*
Bookmark and Share

The NIST Authenticated NTP Service

In addition to its Internet Time Service (ITS), NIST operates NTP servers that support authentication. The messages from these servers will be available only to registered users. The additional authentication will allow users to verify that the responses they receive actually originated from a NIST server and that they were not modified in transit either by a malicious third party or by a network error.

Except for the additional support required for authenticated NTP, the servers that will be used for this service are identical to the other NIST servers. However, these servers will support authenticated NTP only - not the other time formats and services supported by the other NIST servers. The clocks on these systems will be synchronized using direct, hardwired connections to the NIST ensemble of atomic clocks located in Boulder, Colorado and Fort Collins, Colorado.

The authentication overlay does not improve the accuracy or the traceability of the NTP message exchange using this server, which are limited primarily by the stability and inbound-outbound symmetry of the delay in the network connection between the client system and the NIST time server. Although network conditions vary widely, our tests suggest that most users should realize a timing accuracy of 50 milliseconds (0.050 seconds) or better when using this (or any other) NIST server. Users whose applications require millisecond-level timing accuracies or stabilities should consult NIST for more details and advice on realizing these requirements using the NIST digital services.

The time messages will be authenticated using symmetric-key encryption in a manner that is fully compatible with the published NTP documentation. (Autokey and asymmetric key modes will not be used.) Each registered user will be assigned a unique encryption key, which will be linked to the IP address of the user’s system. A registered user will be able to communicate with the authenticated server using this assigned encryption key or using a default key of 0, which is equivalent to disabling the encryption algorithm. Users who are not registered will not be able to connect to this server, but can use any of the other NIST servers, which will not be modified. 

See the list of NIST time servers.

The service will be provided at no charge, and user keys may be used to connect to any of the servers whose addresses are listed below.  Additional hardware will be added in the future if the demand for the service is sufficiently great to warrant it.

Users who wish to use this service service should send a letter to NIST using the US mail or FAX machine (e-mail is not acceptable). The request should contain the following information:

  * Name and postal street address of the organization or individual
  * Name and contact information for the system operator and an alternate name if possible. These should include the e-mail addresses and the preferred contact method.
  * Network IP address of the client system that will be used to query the NIST server. A network name is desirable but not required, since the system will authenticate the request using IP addresses only. Users may request up to 4 contiguous IP addresses that will share the same key.

This information should be sent to:

    Network Time Service
    Mail stop 847
    National Institute of Standards and Technology
    325 Broadway
    Boulder, Colorado 80305
    FAX: 303 497 6461

 NIST will reply with a key number and a key value. The reply will be by US mail only unless the requesting organization or individual specifies that a reply by FAX is acceptable. A reply by e-mail will never be used.

We will also provide instructions for how to add authentication to an existing generic NTP process. These instructions will explain how to add authentication to the daemon process ntpd and the single-query process ntpdate. The instructions found here should be adequate for most users. Users who have special requirements or who are using a custom version of NTP should contact NIST. We will provide as much assistance as possible. Users who wish to add authentication to the NTP process of a network appliance (such as a gateway, firewall or router) should contact the supplier to verify that the embedded NTP algorithm supports the symmetric key encryption algorithm.

User keys will expire at the end of each fiscal year (30 September) and can be renewed for an additional year. Each registered user will be sent a reminder early in September about the need for renewal.

Send questions or comments to Judah Levine.