Skip to main content
SpringerLink
Log in

First Results of a Formal Analysis of the Network Time Security Specification

  • Conference paper
  • First Online:
Security Standardisation Research (SSR 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9497))

Included in the following conference series:

Abstract

This paper presents a first formal analysis of parts of a draft version of the Network Time Security specification. It presents the protocol model on which we based our analysis, discusses the decision for using the model checker ProVerif and describes how it is applied to analyze the protocol model. The analysis uncovers two possible attacks on the protocol. We present those attacks and show measures that can be taken in order to mitigate them and that have meanwhile been incorporated in the current draft specification.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Timestamp \(T_i\) corresponds to the reading of the respective system clock at time \(t_i\).

  2. 2.

    The assumption that there is only one attacker is made for simplification. The assumed situation is equivalent to a situation where several attackers are cooperating, or to a situation where one attacker is being helped by one or more dishonest agents, see Reference [32].

  3. 3.

    Note that the NTS specification includes negotiation of hash functions as part of the protocol. However, as stated under Assumption 3, all cryptography is assumed to be unbreakable. Therefore, algorithm negotiation has been ignored for our analysis. It might be interesting to include these steps in future analysis, to look for downgrade attacks.

  4. 4.

    The computer was running a 64 bit version of Windows 7 on an Intel i5 dual core at 2.6 GHz, with 8 GB of RAM.

  5. 5.

    Having “infinitely many” iterations is what is modeled for the analysis. In practice, this will obviously be a finite number.

  6. 6.

    The reason why Goals 7 and 8 do not hold for this model is that Countermeasure 11 only defends against Attack 10, not against Attack 12.

References

  1. Abadi, M.: Security protocols: principles and calculi. In: Aldini, A., Gorrieri, R. (eds.) FOSAD 2007. LNCS, vol. 4677, pp. 1–23. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  2. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2001, pp. 104–115. ACM, New York (2001). http://doi.acm.org/10.1145/360204.360213

  3. Archer, M.: Proving correctness of the basic TESLA multicast stream authentication protocol with TAME. In: Workshop on Issues in the Theory of Security, pp. 14–15 (2002)

    Google Scholar 

  4. Basin, D., Capkun, S., Schaller, P., Schmidt, B.: Formal Reasoning About Physical Properties of Security Protocols. ACM Trans. Inf. Syst. Secur. 14(2), 16:1–16:28 (2011)

    Article  MATH  Google Scholar 

  5. Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004). http://dx.doi.org/10.1007/978-3-540-30080-9_7

    Chapter  Google Scholar 

  6. Blanchet, B., Smyth, B., Cheval, V.: ProVerif 1.88: automatic cryptographic protocol verifier, user manual and tutorial. Technical report, INRIA Paris-Rocquencourt, 08 2013

    Google Scholar 

  7. Blanchette, J.C., Nipkow, T.: Nitpick: a counterexample generator for higher-order logic based on a relational model finder. In: Kaufmann, M., Paulson, L.C. (eds.) ITP 2010. LNCS, vol. 6172, pp. 131–146. Springer, Heidelberg (2010). http://dblp.uni-trier.de/db/conf/itp/itp2010.html#BlanchetteN10

    Chapter  Google Scholar 

  8. Cremers, C.J.F.: The scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). http://dx.doi.org/10.1007/978-3-540-70545-1_38

    Chapter  Google Scholar 

  9. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

    Article  MathSciNet  MATH  Google Scholar 

  10. Durgin, N.A., Lincoln, P., Mitchell, J.C.: Multiset rewriting and the complexity of bounded security protocols. J. Comput. Secur. 12(2), 247–311 (2004). http://content.iospress.com/articles/journal-of-computer-security/jcs215

    Article  Google Scholar 

  11. Ganeriwal, S., Pöpper, C., Capkun, S., Srivastava, M.B.: Secure time synchronization in sensor networks (E-SPS). In: Proceedings of 2005 ACM Workshop on Wireless Security (WiSe 2005), pp. 97–106. ACM, Sept 2005

    Google Scholar 

  12. Hopcroft, P., Lowe, G.: Analysing a stream authentication protocol using model checking. Int. J. Inf. Secur. 3(1), 2–13 (2004)

    Article  Google Scholar 

  13. Housley, R.: Cryptographic Message Syntax (CMS). RFC 5652, RFC Editor, September 2009. http://www.rfc-editor.org/rfc/rfc5652.txt

  14. IEEE: IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems (2008). http://ieeexplore.ieee.org/servlet/opac?punumber=4579757

  15. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104, RFC Editor, 02 1997. http://www.rfc-editor.org/rfc/rfc2104.txt

  16. Levine, J.: A Review of Time and Frequency Transfer Methods. Metrologia 45(6), 162–174 (2008)

    Article  Google Scholar 

  17. Li, L., Sun, J., Liu, Y., Dong, J.S.: TAuth: verifying timed security protocols. In: Merz, S., Pang, J. (eds.) ICFEM 2014. LNCS, vol. 8829, pp. 300–315. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-11737-9_20

