Network Working Group
Internet Engineering Task Force (IETF) N. Rozen-Schiff
Internet-Draft
Request for Comments: 9523 D. Dolev
Intended status:
Category: Informational Hebrew University of Jerusalem
Expires: 1 March 2024
ISSN: 2070-1721 T. Mizrahi
Huawei Network.IO Innovation Lab
M. Schapira
Hebrew University of Jerusalem
29 August 2023
February 2024
A Secure Selection and Filtering Mechanism for the Network Time Protocol
with Khronos
draft-ietf-ntp-chronos-25
Abstract
The Network Time Protocol version 4 (NTPv4), as defined in RFC 5905,
is the mechanism used by NTP clients to synchronize with NTP servers
across the Internet. This document describes a companion application
to the NTPv4 client, named Khronos, which "Khronos", that is used as a "watchdog"
alongside NTPv4, NTPv4 and that provides improved security against time time-
shifting attacks. Khronos involves changes to the NTP client's
system process only. Since it does not affect the wire protocol, the
Khronos mechanism is applicable to current and future time protocols.
Status of This Memo
This Internet-Draft document is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents valid
approved by the IESG are candidates for a maximum any level of six months Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 March 2024.
https://www.rfc-editor.org/info/rfc9523.
Copyright Notice
Copyright (c) 2023 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info)
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 5
2.1. Terms and Abbreviations . . . . . . . . . . . . . . . . . 5
2.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Khronos Design . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Khronos Calibration - Gathering the Khronos Pool . . . . 6
3.2. Khronos's Poll and System Processes . . . . . . . . . . . 7
3.3. Khronos's Recommended Parameters . . . . . . . . . . . . 8
4. Operational Considerations . . . . . . . . . . . . . . . . . 9
4.1. Load considerations . . . . . . . . . . . . . . . . . . . 9 Considerations
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
5.1. Threat Model . . . . . . . . . . . . . . . . . . . . . . 10
5.2. Attack Detection . . . . . . . . . . . . . . . . . . . . 11
5.3. Security Analysis Overview . . . . . . . . . . . . . . . 11
6. Khronos Pseudocode . . . . . . . . . . . . . . . . . . . . . 13
7. Precision vs. Security . . . . . . . . . . . . . . . . . . . 13
8. Implementation Status . . . . . . . . . . . . . . . . . . . . 14
8.1. Implementation 1 . . . . . . . . . . . . . . . . . . . . 14
8.1.1. Coverage . . . . . . . . . . . . . . . . . . . . . . 14
8.1.2. Licensing . . . . . . . . . . . . . . . . . . . . . . 15
8.1.3. Contact Information . . . . . . . . . . . . . . . . . 15
8.1.4. Last Update . . . . . . . . . . . . . . . . . . . . . 15
8.2. Implementation 2 . . . . . . . . . . . . . . . . . . . . 15
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
11.
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
11.1.
9.1. Normative References . . . . . . . . . . . . . . . . . . 15
11.2.
9.2. Informative References . . . . . . . . . . . . . . . . . 16
Acknowledgements
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
NTPv4, as defined in RFC 5905 [RFC5905], is vulnerable to time
shifting attacks, time-shifting
attacks in which the attacker changes (shifts) the clock of a network
device. Time shifting Time-shifting attacks on NTP clients can be based on
interfering with the communication between the NTP clients and
servers or compromising the servers themselves. Time shifting Time-shifting
attacks on NTP are possible even if NTP communication is encrypted
and authenticated. A weaker machine-in-the-middle (MitM) (MITM) attacker
can shift time simply by dropping or delaying packets, whereas a
powerful attacker, who attacker that has full control over an NTP server, server can do so
by explicitly determining the NTP response content. This document
introduces a time shifting time-shifting mitigation mechanism called Khronos. "Khronos".
Khronos can be integrated as a background monitoring background-monitoring application
("watchdog")
(watchdog) that guard guards against time shifting time-shifting attacks in any NTP
client. An NTP client that runs Khronos is interoperable with
[RFC5905]-compatible NTPv4 servers.
servers that are compatible with [RFC5905]. The Khronos mechanism
does not affect the wire mechanism and mechanism; therefore, it is therefore applicable to
any current or future time protocol.
