[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-schiff-ntp-chronos) 00 01 02

Network Working Group                                    N. Rozen-Schiff
Internet-Draft                                                  D. Dolev
Intended status: Informational            Hebrew University of Jerusalem
Expires: September 5, 2020                                    T. Mizrahi
                                        Huawei Network.IO Innovation Lab
                                                             M. Schapira
                                          Hebrew University of Jerusalem
                                                           March 4, 2020

A Secure Selection and Filtering Mechanism for the Network Time Protocol
                               Version 4


   The Network Time Protocol version 4 (NTPv4), as defined in RFC 5905,
   is the mechanism used by NTP clients to synchronize with NTP servers
   across the Internet.  This document specifies an extension to the
   NTPv4 client, named Chronos, which is used as a "watchdog" alongside
   NTPv4, and provides improved security against time shifting attacks.
   Chronos involves changes to the NTP client's system process only and
   is backwards compatible with NTPv4 servers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 5, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 1]

Internet-Draft         NTP Extention with Chronos             March 2020

   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   4
     2.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Terms and Abbreviations . . . . . . . . . . . . . . . . .   4
     2.3.  Notations . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Extension to the NTP System Process . . . . . . . . . . . . .   4
     3.1.  Chronos' System Process . . . . . . . . . . . . . . . . .   5
   4.  Chronos' Pseudocode . . . . . . . . . . . . . . . . . . . . .   6
   5.  Precision vs. Security  . . . . . . . . . . . . . . . . . . .   7
   6.  Chronos' Threat Model and Security Guarantees . . . . . . . .   7
     6.1.  Security Analysis Overview  . . . . . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   NTPv4, as defined in RFC 5905 [RFC5905], is vulnerable to time
   shifting attacks, in which the attacker's goal is to shift the local
   time at an NTP client.  See [Chronos_paper] for details.  Time
   shifting attacks on NTP are possible even if all NTP communications
   are encrypted and authenticated.  This document introduces an
   improved system process that incorporates an algorithm called
   Chronos.  Chronos is backwards compatible with NTPv4 and serves as an
   NTPv4 client's "watchdog" for time shifting attacks.  An NTP client
   that runs Chronos is interoperable with [RFC5905]-compatible NTPv4

   Chronos is a background mechanism that continuously maintains a
   virtual "Chronos" clock update and compares it to NTPv4's clock
   update.  When the gap between the two updates exceeds a certain
   threshold (specified in Section 6), this is interpreted as the client
   experiencing a time shifting attack.  In this case, Chronos is used
   to update the client's clock, and NTPv4 is operated in the background

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 2]

Internet-Draft         NTP Extention with Chronos             March 2020

   until the gap between NTPv4 and Chronos' updates are again below this
   threshold, and hence NTPv4 is safe to use again.

   Due to Choronos operating in the background, the client clock's
   precision and accuracy are precisely as in NTPv4 while not
   experiencing a time-shifting attack.  When under attack, Chronos
   prevents the clock from being shifted by the attacker, thus still
   preserving high accuracy and precision (as discussed in Section 6).

   Chronos achieves accurate synchronization even in the presence of
   powerful attackers who are in direct control of a large number of NTP
   servers: up to 1/3 of the servers in the pool (where the pool may
   consist of hundreds or even thousands of servers).  NTPv4 chooses a
   small subset of the NTP server pool (e.g. 4 servers), and
   periodically queries this subset of servers.  Thus, even if only 1/3
   of the servers in the pool are compromised, the small subset that is
   used by NTPv4 may consist of a majority of faulty servers.
   Conversely, Chronos constantly updates the set of servers it queries;
   in each poll interval Chronos randomly chooses a different subset of
   servers from the pool.  Thus, even if an attack is not detected in a
   given poll interval, Chronos is bound to detect the attack within a
   relatively small number of poll intervals.

   A Chronos client iteratively "crowdsources" time queries across NTP
   servers and applies a provably secure algorithm for eliminating
   "suspicious" responses and for averaging over the remaining
   responses.  Chronos is carefully engineered to minimize communication
   overhead so as to avoid overloading NTP servers.  Chronos' security
   was evaluated both theoretically and experimentally with a prototype
   implementation.  These evaluation results indicate that in order to
   successfully shift time at a Chronos client by over 100ms from the
   UTC, even a powerful man-in-the-middle attacker requires over 20
   years of effort in expectation.  The full paper is available at

   Chronos introduces a watchdog mechanism that is added to the client's
   system process and maintains a virtual clock value that is used as a
   reference for detecting attacks.  The virtual clock value computation
   differs from the current NTPv4 in two key aspects.  First, a Chronos
   client relies on a large number of NTP servers, from which only few
   servers to synchronize with are periodically chosen at random, in
   order to avoid overloading the servers.  Second, the selection
   algorithm of the virtual clock uses an approximate agreement
   technique to remove outliers, thus limiting the attacker's ability to
   contaminate the "time samples" (offsets) derived from the queried NTP
   servers.  These two elements of Chronos' design provide provable
   security guarantees against both man-in-the-middle attackers and
   attackers capable of compromising a large number of NTP servers.

