From: Harlan Stenn Date: Mon, 20 Dec 2010 08:50:47 +0000 (-0500) Subject: Documentation updates from Dave Mills X-Git-Tag: NTP_4_2_7P98~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62ce5de7c4922ed27f749c00089092f6ac86e710;p=thirdparty%2Fntp.git Documentation updates from Dave Mills bk: 4d0f18e7TSN8Nn-wMOVOSTAlw1L1vw --- diff --git a/ChangeLog b/ChangeLog index 8bc94727e..9989f47e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ * [Bug 1761] clockstuff/clktest-opts.h omitted from tarball. * [Bug 1762] from 4.2.6p3-RC12: manycastclient responses interfere. +* Documentation updates from Dave Mills. (4.2.7p97) 2010/12/19 Released by Harlan Stenn * [Bug 1458] from 4.2.6p3-RC12: Can not compile NTP on FreeBSD 4.7. * [Bug 1760] from 4.2.6p3-RC12: ntpd Windows interpolation cannot be diff --git a/html/autokey.html b/html/autokey.html index b1996c538..648ebec77 100644 --- a/html/autokey.html +++ b/html/autokey.html @@ -7,14 +7,16 @@

Autokey Public-Key Authentication

Last update: - 19-Dec-2010 4:26 + 19-Dec-2010 22:23 UTC

@@ -44,27 +46,31 @@

It is important to note that the certificate trail is validated only at startup when an association is mobilized. Once validated in this way, the server remains valid until it is demobilized, even if certificates on the trail to the THs expire.

Example

Figure 1. Example Configuration

Figure 1 shows an example configuration with three NTP subnets, Alice, Helen and Carol. Hosts A and B are THs of Alice, host R is the TH of Helen and host X is the TH of Carol. Assume that all associations are client/server; so, for example, TH X has two mobilized associations, one to Alice host C and the other to Carol host S. While not shown in the figure, Alice hosts A and B could configure symmetric mode associations between them for redundancy and backup.

Note that host D cetificate trail is D→C→A or D→C→B, depending on the particular order the trails are built. Host Y certificate trail is only Y→X, since X is a TH. Host X has two cetficate trails X→C→A or X→C→B, and X→S→R.

NTP Secure Groups

NTP security groups are an extension of the NTP subnets described in the previous section. They include in addition to certificate trails one or another identity schemes described on the Autokey Identity Schemes page. NTP secure groups are used to define cryptographic compartments and security -hierarchies. The identity scheme insures that the server is authentic and not victim of masquerade by an intruder acting as a middleman.

As in NTP subnet, NTP secure groups are configured as an acyclic tree rooted on the THs. The THs are at the lowest stratum of the secure group. All group hosts construct an unbroken certificate trail from each host, possibly via intermediate hosts, and ending at a TH of that group. In addition, each group host verifies its server has the secret group key using an identity exchange.

+ hierarchies. The identity scheme insures that the server is authentic and not victim of masquerade by an intruder acting as a middleman.

As in NTP subnet, NTP secure groups are configured as an acyclic tree rooted on the THs. The THs are at the lowest stratum of the secure group; they and possibly other hosts in the group run the identity exchange. All group hosts construct an unbroken certificate trail from each host, possibly via intermediate hosts, and ending at a TH of that group. The TH verifies authenticity as a client of a serverin another group.

For secure group servers, the string specified by the -i option of the ntp-keygen program is the name of the secure group. For secure group servers this name must match the ident option - of the crypto command for the server. For secure group clients, this name must match the ident option of the server command. This name is also used in the identity keys and parameters file names. The file naming conventions are described on + of the crypto command. For secure group clients, this name must match the ident option of the server command. This name is also used in the identity keys and parameters file names. The file naming conventions are described on the ntp-keygen page.

In the latest Autokey version, the host name and group name are independent of each other and the host option of the crypto command is deprecated. When compatibility with older versions is required, specify the same name for both the -s and -i options.

The Autokey identity schemes involve a challenge-response exchange where a client generates a nonce and sends to the server. The server performs a mathematical operation involving a second nonce and the secret group key, and sends the result along with a hash to the client. The client performs a another mathematical operation and verifies the result with the hash. Since each exchange involves two nonces, even after repeated observations of many exchanges, an intruder cannot learn the secret group key. It is this quality that allows the secure group key to persist long after the longest period of certificate validity. In the Schnorr IFF scheme considered later on this page, the secret group key is not divulged to the clients, so they cannot conspire to prove identity to other hosts.

As described on the Autokey Identity Schemes page, there are five identity schemes, three of which - IFF, GQ and MV - require identity files specific to each scheme. There are two types of files for each scheme, an encrypted server keys file and a nonencrypted client parameters file, which usually contains a subset of the keys file.

Hosts with no dependent clients can retrieve client parameter files from an +

Figure 2. Identify Scheme

As shown in Figure 2, an Autokey identity scheme involves a challenge-response exchange where a client generates a nonce and sends to the server. The server performs a mathematical operation involving a second nonce and the secret group key, and sends the result along with a hash to the client. The client performs a another mathematical operation and verifies the result with the hash.

