grestore
} bind def
/A {
gsave
savematrix
newpath
2 index 2 div add exch 3 index 2 div sub exch
normalize 2 index 2 div sub exch 3 index 2 div add exch
translate
scale
0.0 0.0 1.0 5 3 roll arc
restorematrix
stroke
grestore
} bind def
/x FMLOCAL
/y FMLOCAL
/w FMLOCAL
/h FMLOCAL
/xx FMLOCAL
/yy FMLOCAL
/ww FMLOCAL
/hh FMLOCAL
/FMsaveobject FMLOCAL
/FMoptop FMLOCAL
/FMdicttop FMLOCAL
/BEGINPRINTCODE {
/FMdicttop countdictstack 1 add def
/FMoptop count 4 sub def
/FMsaveobject save def
userdict begin
/showpage {} def
FMNORMALIZEGRAPHICS
3 index neg 3 index neg translate
} bind def
/ENDPRINTCODE {
count -1 FMoptop {pop pop} for
countdictstack -1 FMdicttop {pop end} for
FMsaveobject restore
} bind def
/gn {
0
{ 46 mul
cf read pop
32 sub
dup 46 lt {exit} if
46 sub add
} loop
add
} bind def
/str FMLOCAL
/cfs {
/str sl string def
0 1 sl 1 sub {str exch val put} for
str def
} bind def
/ic [
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0223
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0223
0
{0 hx} {1 hx} {2 hx} {3 hx} {4 hx} {5 hx} {6 hx} {7 hx} {8 hx} {9 hx}
{10 hx} {11 hx} {12 hx} {13 hx} {14 hx} {15 hx} {16 hx} {17 hx} {18 hx}
{19 hx} {gn hx} {0} {1} {2} {3} {4} {5} {6} {7} {8} {9} {10} {11} {12}
{13} {14} {15} {16} {17} {18} {19} {gn} {0 wh} {1 wh} {2 wh} {3 wh}
{4 wh} {5 wh} {6 wh} {7 wh} {8 wh} {9 wh} {10 wh} {11 wh} {12 wh}
{13 wh} {14 wh} {gn wh} {0 bl} {1 bl} {2 bl} {3 bl} {4 bl} {5 bl} {6 bl}
{7 bl} {8 bl} {9 bl} {10 bl} {11 bl} {12 bl} {13 bl} {14 bl} {gn bl}
{0 fl} {1 fl} {2 fl} {3 fl} {4 fl} {5 fl} {6 fl} {7 fl} {8 fl} {9 fl}
{10 fl} {11 fl} {12 fl} {13 fl} {14 fl} {gn fl}
] def
/sl FMLOCAL
/val FMLOCAL
/ws FMLOCAL
/im FMLOCAL
/bs FMLOCAL
/cs FMLOCAL
/len FMLOCAL
/pos FMLOCAL
/ms {
/sl exch def
/val 255 def
/ws cfs
/im cfs
/val 0 def
/bs cfs
/cs cfs
} bind def
400 ms
/ip {
is
0
cf cs readline pop
{ ic exch get exec
add
} forall
pop
} bind def
/wh {
/len exch def
/pos exch def
ws 0 len getinterval im pos len getinterval copy pop
pos len
} bind def
/bl {
/len exch def
/pos exch def
bs 0 len getinterval im pos len getinterval copy pop
pos len
} bind def
/s1 1 string def
/fl {
/len exch def
/pos exch def
/val cf s1 readhexstring pop 0 get def
pos 1 pos len add 1 sub {im exch val put} for
pos len
} bind def
/hx {
3 copy getinterval
cf exch readhexstring pop pop
} bind def
/h FMLOCAL
/w FMLOCAL
/d FMLOCAL
/lb FMLOCAL
/bitmapsave FMLOCAL
/is FMLOCAL
/cf FMLOCAL
/wbytes {
dup
8 eq { pop } { 1 eq { 7 add 8 idiv } { 3 add 4 idiv } ifelse } ifelse
} bind def
/BEGINBITMAPBWc {
1 {} COMMONBITMAPc
} bind def
/BEGINBITMAPGRAYc {
8 {} COMMONBITMAPc
} bind def
/BEGINBITMAP2BITc {
2 {} COMMONBITMAPc
} bind def
/COMMONBITMAPc {
/r exch def
/d exch def
gsave
translate rotate scale /h exch def /w exch def
/lb w d wbytes def
sl lb lt {lb ms} if
/bitmapsave save def
r
/is im 0 lb getinterval def
ws 0 lb getinterval is copy pop
/cf currentfile def
w h d [w 0 0 h neg 0 h]
{ip} image
bitmapsave restore
grestore
} bind def
/BEGINBITMAPBW {
1 {} COMMONBITMAP
} bind def
/BEGINBITMAPGRAY {
8 {} COMMONBITMAP
} bind def
/BEGINBITMAP2BIT {
2 {} COMMONBITMAP
} bind def
/COMMONBITMAP {
/r exch def
/d exch def
gsave
translate rotate scale /h exch def /w exch def
/bitmapsave save def
r
/is w d wbytes string def
/cf currentfile def
w h d [w 0 0 h neg 0 h]
{ cf is readhexstring pop } image
bitmapsave restore
grestore
} bind def
/Fmcc {
/proc2 exch cvlit def
/proc1 exch cvlit def
/newproc proc1 length proc2 length add array def
newproc 0 proc1 putinterval
newproc proc1 length proc2 putinterval
newproc cvx
} bind def
/colorsetup {
currentcolortransfer
/gryt exch def
/blut exch def
/grnt exch def
/redt exch def
/ngrayt 256 array def
/nredt 256 array def
/nbluet 256 array def
/ngreent 256 array def
0 1 255 {
/indx exch def
/cynu 1 red indx get 255 div sub def
/magu 1 green indx get 255 div sub def
/yelu 1 blue indx get 255 div sub def
/k cynu magu min yelu min def
/u k currentundercolorremoval exec def
nredt indx 1 0 cynu u sub max sub redt exec put
ngreent indx 1 0 magu u sub max sub grnt exec put
nbluet indx 1 0 yelu u sub max sub blut exec put
ngrayt indx 1 k currentblackgeneration exec sub gryt exec put
} for
{255 mul cvi nredt exch get}
{255 mul cvi ngreent exch get}
{255 mul cvi nbluet exch get}
{255 mul cvi ngrayt exch get}
setcolortransfer
{pop 0} setundercolorremoval
{} setblackgeneration
} bind def
/fakecolorsetup {
/tran 256 string def
0 1 255 { /ind exch def
tran ind
red ind get 77 mul
green ind get 151 mul
blue ind get 28 mul
add add 256 idiv put } for
currenttransfer
{ 255 mul cvi tran exch get 255.0 div }
exch Fmcc settransfer
} bind def
/BITMAPCOLOR {
/d 8 def
gsave
translate rotate scale /h exch def /w exch def
/bitmapsave save def
colorsetup
/is w d wbytes string def
/cf currentfile def
w h d [w 0 0 h neg 0 h]
{ cf is readhexstring pop } {is} {is} true 3 colorimage
bitmapsave restore
grestore
} bind def
/BITMAPCOLORc {
/d 8 def
gsave
translate rotate scale /h exch def /w exch def
/lb w d wbytes def
sl lb lt {lb ms} if
/bitmapsave save def
colorsetup
/is im 0 lb getinterval def
ws 0 lb getinterval is copy pop
/cf currentfile def
w h d [w 0 0 h neg 0 h]
{ip} {is} {is} true 3 colorimage
bitmapsave restore
grestore
} bind def
/BITMAPGRAY {
8 {fakecolorsetup} COMMONBITMAP
} bind def
/BITMAPGRAYc {
8 {fakecolorsetup} COMMONBITMAPc
} bind def
/ENDBITMAP {
} bind def
end
%%EndProlog
%%BeginSetup
(2.0) FMVERSION
1 1 612 792 0 1 10 FMDOCUMENT
/fillprocs 32 array def
fillprocs 0 { 0.000000 grayness } put
fillprocs 1 { 0.100000 grayness } put
fillprocs 2 { 0.300000 grayness } put
fillprocs 3 { 0.500000 grayness } put
fillprocs 4 { 0.700000 grayness } put
fillprocs 5 { 0.900000 grayness } put
fillprocs 6 { 0.970000 grayness } put
fillprocs 7 { 1.000000 grayness } put
fillprocs 8 {<0f1e3c78f0e1c387> 8 1 setpattern } put
fillprocs 9 {<0f87c3e1f0783c1e> 8 1 setpattern } put
fillprocs 10 {<cccccccccccccccc> 8 1 setpattern } put
fillprocs 11 {<ffff0000ffff0000> 8 1 setpattern } put
fillprocs 12 {<8142241818244281> 8 1 setpattern } put
fillprocs 13 {<03060c183060c081> 8 1 setpattern } put
fillprocs 14 {<8040201008040201> 8 1 setpattern } put
fillprocs 15 {} put
fillprocs 16 { 1.000000 grayness } put
fillprocs 17 { 0.900000 grayness } put
fillprocs 18 { 0.700000 grayness } put
fillprocs 19 { 0.500000 grayness } put
fillprocs 20 { 0.300000 grayness } put
fillprocs 21 { 0.100000 grayness } put
fillprocs 22 { 0.030000 grayness } put
fillprocs 23 { 0.000000 grayness } put
fillprocs 24 {<f0e1c3870f1e3c78> 8 1 setpattern } put
fillprocs 25 {<f0783c1e0f87c3e1> 8 1 setpattern } put
fillprocs 26 {<3333333333333333> 8 1 setpattern } put
fillprocs 27 {<0000ffff0000ffff> 8 1 setpattern } put
fillprocs 28 {<7ebddbe7e7dbbd7e> 8 1 setpattern } put
fillprocs 29 {<fcf9f3e7cf9f3f7e> 8 1 setpattern } put
fillprocs 30 {<7fbfdfeff7fbfdfe> 8 1 setpattern } put
fillprocs 31 {} put
%%EndSetup
0 12 /Times-BoldItalic FMDEFINEFONT
1 12 /Times-Bold FMDEFINEFONT
2 12 /Times-Roman FMDEFINEFONT
3 18 /Times-Bold FMDEFINEFONT
4 12 /Times-Italic FMDEFINEFONT
5 10 /Times-Italic FMDEFINEFONT
6 10 /Times-BoldItalic FMDEFINEFONT
%%Page: "1" 1
%%BeginPaperSize: Letter
%%EndPaperSize
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 32.67 540 42.67 R
V
0 F
0 X
(DRAFT) 72 34.67 T
1 F
( ) 111.99 34.67 T
2 F
(Report to the PSRG) 114.98 34.67 T
(Page 1 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
3 F
0 X
(A Security Analysis of the NTP Pr) 151.76 708 T
(otocol) 414.27 708 T
4 F
(Matt Bishop) 276.51 676 T
2 F
(Department of Mathematics and Computer Science) 182.92 656 T
(Dartmouth College) 259.86 642 T
(Hanover) 257.45 628 T
(, NH 03755) 298.26 628 T
4 F
(ABSTRACT) 277.68 602 T
2 F
-0.18 (The Network T) 108 582 P
-0.18 (ime Protocol is being used throughout the Internet to provide an ac-) 181.17 582 P
-0.36 (curate time service. This note examines the security requirements of such a service,) 108 568 P
0.05 (analyzes the NTP protocol to determine how well it meets these requirements, and) 108 554 P
(suggests improvements where appropriate.) 108 540 T
5 F
-0.49 (My comments ar) 216 491.33 P
-0.49 (e in this style\050with change bars to the left\051. They will be gone fr) 281.27 491.33 P
-0.49 (om) 527.79 491.33 P
-0.52 (the \336nal r) 216 480.33 P
-0.52 (eport, but I do have some questions and/or comments I\325d appr) 253.47 480.33 P
-0.52 (eciate help) 496.94 480.33 P
-0.19 (on. Of course, ) 216 469.33 P
6 F
-0.19 (all) 274.55 469.33 P
5 F
-0.19 ( comments, criticisms, and suggestions ar) 285.11 469.33 P
-0.19 (e ) 450.63 469.33 P
6 F
-0.19 (always) 457.38 469.33 P
5 F
-0.19 ( welcome, but) 485.14 469.33 P
(these comments ar) 216 458.33 T
(e things I\325d especially like your thoughts on.) 290.02 458.33 T
1 F
(1. Intr) 72 434 T
(oduction) 104.43 434 T
2 F
-0.75 (The goal of a time distribution protocol is to deliver continuous, accurate time synchronized) 108 410 P
-0.64 (with national standards even when leap seconds occur [9]. Such protocols establish a set of primary) 72 390 P
-0.22 (time reference sources which are directly synchronized with external sources. These may commu-) 72 370 P
-0.13 (nicate with secondary servers, which in turn may communicate with other \050secondary\051 servers de-) 72 350 P
0.64 (signed to propagate time to hosts on a subnet; the servers propagate the time either by initiating) 72 330 P
(transmission of time messages or by responding to requests from clients seeking the time.) 72 310 T
-0.63 (The goal of a time service is to allow a system to synchronize its clock with those of known,) 108 286 P
0.11 (accurate primary time servers. This means synchronizing time \050so the clocks agree on the time of) 72 266 P
1.01 (day\051 and synchronizing frequency \050so the clocks appear to tick at the same rate\051. However) 72 246 P
1.01 (, the) 518.33 246 P
0.28 (propagation of time messages over a network is hindered by transmission delays, unreliable con-) 72 226 P
0.19 (nections, disparity of methods of clients obtaining the time, and heterogeneousness of computing) 72 206 P
-0.34 (resources. These factors should not af) 72 186 P
-0.34 (fect the synchronization of the clocks, so a time service must) 251.27 186 P
0.57 (provide accurate time even in the face of lar) 72 166 P
0.57 (ge \050statistical\051 delays during propagation, as well as) 287.5 166 P
-0.61 (being very redundant, so the loss of a single subnet or transmission path does not prevent other por-) 72 146 P
-0.24 (tions of the network from obtaining the correct time. Further) 72 126 P
-0.24 (, the protocol must be \337exible enough) 359.86 126 P
-0.38 (to work with a variety of client/server interfaces, including having clients continuously poll for the) 72 106 P
0.26 (time, or obtain it by remote procedure calls, as well as in broadcast, multicast, and point-to-point) 72 86 P
52 455 54 498 R
V
FMENDPAGE
%%EndPage: "1" 2
3 10 /Times-Roman FMDEFINEFONT
%%Page: "2" 2
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 2 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