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 3]

Internet-Draft         NTP Extention with Chronos             March 2020

2.  Conventions Used in This Document

2.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Terms and Abbreviations

   NTPv4                  Network Time Protocol version 4 [RFC5905].

   Selection process      Clock filter algorithm and system process

2.3.  Notations

      Describing Chronos algorithm, the following notation are used.

   | Notaion |                         Meaning                         |
   |    n    |     The number of candidate servers in the pool that    |
   |         |         Chronos can query (potentially hundreds)        |
   |    m    |  The number of servers that NTPv4 queries in each poll  |
   |         |                  interval (up to tens)                  |
   |    w    |  An upper bound on the distance of the local time from  |
   |         |     the UTC at any NTP server with an accurate clock    |
   |         |            (termed "truechimer" in [RFC5905])           |
   |   Cest  |   The client's estimation for the time that has passed  |
   |         | since its last synchronization to the server pool (sec) |
   |    B    |   An upper bound on the client's time estimation error  |
   |         |                         (ms/sec)                        |
   |   ERR   |    An upper bound on the client's error regarding his   |
   |         |   estimation of the time passed from the last update,   |
   |         |                  equals to B*Cest (ms)                  |
   |    K    |                      Panic trigger                      |
   |    tc   |    The current time [sec], as indicated by the virtual  |
   |         |         clock value that is computed by Chronos         |

                        Table 1: Chronos Notations

3.  Extension to the NTP System Process

   A client that runs Chronos as a watchdog, uses NTPv4 as in [RFC5905],
   and in the background runs a modification to the elements of the
   system process described in Section 11.2.1 and 11.2.2 in [RFC5905]

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 4]

Internet-Draft         NTP Extention with Chronos             March 2020

   (namely, the Selection Algorithm and the Cluster Algorithm).  The
   NTPv4 conventional protocol periodically queries m servers in each
   poll interval.  In parallel the Chronos watchdog periodically queries
   a (variable) set of m servers in each Chronos poll interval.
   Specifically, in Chronos, after executing the clock filter algorithm
   as defined in Section 10 in [RFC5905], the client discards outliers
   by executing the procedure described in this section and the next.
   Then, the NTPv4 Combine Algorithm is used for computing the system
   peer offset, as specified in Section 11.2.3 in [RFC5905].  In each
   poll interval the Chronos virtual clock value is compared with the
   NTPv4 clock value, and if the difference exceeds a predetermined
   value, an attack is detected.

3.1.  Chronos' System Process

   At the first time the Chronos system process is executed, calibration
   is needed.  The calibration process generates a local pool of servers
   the client can synchronize with, consisting of n servers (up to
   hundreds).  To this end, the NTP client executes the peer process and
   clock filter algorithm as in Sections 9,10 in [RFC5905]
   (respectively), on an hourly basis, for 24 consecutive hours, and
   generates the union of all received NTP servers' IP addresses.
   Importantly, this process can also be executed in the background
   periodically, once in a long time (e.g., every few weeks/months).

   In each Chronos poll interval the Chronos system process randomly
   chooses a set of m servers (where n with magnitude of hundreds and m
   of tens) out of the local pool of n servers.  Then, out of the time-
   samples received from this chosen subset of servers, a third of the
   samples with the lowest offset value and a third of the samples with
   the highest offset value are discarded.

   Chronos checks that the following two conditions hold for the
   remaining samples:

   o  The maximal distance between every two time samples does not
      exceed 2w.

   o  The average value of the remaining samples is at distance at most
      ERR+2w from the client's local clock (as computed by Chronos).

   (where w, ERR are as described in Table 1.  Notice that ERR magnitude
   is approximately LAMBDA as defined in [RFC5905]).

