NTP AUTOKEY
NTP Version 4 supports symmetric keys and additionally provides the so-called
AUTOKEY feature. The authentic of received time at the NTP clients is sufficiently
ensured by the symmetric key technique. In order to achieve a higher security, e.g.
against so-called replay attacks, it is important to change the used crypto keys from
time to time.
In networks with a lot of clients, this can lead to a logistic problem, because the
server key has to be changed on every single client. To help the administrator to
reduce this work (or even eliminate it completely), the NTP developers invented the
AUTOKEY feature, which works with a combination of group keys and public keys.
All NTP clients are able to verify the authentic of the time they received from the
NTP servers of their own AUTOKEY group by using this AUTOKEY technique.
The AUTOKEY features works by creating so-called secure groups, in which NTP
servers and clients are combined. There are three different kinds of members in such a
group:
a) Trusted Host
One or more trusted NTP servers. In order to become a “trusted” server, a NTP
server must own a self-signed certificate marked as “trusted”. It is good practice to
operate the trusted hosts of a secure group at the lowest stratum level (of this group).
b) Host
One ore more NTP servers, which do not own a „trusted“ certificate, but only a
self-signed certificate without this “trusted” mark.
c) Client
One ore more NTP client systems, which in contrast to the above mentioned
servers do not provide accurate time to other systems in the secure group. They only
receive time.
All members of this group (trusted hosts, hosts and clients) have to have the same
group key. This group key is generated by a so-called trusted authority (TA) and has
to be deployed manually to all members of the group by secure means (e.g. with the
UNIX SCP command). The role of a TA can be fulfilled by one of the trusted hosts of
the group, but an external TA can be used, too.
The used public keys can be periodically re-created (there are menu functions for this
available in the web interface and also in the CLI setup program, see “Generate new
NTP public key” in section “NTP Autokey” of the “Security Management” page) and
then distributed automatically to all members of the secure group. The group key
remains unchanged, therefore the manual update process for crypto keys for the
secure group is eliminated.
66
Содержание LANTIME
Страница 1: ...Technical Information Operating Instructions LANTIME SHSPZF ETX BGT...
Страница 47: ...Configuration Ethernet 47...
Страница 52: ...Configuration Notification 52...
Страница 56: ...Configuration Security 56...
Страница 69: ...Configuration Local 69...
Страница 77: ...Configuration Statistics 77...
Страница 110: ...Rear View LANTIME 110...
Страница 111: ...SUB D Connector Assignments 111...
Страница 113: ...Accuracy of frequency TCXO quartz standard 113...
Страница 118: ...HUMIDITY Relativ humidity 85 max TEMPERATURE RANGE 0 60 Celsius POWER SUPPLY 5 V approx 330 mA 118...
Страница 132: ...Menu Quick Reference 132...
Страница 145: ...IRIG Standard Format 145...
Страница 146: ...AFNOR Standard Format 146...