(transmission modes.) 72 712 T
0.33 (In what follows, we shall consider only attacks involving the transmission \050or hinderance) 108 688 P
-0.02 (of transmission\051 of time messages; we shall assume that the messages leave the source uncorrupt-) 72 668 P
-0.43 (ed, and once they arrive at the tar) 72 648 P
-0.43 (get they will not be altered. W) 228.6 648 P
-0.43 (e make this assumption for simplic-) 370.61 648 P
1.26 (ity; \336rst, not knowing the operating systems under which these protocols can run, without this) 72 628 P
-0.38 (restriction we would have to analyze all operating systems which might run the protocols. Second-) 72 608 P
0.32 (ly) 72 588 P
0.32 (, as access to networks is usually easier to obtain than access to individual hosts, the focus of a) 80.55 588 P
4 F
0.35 (network) 72 568 P
2 F
0.35 ( time protocol\325) 110.64 568 P
0.35 (s security should be on the ) 181.98 568 P
4 F
0.35 (network) 314.67 568 P
2 F
0.35 (. Third, as no system is completely se-) 353.32 568 P
0.14 (cure, the analysis of any protocol which did not involve an assumption about the nature of the at-) 72 548 P
(tack being from a network would be rather vacuous.) 72 528 T
0.87 (Five types of attacks on a time service are possible. An attacker could cause a non-time) 108 504 P
-0.69 (server to impersonate a time server \050) 72 484 P
4 F
-0.69 (masquerade) 243.07 484 P
2 F
-0.69 (\051, an attacker could modify some \050or all\051 time mes-) 301.69 484 P
0.04 (sages sent by a time server \050) 72 464 P
4 F
0.04 (modi\336cation) 207.46 464 P
2 F
0.04 (\051, an attacker could resend a time server) 267.42 464 P
0.04 (\325) 459.3 464 P
0.04 (s time messages) 462.64 464 P
0.07 (\050) 72 444 P
4 F
0.07 (r) 75.99 444 P
0.07 (eplay) 80.21 444 P
2 F
0.07 (\051, an attacker could intercept a time server) 106.19 444 P
0.07 (\325) 308.94 444 P
0.07 (s time messages and delete them \050) 312.27 444 P
4 F
0.07 (denial of ser-) 475.9 444 P
-0.37 (vice) 72 424 P
2 F
-0.37 (\051, and an attacker could delay the time messages by) 91.31 424 P
-0.37 (, for example, deliberately \337ooding the net-) 333.69 424 P
(work, thereby introducing lar) 72 404 T
(ge transmission delays \050) 212.35 404 T
4 F
(delay) 327.94 404 T
2 F
(\051.) 353.92 404 T
-0.28 (The goal of this report is to examine the security of the NTP protocol [7][8] with respect to) 108 380 P
-0.55 (the \336ve attacks described above, and when vulnerabilities are found we suggest remedies. The next) 72 360 P
-0.24 (section describes version 2 of the NTP protocol \050the current incarnation\051, and the section after that) 72 340 P
-0.42 (analyzes the attacks in terms of that protocol. The \336nal section suggests improvements to make the) 72 320 P
(NTP protocol more resistent to attacks.) 72 300 T
1 F
(2. Network T) 72 268 T
(ime Pr) 139.4 268 T
(otocol V) 173.49 268 T
(ersion 2) 214.69 268 T
2 F
0.6 (The Network T) 108 244 P
0.6 (ime Protocol \050or NTP\051) 182.72 244 P
3 F
0.5 (1) 292.78 248.8 P
2 F
0.6 ( is a protocol designed to meet the above require-) 297.78 244 P
-0.05 (ments in a wide-area network. It designates several sites as ) 72 224 P
4 F
-0.05 (primary time servers) 356.98 224 P
2 F
-0.05 (; these communi-) 456.81 224 P
-0.02 (cate with ) 72 204 P
4 F
-0.02 (secondary time servers) 118.6 204 P
2 F
-0.02 ( over ) 229.15 204 P
4 F
-0.02 (synchr) 256.43 204 P
-0.02 (onization paths) 287.96 204 P
2 F
-0.02 ( which are said to connect ) 361.58 204 P
4 F
-0.02 (peers) 489.39 204 P
2 F
-0.02 (. The) 515.37 204 P
-0.59 (secondary time servers also communicate with other secondary time servers; in addition, each such) 72 184 P
-0.1 (node serves clients on a subnet. The ) 72 164 P
4 F
-0.1 (stratum number) 247.19 164 P
2 F
-0.1 ( is a measure of distance from a primary time) 323.38 164 P
0.61 (server) 72 144 P
0.61 (, speci\336cally the number of synchronization paths that must be transverses to get from the) 100.82 144 P
1.16 (primary time server to the secondary time server) 72 124 P
1.16 (. Because network failures must not af) 312.27 124 P
1.16 (fect the) 503.21 124 P
-0.35 (availability of the time service, the synchronization paths are not \336xed, but may be recon\336gured as) 72 104 P
72 84 540 93 C
72 84 540 93 R
7 X
0 K
V
72 93 225 93 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(1. ) 72 77.33 T
(These de\336nitions and descriptions are from [9], \2441.2.) 90 77.33 T
FMENDPAGE
%%EndPage: "2" 3
6 12 /Symbol FMDEFINEFONT
7 10 /Times-Bold FMDEFINEFONT
%%Page: "3" 3
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 3 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
(needed.) 72 510 T
1.69 (Primary time servers are synchronized by an external system \050such as radio or atomic) 108 486 P
-0.19 (clocks\051 with up to 232-picosecond \0502) 72 466 P
6 F
-0.19 (\264) 249.27 466 P
2 F
-0.19 (10) 255.86 466 P
3 F
-0.16 (-10) 267.85 470.8 P
2 F
-0.19 ( seconds\051 resolution) 281.18 466 P
3 F
-0.16 (2) 376.74 470.8 P
2 F
-0.19 (. Secondary time servers are syn-) 381.73 466 P
0.69 (chronized by primary time servers or other secondary time servers with lower stratum numbers.) 72 446 P
0.25 (The arrangement is hierarchical, with members of a set \050called ) 72 426 P
4 F
0.25 (cohorts) 377.21 426 P
2 F
0.25 (\051 at stratum level ) 413.19 426 P
4 F
0.25 (i) 498.11 426 P
2 F
0.25 ( serving) 501.45 426 P
0.03 (some group at level ) 72 406 P
4 F
0.03 (i) 169.38 406 P
2 F
0.03 (+1 \050see Figure 1\051. Members of the group at ) 172.72 406 P
4 F
0.03 (i) 382.92 406 P
2 F
0.03 (+1 may synchronize themselves) 386.25 406 P
0.3 (with any time server in the set, but not with any server not in the set \050even if it is at a lower stra-) 72 386 P
(tum\051.) 72 366 T
3 F
(3) 97.65 370.8 T
2 F
-0.54 (When a message arrives at an NTP time server) 108 342 P
-0.54 (, it either causes an ) 327.7 342 P
4 F
-0.54 (association) 419.6 342 P
2 F
-0.54 ( \050instantiation) 474.24 342 P
0.25 (of the protocol machine\051 to be created, or causes an existing association to act; what happens de-) 72 322 P
0.6 (pends on the mode of the association. The two basic functions are to synchronize another host\325) 72 302 P
0.6 (s) 535.33 302 P
(clock, or to be synchronized by another host\325) 72 282 T
(s clock.) 287.85 282 T
1 F
(2.1. Association Modes) 72 250 T
7 F
(4) 188.6 254.8 T
2 F
0.61 (Three operating modes are designed for use on high-speed local area networks, although) 108 226 P
-0.08 (they may be used on wide area networks as well. An association operating in ) 72 206 P
4 F
-0.08 (client) 442.9 206 P
2 F
-0.08 ( mode periodi-) 469.55 206 P
-0.12 (cally sends messages to its peer; an association operating in ) 72 186 P
4 F
-0.12 (server) 359.9 186 P
2 F
-0.12 ( mode, which is created when a) 389.87 186 P
-0.46 (message from another association operating in client mode arrives, replies with the server) 72 166 P
-0.46 (\325) 496.95 166 P
-0.46 (s idea of) 500.28 166 P
-0.16 (the time, and then terminates; and an association operating in ) 72 146 P
4 F
-0.16 (br) 367.19 146 P
-0.16 (oadcast) 377.41 146 P
2 F
-0.16 ( mode sends periodic time) 414.72 146 P
0.31 (messages. The client associateion may resynchronize the host\325) 72 126 P
0.31 (s local clock, but no association in) 373.26 126 P
72 108 540 117 C
72 108 540 117 R
7 X
0 K
V
72 117 225 117 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(2. ) 72 101.33 T
([8], \2443.1.2.) 90 101.33 T
(3. ) 72 89.33 T
([8], \2442; [12], \2443.) 90 89.33 T
(4. ) 72 77.33 T
([7], \2443.3; [8], \2443.1.1.) 90 77.33 T
72 72 540 720 C
72 518 540 720 C
7 X
0 K
90 450 27 9 243 666 G
0.5 H
2 Z
0 X
90 450 27 9 243 666 A
7 X
90 450 27 9 369 666 G
0 X
90 450 27 9 369 666 A
7 X
90 450 27 9 189 621 G
0 X
90 450 27 9 189 621 A
7 X
90 450 27 9 288 621 G
0 X
90 450 27 9 288 621 A
7 X
90 450 27 9 423 621 G
0 X
90 450 27 9 423 621 A
315 702 351 675 2 L
N
297 702 261 675 2 L
N
378 657 414 630 2 L
N
261 657 297 630 2 L
N
225 657 189 630 2 L
N
2 F
(top level stratum) 450 702 T
(level 2 stratum) 450.71 659.6 T
(level 3 stratum) 459 614.6 T
(A) 239 663 T
(B) 365 663.6 T
(C) 186 619 T
276 694 343 708 7 RR
7 X
V
0 X
N
97 525 525 595 R
7 X
V
0 X
0.13 (Figure 1. The NTP hierarchy. The ellipses represent sets of cohorts. A server in C can be) 97 587 P
-0.62 (synchronized by one in A but not by one in B. If any member in B loses state \050so it no long-) 97 573 P
-0.35 (er knows the time accurately\051, it drops into a set at stratum 3. \050The set is a singleton unless) 97 559 P
0.21 (multiple servers in B lose state; in that case all drop into the same set.\051 When it becomes) 97 545 P
(resynchronized, it leaves the set at level 3 and rejoins its former cohorts in B.) 97 531 T
(fuzzballs) 287 697 T
72 522 540 522 2 L
1 H
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "3" 4
%%Page: "4" 4
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 4 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
(broadcast or server mode will ever reset its host\325) 72 712 T
(s time.) 304.49 712 T
0.88 ( The primary and secondary time servers rely on two other modes to synchronize them-) 108 688 P
-0.56 (selves. An association in ) 72 668 P
4 F
-0.56 (symmetric active) 191.37 668 P
2 F
-0.56 ( mode periodically broadcasts messages intended to syn-) 271.74 668 P
-0.31 (chronize other hosts. When the messages arrive at these peers, an association in ) 72 648 P
4 F
-0.31 (symmetric passive) 452.71 648 P
2 F
-0.46 (mode is created. This association checks that the message arrived from a source operating at a stra-) 72 628 P
-0.52 (tum level no greater than the current host. If not, a reply is sent and the association terminates. Oth-) 72 608 P
1.24 (erwise, it synchronizes the current host as indicated by the message, and responds with a time) 72 588 P
0.05 (message of its own. Normally) 72 568 P
0.05 (, the servers at the highest strata will run in symmetric active mode,) 214.98 568 P
0.06 (with servers at lower strata in both symmetric active and passive modes. Note that a host may ac-) 72 548 P
(quire peers either through receipt of messages or through initialization data read at con\336guration.) 72 528 T
0.41 (In addition to normal messages, NTP allows several types of control messages) 108 504 P
3 F
0.34 (5) 488.95 508.8 P
2 F
0.41 ( designed) 493.95 504 P
0.25 (to handle exceptional conditions. These messages do not normally cause synchronization, but in-) 72 484 P
-0.32 (stead indicate the peer) 72 464 P
-0.32 (\325) 178.41 464 P
-0.32 (s variables associated with the host, or change the variables associated with) 181.74 464 P
0.23 (peer or the remote system, or indicate exception events have occurred. They are designed for use) 72 444 P
0.52 (when no other network management facilities \050such as SNMP [1]\051 are available, and these com-) 72 424 P
0.38 (mands may be sent by other than NTP peers. Further) 72 404 P
0.38 (, they need not be supported by conforming) 328.13 404 P
(NTP implementations.) 72 384 T
1 F
(2.2. Selection of Sour) 72 352 T
