Preventing (Network) Time Travel with Chronos

Omer Deutsch, Neta Rozen Schiff, Danny Dolev, Michael Schapira

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

18 Scopus citations

Abstract

The Network Time Protocol (NTP) synchronizes time across computer systems over the Internet. Unfortunately, NTP is highly vulnerable to “time shifting attacks”, in which the attacker’s goal is to shift forward/backward the local time at an NTP client. NTP’s security vulnerabilities have severe implications for time-sensitive applications and for security mechanisms, including TLS certificates, DNS and DNSSEC, RPKI, Kerberos, Bitcoin, and beyond. While technically NTP supports cryptographic authentication, it is very rarely used in practice and, worse yet, time-shifting attacks on NTP are possible even if all NTP communications are encrypted and authenticated. We present Chronos, a new NTP client that achieves good synchronization even in the presence of powerful attackers who are in direct control of a large number of NTP servers. Importantly, Chronos is backwards compatible with legacy NTP and involves no changes whatsoever to NTP servers. Chronos leverages ideas from distributed computing literature on clock synchronization in the presence of adversarial (Byzantine) behavior. A Chronos client iteratively “crowdsources” time queries across multiple NTP servers and applies a provably secure algorithm for eliminating “suspicious” responses and averaging over the remaining responses. Chronos is carefully engineered to minimize communication overhead so as to avoid overloading NTP servers. We evaluate Chronos’ security and network efficiency guarantees via a combination of theoretical analyses and experiments with a prototype implementation. Our results indicate that to succeed in shifting time at a Chronos client by over 100ms from UTC, even a powerful man-in-the-middle attacker requires over 20 years of effort in expectation.
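The abstract describes the core Chronos idea only at a high level: query a sample of servers, throw away the extreme ("suspicious") responses, and average what survives, re-sampling when the survivors still disagree. The Python sketch below is an added illustration of that idea and is not the authors' code or the paper's exact algorithm. The parameter names (m, d, w, err), the thresholds, the server pool with its offsets, and the simplified "panic mode" rule (query every server and average the middle third) are all my own constructed assumptions; real Chronos queries NTP servers over the network and its parameters are derived in the paper.

```python
"""Byzantine-robust clock aggregation in the spirit of Chronos (simplified).

Added illustration, not the paper's code. Parameter names (m, d, w, err),
thresholds, the constructed server pool and the 'panic' fallback rule are
assumptions made for this example.
"""
import random
from typing import Callable, Dict, List, Optional


def aggregate_offsets(offsets: List[float], d: int, w: float, err: float) -> Optional[float]:
    """Discard the d smallest and d largest offsets, then sanity-check the rest.

    offsets: clock offsets (seconds) reported by the queried servers, relative
             to the client's current clock (0.0 means "client already correct").
    d:       responses trimmed at each end; an attacker controlling at most d
             of the queried servers cannot place a value among the survivors.
    w:       maximum spread allowed among the surviving offsets.
    err:     maximum distance the averaged offset may be from the local clock.
    Returns the averaged offset, or None when the sample looks suspicious and
    the caller should re-sample instead of adjusting the clock.
    """
    if len(offsets) <= 2 * d:
        raise ValueError("need more than 2*d responses to trim d from each end")
    surviving = sorted(offsets)[d:len(offsets) - d]
    if surviving[-1] - surviving[0] > w:
        return None  # survivors disagree: lying servers or a bad network path
    avg = sum(surviving) / len(surviving)
    if abs(avg) > err:
        return None  # would move the clock far from where the client believes it is
    return avg


def sync_once(query: Callable[[str], float], pool: List[str], m: int, d: int,
              w: float, err: float, rng: Optional[random.Random] = None,
              max_rounds: int = 3) -> float:
    """One Chronos-style synchronization attempt.

    Each round samples m servers uniformly from the pool, queries them and
    aggregates. After max_rounds suspicious results the client enters a
    simplified panic mode (assumption): it queries the whole pool and averages
    the middle third of all responses. Returns the offset to apply.
    """
    rng = rng or random.Random()
    for _ in range(max_rounds):
        sample = rng.sample(pool, m)
        result = aggregate_offsets([query(s) for s in sample], d, w, err)
        if result is not None:
            return result
    # Panic mode (simplified): use every server, trim a third at each end.
    all_offsets = sorted(query(s) for s in pool)
    cut = len(all_offsets) // 3
    middle = all_offsets[cut:len(all_offsets) - cut]
    return sum(middle) / len(middle)


# Constructed scenario: 12 honest servers whose offsets straddle zero by at
# most ~10 ms, and 4 attacker-controlled servers all reporting +60 s.
HONEST_OFFSETS: Dict[str, float] = {f"honest-{i}": round(0.002 * i - 0.010, 3) for i in range(12)}
ROGUE_OFFSETS: Dict[str, float] = {f"rogue-{i}": 60.0 for i in range(4)}
POOL: Dict[str, float] = {**HONEST_OFFSETS, **ROGUE_OFFSETS}


def query_server(name: str) -> float:
    """Stand-in for an NTP exchange: returns the constructed offset for a server."""
    return POOL[name]


def demo() -> float:
    """Sample 9 of the 16 servers, tolerating up to 3 rogue responses per sample."""
    rng = random.Random(2018)
    return sync_once(query_server, sorted(POOL), m=9, d=3, w=0.1, err=1.0, rng=rng)


if __name__ == "__main__":
    print(f"offset to apply: {demo():+.4f} s")
```

The security-relevant behaviour is in the two checks of `aggregate_offsets`: trimming bounds what a minority of bad servers can do to the average, and the spread test refuses to act when a sample contains more liars than the trim can absorb, so the client re-samples rather than shifting its clock. Whatever the random sample, this constructed pool never yields an offset of more than a few milliseconds, despite a quarter of the servers reporting a 60 second shift.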

Original language: English
Title of host publication: 25th Annual Network and Distributed System Security Symposium, NDSS 2018
Publisher: The Internet Society
ISBN (Electronic): 1891562495, 9781891562495
DOIs
State: Published - 2018
Event: 25th Annual Network and Distributed System Security Symposium, NDSS 2018 - San Diego, United States
Duration: 18 Feb 2018 to 21 Feb 2018

Publication series

Name: 25th Annual Network and Distributed System Security Symposium, NDSS 2018

Conference

Conference: 25th Annual Network and Distributed System Security Symposium, NDSS 2018
Country/Territory: United States
City: San Diego
Period: 18/02/18 to 21/02/18

Bibliographical note

Publisher Copyright:
© 2018 25th Annual Network and Distributed System Security Symposium, NDSS 2018. All Rights Reserved.