Since each exchange involves two nonces, even after repeated observations of many exchanges, an intruder cannot learn the secret group key. It is this quality that allows the secret group key to persist long after the longest period of certificate validity. In the Schnorr (Identify Friend or Foe - IFF) scheme, the secret group key is not divulged to the clients, so they cannot conspire to prove identity to other hosts.

As described on the Autokey Identity Schemes page, there are five identity schemes, three of which - IFF, GQ and MV - require identity files specific to each scheme. There are two types of files for each scheme, an encrypted server keys file and a nonencrypted client keys file, also called the parameters file, which usually contains a subset of the keys file.

Figure 2 shows how keys and parameters are distributed to servers and clients. Here, a TH constructs the encrypted keys file and the nonencrypted parameters file. Hosts with no dependent clients can retrieve client parameter files from an archive or web page. The ntp-keygen program can export parameter files using the -e option. - Hosts with dependent clients other than the CA must retrieve copies of the server - key file using secure means. The ntp-keygen program can export these data - using the -q option and chosen remote password. In either case the data are installed as a file + Servers with dependent clients other than THs must retrieve copies of the server + keys file using secure means. The ntp-keygen program can export server keys files + using the -q option and chosen remote password. In either case the files are installed and then renamed using the name given as the first line in the file, but without -the filestamp.

+ the filestamp.

Example

Returning to the example of Figure 1, Alice, Helen and Carol run TC, internally, as the environment is secure and without threat from external attack, in particular a middleman masquerade. However, TH X of Carol is vulnerable to masquerade on the links between X and C and between X and S. Therefor, both C and S are configured as Autokey servers with, for example, the IFF identity scheme, and X as a client of both of them. For this purpose, both C and S export their IFF parameter files to X as described above.

Configuration - Authentication Schemes

@@ -88,18 +94,18 @@ the filestamp.

It is possible to configure clients of server grundoon.udel.edu in the same way with the server line pointing to grundoon.udel.edu. Dependent clients authenticate to time.nistg.gov through grundoon.udel.edu.

In the above configuration examples, the default Autokey host name is the string returned by the Unix gethostname() library routine. However, this name has nothing to do with the DNS name of the host. The Autokey host name is used as the subject and issuer names on the certificate, as well as the default password for the encrypted keys files. The Autokey host name can be changed using the -s option of the ntp-keygen program. The default password can be changed using the -p option of the ntp-keygen program and the pw option of the crypto command.

Configuration - Identity Schemes

For the simplest identity scheme TC, the server generates host keys, trusted certificate and identity files using an ntp-keygen program commadn with options specified in this section, while the clients use the same command with no options. The server uses the crypto command in the comnfiguration file with options specified in this section, while the clients use the same command with no options. Additonia client options are specified in the server command for each association.

It's best to start with a functioning TC configuation and add commands as necessary. For example, the CA generates an encrypted server keys file using the command

ntp-keygen -I -i group,

where group is the group name used by all hosts in the group. This and following commands can be combined in a single command. The nonencrypted client parameters can be exported using the command

ntp-keygen -e >file,

where the -e option redirects the client parameters to file via the standard output stream for a mail application or stored locally for later distribution. In a similar fashion the encrypted keys file can be exported using the command

ntp-keygen -q passw2 >file,

where passwd2 is the read password for another host. In either case the file is installed under the name found in the first line of the file, but converted to lower case and without the filestamp

As in the TC scheme, the server includes a crypto command in the configuration file with the ident group option. The crypto command in the client configuration file is unchanged, but the server command includes the ident group option.

In special circumstances the Autokey message digest algorithm can be changed using the digest option of the crypto command. The digest algorithm is separate and distinct from the symmetric key message digest algorithm. If compliance with FIPS 140-2 is required, -the algorithm must be ether SHA or SHA1. The Autokey message digest algorithm must be the same for all participants in the NTP subnet.

+ the algorithm must be ether SHA or SHA1. The Autokey message digest algorithm must be the same for all participants in the NTP subnet.

Examples

Consider a scenario involving three secure groups RED, GREEN and BLUE. RED and BLUE are typical of national laboratories providing certified time to the Internet at large. As shown ion the figure, RED TH mort and BLUE TH macabre run NTP symmetric mode with each other for monitoring or backup. For the purpose of illustration, assume both THs are primary servers. GREEN is typical of a large university providing certified time to the campus community. GREEN TH howland is a broadcast client of both RED and BLUE. BLUE uses the IFF scheme, while both RED and GREEN use the GQ scheme, but with different keys. YELLOW is a client of GREEN and for purposes of illustration a TH for YELLOW.

Autokey Public-Key Authentication

Table of Contents

NTP Secure Groups

Configuration - Authentication Schemes

Configuration - Identity Schemes

Examples