(ce Peer and Smoothing of Data) 179.39 352 T
7 F
(6) 337.62 356.8 T
2 F
-0.34 ( NTP uses various algorithms to \336lter \322bad\323 timestamps from \322good,\323 the discriminator in-) 108 328 P
(cluding \050among other things\051 how much at variance with previous timestamps the new one is.) 72 308 T
2.82 (The \336rst algorithm attempts to improve the accuracy of estimated clock of) 108 284 P
2.82 (fsets and) 494.88 284 P
-0.33 (roundtrip delays by eliminating bad data. From each NTP message the roundtrip delay ) 72 264 P
4 F
-0.33 (d) 485.38 264 P
2 F
-0.33 ( and clock) 491.38 264 P
-0.73 (of) 72 244 P
-0.73 (fset ) 81.78 244 P
4 F
-0.73 (c) 101.36 244 P
2 F
-0.73 ( are computed \050see Figure 2\051. The values computed from the last eight messages are retained) 106.68 244 P
72 96 540 105 C
72 96 540 105 R
7 X
0 K
V
72 105 225 105 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(5. These messages are described in [7], \2449 \050Appendix B\051.) 72 89.33 T
(6. The algorithms are described in detail in [7], \2444, and are analyzed and evaluated in [8], \2446 and [9], \2442-\2444.) 72 77.33 T
72 72 540 720 C
72 105 540 240 C
174.3 231 174.3 150 2 L
0.5 H
2 Z
0 X
0 K
N
426.3 231 426.3 150 2 L
N
413.33 216.72 426.3 213 413.33 209.28 413.33 213 4 Y
V
174.3 213 413.57 213 2 L
N
187.28 164.28 174.3 168 187.28 171.72 187.28 168 4 Y
V
187.04 168 426.3 168 2 L
N
2 F
(Local Server) 103.69 186.82 T
(Remote Server) 436.69 186.82 T
4 F
(t) 435.3 213 T
5 F
(i) 438.64 210 T
3 F
(-2) 441.42 210 T
4 F
(t) 435.3 164.17 T
5 F
(i) 438.64 161.17 T
3 F
(-1) 441.42 161.17 T
4 F
(t) 156.3 209.17 T
5 F
(i) 159.64 206.17 T
3 F
(-3) 162.42 206.17 T
4 F
(t) 156.3 164.17 T
5 F
(i) 159.64 161.17 T
85.5 105 526.5 141 R
7 X
V
2 F
0 X
(clock offset ) 85.5 133 T
4 F
(c) 144.78 133 T
5 F
(i) 150.11 130 T
2 F
( ) 152.89 133 T
(= \050\050) 155.88 133 T
4 F
(t) 173.64 133 T
5 F
(i) 176.97 130 T
3 F
(-2) 179.75 130 T
2 F
( - ) 188.07 133 T
4 F
(t) 198.06 133 T
5 F
(i) 201.4 130 T
3 F
(-3) 204.18 130 T
2 F
(\051+\050) 212.5 133 T
4 F
(t) 227.25 133 T
5 F
(i) 230.59 130 T
3 F
(-1) 233.37 130 T
2 F
( - ) 241.69 133 T
4 F
(t) 251.68 133 T
5 F
(i) 255.02 130 T
2 F
(\051) 257.8 133 T
(\051/2 and roundtrip delay ) 261.79 133 T
4 F
(d) 375.04 133 T
5 F
(i) 381.04 130 T
2 F
( ) 383.82 133 T
(= \050) 386.82 133 T
4 F
(t) 400.57 133 T
5 F
(i) 403.91 130 T
2 F
( - ) 406.68 133 T
4 F
(t) 416.68 133 T
5 F
(i) 420.01 130 T
3 F
(-3) 422.79 130 T
2 F
(\051+\050) 431.11 133 T
4 F
(t) 445.87 133 T
5 F
(i) 449.2 130 T
3 F
(-1) 451.98 130 T
2 F
( - ) 460.3 133 T
4 F
(t) 470.29 133 T
5 F
(i) 473.63 130 T
3 F
(-2) 476.41 130 T
2 F
(\051.) 484.73 133 T
(Figure 2. Computation of clock offset and roundtrip delay.) 165.43 116 T
72 236 540 236 2 L
1 H
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "4" 5
%%Page: "5" 5
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 5 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
0.29 (and constitute the ) 72 712 P
4 F
0.29 (sample) 160.47 712 P
2 F
0.29 (. The \336rst algorithm simply chooses from among these the one with the) 194.45 712 P
0.36 (lowest delay and uses its associated of) 72 692 P
0.36 (fset as the estimated clock of) 257.82 692 P
0.36 (fset. It also computes an esti-) 398.3 692 P
(mate of the sample dispersion based on clock of) 72 672 T
(fsets in the sample ) 302.29 672 T
-0.36 (The second algorithm uses this estimate to determine which peer should be allowed to syn-) 108 648 P
-0.67 (chronize the clock. It \336rst sorts all possible clock sources by stratum number and then by dispersion) 72 628 P
0.95 (from the root of the synchronization subnet \050that is, up to the primary server synchronizing the) 72 608 P
0.48 (node\051. The list is pruned using various sanity checks and other criteria described in [8]. The ele-) 72 588 P
-0.24 (ments of this list then are scanned repeatedly) 72 568 P
-0.24 (, and during each scan the clock dispersion relative to) 285.04 568 P
0.49 (each peer is computed, and that peer with the highest dispersion is eliminated. This repeats until) 72 548 P
(there is only one element in the list; that is the required source.) 72 528 T
1 F
(2.3. Packet Pr) 72 496 T
(ocedur) 143.06 496 T
(e) 178.15 496 T
2 F
0.28 (Whenever a packet is received, either an error or a packet procedure is called. If the error) 108 472 P
0.98 (procedure is called and the association is not precon\336gured, it is deleted. This occurs when the) 72 452 P
0.06 (modes of the host and the peer are incompatible \050for example, both are symmetric passive\051. If the) 72 432 P
-0.53 (host is in symmetric passive mode and the peer is in symmetric active mode, a response packet will) 72 412 P
0.27 (be sent if the sanity checks \050described below\051 fail; otherwise, the packet is discarded. In all other) 72 392 P
(modes, if the sanity checks fail, the error procedure is called. ) 72 372 T
0.36 (The packet procedure) 108 348 P
3 F
0.3 (7) 212.63 352.8 P
2 F
0.36 ( \336rst checks that the \336eld ) 217.62 348 P
4 F
0.36 (pkt.xmt) 343.06 348 P
2 F
0.36 ( does not match the \336eld ) 378.03 348 P
4 F
0.36 (peer) 500.8 348 P
0.36 (.or) 520.79 348 P
0.36 (g) 534 348 P
2 F
1.03 (\050which would indicate a duplicate\051, and that the \336eld) 72 328 P
4 F
1.03 ( ) 333.07 328 P
1.03 (pkt.or) 337.1 328 P
1.03 (g) 364.97 328 P
2 F
1.03 ( matches the \336eld ) 370.97 328 P
4 F
1.03 (peer) 462.37 328 P
1.03 (.xmt) 482.35 328 P
2 F
1.03 ( \050which) 502.66 328 P
-0.04 (would indicate that the peer got an extra message, or messages were out of order\051. If either condi-) 72 308 P
0.57 (tion holds a sanity check is set. The association updates the variables shown in Figure 3 and the) 72 288 P
72 84 540 93 C
72 84 540 93 R
7 X
0 K
V
72 93 225 93 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(7. ) 72 77.33 T
(This procedure is formally described in [7], \2443.4.3.) 90 77.33 T
72 72 540 720 C
72 99 540 284 C
132.5 99 483.5 273 R
7 X
0 K
V
4 F
0 X
(association variable) 132.5 265 T
(set to) 240.5 265 T
(meaning) 324.5 265 T
2 F
(peer.leap) 132.5 248 T
(pkt.leap) 240.5 248 T
(leap second?) 312.5 248 T
(peer.stratum) 132.5 234 T
(pkt.stratum) 240.5 234 T
(stratum number of peer) 312.5 234 T
(peer.ppoll) 132.5 220 T
(pkt.ppoll) 240.5 220 T
(polling interval) 312.5 220 T
(peer.precision) 132.5 206 T
(pkt.precision) 240.5 206 T
(precision of peer\325s clock) 312.5 206 T
(peer.distance) 132.5 192 T
(pkt.distance) 240.5 192 T
(estimated delay from primary) 312.5 192 T
(peer.dispersion) 132.5 178 T
(pkt.dispersion) 240.5 178 T
(estimated dispersion from primary) 312.5 178 T
(peer.refid) 132.5 164 T
(pkt.refid) 240.5 164 T
(reference clock identifier) 312.5 164 T
(peer.reftime) 132.5 150 T
(pkt.reftime) 240.5 150 T
(time peer last updated) 312.5 150 T
(peer.org) 132.5 136 T
(pkt.xmt) 240.5 136 T
(when peer sent message) 312.5 136 T
(peer.rec) 132.5 122 T
(sys.clock) 240.5 122 T
(when peer\325s message received) 312.5 122 T
(Figure 3. Association variables set on receive.) 197.41 104 T
73 280 538 280 2 L
1 H
2 Z
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "5" 6
%%Page: "6" 6
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 6 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
-0.49 (polling interval) 72 478 P
3 F
-0.41 (8) 145.14 482.8 P
2 F
-0.49 (. It then applies several other sanity checks \050see Figure 4\051, and if all are passed cal-) 150.14 478 P
0.5 (culates estimates for the round-trip delay and clock of) 72 458 P
0.5 (fset using the four timestamps ) 334.24 458 P
4 F
0.5 (pkt.or) 484.32 458 P
0.5 (g) 512.19 458 P
2 F
0.5 (, ) 518.19 458 P
4 F
0.5 (pk-) 524.68 458 P
0.99 (t.xmt) 72 438 P
2 F
0.99 (, ) 95.65 438 P
4 F
0.99 (pkt.r) 102.64 438 P
0.99 (ec) 124.52 438 P
2 F
0.99 (, and ) 135.17 438 P
4 F
0.99 (peer) 163.47 438 P
0.99 (.r) 183.45 438 P
0.99 (ec) 190.67 438 P
2 F
0.99 (; on some local area networks, a correction factor involving the \336eld) 201.32 438 P
4 F
-0.37 (peer) 72 418 P
-0.37 (.pr) 91.98 418 P
-0.37 (ecision) 105.2 418 P
2 F
-0.37 ( may be applied. If appropriate, the clock update procedure) 139.18 418 P
3 F
-0.31 (9) 419.26 422.8 P
2 F
-0.37 ( is invoked to update the) 424.26 418 P
(local clock.) 72 398 T
1 F
(2.4. T) 72 366 T
(ransmit Pr) 103.1 366 T
(ocedur) 158.51 366 T
(e) 193.6 366 T
7 F
(10) 198.93 370.8 T
2 F
0.41 (Associated with each peer is a timer which decrements periodically) 108 342 P
0.41 (. When the timer is 0,) 434.34 342 P
-0.46 (or some exceptional event occurs\050such as an operator command or the arrival of an NTP message\051,) 72 322 P
0.73 (an NTP message is generated and sent to the peer) 72 302 P
0.73 (. The transmit timestamp \050) 315.38 302 P
4 F
0.73 (pkt.xmt) 445.21 302 P
2 F
0.73 (\051 is saved to) 480.19 302 P
-0.2 (validate the reply) 72 282 P
-0.2 (. Next, if in the last two time-out intervals, the packet procedure has not obtained) 154.09 282 P
0.38 (valid roundtrip delay and clock of) 72 262 P
0.38 (fset measurements from the peer) 236.58 262 P
0.38 (, the system invokes the clock) 394.17 262 P
-0.09 (\336lter procedure with both delay and of) 72 242 P
-0.09 (fset for this host set to 0 and then determines if using a new) 255.75 242 P
(time source is appropriate. If a new source is chosen, the poll interval is updated.) 72 222 T
0.55 (The peer timer is then reset to the minimum of the interval with which the peer polls the) 108 198 P
-0.28 (current host and the interval with which the host polls the peer; if this is not in some precon\336gured) 72 178 P
0.13 (interval \050currently between 64 and 1024 seconds\051,) 72 158 P
3 F
0.11 (1) 312.94 162.8 P
0.11 (1) 317.57 162.8 P
2 F
0.13 ( the timer is set to the lar) 322.57 158 P
0.13 (ger or smaller of the) 442.21 158 P
72 132 540 141 C
72 132 540 141 R
7 X
0 K
V
72 141 225 141 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(8. ) 72 125.33 T
(The procedure to do this is described in [7], \2443.4.8.) 90 125.33 T
(9. ) 72 113.33 T
([7], \2443.4.5.) 90 113.33 T
(10. ) 72 101.33 T
([7], \2443.4.1.) 90 101.33 T
(1) 72 89.33 T
(1. ) 76.63 89.33 T
-0.2 (These bounds are the values of the con\336gurable constants NTP) 90 89.33 P
-0.2 (.MINPOLL and NTP) 338.84 89.33 P
-0.2 (.MAXPOLL, respective-) 422.55 89.33 P
(ly; see [7], T) 90 77.33 T
(able 5, and \2443.4.1, \2443.4.8.) 140.37 77.33 T
72 72 540 720 C
72 486 540 720 C
2 F
0 X
0 K
(if \050) 94.5 712 T
4 F
(time packet transmitted) 108.82 712 T
2 F
( = ) 221.41 712 T
4 F
(time last received packet transmitted) 234.18 712 T
2 F
(\051 then) 410.72 712 T
(sanity := 1;) 130.5 698 T
(if \050) 94.5 684 T
4 F
(time peer received last packet from host) 108.82 684 T
2 F
( <> ) 300.68 684 T
4 F
(time last message sent to peer) 320.2 684 T
2 F
(\051 then) 463.78 684 T
(sanity := 1;) 130.5 670 T
(\050* ) 94.5 656 T
4 F
(update association variables in Figure 2 ) 107.49 656 T
2 F
(*\051) 305.38 656 T
(if \050) 94.5 642 T
4 F
(peer clock not synchronized) 108.82 642 T
2 F
(\051 or \050) 243.05 642 T
4 F
(peer) 267.02 642 T
2 F
