6000-100AppB.fm Rev. D TimeVault™ User’s Manual B-99
B
MD5 Authentication and NTP Broadcast Mode
B.1 Introduction to MD5
MD5 is a security protocol that can be used to authenticate NTP client-server
communications, ensuring that a received NTP time packet is free from tampering. For
example, if the server receives an NTP request packet with the wrong MD5 key (i.e., a key
that hasn’t been configured by the user in TimeVault), then the server ignores the request.
A similar mechanism exists on the client side. If the client makes a request with a specific
key, and the response does not have the same key, then the client assumes the packet can
not be trusted and discards it.
Symmetricom’s version of MD5 is compatible with all versions of NTP client software
furnished by Dr. David Mills at the University of Delaware. MD5 was drafted into a
standard by MIT Laboratory for Computer Science and RSA Security, Inc. MD5
authentication means the information within the NTP packet is guaranteed to be unaltered
and from a user having privileged access. Unlike other cryptographic ciphers, MD5 does
not hide the data within the packet. The MD5 authenticated NTP packet is still readable.
This means MD5 is faster to generate than other cryptographic protocols, and as Dr. Mills
notes, there is no reason to hide the actual time from anyone. Further, MD5 does not
suffer from any export restrictions. You could think of MD5 as a very sophisticated NTP
data checksum that is calculated over the data, socket address, and a private key of an NTP
time packet. It is extremely difficult to reverse generate.
The MD5 cryptographic key identifier and cryptographic message digest are appended to
the end of a normal NTP packet and the two pieces of information are referred to together
as an MD5 signature. The key identifier is the first field in the signature, and it is a 32-bit
integer in the range from 1 to 4294967295 (0xFFFFFFFF) – do not use zero as a key
identifier. This number specifies an index into a table of many possible MD5 keys.
An MD5 key is an ASCII alpha/numeric character string that is from 1 to 32 characters in
length. The key is most secure when all 32 characters are filled with numbers and letters
chosen at random. The ASCII key string is combined with the NTP packet data and
results in a secure message digest.