How to use Network Time Security on your system

But what is Network Time Security (NTS)? To understand NTS, first we have to get familiar with NTP.

NTP, the Network Time Protocol, is a networking protocol for clock synchronization. In simple terms, this protocol helps your system get the correct time. RFC 5905 lays down the ground rules for NTP.

Now, NTS is an improvement built on top of NTP. It is made up of two different parts.

  • NTS key exchange (NTS-KE): the NTP client and server exchange key material over TLS.
  • NTS authentication: this part ensures that the time synchronization packets are authenticated using the key material from step one.

NTS is defined in RFC 8915.

To read more on the subject, I found this blog post from Netnod. While it is a useful resource, it does not explain how to use NTS on my Fedora laptop, which uses chrony for time sync.

Which servers to use?

I am using servers from two providers, Netnod and Cloudflare. Since I am based in Sweden, I will be using:

  • sth1.nts.netnod.se
  • sth2.nts.netnod.se

Both of the above servers are intended for users located near Stockholm.

Everyone who is not close enough to Stockholm can use

  • nts.netnod.se

I will additionally use the NTS server from Cloudflare, because they have servers in 180 cities around the globe.

  • time.cloudflare.com

Update /etc/chrony.conf

I am adding the following configuration to my /etc/chrony.conf. It adds the NTS servers to use and disables the NTP servers received via DHCP.

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).

server sth1.nts.netnod.se iburst nts
server sth2.nts.netnod.se iburst nts
server nts.netnod.se iburst nts
server time.cloudflare.com iburst nts

# Use NTP servers from DHCP.
#sourcedir /run/chrony-dhcp

Now restart the chronyd service with sudo systemctl restart chronyd.

We can verify that the system is using NTS with the following command:

$ sudo chronyc -N authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
sth1.nts.netnod.se           NTS     1   15  256   24    0    0    8  100
sth2.nts.netnod.se           NTS     1   15  256   27    1    0    0    0
nts.netnod.se                NTS     1   15  256   24    0    0    8  100
time.cloudflare.com          NTS     1   15  256   24    0    0    8  100

The different headers are as follows:

  • Name/IP address: Name of the server.
  • Mode: Which authentication mechanism has been used. In our case it should be NTS.
  • KeyID: A number starting at zero and incremented by one with each successful key establishment using the NTS-KE protocol.
  • Type: Which algorithm is used for authentication. Here 15 means AEAD-AES-SIV-CMAC-256.
  • KLen: Length of the key in bits.
  • Last: How long ago the last successful key establishment took place. The time is given in seconds; the letters m, h, d or y indicate minutes, hours, days, or years.
  • Atmp: Number of attempts to perform the key establishment since the last successful key establishment. Any number larger than 1 indicates a problem with the network or server.
  • NAK: If an NTS NAK was received since the last request.
  • Cook: Number of NTS cookies chrony currently possesses.
  • CLen: Length of the last cookie used in bytes.
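As an added example (not part of the original post), here is a small shell function that reads the output of chronyc -N authdata and, using the column meanings listed above, flags sources that are not authenticated with NTS, needed more than one key-establishment attempt since the last success, received an NTS NAK, or hold no cookies. The sample output is constructed from the table above; the pool.example.net entry is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: audit `chronyc -N authdata`
# output for sources that are not properly protected by NTS, using the column
# meanings listed above (Mode, Atmp, NAK, Cook).

# Constructed sample in the format shown above; pool.example.net is a
# hypothetical, unauthenticated source added to exercise the Mode check.
SAMPLE_AUTHDATA='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
sth1.nts.netnod.se           NTS     1   15  256   24    0    0    8  100
sth2.nts.netnod.se           NTS     1   15  256   27    1    0    0    0
pool.example.net               -     0    0    0    -    0    0    0    0
time.cloudflare.com          NTS     1   15  256   24    0    0    8  100'

# Constructed sample where every source passes.
GOOD_AUTHDATA='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
sth1.nts.netnod.se           NTS     3   15  256  120    0    0    8  100
time.cloudflare.com          NTS     2   15  256   95    0    0    7  100'

# nts_audit: read authdata output on stdin, print "<name>: <reason>" for every
# source that fails a check, and return 1 if any source failed (0 otherwise).
# Fields per data row: 1 name, 2 Mode, 3 KeyID, 4 Type, 5 KLen, 6 Last,
# 7 Atmp, 8 NAK, 9 Cook, 10 CLen.
nts_audit() {
    awk '
        /^Name\/IP|^=+$/ { next }        # skip header and separator lines
        NF < 10 { next }                 # skip blank or malformed lines
        {
            name = $1; mode = $2; atmp = $7 + 0; nak = $8 + 0; cook = $9 + 0
            if (mode != "NTS")  { print name ": not authenticated with NTS (mode " mode ")"; bad++ }
            else if (atmp > 1)  { print name ": " atmp " key-establishment attempts since last success"; bad++ }
            else if (nak > 0)   { print name ": NTS NAK received since the last request"; bad++ }
            else if (cook == 0) { print name ": no NTS cookies held (NTS-KE must be repeated)"; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Demo run on the constructed sample; on a real host use:
#   sudo chronyc -N authdata | nts_audit
printf '%s\n' "$SAMPLE_AUTHDATA" | nts_audit || echo "some sources are not fully NTS-protected"
```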

Ubuntu 22.04 uses systemd-timesyncd, which still does not support NTS. One can follow the discussion here.