Khronos is a mechanism that runs in the background, continuously
monitoring the client clock (which is updated by NTPv4) and
calculating an estimated offset which we refer by (referred to as the "Khronos time offset".
offset"). When the offset exceeds a predefined threshold (specified
in Section 5.2), this is interpreted as the client experiencing a time shifting
time-shifting attack. In this case, Khronos updates the client's
clock.
When the client is not under attack, Khronos is passive, allowing passive. This allows
NTPv4 to control the client's clock and providing provides the ordinary high
precision and accuracy of NTPv4. When under attack, Khronos takes
control over of the client's clock, mitigating the time shift, shift while
guaranteeing relatively high accuracy with respect to UTC and
precision, as discussed in Section 7.
By leveraging techniques from distributed computing theory for time- time
synchronization, Khronos achieves accurate time even in the presence
of powerful attackers who are in direct control of a large number of
NTP servers. Khronos will prevent shifting the clock when the ratio
of compromised time samples is below 2/3. In each polling interval,
a Khronos client randomly selects and samples a few NTP servers out
of a local pool of hundreds of servers. Khronos is carefully
engineered to minimize the load on NTP servers and the communication
overhead. In contrast, NTPv4, NTPv4 employs an algorithm which that typically
relies on a small subset of the NTP server pool (e.g., 4 four servers)
for time
synchronization, synchronization and is much more vulnerable to time shifting time-shifting
attacks. Configuring NTPv4 to use several hundreds of servers will
increase its security, but will incur very high network and
computational overhead compared to Khronos and will be bounded by a
compromised ratio of half of the time samples.
A Khronos client iteratively "crowdsources" time queries across NTP
servers and applies a provably secure algorithm for eliminating
"suspicious" responses and for averaging over the remaining
responses. In each Khronos poll interval, the Khronos client
selects, uniformly at random, a small subset (e.g., 10-15 servers) of
a large server pool (containing hundreds of servers). While Khronos
queries around 3 three times more servers per polling interval than
NTP, Khronos's polling interval can be longer (e.g., 10 times longer)
than NTPv4, thereby, thereby minimizing the load on NTP servers and the
communication overhead. Moreover, Khronos's random server selection
may even help to distribute queries across the whole pool.
Khronos's security was evaluated both theoretically and
experimentally with a prototype implementation. According to this
security analysis, if a local Khronos pool consists of, for example,
500 servers, 1/7 one-seventh of whom are controlled by an attacker and
Khronos queries 15 servers in each Khronos poll interval (around 10
times the NTPv4 poll interval), then over 20 years of effort are
required (in expectation) to successfully shift time at a Khronos
client by over 100 ms from UTC. The full exposition of the formal
analysis of this guarantee is available at [Khronos_paper]. [Khronos].
Khronos introduces a watchdog mechanism that maintains a time offset value that is used (the Khronos time offset) and
uses it as a reference for detecting attacks. The This time offset value
computation differs from the current NTPv4 in two key
aspects. aspects:
* First, Khronos periodically communicates, in each Khronos poll interval, Khronos periodically
communicates with only a few (tens) randomly selected servers out
of a pool consisting of a large number (e.g., hundreds) of NTP
servers.
* Second, Khronos computes "Khronos the Khronos time offset" offset based on an
approximate agreement technique to remove outliers, thus limiting
the attacker's ability to contaminate the "time samples" time samples (offsets)
derived from the queried NTP servers.
These two aspects allow Khronos to minimize the load on the NTP
servers and to provide provable security guarantees against both MITM
attackers and attackers capable of compromising a large number of NTP
servers.
We note that, to some extent, NTS Network Time Security (NTS) [RFC8915]
could make it more challenging for attackers to perform MITM attacks,
but is of little impact if the servers themselves are compromised.
2. Conventions Used in This Document
2.1. Terms and Abbreviations
NTPv4
NTPv4: Network Time Protocol version 4 4. See [RFC5905].
System process Selection Algorithm process: See the "Selection Algorithm" and the Cluster Algorithm "Cluster
Algorithm" sections of [RFC5905].
