NTP Broadcast Mode with MD5 Authentication

Appendix B: MD5 Authentication and NTP Broadcast Mode

B.2 NTP Broadcast Mode with MD5 Authentication

An NTP broadcast timeserver with an NTP broadcast time client can be used for NTP version 4 with authentication.

The MD5 authentication protocol is optionally available for NTP versions 3 and 4. When NTP receives a packet, it looks up the key identification number carried in the packet against the private key held in the “ntp.keys” file, calculates the MD5 digest, and compares the result to the digest sent in the packet. If the digests do not agree, the packet is ignored. Thus only servers with trusted MD5 keys may send time to a client. The keys are known to both the NTP client and the server through separate key files, usually named “ntp.keys” in the “/etc” directory. The name and location of the file are set by the “-k” option when the NTP program is invoked.
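The check described above, worked through end to end, as an added example (this is not code from the manual or from the TimeVault product): it parses a constructed “ntp.keys” file, builds an NTPv4 broadcast header, appends the key identifier and the MD5 digest computed over the shared key and the header, and then performs the client-side comparison. The key file contents, key identifiers, timestamps and the tampered copy of the packet are all constructed for the demonstration; the digest layout (4-byte key ID followed by a 16-byte MD5 of key || header) follows the NTP MD5 authentication scheme.

```python
import hashlib
import hmac
import struct

# Constructed ntp.keys contents in the "<keyid> <type> <key>" layout the manual
# refers to; type M marks an MD5 key whose secret is an ASCII string.
SAMPLE_NTP_KEYS = """\
# keyid  type  key            (constructed sample, not a deployment file)
1        M     broadcastSecret1
10       M     anotherSharedKey
"""

NTP_HEADER_LEN = 48            # bytes of NTPv4 header covered by the digest
KEY_ID_LEN, DIGEST_LEN = 4, 16  # trailer: key identifier + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def parse_ntp_keys(text):
    """Return {key_id: secret_bytes} for the MD5 ('M') entries of an ntp.keys file."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key_id, key_type, secret = line.split(None, 2)
        if key_type.upper() == "M":
            keys[int(key_id)] = secret.encode("ascii")
    return keys


def ntp_timestamp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_header(transmit_unix_time, stratum=1, version=4, mode=5):
    """Build a 48-byte NTP header; mode 5 is the broadcast server mode."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll=6, precision=-20
    root_delay = root_disp = b"\x00" * 4
    ref_id = b"GPS\x00"                    # reference clock identifier (constructed)
    zero_ts = b"\x00" * 8                  # reference/origin/receive timestamps
    transmit_ts = ntp_timestamp(transmit_unix_time)
    return head + root_delay + root_disp + ref_id + zero_ts * 3 + transmit_ts


def md5_mac(secret, header):
    """NTP MD5 authenticator: digest over the shared secret followed by the header."""
    return hashlib.md5(secret + header).digest()


def sign_packet(header, key_id, keys):
    """Server side: append the key identifier and the digest to the header."""
    return header + struct.pack("!I", key_id) + md5_mac(keys[key_id], header)


def verify_packet(packet, keys, trusted_ids):
    """Client side: look up the key by identifier, recompute the digest, compare.

    Returns True only for a packet whose key is both known and trusted and whose
    digest matches; anything else is what the manual describes as 'ignored'.
    """
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys or key_id not in trusted_ids:
        return False
    return hmac.compare_digest(md5_mac(keys[key_id], header), digest)


def demo():
    """Exercise the three outcomes: valid, altered in transit, untrusted key."""
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    trusted = {1}                                  # only key 1 is trusted by the client
    header = build_header(1_700_000_000.5)
    good = sign_packet(header, 1, keys)
    # A copy whose transmit timestamp byte was changed after signing (constructed).
    altered = good[:44] + bytes([good[44] ^ 0xFF]) + good[45:]
    # Correctly signed, but with a key the client does not trust.
    untrusted = sign_packet(header, 10, keys)
    return (verify_packet(good, keys, trusted),
            verify_packet(altered, keys, trusted),
            verify_packet(untrusted, keys, trusted))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The constant-time comparison in `verify_packet` and the separate trusted-key set are the two details a practitioner usually wants confirmed: the key file may hold more keys than the client is willing to accept time from, and only identifiers in the trusted set let a packet through.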

In actual practice, for normal NTP client-to-server communication using explicit IP addresses with multiple servers, it is not necessary to use MD5, because the NTP client spends a great deal of effort filtering out packets with incorrect time; packets from anyone attempting to send false time to an NTP client would be discarded. However, when broadcast time is used, the client accepts the packet more readily and in this case can be fooled. The same is true if only one NTP server is used to synchronize an NTP client and a network attacker substitutes a false NTP server for the good one. Under these conditions the NTP client has nothing to judge the time against and, if the false information is persistent, the client will eventually be forced to reset its time. In this case it is worth the extra processing load to use MD5.

Setting up an NTP broadcast server and NTP client using MD5 authentication requires modifications to the “ntp.keys” file.

Editing MD5 keys is covered in Chapter 4 (see the sections starting on page 4-70). The following discussion covers the use of an NTP broadcast timeserver with an NTP broadcast time client for NTP version 4 without authentication.

6000-100AppB.fm Rev. D

TimeVault™ User’s Manual

B-101