   In the event that both of these conditions are satisfied, the average
   of the remaining samples is the "final offset".  Otherwise, a random
   partial of the interval is chosen, after which Chronos a new subset
   of servers is sampled, in the exact same manner.  This way, Chronos

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 5]

Internet-Draft         NTP Extention with Chronos             March 2020

   client queries are spread across the time interval better in case of
   DoS atack on the NTP servers.  This resampling process continues in
   subsequent Chronos poll intervals until the two conditions are both
   satisfied or the number of times the servers are re-sampled exceeds a
   "Panic Trigger" (K in Table 1), in which case, Chronos enters a
   "Panic Mode".  Note that it is configurable whether the client allows
   panic mode or not.

   In panic mode, Chronos queries all the servers in the local server
   pool, orders the collected time samples from lowest to highest and
   eliminates the bottom third and the top third of the samples.  The
   client then averages over the remaining samples, and sets this
   average to be the new "final offset".

   As in [RFC5905], the final offset is passed on to the clock
   discipline algorithm for the purpose of steering the Chronos virtual
   clock to the correct time.  The Chronos virtual clock is then
   compared to the NTPv4 clock as part of the watchdog process.

   According to empirical observations (presented in [Chronos_paper]),
   setting w to be around 25 milliseconds provides both high time
   accuracy and good security.  Moreover, empirical analyses showed
   that, on average, approximately 83% of the servers' clocks are at
   most w-away from the UTC, and within 2w from each other, satisfying
   the first condition of Chronos' system process.

4.  Chronos' Pseudocode

   The pseudocode for Chronos' Time Sampling Scheme, which is invoked in
   each Chronos poll interval is as follows:

   counter := 0
   While counter < K do
      S := sample(m) //gather samples from (tens of) randomly chosen servers
      T := bi-side-trim(S,1/3) //trim the third lowest and highest values
      if (max(T) -min(T) <= 2w) and (|avg(T)-tc| < ERR + 2w) Then
          return avg(t)
      counter ++
      sleep(rand(0,1)*poll interval)
   // panic mode
   S := sample(n)
   T := bi-sided-trim(S,1/3) //trim bottom and top thirds;
   return avg(T)

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 6]

Internet-Draft         NTP Extention with Chronos             March 2020

5.  Precision vs. Security

   Since NTPv4 updates the clock so long as time-shifting attacks are
   not detected, the precision and accuracy of a Chronos client are the
   same as NTPv4 when not under attack.  When under attack, Chronos,
   which changes the list of the sampled servers more frequently than
   NTPv4 [Chronos_paper], and without using some of the filters in
   NTPv4's system process, can potentially be less precise (though
   provably more accurate and secure than NTPv4, which is vulnerable to
   time-shifting attacks [RFC5905]).

   However, our experimental and empirical analyses of Chronos revealed
   that Chornos and NTPv4 exhibit the same level of precision and
   accuracy when not under attack, with Chronos maintaining this level
   even in the presence of time-shifting attacks.

6.  Chronos' Threat Model and Security Guarantees

   As explained above, Chronos repeatedly gathers time samples from
   small subsets of a large local pool of NTP servers.  The following
   form of a man-in-the-middle (MitM) Byzantine attacker is considered:
   the MitM attacker is assumed to control a subset of the servers in
   the local pool of servers and is capable of determining precisely the
   values of the time samples gathered by the Chronos client from these
   NTP servers.  The threat model thus encompasses a broad spectrum of
   MitM attackers, ranging from fairly weak (yet dangerous) MitM
   attackers only capable of delaying and dropping packets to extremely
   powerful MitM attackers who are in control of (even authenticated)
   NTP servers.  MitM attackers captured by this framework might be, for
   example, (1) in direct control of a fraction of the NTP servers
   (e.g., by exploiting a software vulnerability), (2) an ISP (or other
   Autonomous-System-level attacker) on the default BGP paths from the
   NTP client to a fraction of the available servers, (3) a nation state
   with authority over the owners of NTP servers in its jurisdiction, or
   (4) an attacker capable of hijacking (e.g., through DNS cache
   poisoning or BGP prefix hijacking) traffic to some of the available
   NTP servers.  The details of the specific attack scenario are
   abstracted by reasoning about MitM attackers in terms of the fraction
   of servers with respect to which the attacker has MitM capabilities.

   Chronos detects time-shifting attacks by constantly monitoring
   NTPv4's offset and the offset computed by Chronos, as explained
   above, and checking whether it exceeds a certain threshold (10ms by

   Analytical results (in [Chronos_paper]) indicate that in order to
   succeed in shifting time at a Chronos client by even a small amount
   (e.g., 100ms), even a powerful man-in-the-middle attacker requires

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 7]

Internet-Draft         NTP Extention with Chronos             March 2020

   many years of effort (e.g., over 20 years in expectation).  See a
   brief overview of Chronos' security analysis below.