Security Requirements Security Requirements: See "Security Requirements of Time Protocols
in Packet Switched Networks Networks" [RFC7384].
NTS
NTS: Network Time Security. See "Network Time Security for the
Network Time
Protocol Protocol" [RFC8915].
2.2. Notations
Describing
When describing the Khronos algorithm, the following notation is used.
used:
+==========+====================================================+
| Notation | Meaning |
+==========+====================================================+
| n | The number of candidate servers in a Khronos pool |
| | (potentially hundreds). |
+----------+----------------------------------------------------+
| m | The number of servers that Khronos queries in each |
| | poll interval (up to tens). |
+----------+----------------------------------------------------+
| w | An upper bound on the distance between any |
| | "truechimer" NTP server (as in [RFC5905]) and UTC. |
+----------+----------------------------------------------------+
| B | An upper bound on the client's clock error rate |
| | (ms/sec). |
+----------+----------------------------------------------------+
| ERR | An upper bound on the client's clock error between |
| | Khronos polls (ms). |
+----------+----------------------------------------------------+
| K | The number of Khronos pool re-samplings resamplings until |
| | reaching "Panic "panic mode". |
+----------+----------------------------------------------------+
| H | Predefined threshold for a Khronos time offset triggering |
| | triggering clock update by Khronos. |
+----------+----------------------------------------------------+
Table 1: Khronos Notations Notation
The recommended values are discussed in Section 3.3.
3. Khronos Design
Khronos watchdog periodically queries a set of m (tens) servers from a large
(hundreds) server pool in each Khronos poll interval, where the m
servers are selected from the server pool at random. Based on
empirical analyses, to minimize the load on NTP servers while
providing high security, the Khronos poll interval should be around
10 times the NTPv4 poll interval (i.e., a Khronos clock update occurs
once every 10 NTPv4 clock updates). In each Khronos poll interval,
if the Khronos time offset exceeds a predetermined threshold (denoted
as H), an attack is indicated.
Unless an attack is indicated, Khronos uses only one sample from each
server (avoiding the "Clock Filter Algorithm" as defined in section
Section 10 in of [RFC5905]). When under attack, Khronos uses several
samples from each server, server and executes the "Clock Filter Algorithm"
for choosing the best sample from each server, server with low jitter. Then,
given a sample from each server, Khronos discards outliers by
executing the procedure described in Section 3.2.
Between consecutive Khronos polls, Khronos keeps track of clock
offsets, for example e.g., by catching clock discipline (as in [RFC5905]) calls.
The sum of offsets is referred to as the "Khronos inter-poll offset"
(denoted as tk) tk), which is set to zero after each Khronos poll.
3.1. Khronos Calibration - Gathering the Khronos Pool
Calibration is performed at the first time the Khronos is executed, executed and also periodically, once in a long time (every
periodically thereafter (once every two weeks). The calibration
process generates a local Khronos pool of n (up to hundreds) NTP
servers that the client can synchronize with. To this end, Khronos
makes multiple DNS queries to addresses of NTP pools collect the union NTP pools. Each query returns a
few NTP server IPs that Khronos combines into one set of all received IP addresses. IPs
considered as the Khronos pool. The servers in the Khronos pool
should be scattered across different regions to make it harder for an
attacker to compromise, compromise or gain machine-in-the-middle capabilities, MITM capabilities with respect to a
large fraction of the Khronos pool. Therefore, Khronos calibration
queries general NTP server pools (for example
pool.ntp.org), (e.g., pool.ntp.org) and not only just
the pool in the client's state or region. In addition, servers can
be selected to be part of the Khronos pool manually or by using other
NTP pools (such as NIST internet Internet time servers).
The first Khronos update requires m servers, which can be found in
several minutes. Moreover, it is possible to query several DNS pool
names to vastly accelerate the calibration and the first update.
The calibration is the only Khronos part where DNS traffic is
generated. Around 125 DNS queries are required by Khronos to obtain
addresses of 500 NTP servers servers, which is higher than Khronos pool size
(n). Assuming the calibration period is two weeks, the expected DNS
traffic generated by the Khronos client is less than 10 DNS queries
per day, which is usually several orders of magnitude lower than the
total daily number of DNS queries per machine.