( ) 288.34 642 T
4 F
(clock not updated for 1 day) 291.34 642 T
2 F
(\051 then) 422.92 642 T
(sanity := true;) 130.5 628 T
(if \050) 94.5 614 T
4 F
(not authenticated correctly) 108.82 614 T
2 F
(\051 then) 238.73 614 T
(sanity := true;) 130.5 600 T
(if \050) 94.5 586 T
4 F
(peer not preconfigured) 108.82 586 T
2 F
(\051 and) 219.41 586 T
4 F
( ) 243.72 586 T
2 F
(\050) 246.72 586 T
4 F
(packet\325s stratum ) 250.71 586 T
2 F
(>) 333.33 586 T
4 F
( peer\325s stratum) 340.09 586 T
2 F
(\051 then) 412.71 586 T
(sanity := true;) 130.5 572 T
(if sanity then) 94.5 558 T
(\050* ) 130.5 544 T
4 F
(discard message and exit) 143.49 544 T
2 F
( *\051) 264.41 544 T
(if \050) 94.5 530 T
4 F
(packet originate timestamp) 108.82 530 T
2 F
( = 0\051 or \050) 239.4 530 T
4 F
(time last message received by peer) 282.14 530 T
2 F
( = 0\051 then) 449 530 T
(\050* ) 130.5 516 T
4 F
(exit; note sanity flag not set) 143.49 516 T
2 F
( *\051) 276.41 516 T
(Figure 4. Sanity checks applied to incoming packets) 180.75 498 T
74 491 542 491 2 L
1 H
2 Z
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "6" 7
%%Page: "7" 7
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 7 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
-0.16 (endpoints of the interval according to whether the minimum is above or below the interval. Hence) 72 541 P
(the polling frequency may vary but only within a speci\336c interval.) 72 521 T
-0.37 (Finally) 108 497 P
-0.37 (, the polling interval for the peer by this host is decreased if the estimated dispersion) 141.21 497 P
(is lar) 72 477 T
(ger than a con\336gured constant,) 95.43 477 T
3 F
(12) 242.99 481.8 T
2 F
( or increased if it is smaller) 252.99 477 T
(.) 382.9 477 T
1 F
(2.5. Security Mechanisms) 72 445 T
2 F
-0.7 (Several state variables and parameters are important. W) 108 421 P
-0.7 (e con\336ne ourselves to those actually) 369.94 421 P
-0.14 (transmitted over the network; these are given in Figure 5 and are transmitted in messages \050also re-) 72 401 P
0.38 (ferred to as packets\051. Some of these are used to implement an optional access control feature de-) 72 381 P
(signed to prevent unauthorized updating of the local clock.) 72 361 T
1 F
(2.5.1. Access Contr) 72 329 T
(ol Mechanism) 169.37 329 T
7 F
(13) 241 333.8 T
2 F
-0.07 (This optional feature partitions the set of all hosts into three subsets: those that are trusted,) 108 305 P
1.01 (those that are friendly) 72 285 P
1.01 (, and all others. T) 179.18 285 P
1.01 (rusted hosts are allowed to synchronize the local clock;) 266.76 285 P
-0.29 (friendly hosts are sent NTP messages and timestamps as appropriate, but may not change the local) 72 265 P
0.69 (clock; and messages from hosts in the third subset are ignored. The set of trusted hosts is either) 72 245 P
0.38 (precon\336gured \050at initialization\051 or based on a trusted ticket service such as Kerberos. The imple-) 72 225 P
0.62 (mentation of this feature is not speci\336ed, although two are suggested \050the \336rst, treating all peers) 72 205 P
-0.02 (con\336gured in symmetric or client modes as trusted and all others as friendly; the second, masking) 72 185 P
0.31 (the internet address and looking up the result and the peer mode in a table to obtain the subset to) 72 165 P
0.68 (which the peer belongs\051. The peer address in the NTP packet \050) 72 145 P
4 F
0.68 (pkt.sr) 378.52 145 P
0.68 (cadr) 405.06 145 P
2 F
0.68 (\051 is used as the address) 427.04 145 P
72 132 540 141 C
72 132 540 141 R
7 X
0 K
V
72 141 225 141 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(12. ) 72 125.33 T
0.05 (The constant is the value of the con\336gurable parameter PEER.THRESHOLD, currently set to 0.5; see T) 90 125.33 P
0.05 (able) 505.35 125.33 P
(5 in [7].) 90 113.33 T
(13. ) 72 101.33 T
0.41 ([7], \2443.5. Note that this is not part of the NTP speci\336cation. The given methods are recommended ways of) 90 101.33 P
0.52 (implementing access control in the Internet; if another form is more suitable for the environment in which) 90 89.33 P
(NTP is being run, that form should be used.) 90 77.33 T
72 72 540 720 C
72 549 540 720 C
4 F
0 X
0 K
(variable) 90 712 T
(representing \311) 180 712 T
(variables) 333 712 T
(representing \311) 432 712 T
2 F
(pkt.srcadr) 81 698 T
(peer\325s address) 162 698 T
(pkt.precision) 324 698 T
(precision of peer\325s clock) 405 698 T
(pkt.srcport) 81 684 T
(peer\325s port) 162 684 T
(pkt.distance) 324 684 T
(estimated delay) 405 684 T
(pkt.dstadr) 81 670 T
(local address) 162 670 T
(pkt.dispersion) 324 670 T
(estimated dispersion) 405 670 T
(pkt.dstport) 81 656 T
(local port) 162 656 T
(pkt.refid) 324 656 T
(reference clock id) 405 656 T
(pkt.leap) 81 642 T
(leap indicator) 162 642 T
(pkt.reftime) 324 642 T
(last clock update) 405 642 T
(pkt.version) 81 628 T
(version number) 162 628 T
(pkt.org) 324 628 T
(when last msg sent) 405 628 T
(pkt.pmode) 81 614 T
(mode of peer\325s association) 162 614 T
(pkt.rec) 324 614 T
(when last msg received) 405 614 T
(pkt.stratum) 81 600 T
(pkt.stratum) 162 600 T
(pkt.xmit) 324 600 T
(when last msg left peer) 405 600 T
(pkt.ppoll) 81 586 T
(polling interval) 162 586 T
(Figure5. List of NTP message \050packet\051 \336elds.) 196.74 568 T
74 555 546 555 2 L
1 H
2 Z
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "7" 8
%%Page: "8" 8
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 8 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
(upon which access control is based.) 72 712 T
1 F
(2.5.2. Delay Compensation Mechanisms) 72 680 T
7 F
(14) 275.22 684.8 T
2 F
0.74 (The second feature of relevance is the algorithm used to set the local clock; this is not a) 108 656 P
-0.24 (security mechanism, strictly speaking, as it is used to of) 72 636 P
-0.24 (fset problems from statistical irregularities) 337.11 636 P
0.64 (or problems in network connectivity and congestion, but it is still relevant. The precise function) 72 616 P
-0.47 (used is detailed in [7]; the aspect relevant to this discussion is that the algorithm calculates both the) 72 596 P
0.05 (roundtrip delay and the clock of) 72 576 P
0.05 (fset relative to the peer) 225.56 576 P
0.05 (, and from these applies a statistical proce-) 335.17 576 P
(dure to determine estimates used to update the local clock.) 72 556 T
1 F
(2.5.3. Authentication Mechanism) 72 524 T
7 F
(15) 240.9 528.8 T
2 F
-0.42 (A third optional feature is integral to the packets, and is designed to provide both origin au-) 108 500 P
-0.51 (thentication and packet integrity) 72 480 P
-0.51 (. It is enabled by two \336elds in the peer information. If the ) 224.57 480 P
4 F
-0.51 (authentic) 495.36 480 P
2 F
-0.57 (\336eld is set to 0, any information from the peer is considered corrupt; in practise, this means the peer) 72 460 P
0.25 (will never synchronize the local host\325) 72 440 P
0.25 (s clock. If the authentic \336eld is 1 but the ) 252.81 440 P
4 F
0.25 (authenable) 450.88 440 P
2 F
0.25 ( \336eld is) 504.17 440 P
-0.09 (0, the association will not authenticate any packets, and will consider those received to be reliable) 72 420 P
-0.22 (\050unless a sanity check fails, causing the packet to be rejected\051. If both \336elds are 1, then an optional) 72 400 P
(authentication mechanism is in use.) 72 380 T
-0.12 (The authentication mechanism described in [7] is intended for interim use only) 108 356 P
-0.12 (, until more) 484.61 356 P
-0.27 (general standards become available. It uses a cryptographically-based message integrity check; all) 72 336 P
0.15 (algorithms and keys are distributed by a mechanism other than NTP) 72 316 P
0.15 (, and the keys and algorithms) 398.66 316 P
-0.25 (are referenced within the packet by indices. A major requirement is that the computation of the in-) 72 296 P
0.07 (tegrity check be predictable, since it must be done after timestamping, but the timestamping must) 72 276 P
(re\337ect the time needed to compute the checksum.) 72 256 T
0.28 (When a packet is transmitted in authenticated mode, the entire NTP packet except for the) 108 232 P
-0.29 (authenticator and additional information is checksummed using the active peer) 72 212 P
-0.29 (\325) 447.93 212 P
-0.29 (s key \050if available\051) 451.27 212 P
0.39 (or the default key 0 \050if not\051. Note that if the association is symmetric active, client, or broadcast,) 72 192 P
-0.1 (the key used is that of the local host, whereas if the association is symmetric passive or server) 72 172 P
-0.1 (, the) 519.45 172 P
(key used is that of the remote host \050or the default key\051. ) 72 152 T
0.5 (When a packet is received, the authentication routine is invoked. If the host is precon\336g-) 108 128 P
72 96 540 105 C
72 96 540 105 R
7 X
0 K
V
72 105 225 105 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(14. ) 72 89.33 T
(These are described brie\337y in \2442.2.) 90 89.33 T
(15. ) 72 77.33 T
(The authentication mechanism is described in [7], \24410 \050Appendix C\051; key assignment is described in [10].) 90 77.33 T
FMENDPAGE
%%EndPage: "8" 9
%%Page: "9" 9
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 9 of 20) 479.71 34.67 T
72 72 540 720 R
7 X
V
0 X
0.13 (ured, the authenable \336eld associate with that peer is untouched; however) 72 447 P
0.13 (, if not, and if there is no) 420.86 447 P
-0.21 (authentication information associated with the packet, that \336eld is set to 0 and the routine exits \050so) 72 427 P
-0.22 (no authentication is done\051. If the message does not contain any authentication information, the au-) 72 407 P
-0.34 (thentic \336eld is cleared and the routine exits. Otherwise, the number indexing the peer) 72 387 P
-0.34 (\325) 476.06 387 P
-0.34 (s key is reset) 479.4 387 P
-0.04 (to that in the packet, and the checksum is recomputed and compared to the transmitted checksum.) 72 367 P
-0.25 (If the key is not the default one, and the checksums match, the authentic \336eld is set and the routine) 72 347 P
(exits; otherwise that \336eld is cleared and the routine exits. This is summarized in Figure 6.) 72 327 T
-0.46 ( The checksum is currently computed using the Data Encryption Standard based DEA-1 al-) 108 303 P
-0.57 (gorithm \050that is, DES in CBC mode\051 [2]. The checksum is 64 bits long, and the key index is 32 bits;) 72 283 P
-0.33 (these 96 bits are appended to the original NTP packet, and their presence is indicated by the length) 72 263 P
(of the packet. \050The choice of algorithm is not part of the NTP speci\336cation.\051) 72 243 T
-0.72 (W) 108 219 P
-0.72 (e should note that for control messages, if the received message is authenticated, the reply) 118.36 219 P
-0.48 (is too. If the received message\325) 72 199 P
-0.48 (s checksum is correct, the reply is authenticated using the same key;) 218.16 199 P
(if not, the reply is authenticated using the default key) 72 179 T
(.) 326.38 179 T
1 F
(3. Analysis of NTP with r) 72 147 T
(espect to Attacks) 201.05 147 T
2 F
0.33 (This section describes the attacks that might be launched against an NTP server or client,) 108 123 P
