[ipxe-devel] SSL certificate validation and NTP
Terry Burton
tez at terryburton.co.uk
Thu Mar 29 17:56:38 UTC 2012
On 22 March 2012 17:37, Michael Brown <mbrown at fensystems.co.uk> wrote:
> On Thursday 22 Mar 2012 17:05:19 Phil Martin wrote:
>> I've been experimenting with the HTTPS functions in iPXE over the last
>> day or so. Since you've enabled the checking of the certificate
>> validity period, will you be including some sort of NTP functionality
>> to set the system clock before checking the certificate? Currently, if
>> for some reason a machine has lost time (or doesn't have a CMOS clock
>> at all), it will fail to boot over HTTPS as the certificate won't yet
>> be valid, according to the machine's clock at least. Perhaps it could
>> use the NTP servers at pool.ntp.org by default, but be overridden if
>> option 42 was specified in DHCP?
>
> Wouldn't that make the validity period check essentially worthless, since a
> man-in-the-middle attacker could simply fake the current NTP time? How can we
> do this securely?
Hi Michael, Phil,
NTP has a concept of authentication using shared secrets that can be
used for this. If a client sends an NTP request along with AUTH data
using a shared-key that the server recognises and can validate then
the response will be sent with corresponding AUTH data that the client
can validate.
Example below...
All the best,
Terry
----
Server ntp.conf:
enable auth
keys /etc/ntp.keys
trustedkey 3
...
Client/server ntp.keys:
3 M ezAPNJFR
For example:
17:52:28.356267 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF],
proto UDP (17), length 96)
client.123 > server.123: [bad udp cksum 27a5!] NTPv4, length 68
Client, Leap indicator: (0), Stratum 14 (secondary
reference), poll 6s, precision -23
Root Delay: 0.000000, Root dispersion: 7.947509, Reference-ID:
127.127.1.0
Reference Timestamp: 3542028747.356243461 (2012/03/29 17:52:27)
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3542028748.356236875 (2012/03/29 17:52:28)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3542028748.356236875
(2012/03/29 17:52:28)
Key id: 50331648
Authentication: 69ea2a997193392be59ecd1321bba405
17:52:28.356495 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 96)
server.123 > client.123: [udp sum ok] NTPv4, length 68
Server, Leap indicator: (0), Stratum 3 (secondary reference),
poll 6s, precision -20
Root Delay: 0.010879, Root dispersion: 0.073623, Reference-ID: upstream
Reference Timestamp: 3542027891.402116894 (2012/03/29 17:38:11)
Originator Timestamp: 3542028748.356236875 (2012/03/29 17:52:28)
Receive Timestamp: 3542028748.355720996 (2012/03/29 17:52:28)
Transmit Timestamp: 3542028748.355789840 (2012/03/29 17:52:28)
Originator - Receive Timestamp: -0.000515884
Originator - Transmit Timestamp: -0.000447024
Key id: 50331648
Authentication: 0349f16cd553156971b4c6d9f5274205
More information about the ipxe-devel
mailing list