Release of NTPsec 1.2.0 and Chrony 4.0 NTP servers with support for the secure NTS protocol

The IETF (Internet Engineering Task Force), which develops the protocols and architecture of the Internet, completed the formation of an RFC for the NTS (Network Time Security) protocol and published the associated specification under the identifier RFC 8915. The RFC received the status of "Proposed Standard", after which work will begin on giving it the status of a Draft Standard, which means complete stabilization of the protocol and incorporation of all the comments made.

The standardization of NTS is an important step toward improving the security of time synchronization services and protecting users from attacks that impersonate the NTP server to which the client connects. Malicious manipulation that sets the wrong time can be used to compromise the security of other time-aware protocols such as TLS; for example, changing the time can cause the validity period of TLS certificates to be misjudged. Until now, NTP with symmetric encryption of the communication channel did not make it possible to guarantee that the client was talking to the intended NTP server rather than a spoofed one, and key-based authentication never gained popularity because it is too complicated to configure.

NTS uses elements of public key infrastructure (PKI) and allows TLS and Authenticated Encryption with Associated Data (AEAD) to be used to cryptographically protect client-server communication over NTP (Network Time Protocol). NTS consists of two separate protocols: NTS-KE (NTS Key Establishment, which handles the initial authentication and key negotiation over TLS) and NTS-EF (NTS Extension Fields, responsible for the encryption and authentication of the time synchronization session). NTS adds several extension fields to NTP packets and keeps all state information only on the client side by means of a cookie mechanism. Network port 4460 is allocated for handling connections over the NTS protocol.
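To make the NTS-KE half of the exchange concrete, here is an added example (not code from the article, nor from NTPsec or Chrony) that encodes the client's key-establishment request and parses a server response using the record framing of RFC 8915: a 2-byte record type whose high bit is the "critical" flag, a 2-byte body length, and the body. It only models the records that travel inside the TLS session on port 4460; the TLS handshake itself and the keying-material export are deliberately left out, and the server response and cookie values below are constructed sample data.

```python
"""Encode and parse NTS-KE records (RFC 8915, section 4).

Added example, not from the article or from the NTPsec/Chrony projects.
Only the record framing is modelled; the TLS session that carries these
records and the key export that follows are omitted.
"""
import struct

# Record types (RFC 8915, IANA "NTS Key Establishment Record Types").
END_OF_MESSAGE = 0
NEXT_PROTOCOL = 1
ERROR = 2
WARNING = 3
AEAD_ALGORITHM = 4
NEW_COOKIE = 5
SERVER_NEGOTIATION = 6
PORT_NEGOTIATION = 7
HIGHEST_KNOWN_TYPE = PORT_NEGOTIATION

CRITICAL = 0x8000            # high bit of the 16-bit record-type field
PROTOCOL_NTPV4 = 0           # Next Protocol ID for NTPv4
AEAD_AES_SIV_CMAC_256 = 15   # IANA AEAD registry ID; mandatory to implement for NTS

# Error codes carried in an Error record.
ERR_UNRECOGNIZED_CRITICAL = 0
ERR_BAD_REQUEST = 1
ERR_INTERNAL = 2


def encode_record(rtype, body=b"", critical=False):
    """Record = 2-byte type (with critical bit) + 2-byte body length + body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body


def build_client_request():
    """Client offers NTPv4 and AES-SIV-CMAC-256, then terminates the message."""
    return (encode_record(NEXT_PROTOCOL, struct.pack("!H", PROTOCOL_NTPV4), critical=True)
            + encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256))
            + encode_record(END_OF_MESSAGE, critical=True))


def build_server_response(cookies):
    """Constructed sample response: chosen protocol, chosen AEAD, fresh cookies, end."""
    return (encode_record(NEXT_PROTOCOL, struct.pack("!H", PROTOCOL_NTPV4), critical=True)
            + encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
            + b"".join(encode_record(NEW_COOKIE, c) for c in cookies)
            + encode_record(END_OF_MESSAGE, critical=True))


def parse_records(data):
    """Return [(type, critical, body), ...] up to and including End of Message.

    Unknown record types are skipped when non-critical and rejected when
    critical, as RFC 8915 requires; truncated input is rejected too.
    """
    records, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated record header or missing End of Message")
        word, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        body = data[offset:offset + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        offset += length
        rtype, critical = word & 0x7FFF, bool(word & CRITICAL)
        if rtype > HIGHEST_KNOWN_TYPE:
            if critical:
                raise ValueError(f"unrecognized critical record type {rtype}")
            continue  # unknown but non-critical: ignore
        records.append((rtype, critical, body))
        if rtype == END_OF_MESSAGE:
            return records


def interpret_server_response(data):
    """Pull the negotiated protocol(s), AEAD algorithm, cookies and any error code out."""
    result = {"protocols": [], "aead": None, "cookies": [], "error": None}
    for rtype, _critical, body in parse_records(data):
        if rtype == ERROR:
            (result["error"],) = struct.unpack("!H", body)
        elif rtype == NEXT_PROTOCOL:
            result["protocols"] = list(struct.unpack(f"!{len(body) // 2}H", body))
        elif rtype == AEAD_ALGORITHM:
            (result["aead"],) = struct.unpack("!H", body)
        elif rtype == NEW_COOKIE:
            result["cookies"].append(body)  # opaque to the client; replayed in NTS-EF
    return result


if __name__ == "__main__":
    print("client request:", build_client_request().hex())
    sample = build_server_response([b"cookie-1", b"cookie-2"])  # constructed sample
    print("server response:", interpret_server_response(sample))
```

A real client would send the request bytes over the TLS connection, read the response, and then derive the C2S/S2C AEAD keys from the TLS session (RFC 8915 uses the TLS keying-material exporter for this); the cookies are kept opaque and handed back to the server one per NTP request, which is why the server needs no per-client state.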

The first implementations of the standardized NTS are offered in the recently published releases NTPsec 1.2.0 and Chrony 4.0. Chrony provides an independent implementation of an NTP client and server that is used to synchronize the exact time in various Linux distributions, including Fedora, Ubuntu, SUSE/openSUSE and RHEL/CentOS. NTPsec is developed under the leadership of Eric S. Raymond and is a fork of the reference NTPv4 protocol implementation (NTP Classic 4.3.34. memory and strings).

Source: opennet.ru