Abstract
This paper presents a first formal analysis of parts of a draft version of the Network Time Security specification. It presents the protocol model on which we based our analysis, discusses the decision for using the model checker ProVerif and describes how it is applied to analyze the protocol model. The analysis uncovers two possible attacks on the protocol. We present those attacks and show measures that can be taken in order to mitigate them and that have meanwhile been incorporated in the current draft specification.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Timestamp \(T_i\) corresponds to the reading of the respective system clock at time \(t_i\).
- 2.
The assumption that there is only one attacker is made for simplification. The assumed situation is equivalent to a situation where several attackers are cooperating, or to a situation where one attacker is being helped by one or more dishonest agents, see Reference [32].
- 3.
Note that the NTS specification includes negotiation of hash functions as part of the protocol. However, as stated under Assumption 3, all cryptography is assumed to be unbreakable. Therefore, algorithm negotiation has been ignored for our analysis. It might be interesting to include these steps in future analysis, to look for downgrade attacks.
- 4.
The computer was running a 64 bit version of Windows 7 on an Intel i5 dual core at 2.6 GHz, with 8 GB of RAM.
- 5.
Having “infinitely many” iterations is what is modeled for the analysis. In practice, this will obviously be a finite number.
- 6.
References
Abadi, M.: Security protocols: principles and calculi. In: Aldini, A., Gorrieri, R. (eds.) FOSAD 2007. LNCS, vol. 4677, pp. 1–23. Springer, Heidelberg (2007)
Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2001, pp. 104–115. ACM, New York (2001). http://doi.acm.org/10.1145/360204.360213
Archer, M.: Proving correctness of the basic TESLA multicast stream authentication protocol with TAME. In: Workshop on Issues in the Theory of Security, pp. 14–15 (2002)
Basin, D., Capkun, S., Schaller, P., Schmidt, B.: Formal Reasoning About Physical Properties of Security Protocols. ACM Trans. Inf. Syst. Secur. 14(2), 16:1–16:28 (2011)
Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004). http://dx.doi.org/10.1007/978-3-540-30080-9_7
Blanchet, B., Smyth, B., Cheval, V.: ProVerif 1.88: automatic cryptographic protocol verifier, user manual and tutorial. Technical report, INRIA Paris-Rocquencourt, 08 2013
Blanchette, J.C., Nipkow, T.: Nitpick: a counterexample generator for higher-order logic based on a relational model finder. In: Kaufmann, M., Paulson, L.C. (eds.) ITP 2010. LNCS, vol. 6172, pp. 131–146. Springer, Heidelberg (2010). http://dblp.uni-trier.de/db/conf/itp/itp2010.html#BlanchetteN10
Cremers, C.J.F.: The scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). http://dx.doi.org/10.1007/978-3-540-70545-1_38
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Durgin, N.A., Lincoln, P., Mitchell, J.C.: Multiset rewriting and the complexity of bounded security protocols. J. Comput. Secur. 12(2), 247–311 (2004). http://content.iospress.com/articles/journal-of-computer-security/jcs215
Ganeriwal, S., Pöpper, C., Capkun, S., Srivastava, M.B.: Secure time synchronization in sensor networks (E-SPS). In: Proceedings of 2005 ACM Workshop on Wireless Security (WiSe 2005), pp. 97–106. ACM, Sept 2005
Hopcroft, P., Lowe, G.: Analysing a stream authentication protocol using model checking. Int. J. Inf. Secur. 3(1), 2–13 (2004)
Housley, R.: Cryptographic Message Syntax (CMS). RFC 5652, RFC Editor, September 2009. http://www.rfc-editor.org/rfc/rfc5652.txt
IEEE: IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems (2008). http://ieeexplore.ieee.org/servlet/opac?punumber=4579757
Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104, RFC Editor, 02 1997. http://www.rfc-editor.org/rfc/rfc2104.txt
Levine, J.: A Review of Time and Frequency Transfer Methods. Metrologia 45(6), 162–174 (2008)
Li, L., Sun, J., Liu, Y., Dong, J.S.: TAuth: verifying timed security protocols. In: Merz, S., Pang, J. (eds.) ICFEM 2014. LNCS, vol. 8829, pp. 300–315. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-319-11737-9_20
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013)
Milius, S., Sibold, D., Teichel, K.: An Attack Possibility on Time Synchronization Protocols Secured with TESLA-Like Mechanisms, Draft version: https://www8.cs.fau.de/staff/milius/AttackPossibilityTimeSyncTESLA.pdf
