First Results of a Formal Analysis of the Network Time Security Specification

  • Kristof Teichel
  • Dieter Sibold
  • Stefan Milius
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9497)


This paper presents a first formal analysis of parts of a draft version of the Network Time Security specification. It presents the protocol model on which we based our analysis, discusses the decision for using the model checker ProVerif and describes how it is applied to analyze the protocol model. The analysis uncovers two possible attacks on the protocol. We present those attacks and show measures that can be taken in order to mitigate them and that have meanwhile been incorporated in the current draft specification.


Time synchronization Security protocols Formal verification Model checking ProVerif 

Supplementary material


  1. 1.
    Abadi, M.: Security protocols: principles and calculi. In: Aldini, A., Gorrieri, R. (eds.) FOSAD 2007. LNCS, vol. 4677, pp. 1–23. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  2. 2.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2001, pp. 104–115. ACM, New York (2001).
  3. 3.
    Archer, M.: Proving correctness of the basic TESLA multicast stream authentication protocol with TAME. In: Workshop on Issues in the Theory of Security, pp. 14–15 (2002)Google Scholar
  4. 4.
    Basin, D., Capkun, S., Schaller, P., Schmidt, B.: Formal Reasoning About Physical Properties of Security Protocols. ACM Trans. Inf. Syst. Secur. 14(2), 16:1–16:28 (2011)CrossRefzbMATHGoogle Scholar
  5. 5.
    Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004). CrossRefGoogle Scholar
  6. 6.
    Blanchet, B., Smyth, B., Cheval, V.: ProVerif 1.88: automatic cryptographic protocol verifier, user manual and tutorial. Technical report, INRIA Paris-Rocquencourt, 08 2013Google Scholar
  7. 7.
    Blanchette, J.C., Nipkow, T.: Nitpick: a counterexample generator for higher-order logic based on a relational model finder. In: Kaufmann, M., Paulson, L.C. (eds.) ITP 2010. LNCS, vol. 6172, pp. 131–146. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  8. 8.
    Cremers, C.J.F.: The scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  9. 9.
    Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Durgin, N.A., Lincoln, P., Mitchell, J.C.: Multiset rewriting and the complexity of bounded security protocols. J. Comput. Secur. 12(2), 247–311 (2004). CrossRefGoogle Scholar
  11. 11.
    Ganeriwal, S., Pöpper, C., Capkun, S., Srivastava, M.B.: Secure time synchronization in sensor networks (E-SPS). In: Proceedings of 2005 ACM Workshop on Wireless Security (WiSe 2005), pp. 97–106. ACM, Sept 2005Google Scholar
  12. 12.
    Hopcroft, P., Lowe, G.: Analysing a stream authentication protocol using model checking. Int. J. Inf. Secur. 3(1), 2–13 (2004)CrossRefGoogle Scholar
  13. 13.
    Housley, R.: Cryptographic Message Syntax (CMS). RFC 5652, RFC Editor, September 2009.
  14. 14.
    IEEE: IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems (2008).
  15. 15.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104, RFC Editor, 02 1997.
  16. 16.
    Levine, J.: A Review of Time and Frequency Transfer Methods. Metrologia 45(6), 162–174 (2008)CrossRefGoogle Scholar
  17. 17.
    Li, L., Sun, J., Liu, Y., Dong, J.S.: TAuth: verifying timed security protocols. In: Merz, S., Pang, J. (eds.) ICFEM 2014. LNCS, vol. 8829, pp. 300–315. Springer, Heidelberg (2014). Google Scholar
  18. 18.
    Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  19. 19.
    Milius, S., Sibold, D., Teichel, K.: An Attack Possibility on Time Synchronization Protocols Secured with TESLA-Like Mechanisms, Draft version:
  20. 20.
    Mills, D., Haberman, B.: Network Time Protocol Version 4: Autokey Specification. RFC 5906, RFC Editor, 06 2010.
  21. 21.
    Mills, D., Martin, J., Burbank, J., Kasch, W.: Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905, RFC Editor, 06 2010.
  22. 22.
    Mizrahi, T.: Security Requirements of Time Protocols in Packet Switched Networks. RFC 7384, RFC Editor, 10 2014.
  23. 23.
    Nipkow, T., Wenzel, M., Paulson, L.C.: Isabelle/HOL: A Proof Assistant for Higher-order Logic. Springer, Heidelberg (2002) CrossRefzbMATHGoogle Scholar
  24. 24.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1–2), 85–128 (1998)CrossRefGoogle Scholar
  25. 25.
    Perrig, A., Song, D., Canetti, R., Tygar, J.D., Briscoe, B.: Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction. RFC 4082, RFC Editor, 06 2005.
  26. 26.
    Röttger, S.: Analysis of the NTP Autokey Procedures, 2 2012.
  27. 27.
    Ryan, M.D., Smyth, B.: Applied pi calculus. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols, Chap. 6. IOS Press (2011).
  28. 28.
    Saeedloei, N., Gupta, G.: Timed \(\pi \)-calculus. In: Abadi, M., Lluch Lafuente, A. (eds.) TGC 2013. LNCS, vol. 8358, pp. 119–135. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  29. 29.
    Sibold, D., Teichel, K., Röttger, S.: Network time security. Technical report, IETF Secretariat, 07 2013.
  30. 30.
    Sibold, D., Teichel, K., Röttger, S., Housley, R.: Protecting network time security messages with the cryptographic message syntax (CMS). Technical report, IETF Secretariat, 10 2014.
  31. 31.
    Sun, K., Ning, P., Wang, C.: TinySeRSync: secure and resilient time synchronization in wireless sensor networks. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 264–277. ACM, New York (2006)Google Scholar
  32. 32.
    Syverson, P., Meadows, C., Cervesato, I.: Dolev-yao is no better than machiavelli. In: Degano, P. (ed.) First Workshop on Issues in the Theory of Security – WITS 2000, pp. 87–92, Jul 2000.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Physikalisch-Technische BundesanstaltBraunschweigGermany
  2. 2.Chair for Theoretical Computer ScienceFriedrich-Alexander Universität Erlangen-NürnbergErlangenGermany

Personalised recommendations