Cloudflare, the San Francisco-based company that provides DDoS mitigation, cloud security, and distributed domain name server services to thousands of enterprise and individual customers, today took the wraps off of a free time service that supports both Network Time Protocol (NTP) — the dominant protocol for obtaining time over the internet — and the emerging Network Time Security (NTS) protocol.
Developers can now use time.cloudflare.com, which is available on Cloudflare’s datacenters in over 180 cities globally, as the source of time for devices by pointing them at time.cloudflare.com:1234 or directly at time.cloudflare.com. Cloudflare says that work on NTS clients is ongoing.
As Aanchal Malhotra, a graduate research assistant at Boston University and former intern on the Cloudflare cryptography team, explains in a blog post, NTP was designed to synchronize time between systems communicating over unreliable networks. Since its standardization in 1985, it’s become a core part of widely deployed tools that use timestamps to limit certificate and signature validity periods. Time synchronization ensures that events on different machines can be correlated accurately, moreover, and two-factor authentication employs rolling numbers that rely on accurate clocks.
NTP works well for the most part — clients send query packets out to servers that then respond with their clock times, after which the clients compute an estimate of the difference between their clocks and the remote clocks while compensating for network delay. But even the latest version — NTP version 4, which was completed in 2010 — contains flaws that can be exploited by malicious parties to launch attacks by shifting time or denying service to NTP clients.
For instance, an attacker could instruct a server to fragment — or break up — a large packet. Because the server doesn’t know the IP addresses of the network elements on its path, this packet could be sent from any source IP, including an NTP server. The attacker, then, could make an NTP server fragment its NTP response packet for a victim NTP client, and spoof overlapping response fragments containing their timestamp values to fool the client into assembling a packet with legitimate fragments and the attacker’s insertions.
The recently proposed NTS protocol addresses this and other vulnerabilities with a two-step process. In the first phase, an NTS key exchange establishes the necessary key material between the NTP client and the server, using the Transport Layer Security (TLS) handshake. After the keys are exchanged, the TLS channel is closed and the protocol enters the second phase, during which the results of the TLS handshake are used to authenticate NTP time synchronization packets via extension fields.
Cloudflare says that all of its datacenters are synchronized with stratum 1 time service providers, and that they implement the latest NTS IETF draft (the NTS standard has yet to be finalized) and require TLS v1.3. The company furthermore says that its servers’ proximity to users should reduce asymmetry in packet paths and jitter (a measurement of variance in latency), potentially “significantly” improving capacity and quality in regions with a dearth of NTP servers.
“Most NTP implementations are currently working on NTS support, and we expect that the next few months will see broader introduction as well as advancement of the current draft protocol,” wrote Malhotra. “We hope that our service will spur faster adoption of this important improvement to internet security … Now with our free public time service we provide a trustworthy, widely available alternative to another insecure legacy protocol. It’s all a part of our mission to help make a faster, reliable, and more secure internet for everyone.”