Mills, D., Haberman, B.: Network Time Protocol Version 4: Autokey Specification. RFC 5906, RFC Editor, 06 2010. http://www.rfc-editor.org/rfc/rfc5906.txt
Mills, D., Martin, J., Burbank, J., Kasch, W.: Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905, RFC Editor, 06 2010. http://www.rfc-editor.org/rfc/rfc5905.txt
Mizrahi, T.: Security Requirements of Time Protocols in Packet Switched Networks. RFC 7384, RFC Editor, 10 2014. http://www.rfc-editor.org/rfc/rfc7384.txt
Nipkow, T., Wenzel, M., Paulson, L.C.: Isabelle/HOL: A Proof Assistant for Higher-order Logic. Springer, Heidelberg (2002)
Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1–2), 85–128 (1998)
Perrig, A., Song, D., Canetti, R., Tygar, J.D., Briscoe, B.: Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction. RFC 4082, RFC Editor, 06 2005. http://www.rfc-editor.org/rfc/rfc4082.txt
Röttger, S.: Analysis of the NTP Autokey Procedures, 2 2012. http://zero-entropy.de/autokey_analysis.pdf
Ryan, M.D., Smyth, B.: Applied pi calculus. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols, Chap. 6. IOS Press (2011). http://www.bensmyth.com/files/Smyth10-applied-pi-calculus.pdf
Saeedloei, N., Gupta, G.: Timed \(\pi \)-calculus. In: Abadi, M., Lluch Lafuente, A. (eds.) TGC 2013. LNCS, vol. 8358, pp. 119–135. Springer, Heidelberg (2014)
Sibold, D., Teichel, K., Röttger, S.: Network time security. Technical report, IETF Secretariat, 07 2013. https://datatracker.ietf.org/doc/draft-ietf-ntp-network-time-security/history/
Sibold, D., Teichel, K., Röttger, S., Housley, R.: Protecting network time security messages with the cryptographic message syntax (CMS). Technical report, IETF Secretariat, 10 2014. https://datatracker.ietf.org/doc/draft-ietf-ntp-cms-for-nts-message/history/
Sun, K., Ning, P., Wang, C.: TinySeRSync: secure and resilient time synchronization in wireless sensor networks. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 264–277. ACM, New York (2006)
Syverson, P., Meadows, C., Cervesato, I.: Dolev-yao is no better than machiavelli. In: Degano, P. (ed.) First Workshop on Issues in the Theory of Security – WITS 2000, pp. 87–92, Jul 2000. http://theory.stanford.edu/~iliano/papers/wits00.ps.gz
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A ProVerif Source Code
A ProVerif Source Code
In this appendix, we present some of the relevant ProVerif source code used for the preparation of this paper. There have been different code versions involved in the analysis:
-
Code version c030ut: It models protocol version 0.3.0 but has no dedicated type for hostnames.
-
Code version c030: It models protocol version 0.3.0 and does have a dedicated hostname type.
-
Code version c031: It models protocol version 0.3.1.
-
Code version c032: It models protocol version 0.3.2.
All of the code below is taken from code version c030, which formed the basis of the analysis. Presenting the other versions in full would take up a lot of space, whereas presenting only the differences is difficult. This is because although the changes between the different code versions are minor, they still include numerous lines that are spread far apart. Some comment lines and structuring have been left out for the presentation.
For any reader who is interested in access to the complete code (all code versions, ready for use with ProVerif), it is available under https://www8.cs.fau.de/staff/milius/ProVerif-NTS.rar.
1.1 A.1 Cryptographic Primitives
The first lines of the ProVerif source code form the cryptographic primitives that are needed.
1.2 A.2 Global Variables and Constants
Next we have the declarations of channels and other global variables and constants.
1.3 A.3 Events
The declarations of ProVerif “events” follow that are used for better traceability of what is happening in what order.
1.4 A.4 The Trusted Authority Process
The code then moves on to the processes by which the participants are modeled. We first present the process that models the trusted authority. Its only purpose is to generate and distribute certificates for server and client type participants.
1.5 A.5 The Server Side Processes
Inner Server Processes. Next are those processes that make up the model of the server. The first process represents the server module which deals with the certification message exchange.
The next process involves the server module whose purpose it is to execute the cookie message exchange as well as the required calculations.