    Google Scholar 

  18. Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  19. Milius, S., Sibold, D., Teichel, K.: An Attack Possibility on Time Synchronization Protocols Secured with TESLA-Like Mechanisms, Draft version: https://www8.cs.fau.de/staff/milius/AttackPossibilityTimeSyncTESLA.pdf

  20. Mills, D., Haberman, B.: Network Time Protocol Version 4: Autokey Specification. RFC 5906, RFC Editor, 06 2010. http://www.rfc-editor.org/rfc/rfc5906.txt

  21. Mills, D., Martin, J., Burbank, J., Kasch, W.: Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905, RFC Editor, 06 2010. http://www.rfc-editor.org/rfc/rfc5905.txt

  22. Mizrahi, T.: Security Requirements of Time Protocols in Packet Switched Networks. RFC 7384, RFC Editor, 10 2014. http://www.rfc-editor.org/rfc/rfc7384.txt

  23. Nipkow, T., Wenzel, M., Paulson, L.C.: Isabelle/HOL: A Proof Assistant for Higher-order Logic. Springer, Heidelberg (2002)

    Book  MATH  Google Scholar 

  24. Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1–2), 85–128 (1998)

    Article  Google Scholar 

  25. Perrig, A., Song, D., Canetti, R., Tygar, J.D., Briscoe, B.: Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction. RFC 4082, RFC Editor, 06 2005. http://www.rfc-editor.org/rfc/rfc4082.txt

  26. Röttger, S.: Analysis of the NTP Autokey Procedures, 2 2012. http://zero-entropy.de/autokey_analysis.pdf

  27. Ryan, M.D., Smyth, B.: Applied pi calculus. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols, Chap. 6. IOS Press (2011). http://www.bensmyth.com/files/Smyth10-applied-pi-calculus.pdf

  28. Saeedloei, N., Gupta, G.: Timed \(\pi \)-calculus. In: Abadi, M., Lluch Lafuente, A. (eds.) TGC 2013. LNCS, vol. 8358, pp. 119–135. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  29. Sibold, D., Teichel, K., Röttger, S.: Network time security. Technical report, IETF Secretariat, 07 2013. https://datatracker.ietf.org/doc/draft-ietf-ntp-network-time-security/history/

  30. Sibold, D., Teichel, K., Röttger, S., Housley, R.: Protecting network time security messages with the cryptographic message syntax (CMS). Technical report, IETF Secretariat, 10 2014. https://datatracker.ietf.org/doc/draft-ietf-ntp-cms-for-nts-message/history/

  31. Sun, K., Ning, P., Wang, C.: TinySeRSync: secure and resilient time synchronization in wireless sensor networks. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 264–277. ACM, New York (2006)

    Google Scholar 

  32. Syverson, P., Meadows, C., Cervesato, I.: Dolev-yao is no better than machiavelli. In: Degano, P. (ed.) First Workshop on Issues in the Theory of Security – WITS 2000, pp. 87–92, Jul 2000. http://theory.stanford.edu/~iliano/papers/wits00.ps.gz

Download references

Author information

Authors and Affiliations

  1. Physikalisch-Technische Bundesanstalt, Bundesallee 100, 38116, Braunschweig, Germany

    Kristof Teichel & Dieter Sibold

  2. Chair for Theoretical Computer Science, Friedrich-Alexander Universität Erlangen-Nürnberg, Martensstr. 3, 91058, Erlangen, Germany

    Stefan Milius

Authors
  1. Kristof Teichel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dieter Sibold
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Stefan Milius
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kristof Teichel .

Editor information

Editors and Affiliations

  1. Hewlett Packard Laboratories, Bristol, United Kingdom

    Liqun Chen

  2. NICT, Tokyo, Japan

    Shin'ichiro Matsuo

A ProVerif Source Code

A ProVerif Source Code

In this appendix, we present some of the relevant ProVerif source code used for the preparation of this paper. There have been different code versions involved in the analysis:

  • Code version c030ut: It models protocol version 0.3.0 but has no dedicated type for hostnames.

  • Code version c030: It models protocol version 0.3.0 and does have a dedicated hostname type.

  • Code version c031: It models protocol version 0.3.1.

  • Code version c032: It models protocol version 0.3.2.

All of the code below is taken from code version c030, which formed the basis of the analysis. Presenting the other versions in full would take up a lot of space, whereas presenting only the differences is difficult. This is because although the changes between the different code versions are minor, they still include numerous lines that are spread far apart. Some comment lines and structuring have been left out for the presentation.

For any reader who is interested in access to the complete code (all code versions, ready for use with ProVerif), it is available under https://www8.cs.fau.de/staff/milius/ProVerif-NTS.rar.