(and how NTP handles them. For convenience, we discuss some general problems \336rst.) 72 103 T
72 72 540 720 C
72 455 540 720 C
148.5 466 463.5 720 R
7 X
0 K
V
2 F
0 X
(if peer.config = 0 then) 148.5 712 T
(if ) 184.5 698 T
4 F
(authenticator in message data) 194.83 698 T
2 F
( then) 339.74 698 T
(peer.authenable := 1) 220.5 684 T
(else) 184.5 670 T
(peer.authenable := 0;) 220.5 656 T
(if peer.authenable =1 then begin) 148.5 642 T
(peer.authentic := 0;) 184.5 628 T
(if \050) 184.5 614 T
4 F
(authenticator in message data) 198.82 614 T
2 F
(\051 then begin) 343.74 614 T
(peer.keyid := packet.keyid;) 220.5 600 T
(compute_mac\050mac, peer.keyid, packet\051;) 220.5 586 T
(if peer.keyid <> 0 and mac = packet.check then) 220.5 572 T
(peer.authentic := 1;) 256.5 558 T
(end;) 184.5 544 T
(end;) 148.5 530 T
(\050* ) 148.5 516 T
4 F
(if peer.authenable is 0, authentication is not done; ) 161.49 516 T
2 F
(*\051) 436.5 516 T
(\050* ) 148.5 502 T
4 F
(otherwise if peer.authentic is 0, the integrity of the) 161.49 502 T
(*\051) 436.5 502 T
2 F
(\050*) 148.5 488 T
4 F
( packet\325s contents are suspect) 158.49 488 T
2 F
(*\051) 436.5 488 T
(Figure 6. The authentication routine\325) 166.09 470 T
(s checking algorithm.) 342.31 470 T
72 459 549 459 2 L
1 H
2 Z
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "9" 10
%%Page: "10" 10
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 10 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
1 F
0 X
(3.1. Access Contr) 72 712 T
(ol Mechanism) 160.38 712 T
2 F
-0.1 (The access control mechanism conditions access on the internet address in the source \336eld) 108 688 P
1.14 (of the packet. If the attacker can generate or modify an NTP packet, the attacker can choose a) 72 668 P
0.38 (source address that allows synchronization of the victim. Hence the access control mechanism is) 72 648 P
0.14 (redundant from the point of view of network security; the protection it provides is against a com-) 72 628 P
-0.48 (promised time source, which can simply be denied access \050or at least, the ability to synchronize the) 72 608 P
(host\051.) 72 588 T
0.12 (The problem with the recommended access control mechanism is that it works on an end-) 108 564 P
0.17 (to-end basis. One possible means of improving it would be to condition it on a routing basis; that) 72 544 P
-0.56 (is, build a list of all the intermediate nodes the message is sent over and condition trust on that path.) 72 524 P
-0.15 (This provides some protection in the case of one portion of the network \050or one intermediate host\051) 72 504 P
(being untrusted.) 72 484 T
0.69 (Unfortunately) 108 460 P
0.69 (, it provides no protection against someone for) 174.5 460 P
0.69 (ging a packet with a \322good\323) 402.31 460 P
0.13 (route. Routing information added using the IP record route option [3] \050which causes intermediate) 72 440 P
0.34 (nodes to insert their address into the IP datagram\051 is not checksummed cryptographically) 72 420 P
0.34 (, and so) 502.34 420 P
(can be altered in transit without detection.) 72 400 T
1 F
(3.2. Authentication Mechanism) 72 368 T
2 F
0.17 (First, it should be noted that the authentication mechanism is also an integrity mechanism) 108 344 P
0.19 (because it guards against the altering of messages while in transit. The authentication provided is) 72 324 P
0.09 (simply that of only two parties \050the peer and the host\051 sharing a common key) 72 304 P
0.09 (. In particular) 441.54 304 P
0.09 (, if any) 506.18 304 P
4 F
-0.71 (n) 72 284 P
2 F
-0.71 ( hosts have the same key) 78 284 P
-0.71 (, then it will not be possible to determine which of them sent the message. ) 192.57 284 P
(No key distribution mechanism is de\336ned.) 108 260 T
1.45 (The integrity checking algorithm used is subject to various cryptanalytic attacks which) 108 236 P
0.13 (have been discussed in the literature [4] because the check is only 64 bits long; however) 72 216 P
0.13 (, as these) 496.11 216 P
(attacks are probabilistic in nature, changing the keys periodically will defeat them.) 72 196 T
-0.38 (Although we are assuming no system is penetrated, it is worth noting that the keys are used) 108 172 P
-0.09 (on a per) 72 152 P
-0.09 (-host basis, not a per) 110.21 152 P
-0.09 (-path basis, so compromise of one host\325) 208.54 152 P
-0.09 (s key can lead to compromise) 398.22 152 P
(of all the hosts it synchronizes.) 72 132 T
0.75 (W) 108 108 P
0.75 (e should not that the use of a default key is ) 118.36 108 P
4 F
0.75 (not) 334.86 108 P
2 F
0.75 ( a weakness, contrary to what it would) 350.19 108 P
-0.45 (seem. In Figure 6, notice that if the checksum is computed using the default key) 72 88 P
-0.45 (, the \337ag indicating) 448.72 88 P
FMENDPAGE
%%EndPage: "10" 11
%%Page: "11" 11
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 11 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
0.17 (whether or not the packet is authentic is set to 0 \050meaning the packet\325) 72 712 P
0.17 (s integrity or origin are sus-) 406.26 712 P
-0.19 (pect\051. Hence anything authenticated with the default key will be treated as bogus by the other end.) 72 692 P
(In what follows we shall assume the authentication mechanism is not compromised.) 108 668 T
1 F
(3.3. Masquerade) 72 636 T
4 F
-0.7 (Goal) 72 612 P
2 F
-0.7 (. T) 95.99 612 P
-0.7 (o persuade a timekeeper that the attacker is a peer authorized to synchronize the timekeeper) 107.78 612 P
-0.7 (.) 537 612 P
(Note this includes NTP client processes as well as secondary servers.) 72 592 T
4 F
0.41 (Attack) 72 568 P
2 F
0.41 (: Send packets to the victim with source address of the time server to be imitated. As both) 102.64 568 P
-0.03 (source ) 72 548 P
4 F
-0.03 (and destination) 106.27 548 P
2 F
-0.03 ( Internet addresses and ports are matched to \336nd the correct peer) 180.54 548 P
-0.03 (, an equiv-) 489.11 548 P
(alent attack would simply change the destination address within the NTP message.) 72 528 T
4 F
-0.06 (Effects) 72 504 P
2 F
-0.06 (: If the host being impersonated is known to the victim and allowed to synchronize the vic-) 104.65 504 P
0.27 (tim, in the absence of access control and authentication, the masquerade may be ignored \050but not) 72 484 P
1.01 (detected\051 by the sample processing and selection operations. However) 72 464 P
1.01 (, if the attacker alters the) 416.37 464 P
0.25 (timestamps to change the clock of) 72 444 P
0.25 (fsets and roundtrip delays gradually) 236.61 444 P
0.25 (, those algorithms will pro-) 408.72 444 P
(vide no protection and the victim\325) 72 424 T
(s clock will drift from that of the time source.) 234.24 424 T
0.13 (If the host being impersonated is not known to the victim, and the default is to allow non-) 108 400 P
0.47 (precon\336gured peers to become the clock source, sending messages in such a way that the victim) 72 380 P
0.83 (receives at least 8 messages uninterrupted by any other time source could compromise the time) 72 360 P
-0.31 (server; since the clock \336ltering mechanisms use the last 8 messages as the sample upon which out-) 72 340 P
-0.27 (liers are discarded, the attacker needs to ensure it controls the elements of the sample. For this rea-) 72 320 P
(son, no non-precon\336gured peer should be allowed to become the clock source.) 72 300 T
5 F
0.61 (In [10], Dave wr) 216 277.33 P
0.61 (ote, \322It is unlikely that a determined jammer can spoof a mes-) 285.18 277.33 P
1.66 (sage, since transmitted messages ar) 216 266.33 P
1.66 (e timestamped to a pr) 365.79 266.33 P
1.66 (ecision of about 80) 458.67 266.33 P
0.95 (nanoseconds and it is very unlikely the jammer can pr) 216 255.33 P
0.95 (edict the exact value.\323 I) 440.44 255.33 P
0.25 (think the ability to pr) 216 244.33 P
0.25 (edict timestamp values doesn\325) 301.03 244.33 P
0.25 (t r) 420.87 244.33 P
0.25 (eally matter) 429.91 244.33 P
0.25 (, because in the) 477.08 244.33 P
-0.3 (two places wher) 216 233.34 P
-0.3 (e equality is tested, one timestamp has been sent out fr) 279.99 233.34 P
-0.3 (om the host) 494.52 233.34 P
0.3 (to the peer \050second sanity test in the packet pr) 216 222.34 P
0.3 (ocedur) 402.37 222.34 P
0.3 (e\051 and one fr) 429.76 222.34 P
0.3 (om the peer to) 481.64 222.34 P
0.1 (the host \050\336rst sanity test in the packet pr) 216 211.34 P
0.1 (ocedur) 376.86 211.34 P
0.1 (e\051. In either case a passive tapper) 404.25 211.34 P
0.65 (would see those values. That\325) 216 200.34 P
0.65 (s what this next paragraph is about. Am I missing) 335.32 200.34 P
(something obvious \050or subtle\051?) 216 189.34 T
2 F
0.21 (Note that although the timestamps are precise to 80 nanoseconds \050and hence it is unlikely) 108 166 P
0.65 (the attacker can predict the value of the next time stamp\051, if the attacker can see the transmitted) 72 146 P
-0.4 (time of any packet sent from the host to the peer \050) 72 126 P
4 F
-0.4 (pkt.xmt) 306.39 126 P
2 F
-0.4 (\051 and transmit a \050bogus\051 packet to the host) 341.36 126 P
4 F
0.19 (befor) 72 106 P
0.19 (e) 96.87 106 P
2 F
0.19 ( the peer does so, the masquerade will not be detected; but if the host replies, and the reply) 102.2 106 P
-0.27 (arrives after the true peer sends another message, the true peer) 72 86 P
-0.27 (\325) 368.43 86 P
-0.27 (s message will be rejected as bogus) 371.77 86 P
52 186 54 284 R
V
FMENDPAGE
%%EndPage: "11" 12
%%Page: "12" 12
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 12 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
-0.07 (because the ) 72 712 P
4 F
-0.07 (pkt.or) 130.48 712 P
-0.07 (g) 158.35 712 P
2 F
-0.07 ( \336eld in that packet will not match the time the host sent its last message to the) 164.35 712 P
(peer) 72 692 T
(. In this way) 91.98 692 T
(, the attacker could successfully spoof the peer) 150.5 692 T
(.) 373.66 692 T
4 F
-0.04 (Countermeasur) 72 668 P
-0.04 (es) 146.18 668 P
2 F
-0.04 (: The use of authentication would preclude this attack. The use of access control) 156.17 668 P
0.38 (does not; however) 72 648 P
0.38 (, it does allow one to \322turn of) 160.21 648 P
0.38 (f\323 permission for a suspect server to synchronize) 303.21 648 P
-0.4 (the local clock. If access control is used, all non-precon\336gured peers should be considered \322friend-) 72 628 P
(ly\323 at best \050using the language of \2443.1.\051) 72 608 T
1 F
(3.4. NTP Message Modi\336cation) 72 576 T
4 F
0.43 (Goal) 72 552 P
2 F
0.43 (. T) 95.99 552 P
0.43 (o alter a message from one timekeeper to another to cause the recipient to incorrectly re-) 108.9 552 P
(synchronize itself, or to disable an active association.) 72 532 T
4 F
(Attack) 72 508 T
2 F
(: Alter packets sent to the victim.) 102.64 508 T
4 F
0 (Effects) 72 484 P
2 F
0 (: By examining the packet procedure it is clear that several variables related to the associa-) 104.65 484 P
-0.68 (tion may be changed a packet altered in transit ) 72 464 P
4 F
-0.68 (befor) 292.06 464 P
-0.68 (e) 316.93 464 P
2 F
-0.68 ( the packet alteration is acted upon \050see Figure) 322.26 464 P
(4\051. How would such alteration af) 72 444 T
(fect the integrity of the recipient\325) 229.66 444 T
(s clock?) 387.88 444 T
0.14 (First, if any of the sanity checks discussed in \2442.2 fail, the packet is discarded, the associ-) 108 420 P
0.18 (ation deactivated \050if the message is from a peer that has not been precon\336gured\051, and the clock is) 72 400 P
0.17 (not updated. If all the sanity checks are passed, then the clock may be reset \050if the strata numbers) 72 380 P
1.02 (are correctly related and any access control mechanism indicates the peer is trusted\051. If not, no) 72 360 P
0.08 (harm is done. If the clock is reset, then the \336elds that the attacker can alter af) 72 340 P
0.08 (fecting the new time) 441.49 340 P
-0.55 (are ) 72 320 P
4 F
-0.55 (pkt.or) 89.09 320 P
-0.55 (g) 116.96 320 P
2 F
-0.55 (, ) 122.96 320 P
4 F
-0.55 (pkt.r) 128.4 320 P
-0.55 (ec) 150.28 320 P
2 F
-0.55 (, ) 160.93 320 P
4 F
-0.55 (pkt.xmt) 166.38 320 P
2 F
-0.55 (, and ) 201.35 320 P
4 F
-0.55 (pkt.pr) 226.56 320 P
-0.55 (ecision) 254.43 320 P
2 F
-0.55 (. However) 288.41 320 P
-0.55 (, for the sanity checks to pass, ) 337.33 320 P
4 F
-0.55 (pkt.or) 480.36 320 P
-0.55 (g) 508.23 320 P
2 F
-0.55 ( must) 514.23 320 P
0.69 (match the time the last packet was transmitted, which is stored in the receiving host, so altering) 72 300 P
4 F
-0.42 (pkt.or) 72 280 P
-0.42 (g) 99.87 280 P
2 F
-0.42 ( will cause the packet to be dropped. Hence only ) 105.87 280 P
4 F
-0.42 (pkt.r) 337.82 280 P
-0.42 (ec) 359.69 280 P
2 F
-0.42 (, ) 370.34 280 P
4 F
-0.42 (pkt.xmt) 375.92 280 P
2 F
-0.42 (, and ) 410.89 280 P
4 F
-0.42 (pkt.pr) 436.37 280 P
-0.42 (ecision) 464.24 280 P
2 F
-0.42 ( can suc-) 498.22 280 P
(cessfully be altered in an attack to change the local system\325) 72 260 T
(s time. ) 355.79 260 T
0.5 (Altering ) 108 236 P
4 F
0.5 (pkt.pr) 151.48 236 P
0.5 (ecision) 179.35 236 P
2 F
0.5 ( may result in changes to the roundtrip delay for the packet on sys-) 213.33 236 P
-0.66 (tems involving high-speed local area networks. In these cases, a \322fudge factor\323 ) 72 216 P
6 F
-0.66 (d) 445.77 216 P
2 F
-0.66 ( is computed using) 451.69 216 P
4 F
0.13 (c) 72 196 P
2 F
0.13 ( + 2) 77.32 196 P
5 F
0.11 ( pkt.pr) 96.35 200.8 P
0.11 (ecision) 122.18 200.8 P
2 F
0.13 ( where ) 150.5 196 P
4 F
0.13 (c) 186.06 196 P
2 F
0.13 ( is a system-dependent constant; this accounts for possible discrepancies) 191.38 196 P
0.02 (between the host and peer clocks) 72 176 P
3 F
0.02 (16) 230.29 180.8 P
2 F
0.02 (. Then ) 240.29 176 P
6 F
0.02 (d) 273.97 176 P
2 F
0.02 ( is added to the roundtrip delay) 279.89 176 P
0.02 (. Clearly) 428.45 176 P
0.02 (, by modifying) 469 176 P
0.79 (this \336eld appropriately the roundtrip delay can be made \050almost arbitrarily\051 lar) 72 156 P
0.79 (ge. It can also be) 455.9 156 P
-0.45 (made quite small by choosing a value so that ) 72 136 P
6 F
-0.45 (d) 286.11 136 P
2 F
-0.45 ( is approximately 0; this has as an advantage that the) 292.04 136 P
(clock source selection algorithm bases its choice of peer in part upon ) 72 116 T
6 F
(d) 405.75 116 T
2 F
(.) 411.68 116 T
3 F
(17) 414.68 120.8 T
72 96 540 105 C
72 96 540 105 R
7 X
0 K
V
72 105 225 105 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(16. ) 72 89.33 T
([7], p. 26.) 90 89.33 T
(17. ) 72 77.33 T
(The detailed description of the algorithm is in [7], \2443.4.3 and \2444.2.) 90 77.33 T
FMENDPAGE
%%EndPage: "12" 13
%%Page: "13" 13
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 13 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
0.43 (W) 108 613 P
0.43 (e should note that the roundtrip delay and clock of) 118.36 613 P
0.43 (fset are used to compute both an ad-) 363.48 613 P
0.73 (justment to the frequency with which messages are sent to the peer on the local host\325) 72 593 P
0.73 (s initiative) 488.96 593 P
0.49 (\050that is, not in response to a peer) 72 573 P
0.49 (\325) 231.79 573 P
0.49 (s message\051 and to determine which of the set of possible clock) 235.12 573 P
-0.05 (sources should be used as the source. Both these computations involve a statistical \050weighted\051 av-) 72 553 P
-0.34 (erage of the peer clock of) 72 533 P
-0.34 (fsets as well as estimates of the roundtrip delays and clock of) 192.28 533 P
-0.34 (fsets. Hence) 481.73 533 P
0.54 (altering ) 72 513 P
4 F
0.54 (pkt.r) 112.18 513 P
0.54 (ec) 134.06 513 P
2 F
0.54 (, ) 144.71 513 P
4 F
0.54 (pkt.xmt) 151.25 513 P
2 F
0.54 (, and ) 186.22 513 P
4 F
0.54 (pkt.pr) 213.62 513 P
0.54 (ecision) 241.5 513 P
2 F
0.54 ( can also af) 275.47 513 P
0.54 (fect the choice of clock source and the fre-) 331.17 513 P
(quency of initiating contact with other time servers.) 72 493 T
0.55 (If the purpose of the attack is something other than incorrectly altering the victim\325) 108 469 P
0.55 (s local) 508.48 469 P
1.09 (clock, a variety of other mechanisms may be used. W) 72 449 P
1.09 (e consider these by considering the other) 337.63 449 P
(\336elds of the transmitted packet:) 72 429 T
4 F
(pkt.leap) 108 405 T
2 F
(As these bits are not used by NTP) 180 405 T
(, modifying them does nothing.) 341.56 405 T
4 F
(pkt.version) 108 381 T
2 F
0.9 (If this is changed to the version number of an earlier version of NTP) 180 381 P
0.9 (, the) 518.45 381 P
2.06 (packet will be discarded unless speci\336c exception has been made. This) 180 361 P
0.46 (would allow a denial-of-service attack, and possibly other types of attacks) 180 341 P
(if the exceptional actions permitted.) 180 321 T
4 F
(pkt.mode) 108 297 T
2 F
-0.53 (Depending on how the mode is changed and the mode of the victim, this can) 180 297 P
-0.03 (cause the disconnection of an association \050see Figure 7\051; it cannot change a) 180 277 P
-0.12 (packet from one that does not cause a clock update into one that does cause) 180 257 P
0.22 (a clock update. If the source of the packet has a pre-con\336gured association) 180 237 P
-0.57 (with the victim, however) 180 217 P
-0.57 (, the packet is discarded without the association be-) 297.73 217 P
(ing broken. ) 180 197 T
4 F
(pkt.stratum) 108 173 T
2 F
0.64 (If the \050original\051 value is greater than the victim\325) 180 173 P
0.64 (s stratum number) 413.65 173 P
0.64 (, and the) 497.74 173 P
-0.08 (altered value is less, then the altered value will replace the original value in) 180 153 P
-0.15 (the victim\325) 180 133 P
-0.15 (s table of peer associations; this peer then becomes eligible to be) 231.5 133 P
-0.34 (added to the list of clock sources. Note that access control mechanisms may) 180 113 P
(prevent this if the peer whose packets are being modi\336ed is not trusted.) 180 93 T
72 72 540 720 C
72 621 540 720 C
4 F
0 X
0 K
(victim\325s mode) 137.53 712 T
(altered mode) 274.52 712 T
2 F
(symmetric passive) 126 698 T
(symmetric passive, server, broadcast) 252 698 T
(client) 126 684 T
(client) 252 684 T
(server) 126 670 T
(symmetric passive, server, broadcast) 252 670 T
(broadcast) 126 656 T
(symmetric passive, server, broadcast) 252 656 T
(Figure 7. Mode combinations deactivating non-precon\336gured associations) 127.95 638 T
72 630 540 630 2 L
1 H
2 Z
N
72 72 540 720 C
0 0 612 792 C
FMENDPAGE
%%EndPage: "13" 14
%%Page: "14" 14
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 14 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
4 F
0 X
(pkt.ppoll) 108 712 T
2 F
0.51 (This af) 180 712 P
0.51 (fects the frequency of the polling of the peer) 213.94 712 P
0.51 (. Associated with each) 430.54 712 P
-0.7 (host is a polling interval; this interval is copied into the packet \336eld pkt.ppoll) 180 692 P
0.51 (before it is sent. At the other end, the time to initiate a message is reset to) 180 672 P
0.35 (2) 180 652 P
5 F
0.29 (smaller of peer) 186 656.8 P
0.29 (\325) 247.47 656.8 P
0.29 (s polling interval and host\325) 249.51 656.8 P
0.29 (s polling interval) 357.66 656.8 P
2 F
0.35 (, unless that is lar) 426.55 652 P
0.35 (ger or) 511.35 652 P
0.14 (smaller than two preset constants \050as described in \2442.3.\051 Hence one can af-) 180 632 P
(fect the polling interval, but only within speci\336ed limits.) 180 612 T
4 F
(pkt.distance) 108 588 T
2 F
-0.15 (Altering this \336eld af) 180 588 P
-0.15 (fects the estimated roundtrip delay \050dispersion\051 that the) 276.26 588 P
1.1 (victim perceives from the primary source and so can ef) 180 568 P
1.1 (fect the choice of) 453.78 568 P
(clock source as well as the frequency of polling that clock.) 180 548 T
4 F
(pkt.dispersion) 108 524 T
2 F
0.11 (Altering this \336eld af) 180 524 P
0.11 (fects the estimated dispersion that the victim perceives) 277.06 524 P
(from the primary source.) 180 504 T
4 F
(pkt.r) 108 480 T
(e\336d) 129.88 480 T
2 F
-0.35 (Altering this \336eld af) 180 480 P
-0.35 (fects the time reference source that the victim perceives) 275.68 480 P
(the primary source to be relying on.) 180 460 T
4 F
(pkt.r) 108 436 T
(eftime) 129.88 436 T
2 F
-0.37 (This is used to detect non-updated peer clocks. If it is over one day dif) 180 436 P
-0.37 (ferent) 512.03 436 P
-0.01 (than the ) 180 416 P
4 F
-0.01 (pkt.xmt) 221.29 416 P
2 F
-0.01 ( \336eld, the packet will be discarded and \050if the association is) 256.27 416 P
-0.64 (not precon\336gured\051 it will be discontinued. In any case, the state variables as-) 180 396 P
(sociated with the association are updated to those of the packet.) 180 376 T
4 F
0.99 (Countermeasur) 72 352 P
0.99 (es) 146.18 352 P
2 F
0.99 (: T) 156.17 352 P
0.99 (o prevent message modi\336cation from escaping detection, the authentication) 169.98 352 P
-0.4 (mechanism must be used. T) 72 332 P
-0.4 (o prevent message modi\336cation from af) 203.14 332 P
-0.4 (fecting the local host time even) 391.78 332 P
0.69 (in the absence of detection is not possible as the distance and dispersion \336elds can be modi\336ed;) 72 312 P
-0.23 (however) 72 292 P
-0.23 (, the stratum value should be used only if all sanity checks are passed \050this is true for non-) 112.81 292 P
0.78 (precon\336gured associations, but not true for precon\336gured ones\051 and access controls indicate the) 72 272 P
(connection is trusted \050not simply the host\051) 72 252 T
1 F
(3.5. Replay) 72 220 T
4 F
-0.45 (Goal) 72 196 P
2 F
-0.45 (. T) 95.99 196 P
-0.45 (o intercept and resend NTP messages from one timekeeper to another to cause the recipient) 108.02 196 P
(to incorrectly resynchronize itself, or to disable an active association.) 72 176 T
4 F
(Attack) 72 152 T
2 F
(: Record messages sent at one time and resend them later) 102.64 152 T
(.) 375.78 152 T
4 F
-0.37 (Effects) 72 128 P
2 F
-0.37 (: First, note that if the delay is greater than the polling interval or no other message has been) 104.65 128 P
0.43 (sent from the peer to the tar) 72 108 P
0.43 (get, the sanity checks in the receive procedure will detect the replay;) 206.91 108 P
-0.02 (but as noted in the previous section, this can still cause various association parameters to be reset.) 72 88 P
FMENDPAGE
%%EndPage: "14" 15