3.2. Khronos's Poll and System Processes
In each Khronos poll interval interval, the Khronos system process randomly
chooses a set of m (tens) servers out of the Khronos pool of n
(hundreds) servers and samples them. Note that the randomness of the
server selection is crucial for the security of the scheme and
therefore scheme;
therefore, any Khronos implementation must use a secure randomness
implementation such as what is used for encryption key generation.
Khronos's polling times of different servers may spread uniformly
within its poll interval, which is similar to NTPv4. Servers which that do
not respond during the Khronos poll interval are filtered out. If
less than 1/3 one-third of the m servers are left, a new subset of
servers is immediately sampled, sampled in the exact same manner (called (which is
called the "resampling" process).
Next, out of the time-samples time samples received from this chosen subset of
servers, the lowest third of the samples' offset values and the
highest third of the samples' offset values are discarded.
Khronos checks that the following two conditions hold for the
remaining sampled offsets: offsets (considering w and ERR defined in Table 1):
* The maximal distance between every two offsets does not exceed 2w
(can be verified by considering just the minimum and the maximum
offsets).
* The distance between the offsets offset's average and the Khronos inter-poll inter-
poll offset is ERR+2w at most ERR+2w.
(where w and ERR are as described in Table 1). most.
In the event that both of these conditions are satisfied, the average
of the offsets is set to be the "Khronos Khronos time offset". offset. Otherwise,
resampling is performed. This process spreads the Khronos client's
queries across servers servers, thereby improving security against powerful
attackers (as discussed in Section 5.3) and mitigating the effect of
a DoS attack on NTP servers that renders them non-responsive. This
resampling process continues in subsequent Khronos poll intervals
until the two conditions are both satisfied or the number of times
the servers are re-sampled resampled exceeds a "Panic Trigger" "panic trigger" (K in Table 1),
in which case 1).
In this case, Khronos enters a "Panic Mode". panic mode.
In panic mode, Khronos queries all the servers in its local Khronos
pool, orders the collected time samples from lowest to highest highest, and
eliminates the lowest third and the highest third of the samples.
The client then averages over calculates the average of the remaining samples, samples and
sets this average to be the new "Khronos Khronos time offset". offset.
If the Khronos time offset exceeds a predetermined threshold (H) (H), it
is passed on to the clock discipline algorithm in order to steer the
system time (as in [RFC5905]). In this case case, the user and/or admin
of the client machine should be notified about the detected time time-
shifting attack, for example e.g., by a message written to a relevant event log
or displayed on screen.
Note that resampling follows immediately follows the previous sampling since
waiting until the next polling interval may increase the time shift
in face of an attack. This shouldn't generate high overhead since
the number of resamples is bounded by K (after K resamplings, "Panic
mode" panic
mode is in place) and the chances to arrive to of ending up with repeated
resampling are low (see Section 5 for more details). Moreover, in an
interval following a panic mode, Khronos executes the same system
process
which that starts by querying only m servers (regardless of
previous panic).
3.3. Khronos's Recommended Parameters
According to empirical observations (presented in [Khronos_paper]), [Khronos]),
querying 15 servers at each poll interval (i.e., m=15) out of 500
servers (i.e., n=500), n=500) and setting w to be around 25 ms provides both
high time accuracy and good security. Specifically, when selecting
w=25ms,
w=25 ms, approximately 83% of the servers' clocks are are, at most w-away most, w
away from UTC, UTC and within 2w from each other, satisfying the first
condition of Khronos's system process. For a similar reason, the
threshold for a Khronos time offset triggering a clock update by
Khronos (H) should be between w to 2w and is selected on 2w; the default to 30ms. is 30 ms. Note
that in order to support scenarios with congested links scenarios, it is recommended
to use links, using a
higher w value, such as 1 sec. second, is recommended.
Furthermore, according to Khronos security analysis, setting K to be
3 (i.e., if after 3 re-samplings the two conditions are not satisfied after three
resamplings, then Khronos enters "panic mode") panic mode) is safe when facing time shifting
time-shifting attacks. In addition, the probability of an attacker
forcing a panic mode on a client when K equals 3, K=3 is negligible (less than
0.000002 for each polling interval).