   Notably, Chronos provides protection from MitM attacks that cannot be
   achieved by cryptographic authentication protocols since even with
   such measures in place an attacker can still influence time by
   dropping/delaying packets.  However, adding an authentication and
   crypto-based security layer to Chronos will enhance its security
   guarantees and enable the detection of various spoofing and
   modification attacks.

   Chronos' security analysis is briefly described next.

6.1.  Security Analysis Overview

   Time-samples that are at most w away from the UTC are considered
   "good", whereas other samples are considered "malicious".  Two
   scenarios are considered:

   o  Less than 2/3 of the queried servers are under the attacker's

   o  The attacker controls more than 2/3 of the queried servers.

   The first scenario, where there are more than 1/3 good samples,
   consists of two sub-cases: (i) there is at least one good sample in
   the set of samples not eliminated by Chronos (that is, in the middle
   third of samples), and (ii) there are no good samples in the
   remaining set of samples.  In the first of these two cases (at least
   one good sample in the set of samples was not eliminated by Chronos),
   the other remaining samples, including those provided by the
   attacker, must be close to a good sample (for otherwise, the first
   condition of Chronos' system process in Section 3.1 is violated and a
   new set of servers is chosen).  This implies that the average of the
   remaining samples must be close to the UTC.  In the second case
   (there are no good samples in the set of remaining samples), since
   more than a third of the initial samples were good, both the
   (discarded) third lowest-value samples and the (discarded) third
   highest-value samples must each contain a good sample.  Hence, all
   the remaining samples are bounded from both above and below by good
   samples, and so is their average value, implying that this value is
   close to the UTC [RFC5905].

   In the second scenario, where the attacker controls more than 2/3 of
   the queried servers, the worst possibility for the client is that all
   remaining samples are malicious (i.e., more than w away from the
   UTC).  However, as proved in [Chronos_paper], the probability of this
   scenario is extremely low even if the attacker controls a large

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 8]

Internet-Draft         NTP Extention with Chronos             March 2020

   fraction (e.g., 1/4) of the servers in the local pool.  The
   probability that the attacker repeatedly succeeds in realising this
   scenario decays exponentially, rendering the probability of a
   significant time shift negligible.  See [Chronos_paper] for details.

   Beyond evaluating the probability of an attacker successfully
   shifting time at the client's clock, we also evaluated the
   probability that the attacker succeeds in launching a DoS attack on
   the servers by causing many clients to enter panic mode (and so query
   all the servers in their local pools).  This probability too is
   negligible even for an attacker in control of a large number of
   servers in clients' local server pools.  See [Chronos_paper]for

   Further details about Chronos's threat model and security guarantees
   can be found in [Chronos_paper].

7.  Acknowledgements

   The authors would like to thank Erik Kline, Miroslav Lichvar, Danny
   Mayer, Karen O'Donoghue, Dieter Sibold, Yaakov.  J.  Stein, and
   Harlan Stenn, for valuable contributions to this document and helpful
   discussions and comments.

8.  IANA Considerations

   This memo includes no request to IANA.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
              "Network Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,

9.2.  Informative References

Rozen-Schiff, et al.    Expires September 5, 2020               [Page 9]

Internet-Draft         NTP Extention with Chronos             March 2020

              Deutsch, O., Schiff, N., Dolev, D., and M. Schapira,
              "Preventing (Network) Time Travel with Chronos", 2018,

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999,

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552,
              DOI 10.17487/RFC3552, July 2003,

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008,

              Patton, C., "Roughtime: Securing Time with Digital
              Signatures", 2018,

Authors' Addresses

   Neta Rozen-Schiff
   Hebrew University of Jerusalem

   Phone: +972 2 549 4599
   Email: neta.r.schiff@gmail.com

   Danny Dolev
   Hebrew University of Jerusalem

   Phone: +972 2 549 4588
   Email: danny.dolev@mail.huji.ac.il

Rozen-Schiff, et al.    Expires September 5, 2020              [Page 10]

Internet-Draft         NTP Extention with Chronos             March 2020

   Tal Mizrahi
   Huawei Network.IO Innovation Lab

   Email: tal.mizrahi.phd@gmail.com

   Michael Schapira
   Hebrew University of Jerusalem

   Phone: +972 2 549 4570
   Email: schapiram@huji.ac.il

Rozen-Schiff, et al.    Expires September 5, 2020              [Page 11]

Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/