Bulletproof TLS Newsletter #54
Network Time Security (NTS) could finally bring support for authenticated network time
27 June 2019
Author: Hanno Böck

This issue was distributed to 50,900 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Network Time Security (NTS) could finally bring support for authenticated network time
  2. Short news

Network Time Security (NTS) could finally bring support for authenticated network time

As part of its crypto week, the company Cloudflare recently announced that it will operate a time server supporting the Network Time Security (NTS) extension for the Network Time Protocol (NTP). This solves a long-standing problem with time in the context of secure protocols.

Most computers and other network-connected devices these days synchronize their clocks with time sources from the internet. However, the traditional way of doing so—the Network Time Protocol—supports no way of authenticating that data by default. This essentially means that for a man-in-the-middle attacker, it’s trivial to deliver a wrong time.

This can have security consequences because a working clock is assumed by many other security protocols, including X.509 certificates, which have an expiration date, and features like HSTS that have a lifetime. Practical attacks on HSTS have been shown in the past.

In the past, the TLS timestamp has been used as an alternative in the tlsdate tool, but it’s no longer maintained and TLS 1.3 removed the timestamp. OpenNTPD has a feature by which it can use TLS to provide authenticated time constraints, but it relies on LibreSSL and thus is not usable on many systems. Google’s Adam Langley has developed the Roughtime protocol as an alternative to NTP, but it’s not widely used.

NTP itself attempted to provide authentication in the past by a procedure called Autokey, but it’s been shown to be insecure. It also supports authentication with symmetric keys, but that’s not practical for widespread use.

NTS is a new attempt to fix this issue. It exchanges a key over an authenticated TLS channel and uses that to secure NTP itself. It’s been in development for a while, but now it seems it’ll be finished soon and implementations are starting to pick it up. There is a reference implementation of NTS, NTPsec just released a new version with support for NTS, Chrony has an experimental fork with NTS support, and more implementations are expected to come soon.

Chances are this will finally provide a widely supported option to synchronize time over the internet in a secure and authenticated way.

Short news