1.1 A.1 Cryptographic Primitives

The first lines of the ProVerif source code form the cryptographic primitives that are needed.

figure h

1.2 A.2 Global Variables and Constants

Next we have the declarations of channels and other global variables and constants.

figure i

1.3 A.3 Events

The declarations of ProVerif “events” follow that are used for better traceability of what is happening in what order.

figure j
figure k
figure l

1.4 A.4 The Trusted Authority Process

The code then moves on to the processes by which the participants are modeled. We first present the process that models the trusted authority. Its only purpose is to generate and distribute certificates for server and client type participants.

figure m

1.5 A.5 The Server Side Processes

Inner Server Processes. Next are those processes that make up the model of the server. The first process represents the server module which deals with the certification message exchange.

figure n

The next process involves the server module whose purpose it is to execute the cookie message exchange as well as the required calculations.

figure o

Then the server module follows that takes care of the time synchronization message exchange.

figure p

Outer Server Process. We then see the “outer” server process whose purpose is simply to execute iterations of all the “inner” processes (the modules listed above in Appendix A.5).

figure q

1.6 A.6 The Client Side Processes

Inner Client Process. Moving on to the client side processes, there is first the “inner” process which takes care of the time synchronization message exchange, including the necessary checks on the MAC.

figure r

Outer Client Process. The “outer” client side process follows, which performs the initial message exchanges (server certification and cookie exchange) and then executes instantiations of the inner process.

figure s

Note that the first else-branch includes all the code below it. Note also the dedicated listener process given by

figure t

which is started when the client accepts a cookie and does not really represent client behavior according to the protocol, but only listens for the cookie on an open channel. This enables us to check for the loss of a cookie by querying whether the event cookieCompromised() is ever executed at all (see Appendix A.8).

1.7 A.7 The Environment Process

Here, we present the global ProVerif process which takes care of instantiating all participants.

figure u

1.8 A.8 ProVerif Queries

Now we present the ProVerif queries. We first consider those queries that concern the cookie exchange.

Sanity – Cookie Exchange. This query makes sure that there is some cookie \(x\) which is accepted by the honest client \(A\) as coming from the honest server \(B\), i. e. the cookie exchange can be completed successfully.

figure v

This query holds for all four code versions.

Weak Authenticity – Cookie. This query ensures that if the honest client \(A\) accepts a cookie \(x\) for communication with the honest server \(B\), then \(B\) has in fact generated \(x\) and released it into the network (note that this gives no guarantee that \(B\) intended \(x\) for communication with \(A\) in particular).

figure w

Applying this query to the different ProVerif code versions yields the following results:

  • It does not hold for code version c030ut. The attack that ProVerif discovers is the first one described in Sect. 6.

  • It holds for the code versions c030, c031, and c032.

Authenticity – Cookie. This query strengthens the guarantee acquired with the previous query: it ensures that if the honest client \(A\) accepts a cookie \(x\) for communication with the honest server \(B\), then \(B\) has in fact issued \(x\) based on \(A\)’s public key, and has also encrypted the appropriate message with said public key. This is the query that corresponds to Goal 9.

figure x

The results for this query are as follows:

  • It does not hold for code version c030ut. Authenticity for the cookie would require weak authenticity for it, which is not given (see above). Also, the Man-in-the-Middle attack described in Sect. 6 works on this version.

  • It does not hold for code version c030. Again, the corresponding attack is the Man-in-the-Middle attack described in Sect. 6.

  • It holds for the code versions c031, and c032

Secrecy – Cookie. This query asserts that if the honest client \(A\) accepts a cookie \(x\), then the attacker does not know \(x\). This is realized via the event cookieCompromised() from the dedicated listener process as described in Appendix A.6. This query corresponds to Goal 8.

figure y

  • This query does not hold for code version c030ut and neither does it hold for c030: Both of the possible attacks enable Mallory to make Alice accept a cookie that Mallory knows. In the case of the Blind-signature attack she manufactures said cookie herself; in the case of the Man-in-the-Middle attack she maliciously re-distributes a valid key, signed by Bob.

  • This query holds for the code versions c031 and c032.

Next, we take a look at some queries that concern the time synchronization message exchange.

Sanity – Time Synchronization. This query checks whether it is possible for the protocol to be run such that the honest client \(A\) successfully accepts a timesync response as valid and authentic from the honest server \(B\).

figure z

This query holds for all four code versions.

Authenticity – Time Synchronization. This query ensures that if a timesync message \(t\) is accepted by the honest client \(A\) as authentic from an honest server \(B\), then \(B\) has really issued a message with the exact time data as in \(t\) and secured it with the cookie which is generated based on \(A\)’s public key. This query corresponds to Goal 7.

figure aa

  • As might be expected due to the lack of cookie secrecy, this query also does not hold for code version c030ut and neither does it hold for c030. Since for these code versions Mallory can gain access to cookies that Alice accepts as valid, she can use those cookies to generate time synchronization packets with maliciously manufactured synchronization information that Alice will accept.

  • This query holds for the code versions c031 and c032.

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Teichel, K., Sibold, D., Milius, S. (2015). First Results of a Formal Analysis of the Network Time Security Specification. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science(), vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-27152-1_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27151-4

  • Online ISBN: 978-3-319-27152-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation