A Universally Composable Treatment of Network Time

Frank Wang
MIT Security Seminar
Apr 10, 2018

Aanchal Malhotra from Boston University came to give a talk about her work on a universally composable treatment of network time. Here, I’ll give a brief overview of the work, but you can find more information in their paper.

So, what is the Network Time Protocol (NTP)? It is the standardized time sync protocol, which was introduced in 1985. The initial goals were robustness and load distribution, and some non-goals were peer authentication and data integrity. In fact, it is the longest running and ubiquitously available protocol on the Internet!

The network time protocol is very relevant for public key infrastructure (PKI), specifically for certificates and certificate revocation lists (CRLs). For a certificate and CRL, the client needs the real time and to sync with the issuer. To keep clients from accepting old/compromised certificates, the time must be accurate and securely communicated.

However, standard protocols for time synchronization are subvertible. It is easy to perform time shifting attacks by setting client clocks backward or forward so that clients will accept expired or revoked certificates. The main observation of their work is that attacks leverage unauthenticated NTP traffic.

There have been several works to define and analyze the security requirements of time sync protocols, and there are ongoing efforts to standardize secure NTP. However, we need to have accepted and formalized notions for time sync protocols.

Their work provides the following:

  • Rigorous definitions of security notions for time sync protocols
  • A demonstration that these notions suffice for protocols that need real time
  • Proofs of security for protocols that realize these notions
  • An analysis that is modular in the universally composable security framework

How exactly does NTP work? At a high level, a client has a local clock, and a server has an even better clock. NTP provides a mechanism for the client to get the time from the server through a communication channel.

[Figure: Overview of NTP protocol]

However, there are limitations to the utility of the time delivered by NTP. There is a delay: the client gets the time later than it initially requested because of network latency. There is also network asymmetry in estimating latency, because the client-to-server latency might not be equal to the server-to-client latency.
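To make the delay and asymmetry limitations concrete, here is an added example (not code from the talk or the paper) that runs the standard NTP offset/delay arithmetic on a constructed exchange and shows how the resulting error interval can leave a certificate's expiry undecidable. The function names and all sample values are assumptions made for illustration; times are integer milliseconds.

```python
# Added example: NTP's on-wire offset/delay arithmetic on a constructed exchange.
# Function names are hypothetical; all sample values below are constructed.

def simulate_exchange(client_now, true_offset, d_cs, d_sc, server_proc=1):
    """Return (t1, t2, t3, t4) for one request/response.

    true_offset = server clock minus client clock (unknown to the client).
    d_cs / d_sc = one-way latency client->server and server->client.
    """
    t1 = client_now                        # client clock: request sent
    t2 = t1 + d_cs + true_offset           # server clock: request received
    t3 = t2 + server_proc                  # server clock: response sent
    t4 = t3 - true_offset + d_sc           # client clock: response received
    return t1, t2, t3, t4

def ntp_estimate(t1, t2, t3, t4):
    """Standard NTP estimates: (offset, round-trip delay)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2   # exact only when d_cs == d_sc
    delay = (t4 - t1) - (t3 - t2)          # network time only, excludes server_proc
    return offset, delay

def offset_bounds(offset, delay):
    """Interval that contains the true offset, provided the timestamps are authentic."""
    return offset - delay / 2, offset + delay / 2

def cert_expiry_check(client_now, offset, delay, not_after):
    """Classify a certificate's notAfter against the uncertain corrected clock."""
    lo, hi = offset_bounds(offset, delay)
    if client_now + hi <= not_after:
        return "valid"
    if client_now + lo > not_after:
        return "expired"
    return "ambiguous"   # expiry falls inside the clock's error interval

if __name__ == "__main__":
    # Symmetric path (40 ms each way): the estimate equals the true offset.
    print(ntp_estimate(*simulate_exchange(1_000_000, 5000, 40, 40)))
    # Asymmetric path (90 ms out, 10 ms back): estimate is off by (90 - 10) / 2.
    off, delay = ntp_estimate(*simulate_exchange(1_000_000, 5000, 90, 10))
    print(off, delay, offset_bounds(off, delay))
    print(cert_expiry_check(1_000_100, off, delay, not_after=1_005_120))
```

The estimate's error is (d_cs - d_sc) / 2, so it never exceeds half the round-trip delay, but that bound only holds when the four timestamps have not been tampered with, which is why unauthenticated NTP traffic matters.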

A common way to think about and prove security is to use the universally composable (UC) security framework. I won’t go into too much detail about the framework or the proof here. However, I will outline some key insights.

One main challenge is that UC is asynchronous and event-driven. There is no mechanism for modeling real time, but one insight is to model real time via a counter. For a multi-server and client setting, there are nice bounds on “error” for the client clock when time is distributed in a hierarchical manner.

This work is interesting as they were able to formalize the security around NTP. I would like to see more of this work for protocols on the internet where security is paramount!