Then the server module follows that takes care of the time synchronization message exchange.
Outer Server Process. We then see the “outer” server process whose purpose is simply to execute iterations of all the “inner” processes (the modules listed above in Appendix A.5).
1.6 A.6 The Client Side Processes
Inner Client Process. Moving on to the client side processes, there is first the “inner” process which takes care of the time synchronization message exchange, including the necessary checks on the MAC.
Outer Client Process. The “outer” client side process follows, which performs the initial message exchanges (server certification and cookie exchange) and then executes instantiations of the inner process.
Note that the first else-branch includes all the code below it. Note also the dedicated listener process given by
which is started when the client accepts a cookie and does not really represent client behavior according to the protocol, but only listens for the cookie on an open channel. This enables us to check for the loss of a cookie by querying whether the event cookieCompromised() is ever executed at all (see Appendix A.8).
1.7 A.7 The Environment Process
Here, we present the global ProVerif process which takes care of instantiating all participants.
1.8 A.8 ProVerif Queries
Now we present the ProVerif queries. We first consider those queries that concern the cookie exchange.
Sanity – Cookie Exchange. This query makes sure that there is some cookie \(x\) which is accepted by the honest client \(A\) as coming from the honest server \(B\), i. e. the cookie exchange can be completed successfully.
This query holds for all four code versions.
Weak Authenticity – Cookie. This query ensures that if the honest client \(A\) accepts a cookie \(x\) for communication with the honest server \(B\), then \(B\) has in fact generated \(x\) and released it into the network (note that this gives no guarantee that \(B\) intended \(x\) for communication with \(A\) in particular).
Applying this query to the different ProVerif code versions yields the following results:
-
It does not hold for code version c030ut. The attack that ProVerif discovers is the first one described in Sect. 6.
-
It holds for the code versions c030, c031, and c032.
Authenticity – Cookie. This query strengthens the guarantee acquired with the previous query: it ensures that if the honest client \(A\) accepts a cookie \(x\) for communication with the honest server \(B\), then \(B\) has in fact issued \(x\) based on \(A\)’s public key, and has also encrypted the appropriate message with said public key. This is the query that corresponds to Goal 9.
The results for this query are as follows:
-
It does not hold for code version c030ut. Authenticity for the cookie would require weak authenticity for it, which is not given (see above). Also, the Man-in-the-Middle attack described in Sect. 6 works on this version.
-
It does not hold for code version c030. Again, the corresponding attack is the Man-in-the-Middle attack described in Sect. 6.
-
It holds for the code versions c031, and c032
Secrecy – Cookie. This query asserts that if the honest client \(A\) accepts a cookie \(x\), then the attacker does not know \(x\). This is realized via the event cookieCompromised() from the dedicated listener process as described in Appendix A.6. This query corresponds to Goal 8.
-
This query does not hold for code version c030ut and neither does it hold for c030: Both of the possible attacks enable Mallory to make Alice accept a cookie that Mallory knows. In the case of the Blind-signature attack she manufactures said cookie herself; in the case of the Man-in-the-Middle attack she maliciously re-distributes a valid key, signed by Bob.
-
This query holds for the code versions c031 and c032.
Next, we take a look at some queries that concern the time synchronization message exchange.
Sanity – Time Synchronization. This query checks whether it is possible for the protocol to be run such that the honest client \(A\) successfully accepts a timesync response as valid and authentic from the honest server \(B\).
This query holds for all four code versions.
Authenticity – Time Synchronization. This query ensures that if a timesync message \(t\) is accepted by the honest client \(A\) as authentic from an honest server \(B\), then \(B\) has really issued a message with the exact time data as in \(t\) and secured it with the cookie which is generated based on \(A\)’s public key. This query corresponds to Goal 7.
-
As might be expected due to the lack of cookie secrecy, this query also does not hold for code version c030ut and neither does it hold for c030. Since for these code versions Mallory can gain access to cookies that Alice accepts as valid, she can use those cookies to generate time synchronization packets with maliciously manufactured synchronization information that Alice will accept.
-
This query holds for the code versions c031 and c032.
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Teichel, K., Sibold, D., Milius, S. (2015). First Results of a Formal Analysis of the Network Time Security Specification. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science(), vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-27152-1_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27151-4
Online ISBN: 978-3-319-27152-1
eBook Packages: Computer ScienceComputer Science (R0)