<body>
<h3>Autokey Public-Key Authentication</h3>
<p>Last update:
- <!-- #BeginDate format:En2m -->02-Nov-2010 19:13<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->11-Nov-2010 3:16<!-- #EndDate -->
UTC</p>
<hr>
<h4>Table of Contents</h4>
<h4 id="intro">Introduction</h4>
<p>This distribution includes support for the Autokey public key algorithms and protocol specified in RFC-5906 "Network Time Protocol Version 4: Autokey Specification". This support is available only if the OpenSSL library has been installed and the <tt>--enable-autokey</tt> option is specified when the distribution is built.</p>
<p> Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on private and public values which are generated by each participant and where the private value is never revealed. Autokey uses X.509 public certificates, which can be produced by commercial services, utility programs in the OpenSSL software library or the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility program in the NTP software distribution.</p>
-<p> The Autokey Version 2 protocol described on the <a href="http://www.eecis.udel.edu/%7emills/proto.html">Autokey Protocol</a> page verifies packet integrity using message digest algorithms, such as MD5 or SHA, and verifies the source using any of several digital signature schemes, including RSA and DSA. Optional identity schemes described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page are based on cryptographic challenge/response exchanges. These schemes provide strong security against masquerade and most forms of clogging attacks. These schemes are described along with an executive summary, current status, briefing slides and reading list on the <a href="http://www.eecis.udel.edu/~mills/autokey.html">Autonomous Authentication</a> page.</p>
+<p> The Autokey Version 2 protocol described on the <a href="http://www.eecis.udel.edu/%7emills/proto.html">Autokey Protocol</a> page verifies packet integrity using message digest algorithms, including as MD5 or SHA, and verifies the source using any of several digital signature schemes, including RSA and DSA. Optional identity schemes described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page are based on cryptographic challenge/response exchanges. These schemes provide strong security against masquerade and most forms of clogging attacks. These schemes are described along with an executive summary, current status, briefing slides and reading list on the <a href="http://www.eecis.udel.edu/~mills/autokey.html">Autonomous Authentication</a> page.</p>
<p>Autokey authenticates individual packets using cookies bound to the IP source and destination addresses. The cookies must have the same addresses at both the server and client. For this reason operation with network address translation schemes is not possible. This reflects the intended robust security model where government and corporate NTP servers are operated outside firewall perimeters.</p>
<h4 id="config">Configuration</h4>
-<p>The Trusted Certificate (TC) is recommended for national NTP time services, such as those operated by NIST and USNO. Configuration for TC is very simple. For each server as root:</p>
+<p>The Trusted Certificate (TC) scheme is recommended for national NTP time services, such as those operated by NIST and USNO. Configuration for TC is very simple. For each server, e.g. <tt>time.nist.gov,</tt> as root:</p>
<p><tt># cd /usr/local/etc<br>
# ntp-keygen -T</tt></p>
-<p>This generates an RSA private/public key pair and a self-signed certificate for the RSA digital signature algorithm with the MD5 message digest algoirhtm. Include in the <tt>ntp.conf</tt> configuration file something like</p>
+<p>This generates an RSA private/public host key file and a self-signed certificate file for the RSA digital signature algorithm with the MD5 message digest algorithm. Include in the <tt>ntp.conf</tt> configuration file something like</p>
<p><tt># disable kernel<br>
# server 127.127.18.1 minpoll 12 maxpoll 17 # ACTS modem<br>
# phone atdt913035547785 atddt913034944774<br>
# crypto<br>
# driftfile /etc/nto.drift.</tt></p>
-<p>Note the first three lines are specific to the ACTS driver and NIST phone numbers. The second number will be tried if the first times out. Any other reference clock can be used, or even another time server.</p>
-<p>For each client as root,</p>
+<p>Note the first three lines are specific to the ACTS driver and NIST modem telephone numbers. The second number will be tried if the first times out. Alternatively, any other reference clock can be used, or even another time server.</p>
+<p>For each client, e.g. <tt>grundoon.udel.edu,</tt> as root:</p>
<p><tt># cd /usr/local/etc<br>
# ntp-keygen</tt></p>
-<p>(There is no -<tt>T</tt> option). Include in the <tt>ntp.conf</tt> configuration file for a client such as grundoon.udel.edu something like</p>
-<p><tt># server time.nist.gov iburst<br>
+<p>(There is no -<tt>T</tt> option). Include in the <tt>ntp.conf</tt> configuration file something like</p>
+<p><tt># server time.nist.gov iburst autokey<br>
# crypto<br>
# driftfile /etc/nto.drift.</tt></p>
-<p>It is possible to configure client hosts of server grundoon in the same way with the server line pointing to grundoon. Dependent clients authenticate to time.nistg.gov through grundoon.udel.edu.</p>
-<p>In the above configuration examples, the default autokey host name is the string returned by the Unix gethostbyname() library routine. The host name is used as the subject and issuer names on the certificate, as well as the default deault password for the host key and certificate files. The host name can be chaned using the -s option with the ntp-keygen program. The default password can be changed using the -p optoin for the ntp-keygen and the pw option of the crypto command. </p>
+<p>It is possible to configure clients of server <tt>grundoon.udel.edu</tt> in the same way with the server line pointing to <tt>grundoon.udel.edu</tt>. Dependent clients authenticate to <tt>time.nistg.gov</tt> through <tt>grundoon.udel.edu</tt>.</p>
+<p>In the above configuration examples, the default autokey host name is the string returned by the Unix <tt>gethostbyname()</tt> library routine. This name has nothing to do with the DNS name of the host. The autokey host name is used as the subject and issuer names on the certificate, as well as the default password for the host key file. The autokey host name can be changed using the <tt>-s</tt> option with the <tt>ntp-keygen</tt> program. The default password can be changed using the <tt>-p</tt> option with the <tt>ntp-keygen</tt> program and the <tt>pw</tt> option of the <tt>crypto</tt> command. </p>
<p>It is important to note that certificates have a defined lifetime of one year from the time of creation. Sometime toward the end of the liftetime period, it is necessary to create a new certificat at both the server and client. For each server and client as root:</p>
<p><tt># ntp_keygen</tt></p>
-<p>The options are copied from the current certificarte.</p>
+<p>The options are copied from the current certificate.</p>
<p> </p>
<p>There are three timeouts associated with the Autokey scheme. The key list timeout, which defaults to about 1.1 h, specifies the interval between generating new key lists. The revoke timeout, which defaults to about 36 hr, specifies the interval between generating new private values. The restart timeout, with default about 5 d, specifies the interval between protocol restarts to refresh public values. In general, the behavior when these timeouts expire is not affected by the issues discussed on this page.</p>
<h4 id="group">NTP Secure Groups</h4>
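Review bot: the added paragraph on the default autokey host name says it is the string returned by gethostbyname(), but the ntp-keygen.c part of this patch fills hostbuf with gethostname(hostbuf, MAXHOSTNAME); name the routine the code actually calls. The same paragraph presents the host name as the default password for the host key file. Because that value is guessable, the text should tell operators to set their own with -p and the pw option of the crypto command rather than leave it as a neutral default. Smaller points in the added lines: "including as MD5 or SHA" should read "including MD5 or SHA", "time.nistg.gov" carries over the typo from the removed line, and the comma sits inside the tt element in "time.nist.gov," and "grundoon.udel.edu,". The unchanged renewal text still says "one year" and "ntp_keygen", although the code now has a lifetime variable and the program is named ntp-keygen everywhere else.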
#define MD5KEYS 10 /* number of keys generated of each type */
#define MD5SIZE 20 /* maximum key size */
#define JAN_1970 2208988800UL /* NTP seconds */
-#define YEAR ((long)60*60*24*365) /* one year in seconds */
+#define DAY ((long)60*60*24) /* one day in seconds */
+#define YEAR ((long)365) /* one year in days */
#define MAXFILENAME 256 /* max file name length */
#define MAXHOSTNAME 256 /* max host name length */
#ifdef AUTOKEY
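Review bot: YEAR keeps its name but changes unit from seconds to days, so any remaining use that expects seconds will still compile and be wrong by a factor of 86400. Rename it (for example DAYSPERYEAR) so stale uses fail to build, or confirm that the X509_time_adj() call is the only user.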
*/
extern char *optarg; /* command line argument */
char *progname;
-volatile int debug = 0; /* debug, not de bug */
-#ifdef AUTOKEY
+volatile int debug = 0; /* debug, not de bug */
u_int modulus = PLEN; /* prime modulus size (bits) */
u_int modulus2 = ILEN; /* identity modulus size (bits) */
-#endif
+u_int lifetime = YEAR; /* cetificate lifetime (days) */
int nkeys; /* MV keys */
time_t epoch; /* Unix epoch (seconds) since 1970 */
u_int fstamp; /* NTP filestamp */
-char *hostname = NULL; /* host name (subject name) */
-char *groupname = NULL; /* trusted host name (issuer name) */
-char filename[MAXFILENAME + 1]; /* file name */
+char *hostname = NULL; /* host name */
+char *groupname = NULL; /* group name */
+char *certname = NULL; /* certificate subjetc/issuer name */
char *passwd1 = NULL; /* input private key password */
char *passwd2 = NULL; /* output private key password */
+char filename[MAXFILENAME + 1]; /* file name */
#ifdef AUTOKEY
long d0, d1, d2, d3; /* callback counters */
#endif /* AUTOKEY */
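Review bot: with the #ifdef AUTOKEY / #endif pair around modulus and modulus2 removed, PLEN and ILEN must be defined in builds without AUTOKEY; please confirm they are, or keep the guard. The new lifetime variable is initialised to YEAR, but nothing in the visible hunks sets it from an option, so say how it is meant to be changed. Comment typos in the added lines: "cetificate" and "subjetc".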
* Process options, initialize host name and timestamp.
*/
gethostname(hostbuf, MAXHOSTNAME);
- hostname = hostbuf;
+ hostname = groupname = certname = passwd1 = hostbuf;
+ passwd2 = NULL;
gettimeofday(&tv, 0);
-
epoch = tv.tv_sec;
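Review bot: hostname, groupname, certname and passwd1 now all alias hostbuf, and the gethostname() call just above is not checked for failure or truncation, so an empty or unterminated buffer would reach the certificate name and the private key password at the same time. Check the return value and terminate hostbuf explicitly before the chained assignment. Since the passwd1 default moves out of the #ifdef AUTOKEY block in the option handling, also confirm that defaulting the private key password to the host name is intended for every build.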
{
md5key++;
#ifdef AUTOKEY
- passwd1 = hostbuf;
if (HAVE_OPT( PVT_PASSWD ))
passwd1 = strdup(OPT_ARG( PVT_PASSWD ));
scheme = OPT_ARG( CERTIFICATE );
if (HAVE_OPT( SUBJECT_NAME ))
- hostname = strdup(OPT_ARG( SUBJECT_NAME ));
+ certname = strdup(OPT_ARG( SUBJECT_NAME ));
if (HAVE_OPT( ISSUER_NAME ))
groupname = strdup(OPT_ARG( ISSUER_NAME ));
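Review bot: SUBJECT_NAME now writes certname and no longer changes hostname, while ISSUER_NAME still writes groupname, yet the new declaration comments describe certname as the subject/issuer name and groupname only as the group name. State at the option handling which variable ends up as subject and which as issuer, and check any code that relied on the subject-name option changing hostname.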
exit (-1);
}
if (exten == NULL)
- x509(pkey_sign, ectx, grpkey, exten, hostname);
+ x509(pkey_sign, ectx, grpkey, exten, certname);
else
x509(pkey_sign, ectx, grpkey, exten, groupname);
#endif /* AUTOKEY */
*
* How it works
*
- * The scheme goes like this. Bob has the server values (p, E, q, gbar,
- * ghat) and Alice has the client values (p, xbar, xhat).
+ * The scheme goes like this. Bob has the server values (p, E, q,
+ * gbar, ghat) and Alice has the client values (p, xbar, xhat).
*
* Alice rolls new random nonce r mod p and sends to Bob in the MV
* request message. Bob rolls random nonce k mod q, encrypts y = r E^k
*/
for (i = 0; i <= n; i++) {
a[i] = BN_new();
-
BN_one(a[i]);
}
for (j = 1; j <= n; j++) {
*/
for (i = 0; i <= n; i++) {
g[i] = BN_new();
-
BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
}
for (i = 1; i <= n; i++) {
if (i == j)
continue;
+
BN_mod_exp(u, x[i], v, dsa->q, ctx);
BN_add(xbar[j], xbar[j], u);
}
* additional keys, so we sail on with only token revocations.
*/
s = BN_new();
-
BN_copy(s, dsa->q);
- BN_div(s, u, s, s1[10], ctx);
BN_div(s, u, s, s1[n], ctx);
/*
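Review bot: removing BN_div(s, u, s, s1[10], ctx); is a functional change, unlike the blank-line edits in the neighbouring hunks: before it, s was divided by s1[10] regardless of n and then again by s1[n]. Call this out in the commit message and say whether keys generated by the old code need to be regenerated. The remaining BN_new(), BN_copy() and BN_div() calls are still unchecked, so an allocation or division failure here would go unnoticed.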
* changed.
*/
bige = BN_new(); gbar = BN_new(); ghat = BN_new();
-
BN_mod_exp(bige, biga, s, dsa->p, ctx);
BN_mod_exp(gbar, dsa->g, s, dsa->p, ctx);
BN_mod_mul(v, s, b, dsa->q, ctx);
fprintf(stderr, "Generating %d MV client keys\n", n);
for (j = 1; j <= n; j++) {
sdsa = DSA_new();
-
sdsa->p = BN_dup(dsa->p);
sdsa->q = BN_dup(BN_value_one());
sdsa->g = BN_dup(BN_value_one());
X509_set_serialNumber(cert, serial);
ASN1_INTEGER_free(serial);
X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
- X509_time_adj(X509_get_notAfter(cert), YEAR, &epoch);
+ X509_time_adj(X509_get_notAfter(cert), lifetime * DAY, &epoch);
subj = X509_get_subject_name(cert);
X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
(unsigned char *) name, strlen(name), -1, 0);
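Review bot: lifetime * DAY multiplies a u_int by a long and passes the product to X509_time_adj(); where long is 32 bits the product no longer fits once lifetime exceeds roughly 24855 days, and a lifetime of 0 makes notAfter equal to notBefore. If lifetime is going to be settable, validate its range before this call and reject values that cannot be represented.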