%%Page: "15" 15
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 15 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
-0.38 (In particular) 72 712 P
-0.38 (, if the synchronization paths have been recon\336gured so the peer) 130.09 712 P
-0.38 (\325) 435.53 712 P
-0.38 (s stratum number has) 438.86 712 P
(dropped \050and hence the tar) 72 692 T
(get\325) 199.67 692 T
(s stratum number has dropped\051, the peer could become a source.) 217.66 692 T
(Otherwise the ef) 108 668 T
(fects are the same as for message modi\336cation. ) 187.05 668 T
-0.69 (A major ef) 108 644 P
-0.69 (fect of a replay attack will be to reset the recipient\325) 158.36 644 P
-0.69 (s clock backwards; as the mes-) 395.24 644 P
0.67 (sage is valid byt for an earlier time, if the replay is not caught and the victim resynchronizes its) 72 624 P
(clock to the \050replayed\051 time in the packet, the local time will be reset to an earlier time.) 72 604 T
4 F
0.03 (Countermeasur) 72 580 P
0.03 (es) 146.18 580 P
2 F
0.03 (: Decreasing the bounds of the polling interval will decrease the window of vul-) 156.17 580 P
-0.64 (nerability) 72 560 P
-0.64 (. As an alternative, change the \336rst sanity check in the packet procedure to reject any mes-) 117.19 560 P
-0.24 (sage with a transmit timestamp older than the last one received, and create a special resynchronize) 72 540 P
0.42 (message to be sent when a clock is changed backwards. Then the window of vulnerability exists) 72 520 P
(only when a resynchronization packet is sent.) 72 500 T
1 F
(3.6. Delay) 72 468 T
4 F
-0.23 (Goal) 72 444 P
2 F
-0.23 (. T) 95.99 444 P
-0.23 (o delay NTP messages from one timekeeper to another to cause the recipient to incorrectly) 108.24 444 P
(resynchronize itself, or to disable an active association.) 72 424 T
4 F
(Attack) 72 400 T
2 F
(: Arti\336cially increase \050by various nefarious means\051 the roundtrip delay of an association.) 102.64 400 T
4 F
0.13 (Effects) 72 376 P
2 F
0.13 (: This increases the estimate of delay to the peer; if more than 8 packets are so delayed \050so) 104.65 376 P
-0.29 (the estimate of the delay is more than 8 seconds\051, the peer whose packets are being delayed cannot) 72 356 P
(be a source. This may result in the tar) 72 336 T
(get having no source, resulting in a denial of service attack.) 251.99 336 T
4 F
0.41 (Countermeasur) 72 312 P
0.41 (es) 146.18 312 P
2 F
0.41 (: The only way to prevent this is redundancy of clock sources, which NTP cur-) 156.17 312 P
(rently provides.) 72 292 T
1 F
(3.7. Denial of Service) 72 260 T
4 F
-0.16 (Goal) 72 236 P
2 F
-0.16 (. T) 95.99 236 P
-0.16 (o prevent NTP messages from any one timekeeper from arriving at the tar) 108.31 236 P
-0.16 (get of the attack,) 460.55 236 P
(thereby preventing the tar) 72 216 T
(get from obtaining the correct time.) 195.35 216 T
4 F
(Attack) 72 192 T
2 F
(: Prevent packets from clock sources from reaching an NTP host.) 102.64 192 T
4 F
-0.05 (Effects) 72 168 P
2 F
-0.05 (: This will force the NTP server to run under its own clock, and possibly get far out of syn-) 104.65 168 P
-0.13 (chronization with the rest of the Internet \050see T) 72 148 P
-0.13 (able 7 in [7]\051 for a list of standard time sources and) 295.95 148 P
(their drift from the correct time\051.) 72 128 T
4 F
(Countermeasur) 72 104 T
(es) 146.18 104 T
2 F
(: The only way to prevent this is redundancy of clock sources.) 156.17 104 T
FMENDPAGE
%%EndPage: "15" 16
%%Page: "16" 16
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 16 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
1 F
0 X
(4. Suggested Impr) 72 712 T
(ovements) 164.73 712 T
2 F
-0.4 (There are two ways for security mechanisms in NTP to evolve. The \336rst is external to NTP) 108 688 P
-0.4 (,) 537 688 P
-0.18 (the second internal. External mechanisms are provided by the network protocols upon which NTP) 72 668 P
-0.11 (is built; internal protocols assume no underlying security mechanism and implement all such con-) 72 648 P
(siderations within the NTP protocol. Currently) 72 628 T
(, the latter is the model used; so let us begin there.) 295.09 628 T
1 F
(4.1. Recommendations for the Internal Mechanisms) 72 596 T
2 F
0.1 (Authentication should always be used.) 108 572 P
3 F
0.08 (18) 293.27 576.8 P
2 F
0.1 ( T) 303.26 572 P
0.1 (o be more ef) 312.85 572 P
0.1 (fective, keys should be issued on a) 373.2 572 P
0.27 (per) 72 552 P
0.27 (-path, not a per) 87.08 552 P
0.27 (-host, basis. This has been noted in [10], in which it is also said that \322the com-) 160.25 552 P
0.3 (plexity of assigning a distinct key to every peer path used by a server would be pretty \336erce \311.\323) 72 532 P
-0.31 (However) 72 512 P
-0.31 (, such a key assignment system adds a \336re wall in that if the key for one peer path is com-) 115.48 512 P
-0.38 (promised, no other peer paths are af) 72 492 P
-0.38 (fected. Further) 241.67 492 P
-0.38 (, the dif) 311.41 492 P
-0.38 (ferent keys do not af) 347.4 492 P
-0.38 (fect the time needed) 444.23 492 P
0.31 (for authentication, but merely the time needed to administrate the key distribution. As key distri-) 72 472 P
-0.04 (bution is out of the scope of the NTP protocol, we merely note that a certi\336cate-based mechanism) 72 452 P
0.24 (as used in [5] could be used to distribute keys on a per) 72 432 P
0.24 (-peer path basis. There would be a consid-) 335.14 432 P
0.09 (erable lag involved in validating the keys, but as noted in [7], \322the nature of NTP is quite tolerant) 72 412 P
-0.72 (to such disruptions [as inconsistent key information while re-keying is in progress], so no particular) 72 392 P
(provisions are needed to deal with them.\323) 72 372 T
3 F
(19) 271.52 376.8 T
2 F
-0.07 (The record route option of IP should be used when available, and access control should be) 108 348 P
-0.29 (based on the routes recorded. Of course this does not prevent altering the route while the datagram) 72 328 P
-0.7 (is in transit or at an intermediate node, but it is another detail an attacker will have to worry about.) 72 308 P
3 F
-0.58 (20) 530.01 312.8 P
2 F
-0.55 (The peer association variables should be changed only ) 108 284 P
4 F
-0.55 (after) 368.08 284 P
2 F
-0.55 ( the packet has passed all sanity) 390.73 284 P
0 (checks. Otherwise there is a chance the packet is bogus or corrupt, and in either case the informa-) 72 264 P
(tion in it is not reliable and should not be used.) 72 244 T
3 F
(21) 296.88 248.8 T
2 F
0.5 (The legal values of the \336eld ) 108 220 P
4 F
0.5 (pkt.pr) 247.6 220 P
0.5 (ecision) 275.47 220 P
2 F
0.5 ( should be constrained more tightly than is cur-) 309.45 220 P
0.66 (rently done. As of version 2, this \336eld may assume values between -127 and 127 inclusive; it is) 72 200 P
-0.04 (unlikely that any clock will have precision as coarse as 2) 72 180 P
3 F
-0.03 (127) 344.11 184.8 P
2 F
-0.04 ( seconds \050roughly 5) 359.1 180 P
6 F
-0.04 (\264) 453.26 180 P
2 F
-0.04 (10) 459.84 180 P
3 F
-0.03 (31) 471.84 184.8 P
2 F
-0.04 ( years\051 or as) 481.83 180 P
-0.57 (\336ne as 2) 72 160 P
3 F
-0.48 (-127) 110.83 164.8 P
2 F
-0.57 ( seconds \050roughly 6) 129.15 160 P
6 F
-0.57 (\264) 221.69 160 P
2 F
-0.57 (10) 228.28 160 P
3 F
-0.48 (-39) 240.27 164.8 P
2 F
-0.57 ( seconds\051 in the immediate future. Note that this applies only) 253.59 160 P
(to systems involving high-speed LANS; ) 72 140 T
4 F
(pkt.pr) 267.57 140 T
(ecision) 295.44 140 T
2 F
( is used nowhere else.) 329.42 140 T
3 F
(22) 434.33 144.8 T
72 120 540 129 C
72 120 540 129 R
7 X
0 K
V
72 129 225 129 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(18. ) 72 113.33 T
(See \2443.2, fourth paragraph, and \2443.4 of this report.) 90 113.33 T
(19. ) 72 101.33 T
([7], p. 56.) 90 101.33 T
(20. ) 72 89.33 T
(See \2443.1, second paragraph of this report.) 90 89.33 T
(21. ) 72 77.33 T
(See \2443.4 of this report.) 90 77.33 T
FMENDPAGE
%%EndPage: "16" 17
%%Page: "17" 17
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 17 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
0.4 (Currently) 108 712 P
0.4 (, 8 data points are sampled to estimate the dispersion of the clock of) 153.19 712 P
0.4 (fset and the) 483.92 712 P
0.45 (roundtrip delay) 72 692 P
0.45 (. This enables attackers to \337ood the victim with bogus packets. If the sample size) 145.29 692 P
(can be increased to require more data points, this danger can be diminished. Allowing some max-) 72 672 T
-0.5 (imum number of packets per period of time would have a similar ef) 72 652 P
-0.5 (fect.) 390.18 652 P
3 F
-0.42 (23) 411.16 656.8 P
2 F
-0.5 ( Note that this may af) 421.15 652 P
-0.5 (fect) 522.02 652 P
(the statistical algorithms used, so it should be considered in that light.) 72 632 T
-0.37 (The danger of replay arises from the possibility of a system\325) 108 608 P
-0.37 (s clock being set ) 392.74 608 P
4 F
-0.37 (backwar) 473.86 608 P
-0.37 (ds) 514.72 608 P
2 F
-0.37 ( by) 525.38 608 P
-0.33 (a packet from another host. The best way to prevent this is to require a special packet be sent when) 72 588 P
-0.16 (the clock is to be moved back, and provide a nonce to ensure the packet cannot be replayed. \050Note) 72 568 P
0.49 (it is not suf) 72 548 P
0.49 (\336cient to reject any packet with a timestamp no newer than the last one received, be-) 126.91 548 P
0.22 (cause a clock may run fast and need to be set back; it must then propagate its change to those for) 72 528 P
(which it is the source.\051) 72 508 T
-0.36 (Finally) 108 484 P
-0.36 (, redundancy must be ensured; in particular) 141.21 484 P
-0.36 (, no server should have as its source only) 346.05 484 P
-0.37 (one other server) 72 464 P
-0.37 (. NTP does this to a lar) 147.87 464 P
-0.37 (ge extent already) 255.72 464 P
-0.37 (, but it is imperative that the sets at the var-) 336.13 464 P
-0.14 (ious strata contain more than one element. This will limit the ef) 72 444 P
-0.14 (fectiveness of delay and denial-of-) 374.71 444 P
(service attacks.) 72 424 T
3 F
(24) 145.27 428.8 T
1 F
(4.2. Applicability of External Mechanisms) 72 392 T
2 F
-0.28 (NTP has attempted to provide its own security) 108 368 P
-0.28 (, with all the resulting problems of any secu-) 328.09 368 P
-0.34 (rity system. An alternative is to use a security protocol for the underlying transmission mechanism) 72 348 P
(and ignore security considerations at the higher \050NTP\051 level.) 72 328 T
-0.17 (There are two problems with such a design. The \336rst is that none of the major security-ori-) 108 304 P
0.62 (ented protocols allow broadcast, because broadcasting unfor) 72 284 P
0.62 (geable, authenticated packets would) 364.94 284 P
-0.16 (imply the use of a public-key checksumming scheme, and no such scheme runs quickly enough to) 72 264 P
0.41 (be used in that context \050the best-studied, RSA, runs at 1) 72 244 P
0.41 (150 bits/second on a Sun 3/60 [6]; given) 342.87 244 P
0.02 (that the checksum should be on the order of 512 bits, this would mean that at most only 2 packets) 72 224 P