Khronos's effect on precision and accuracy are discussed in Section 7 Sections
5 and Section 5. 7.
4. Operational Considerations
Khronos is designed in order to defend NTP clients from time shifting time-shifting attacks
while using public NTP servers. As such, Khronos is not applicable
for datacenters data centers and enterprises which that synchronize with local atomic
clocks, GPS devices devices, or a dedicated NTP server (for
example (e.g., due to
regulations).
Khronos can be used for devices that require and depend upon time
keeping withing
timekeeping within a configurable constant distance from UTC.
4.1. Load considerations Considerations
One requirement from Khronos is thus not to induce excessive load on NTP
servers beyond that of NTPv4, even if it is widely integrated into
NTP clients. We discuss below the possible causes for Khronos-induced a Khronos-
induced load on servers and how this can be mitigated.
Servers in pool.ntp.org are weighted differently by the NTP server
pool when assigned to NTP clients. Specifically, server owners
define a ``server weight'' "server weight" (the ``netspeed'' "netspeed" parameter) and servers are
assigned to clients probabilistically according to their proportional
weight. Khronos (watchdog mode) Khronos's queries are equally distributed across a pool of
servers. To avoid overloading servers, Khronos queries servers less
frequently than NTPv4, with the Khronos query interval set to 10
times the default NTPv4 maxpoll (interval) parameter. Hence, if
Khronos queries are targeted at servers in pool.ntp.org, any target
increase in server load (in terms of multiplicative increase in
queries or number of bytes per second) is controlled by the poll
interval configuration configuration, which was analyzed in
[Ananke_paper]. [Ananke].
Consider the scenario where an attacker attempts to generate
significant load on NTP servers by triggering multiple consecutive
panic modes at multiple NTP clients. We note that to accomplish
this, the attacker must have man-in-the-middle MITM capabilities with respect to the
communication between each and every client in a large group of
clients and a large fraction of all NTP servers in the queried pool.
This implies that the attacker must either be physically located at a
central location (e.g., at the egress of a large ISP) or launch a wide scale
wide-scale attack (e.g., on BGP or DNS) and
thereby DNS); thereby, it is capable to carry of
carrying similar and even higher impact attacks regardless of Khronos
clients.
5. Security Considerations
5.1. Threat Model
The following powerful attacker, including MitM, is considered: the
attacker is assumed to control threat model encompasses a broad spectrum of attackers impacting
a subset (e.g., third) one-third) of the servers in NTP pools and is capable of fully determining the values of the
time samples returned by these NTP servers. The threat model
encompasses a broad spectrum of attackers, ranging pools. These
attackers can range from a fairly weak (yet dangerous) MitM attackers MITM attacker
that is only capable of delaying and dropping packets (for example (e.g., using
the Bufferbloat attack) attack [RFC8033]) to an extremely powerful attackers attacker
who are is in control of (even authenticated) NTP servers and is capable
of fully determining the values of the time samples returned by these
NTP servers (see detailed security requirements attacker discussion in [RFC7384]).
The
For example, the attackers covered by this model might be, for example, (1) be:
1. in direct control of a fraction of the NTP servers (e.g., by
exploiting a software vulnerability), (2)
2. an ISP (or other Autonomous-System-
level attacker) attacker at the Autonomous System level) on the
default BGP paths from the NTP client to a fraction of the
available servers, (3)
3. a nation state with authority over the owners of NTP servers in
its jurisdiction, or (4)
4. an attacker capable of hijacking (e.g., through DNS cache
poisoning or BGP prefix hijacking) traffic to some of the
available NTP servers.
The details of the specific attack scenario are abstracted by
reasoning about attackers in terms of the fraction of servers with
respect to which the attacker has adversarial capabilities.
Attackers that can impact communications with (or control) a higher
fraction of the servers, for example servers (e.g., all servers, servers) are out of scope.
Considering the pool size across the world to be thousands across in the world, thousands,
such attackers will most probably likely be capable of performing creating far worst worse
damage than time shifting. time-shifting attacks.
