How NTP Watches for Terrorists (Computer Network Time Synchronization)

That serious havoc can result if the computer clocks supporting stock trading, airline reservation, and transportation systems are terrorized is self-evident. A determined hacker or terrorist could crash an airplane, invalidate a corporate buyout, or dismantle the telephone system, not to mention steal credit cards and render online commerce unusable. When the AT&T telephone network suffered a meltdown on 15 January 1990, the most likely cause first imagined by the system operators was a terrorist attack.* Thus, NTP is sensitive to the issue of server authentication and the provision of cryptographically authenticated time values.

When available and enabled, symmetric key cryptography allows a client to verify that a server shares the same secret key. If practiced by all servers on the path to a primary server, these means ensure an unbroken chain of trust between the dependent clients and the primary servers. We call this chain, actually the transitive closure of the authentic relation.

In symmetric key cryptography, every message contains a message authentication code (MAC), which is appended to the NTP header in the message.

The MAC is calculated using a cryptographic hash algorithm that produces a mathematical fingerprint serving to uniquely identify each message. This calculation involves a secret key known only to the server and clients of that server. The server uses the key to construct the MAC; the client uses it to construct its own MAC. If the MAC values match, the client concludes the message indeed came from the intended server and could not have been manufactured by an intruder.
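As an added example (not from the original text), the sketch below shows the server appending a MAC to an NTP header and the client recomputing it with its own copy of the key. It assumes the keyed-MD5 layout of RFC 5905 (a 32-bit key ID followed by the MD5 digest of the key and the 48-byte header); the key table, key value and sample header are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header size in bytes
DIGEST_LEN = 16   # MD5 output size in bytes

# Constructed key table (key ID -> shared secret); values are sample data.
KEYS = {1: b"constructed-sample-secret"}


def _digest(key: bytes, header: bytes) -> bytes:
    # Assumed RFC 5905 layout: hash over the secret key followed by the header.
    return hashlib.md5(key + header).digest()


def add_mac(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Server side: append the 32-bit key ID and the digest to the header."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + _digest(keys[key_id], header)


def verify_mac(packet: bytes, keys=KEYS) -> bool:
    """Client side: recompute the digest with its own copy of the key."""
    if len(packet) != HEADER_LEN + 4 + DIGEST_LEN:
        return False                  # no MAC, or extension fields (not handled)
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return False                  # key ID not in the client's table
    received = packet[HEADER_LEN + 4:]
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(_digest(key, header), received)


def sample_header() -> bytes:
    # Constructed server reply: LI=0, VN=4, mode=4 (server), stratum 2; rest zero.
    return struct.pack("!BBbb", (0 << 6) | (4 << 3) | 4, 2, 6, -20) + bytes(44)


if __name__ == "__main__":
    pkt = add_mac(sample_header(), 1)
    print("authentic:", verify_mac(pkt))
    tampered = pkt[:40] + b"\x01" + pkt[41:]   # alter one transmit-timestamp byte
    print("tampered:", verify_mac(tampered))
```

A client holding a different secret for the same key ID, or no entry for that key ID, rejects the packet in the same way as a modified one.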


While symmetric key cryptography has been available for over 18 years, it has several shortcomings. The most obvious is the need to distribute keys in advance by secure means. Previously, this was done by generating a table of random keys and transmitting it to clients using PGP messaging or the equivalent. This scheme is complicated by the need to refresh the table contents when the keys get old. While these operations can be partially automated, it is necessary to hide the keys and procedures from prying hackers and Web robots.

In NTPv4, an alternate scheme based on public key cryptography has become available. Called Autokey, the scheme is based on two keys, one public and the other private. The private key is used to construct a digital signature and is never revealed. The public key is distributed by insecure means and used by the clients to verify the signature. The mathematical basis of public key cryptography is basically mature, and protocols based on it are widely available. The basic fact to recognize is that cryptographic media such as public certificates are ephemeral; that is, they have a defined lifetime relative to an ordinary calendar. The fact that valid certificates require correct time and correct time requires valid certificates creates a potential circularity.