(could be processed per second\051.) 72 204 T
3 F
(25) 224.87 208.8 T
2 F
( The second is that few such protocols are in widespread use.) 234.86 204 T
-0.23 (The lack of broadcast is not serious between primary and secondary) 108 180 P
-0.23 (, or secondary and sec-) 430.68 180 P
0.07 (ondary) 72 160 P
0.07 (, servers, as these are not expected to use broadcast mode; however) 104.53 160 P
0.07 (, for a secondary server) 427.51 160 P
72 132 540 141 C
72 132 540 141 R
7 X
0 K
V
72 141 225 141 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(22. ) 72 125.33 T
(See \2443.4, paragraph 3, of this report.) 90 125.33 T
(23. ) 72 113.33 T
(See \2443.5 of this report.) 90 113.33 T
(24. ) 72 101.33 T
(See \2443.6-\2443.7 of this report.) 90 101.33 T
(25. ) 72 89.33 T
0.09 (Note that this is not a barrier to NTP) 90 89.33 P
0.09 (, since polling is done no more frequently than on the order of a minute) 235.64 89.33 P
([8], \2443.3.) 90 77.33 T
FMENDPAGE
%%EndPage: "17" 18
%%Page: "18" 18
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 18 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
1.11 (providing time service to other hosts on a LAN, the broadcast mode is used.) 72 712 P
3 F
0.93 (26) 451.18 716.8 P
2 F
1.11 ( One alternative) 461.18 712 P
0.21 (would simply be to eliminate that mode of operation, and require workstations on such a LAN to) 72 692 P
0.48 (query the secondary server directly \050the address being con\336gured at boot time\051. A second would) 72 672 P
-0.16 (be to allow broadcast but require con\336rmation by the resynchronizing workstation having an NTP) 72 652 P
-0.58 (association that enters client mode when it uses the broadcast NTP message to reset the local clock.) 72 632 P
0.08 (Unfortunately) 108 608 P
0.08 (, the availability of such network-level and transport-level protocols is more) 174.5 608 P
0.03 (serious. The current UDP protocol [1) 72 588 P
0.03 (1] provide for no security beyond that available with IP) 250.24 588 P
0.03 (. The) 515.32 588 P
(IP options include two relevant here: security and strict source routing.) 72 568 T
1.5 (Strict source routing forces packets to be routed through speci\336c intermediate hosts. If) 108 544 P
0.69 (those hosts and the links connecting them are trusted, then the NTP packets can also be trusted.) 72 524 P
0.4 (However) 72 504 P
0.4 (, in a wide-area environment, such assurances are rare; and the source route is speci\336ed) 115.48 504 P
-0.25 (as a set of \336elds within the IP datagram itself. Those \336elds have no associated manipulation detec-) 72 484 P
0.34 (tion code. Hence if any link is vulnerable to an active wiretapper) 72 464 P
0.34 (, the source route can be altered) 385.74 464 P
(and the packet made to go along any route.) 72 444 T
0.31 (The IP security option [13] is designed for the protection of information falling under the) 108 420 P
0.32 (U.S. classi\336cation scheme \050) 72 400 P
4 F
0.32 (i) 205.87 400 P
2 F
0.32 (.) 209.2 400 P
4 F
0.32 (e) 212.2 400 P
2 F
0.32 (., T) 217.53 400 P
0.32 (op Secret, Secret, Con\336dential, and Unclassi\336ed\051 and is not ap-) 233.33 400 P
(propriate for use here.) 72 380 T
0.44 (So, at this point we must conclude that IP does not provide suf) 108 356 P
0.44 (\336cient underlying security) 413.2 356 P
-0.58 (to enable its use as an external security mechanism even if broadcasting is eliminated or designated) 72 336 P
(\322not trustworthy) 72 316 T
(.\323) 150.17 316 T
-0.41 (Other protocols not currently in widespread use may prove more suitable. For example, the) 108 292 P
-0.41 (SDNS Security Protocols SP/3 [14] and SP/4 [15] provide integrity and authentication; this would) 72 272 P
0.2 (require NTP to detect only replay or delaying attacks. But these are fundamental to NTP\325) 72 252 P
0.2 (s nature) 502.16 252 P
-0.17 (\050one due to the connectionless protocol used, and the other due to the use of statistical algorithms\051) 72 232 P
(and so most likely cannot be prevented by the underlying protocol.) 72 212 T
1 F
(5. Conclusion) 72 180 T
2 F
-0.24 (The NTP protocol is a useful, well-designed protocol designed to be robust under a variety) 108 156 P
0.42 (of conditions. Like all other protocols, it has security weaknesses, some of which are inherent in) 72 136 P
0.56 (the goals of the protocol and some of which are a result of the limits of the mechanisms used to) 72 116 P
72 84 540 93 C
72 84 540 93 R
7 X
0 K
V
72 93 225 93 2 L
V
0.5 H
2 Z
0 X
N
0 0 612 792 C
3 F
0 X
0 K
(26. [7], \2443.3, p. 21.) 72 77.33 T
FMENDPAGE
%%EndPage: "18" 19
%%Page: "19" 19
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 19 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
-0.56 (improve security) 72 712 P
-0.56 (. In this report we have highlighted speci\336c areas where attacks designed to thwart) 151.6 712 P
(the goals of NTP are possible, and have suggested improvements where appropriate.) 72 692 T
2.14 (The recommendations made here are made from the security analyst\325) 108 668 P
2.14 (s point of view;) 458.63 668 P
0.31 (whether or not they can be implemented without adversely impacting the goals of the protocol is) 72 648 P
-0.26 (another matter) 72 628 P
-0.26 (. It may be necessary to experiment, for example to determine how much increasing) 140.69 628 P
0.18 (the sample size would af) 72 608 P
0.18 (fect the accuracy of the statistical algorithms used in NTP) 191.08 608 P
0.18 (. Further) 468.84 608 P
0.18 (, there) 509.85 608 P
-0.09 (are some attacks against which the only defense is redundancy) 72 588 P
-0.09 (, and that may not be possible in all) 370.5 588 P
(circumstances.) 72 568 T
0 F
0.14 (Acknowledgments) 72 544 P
2 F
0.14 (: I would like to thank Dave Mills, the author of NTP) 161.96 544 P
0.14 (, for his extensive help in) 418.04 544 P
0.48 (guiding me through the intricacies of the algorithm, his unfailing good humor) 72 524 P
0.48 (, and his frankness) 449.28 524 P
0.9 (about security matters. As with so many other papers, this is not simply the work of the author) 72 504 P
0.2 (alone; I would like to thank the members of the Privacy and Security Research Group, especially) 72 484 P
-0.19 (David Balenson, Russ Housley) 72 464 P
-0.19 (, Steve Kent, John Linn, Dan Nessett, Richard Parker) 219.91 464 P
-0.19 (, Ken Rossen,) 473.75 464 P
-0.27 (Miles Smid, and Dave Solo, for their helpful discussions of attacks on NTP; and also Ralph Merk-) 72 444 P
(le, for his comments during the discussion of NTP and security) 72 424 T
(.) 374.03 424 T
-0.5 (This work was supported by grant NAG 2-628 from NASA Ames Research Center to Dart-) 108 400 P
(mouth College, and by a Burke A) 72 380 T
(ward from Dartmouth College.) 232.46 380 T
1 F
(Refer) 72 348 T
(ences) 100.41 348 T
2 F
([1]) 72 324 T
0.95 (J. Case, M. Fedor) 108 324 P
0.95 (, M. Schof) 194.98 324 P
0.95 (fstall, and C. Davin, ) 247.3 324 P
4 F
0.95 (Simple Network Management Pr) 350.71 324 P
0.95 (otocol) 510.02 324 P
(\050SNMP\051) 108 304 T
2 F
(, RFC 1) 147.3 304 T
(157 \050May 1990\051.) 184.52 304 T
([2]) 72 280 T
0.1 (Federal Information Processing Standards Publication 81, ) 108 280 P
4 F
0.1 (DES Modes of Operation) 388.73 280 P
2 F
0.1 ( \050Dec.) 510.6 280 P
(1980\051.) 108 260 T
([3]) 72 236 T
(Information Sciences Institute, ) 108 236 T
4 F
(Internet Pr) 258.57 236 T
(otocol) 311.08 236 T
2 F
(, RFC 791 \050Sep. 1981\051.) 341.07 236 T
([4]) 72 212 T
-0.31 (B. Kaliski, Jr) 108 212 P
-0.31 (., R. Rivest, and A. Sherman, \322Is the Data Encryption Standard a Group? \050Re-) 170.01 212 P
(sults of Cycling Experiments on DES\051,\323) 108 192 T
4 F
( Journal of Cryptography) 300.55 192 T
2 F
( ) 423.49 192 T
1 F
(1) 426.48 192 T
2 F
(\0501\051 pp. 3-36 \0501988\051.) 432.48 192 T
([5]) 72 168 T
0.27 (S. Kent and J. Linn, ) 108 168 P
4 F
0.27 (Privacy Enhancement for Internet Electr) 207.95 168 P
0.27 (onic Mail: Part II -- Certi\336-) 404.42 168 P
(cate-Based Key Management) 108 148 T
2 F
(, RFC-1) 248.55 148 T
(1) 286.76 148 T
(14 \050Aug. 1989\051.) 292.32 148 T
([6]) 72 124 T
-0.63 (D. Laurichesse, ) 108 124 P
4 F
-0.63 (Mise En \316uvr) 184.67 124 P
-0.63 (e Optimisee du Chiffr) 252.9 124 P
-0.63 (e RSA) 354.17 124 P
2 F
-0.63 (, T) 382.52 124 P
-0.63 (echnical Report LAAS-90052,) 394.37 124 P
(Laboratoire d\325Automatique et d\325Analyse des Systemes \050Mar) 108 104 T
(. 1990\051) 397.13 104 T
FMENDPAGE
%%EndPage: "19" 20
%%Page: "20" 20
612 792 0 FMBEGINPAGE
0 0 612 792 C
0 0 612 792 R
7 X
0 K
V
72 746 540 756 R
V
2 F
0 X
(A Security Analysis of the NTP Protocol) 72 748 T
1 F
( ) 398.39 748 T
0 F
(DRAFT) 401.39 748 T
1 F
( ) 441.38 748 T
2 F
(Report to the PSRG) 444.38 748 T
72 32.67 540 42.67 R
7 X
V
0 X
(Last modified June 13, 1990 11:10 am) 72 34.67 T
(Page 20 of 20) 473.71 34.67 T
72 72 540 720 R
7 X
V
0 X
([7]) 72 712 T
-0.04 (D. Mills, ) 108 712 P
4 F
-0.04 (Network T) 153.9 712 P
-0.04 (ime Pr) 203.52 712 P
-0.04 (otocol \050V) 235.34 712 P
-0.04 (ersion 2\051 Speci\336cation and Implementation) 278.28 712 P
2 F
-0.04 (, RFC 1) 485.32 712 P
-0.04 (1) 522.45 712 P
-0.04 (19) 528.01 712 P
(\050Sep. 1989\051.) 108 692 T
([8]) 72 668 T
2.05 (D. Mills, ) 108 668 P
4 F
2.05 (Internet T) 158.08 668 P
2.05 (ime Synchr) 207.11 668 P
2.05 (onization: the Network T) 262.34 668 P
2.05 (ime Pr) 387.44 668 P
2.05 (otocol) 421.35 668 P
2 F
2.05 (, RFC 1) 451.34 668 P
2.05 (129 \050Oct.) 492.65 668 P
(1989\051.) 108 648 T
([9]) 72 624 T
0.9 (D. Mills, \322On the Accuracy and Stability of Clocks Synchronized by the Network T) 108 624 P
0.9 (ime) 522.01 624 P
(Protocol in the Internet System,\323 ) 108 604 T
4 F
(ACM Computer Communications Review) 268.57 604 T
2 F
( \050Jan. 1990\051) 466.78 604 T
4 F
(.) 523.74 604 T
2 F
([10]) 72 580 T
0.63 (D. Mills, \322NTP authentication,\323 message id <8002091231.aa02142@Huey) 108 580 P
0.63 (.UDEL.EDU>) 470.62 580 P
(\050Feb. 1989\051.) 108 560 T
([1) 72 536 T
(1]) 81.55 536 T
(J. Postel, ) 108 536 T
4 F
(User Datagram Pr) 153.98 536 T
(otocol) 244.15 536 T
2 F
(, RFC 768 \050Aug. 1980\051.) 274.13 536 T
([12]) 72 512 T
(Privacy and Security Research Group, \322Meeting Minutes\323 \050Jan. 17-19, 1990\051) 108 512 T
([13]) 72 488 T
(M. St. Johns, ) 108 488 T
4 F
(Draft Revised IP Security Option) 173.98 488 T
2 F
(, RFC 1038 \050Jan. 1988\051.) 333.2 488 T
([14]) 72 464 T
1.03 (SDNS Protocol and Signaling W) 108 464 P
1.03 (orking Group, ) 269.07 464 P
4 F
1.03 (Security Pr) 342.08 464 P
1.03 (otocol 3 \050SP3\051) 396.96 464 P
2 F
1.03 (, Revision 1.5,) 468.31 464 P
(SDN.301 \050May 1989\051.) 108 444 T
([15]) 72 420 T
1.15 (SDNS Protocol and Signaling W) 108 420 P
1.15 (orking Group, ) 269.56 420 P
4 F
1.15 (Security Pr) 342.82 420 P
1.15 (otocol 4 \050SP) 397.82 420 P
2 F
1.15 (4\051) 459.42 420 P
4 F
1.15 (, Revision 1.3,) 469.41 420 P
(SDN.401 \050May 1989\051.) 108 400 T
FMENDPAGE
%%EndPage: "20" 21
%%Trailer
%%BoundingBox: 0 0 612 792
%%Pages: 20 1
%%DocumentFonts: Times-BoldItalic
%%+ Times-Bold
%%+ Times-Roman
%%+ Times-Italic
%%+ Symbol