Notably, Khronos provides protection from MitM MITM and powerful attacks
that cannot be achieved by cryptographic authentication protocols
since
since, even with such measures in place place, an attacker can still
influence time by dropping/delaying packets. However, adding an
authentication layer (e.g., NTS [RFC8915]) to Khronos will enhance
its security guarantees and enable the detection of various spoofing
and modification attacks.
Moreover, Khronos uses randomness to independently select the queried
servers in each poll interval, preventing attackers from exploiting
observations of past server selections.
5.2. Attack Detection
Khronos detects time-shifting attacks by constantly monitoring
NTPv4's (or potentially any other current or future time protocol)
clock and the offset computed by Khronos and checking whether the
offset exceeds a predetermined threshold (H). Unless an attack was
detected, NTPv4 controls the
client's clock. clock unless an attack was detected. Under attack, Khronos
takes control over the clients client's clock in order to prevent its shift.
Analytical results (in [Khronos_paper]) [Khronos]) indicate that if a local Khronos
pool consists of 500 servers, 1/7 one-seventh of whom are controlled by a
machine-in-the-middle
MITM attacker, and 15 of those servers are queried in each Khronos
poll interval, then success in shifting time of a Khronos client by
even a small degree (100 ms), ms) takes many years of effort (over 20
years in expectation). See a brief overview of Khronos's security
analysis below.
Khronos's security analysis is briefly described next.
5.3. Security Analysis Overview
Time-samples
Time samples that are at most w away from UTC are considered "good",
whereas other samples are considered "malicious". Two scenarios are
considered:
* Scenario A: Less than 2/3 two-thirds of the queried servers are under
the attacker's control.
* Scenario B: The attacker controls more than 2/3 two-thirds of the
queried servers.
The first scenario, where there are more than 1/3 good samples,
Scenario A consists of two sub-cases: (i) there
1. There is at least one good sample in the set of samples not
eliminated by Khronos (in the middle third of samples), and (ii)
2. there are no good samples in the remaining set of samples.
In the first of these two cases (at least one good sample
in the set of samples that was not eliminated by Khronos), sub-case 1, the other remaining samples, including those provided
by the attacker, must be close to a good sample (for otherwise, (otherwise, the first
condition of Khronos's system process in Section 3.2 is violated and
a new set of servers is chosen). This implies that the average of
the remaining samples must be close to UTC.
In the second sub-case (where there
are no good samples in the set of remaining samples), 2, since more than a third of the initial samples were
good, both the (discarded) third
lowest-value third-lowest-value samples and the
(discarded) third highest-value third-highest-value samples must each contain a good
sample. Hence, all the remaining samples are bounded from both above
and below by good samples, and so is their average value, implying
that this value is close to UTC [RFC5905].
In the second scenario, where the attacker controls more than 2/3 of
the queried servers, Scenario B, the worst possibility for the client is that all
remaining samples are malicious (i.e., more than w away from UTC).
However, as proved in [Khronos_paper], [Khronos], the probability of this scenario is
extremely low low, even if the attacker controls a large fraction (e.g., 1/4)
one-fourth) of the n servers in the local Khronos pool. Therefore,
the probability that the attacker repeatedly reaches this scenario
decreases exponentially, rendering the probability of a significant
time shift negligible. We can express the improvement ratio of
Khronos over NTPv4 by the ratios of their single shift single-shift probabilities.
Such ratios are provided in Table Table 2, where higher values indicate
higher improvement of Khronos over NTPv4 and are also proportional to
the expected time till until a time shift time-shift attack succeeds once.
+========+==========+==========+==========+==========+==========+
| Attack | 6 | 12 | 18 | 24 | 30 |
| Ratio | samples Samples | samples Samples | samples Samples | samples Samples | samples Samples |
+========+==========+==========+==========+==========+==========+
| 1/3 | 1.93e+01 | 3.85e+02 | 7.66e+03 | 1.52e+05 | 3.03e+06 |
+--------+----------+----------+----------+----------+----------+
| 1/5 | 1.25e+01 | 1.59e+02 | 2.01e+03 | 2.54e+04 | 3.22e+05 |
+--------+----------+----------+----------+----------+----------+
| 1/7 | 1.13e+01 | 1.29e+02 | 1.47e+03 | 1.67e+04 | 1.90e+05 |
+--------+----------+----------+----------+----------+----------+
| 1/9 | 8.54e+00 | 7.32e+01 | 6.25e+02 | 5.32e+03 | 4.52e+04 |
+--------+----------+----------+----------+----------+----------+
| 1/10 | 5.83e+00 | 3.34e+01 | 1.89e+02 | 1.07e+03 | 6.04e+03 |
+--------+----------+----------+----------+----------+----------+
| 1/15 | 3.21e+00 | 9.57e+00 | 2.79e+01 | 8.05e+01 | 2.31e+02 |
+--------+----------+----------+----------+----------+----------+
Table 2: Khronos Improvement
In addition to evaluating the probability of an attacker successfully
shifting time at the client's clock, we also evaluated the
probability that the attacker succeeds in launching a DoS attack on
the servers by causing many clients to enter a panic mode (and query querying
all the servers in their local Khronos pools). This probability
(with the previous parameters of n=500, m=15, w=25 w=25, and K=3) is
negligible even for an attacker who controls a large number of
servers in client's clients' local Khronos pools, and it is expected to take
decades to force a panic mode.
Further details about Khronos's security guarantees can be found in
[Khronos_paper].
[Khronos].
6. Khronos Pseudocode
The pseudocode for Khronos Time Sampling Scheme, which is invoked in
each Khronos poll interval interval, is as follows:
counter = 0
S = []
T = []
While counter < K do
S = sample(m) //gather //get samples from (tens of) randomly chosen servers
T = bi_side_trim(S,1/3) //trim lowest and highest thirds
if (max(T) - min(T) <= 2w) and (|avg(T) - tk| < ERR + 2w) Then 2w), then
return avg(T) // Normal case
end
counter ++
end
// panic mode
S = sample(n)
T = bi-sided-trim(S,1/3) //trim lowest and highest thirds
return avg(T)
Note that if clock disciplines can be called during this pseudocode's
execution, then each time offset sample, as well as the final output
(Khronos time offset), should be normalized with the sum of the clock
disciplines offsets (tk) at the time of computing it.
7. Precision vs. Security
Since NTPv4 updates the clock at times when no time-shifting attacks
are detected, the precision and accuracy of a Khronos client are the
same as NTPv4 at these times. Khronos is proved to maintain an
accurate estimation of the UTC with high probability. Therefore Therefore,
when Khronos detects that client's clock error exceeds a threshold
(H), it considers it as to be an attack and takes control over the
client's clock. As a result, the time shift is mitigated and high
accuracy is guaranteed (the error is bounded by H).
Khronos is based on crowdsourcing across servers and regions, changes
the set of queried servers more frequently than NTPv4
[Khronos_paper], [Khronos], and
avoids some of the filters in NTPv4's system process. These factors
can potentially harm its precision. Therefore, a smoothing mechanism
can be used, used where instead of a simple average of the remaining
samples, the smallest (in absolute value) offset is used unless its
distance from the average is higher than a predefined value.
Preliminary experiments demonstrated promising results with precision
similar to NTPv4.
Note that in
In applications such as multi source multi-source media streaming, which are
highly sensitive to time differences among hosts, note that it is
advisable to use Khronos at all hosts in order to obtain high precision
precision, even in the presence of attackers that try to shift each
host in a different magnitude and/or direction. Another approach
that is more efficient approach for this these cases may be to allow direct time
synchronization between one host who runs Khronos to others.
8. Implementation Status
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to [RFC7942], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
8.1. Implementation 1
Organization: Hebrew University of Jerusalem
Implementers: Neta Rozen-Schiff, May Yaaron, Noam Caspi and Shahar
Cohen
Maturity: Proof-of-Concept Prototype
This implementation was used to check consistency and to ensure
completeness of this specification.
8.1.1. Coverage
This implementation covers the complete specification.
8.1.2. Licensing
The code is released under the MIT license.
The source code is available at: https://github.com/netars/chronos
8.1.3. Contact Information
Contact Martin Langer: neta.r.schiff@gmail.com
8.1.4. Last Update
The implementation was updated in June 2022.
8.2. Implementation 2
Organization: Network Time Foundation (NTF)
Implementers: Neta Rozen-Schiff, Danny Mayer, juergen perlinger and
Harlan Stenn.
Contact Martin Langer: neta.r.schiff@gmail.com
Maturity: in progress (https://khronos.nwtime.org/).
9. Acknowledgements
The authors would like to thank Erik Kline, Miroslav Lichvar, Danny
Mayer, Karen O'Donoghue, Dieter Sibold, Yaakov. J. Stein, Harlan
Stenn, Hal Murray, Marcus Dansarie, Geoff Huston, Roni Even, Benjamin
Schwartz, Tommy Pauly, Rob Sayre, Dave Hart and Ask Bjorn Hansen for
valuable contributions to this document and helpful discussions and
comments.
10. IANA Considerations
This memo includes document has no request to IANA.
11. IANA actions.
9. References
11.1.
9.1. Normative References
[RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<https://www.rfc-editor.org/info/rfc5905>.
[RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in
Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
October 2014, <https://www.rfc-editor.org/info/rfc7384>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205,
[RFC8033] Pan, R., Natarajan, P., Baker, F., and G. White,
"Proportional Integral Controller Enhanced (PIE): A
Lightweight Control Scheme to Address the Bufferbloat
Problem", RFC 7942, 8033, DOI 10.17487/RFC7942, July 2016,
<https://www.rfc-editor.org/info/rfc7942>. 10.17487/RFC8033, February 2017,
<https://www.rfc-editor.org/info/rfc8033>.
[RFC8915] Franke, D., Sibold, D., Teichel, K., Dansarie, M., and R.
Sundblad, "Network Time Security for the Network Time
Protocol", RFC 8915, DOI 10.17487/RFC8915, September 2020,
<https://www.rfc-editor.org/info/rfc8915>.
11.2.
9.2. Informative References
[Ananke_paper]
[Ananke] Perry, Y., Rozen-Schiff, N., and M. Schapira, "Preventing
(Network) Time Travel with Chronos", "A Devil of
a Time: How Vulnerable is NTP to Malicious Timeservers?",
Network and Distributed Systems Security (NDSS) Symposium,
Virtual, DOI 10.14722/ndss.2021.24302, February 2021,
<https://www.ndss-symposium.org/wp-content/uploads/
ndss2021_1A-2_24302_paper.pdf>.
[Khronos_paper]
[Khronos] Deutsch, O., Rozen-Schiff, N., Dolev, D., and M. Schapira,
"Preventing (Network) Time Travel with Chronos", Network
and Distributed Systems Security (NDSS) Symposium, San
Diego, CA, USA, DOI 10.14722/ndss.2018.23231, February
2018, <https://www.ndss-symposium.org/wp-
content/uploads/2018/02/ndss2018_02A-2_Deutsch_paper.pdf>.
Acknowledgements
The authors would like to thank Erik Kline, Miroslav Lichvar, Danny
Mayer, Karen O'Donoghue, Dieter Sibold, Yaakov. J. Stein, Harlan
Stenn, Hal Murray, Marcus Dansarie, Geoff Huston, Roni Even, Benjamin
Schwartz, Tommy Pauly, Rob Sayre, Dave Hart, and Ask Bjorn Hansen for
valuable contributions to this document and helpful discussions and
comments.
Authors' Addresses
Neta Rozen-Schiff
Hebrew University of Jerusalem
Jerusalem
Israel
Phone: +972 2 549 4599
Email: neta.r.schiff@gmail.com
Danny Dolev
Hebrew University of Jerusalem
Jerusalem
Israel
Phone: +972 2 549 4588
Email: danny.dolev@mail.huji.ac.il
Tal Mizrahi
Huawei Network.IO Innovation Lab
Israel
Email: tal.mizrahi.phd@gmail.com
Michael Schapira
Hebrew University of Jerusalem
Jerusalem
Israel
Phone: +972 2 549 4570
Email: schapiram@huji.ac.il