| < draft-ietf-ntp-cms-for-nts-message-01.txt | draft-ietf-ntp-cms-for-nts-message-02.txt > | |||
|---|---|---|---|---|
| NTP Working Group D. Sibold | NTP Working Group D. Sibold | |||
| Internet-Draft PTB | Internet-Draft PTB | |||
| Intended status: Standards Track S. Roettger | Intended status: Standards Track S. Roettger | |||
| Expires: July 26, 2015 Google Inc. | Expires: September 7, 2015 Google Inc. | |||
| K. Teichel | K. Teichel | |||
| PTB | PTB | |||
| R. Housley | R. Housley | |||
| Vigil Security | Vigil Security | |||
| January 22, 2015 | March 06, 2015 | |||
| Protecting Network Time Security Messages with the Cryptographic Message | Protecting Network Time Security Messages with the Cryptographic Message | |||
| Syntax (CMS) | Syntax (CMS) | |||
| draft-ietf-ntp-cms-for-nts-message-01.txt | draft-ietf-ntp-cms-for-nts-message-02.txt | |||
| Abstract | Abstract | |||
| This document describes a convention for using the Cryptographic | This document describes a convention for using the Cryptographic | |||
| Message Syntax (CMS) to protect the messages in the Network Time | Message Syntax (CMS) to protect the messages in the Network Time | |||
| Security (NTS) protocol. NTS provides authentication of time servers | Security (NTS) protocol. NTS provides authentication of time servers | |||
| as well as integrity protection of time synchronization messages | as well as integrity protection of time synchronization messages | |||
| using Network Time Protocol (NTP) or Precision Time Protocol (PTP). | using Network Time Protocol (NTP) or Precision Time Protocol (PTP). | |||
| Requirements Language | Requirements Language | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 26, 2015. | This Internet-Draft will expire on September 7, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 33 ¶ | skipping to change at page 2, line 33 ¶ | |||
| 2. CMS Conventions for NTS Message Protection . . . . . . . . . 3 | 2. CMS Conventions for NTS Message Protection . . . . . . . . . 3 | |||
| 2.1. Fields of the employed CMS Content Types . . . . . . . . 5 | 2.1. Fields of the employed CMS Content Types . . . . . . . . 5 | |||
| 2.1.1. ContentInfo . . . . . . . . . . . . . . . . . . . . . 5 | 2.1.1. ContentInfo . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1.2. SignedData . . . . . . . . . . . . . . . . . . . . . 6 | 2.1.2. SignedData . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.1.3. EnvelopedData . . . . . . . . . . . . . . . . . . . . 8 | 2.1.3. EnvelopedData . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3. Implementation Notes: ASN.1 Structures and Use of the CMS . . 9 | 3. Implementation Notes: ASN.1 Structures and Use of the CMS . . 9 | |||
| 3.1. Preliminaries . . . . . . . . . . . . . . . . . . . . . . 9 | 3.1. Preliminaries . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.2. Unicast Messages . . . . . . . . . . . . . . . . . . . . 9 | 3.2. Unicast Messages . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.2.1. Association Messages . . . . . . . . . . . . . . . . 9 | 3.2.1. Association Messages . . . . . . . . . . . . . . . . 9 | |||
| 3.2.2. Cookie Messages . . . . . . . . . . . . . . . . . . . 10 | 3.2.2. Cookie Messages . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2.3. Time Synchronization Messages . . . . . . . . . . . . 10 | 3.2.3. Time Synchronization Messages . . . . . . . . . . . . 11 | |||
| 3.3. Broadcast Messages . . . . . . . . . . . . . . . . . . . 11 | 3.3. Broadcast Messages . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.3.1. Broadcast Parameter Messages . . . . . . . . . . . . 11 | 3.3.1. Broadcast Parameter Messages . . . . . . . . . . . . 11 | |||
| 3.3.2. Broadcast Time Synchronization Message . . . . . . . 12 | 3.3.2. Broadcast Time Synchronization Message . . . . . . . 12 | |||
| 3.3.3. Broadcast Keycheck . . . . . . . . . . . . . . . . . 12 | 3.3.3. Broadcast Keycheck . . . . . . . . . . . . . . . . . 13 | |||
| 4. Certificate Conventions . . . . . . . . . . . . . . . . . . . 13 | 4. Certificate Conventions . . . . . . . . . . . . . . . . . . . 13 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 14 | 7.2. Informative References . . . . . . . . . . . . . . . . . 14 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| This document provides details on how to construct NTS messages in | This document provides details on how to construct NTS messages in | |||
| practice. NTS provides secure time synchronization with time servers | practice. NTS provides secure time synchronization with time servers | |||
| using Network Time Protocol (NTP) [RFC5905] or Precision Time | using Network Time Protocol (NTP) [RFC5905] or Precision Time | |||
| Protocol (PTP) [IEEE1588]. Among other things, this document | Protocol (PTP) [IEEE1588]. Among other things, this document | |||
| describes a convention for using the Cryptographic Message Syntax | describes a convention for using the Cryptographic Message Syntax | |||
| (CMS) [RFC5652] to protect messages in the Network Time Security | (CMS) [RFC5652] to protect messages in the Network Time Security | |||
| skipping to change at page 9, line 34 ¶ | skipping to change at page 9, line 34 ¶ | |||
| 3.2.1. Association Messages | 3.2.1. Association Messages | |||
| 3.2.1.1. Message Type: "client_assoc" | 3.2.1.1. Message Type: "client_assoc" | |||
| This message is structured according to the NTS-Plain archetype. | This message is structured according to the NTS-Plain archetype. | |||
| There is no data necessary besides that which is transported in the | There is no data necessary besides that which is transported in the | |||
| NTS message object, which is an ASN.1 object of type | NTS message object, which is an ASN.1 object of type | |||
| "ClientAssocData" and structured as follows: | "ClientAssocData" and structured as follows: | |||
| ClientAssocData ::= SEQUENCE { | ClientAssocData ::= SEQUENCE { | |||
| nonce NTSNonce, | ||||
| clientId SubjectKeyIdentifier, | clientId SubjectKeyIdentifier, | |||
| digestAlgos DigestAlgorithmIdentifiers, | digestAlgos DigestAlgorithmIdentifiers, | |||
| keyEncAlgos KeyEncryptionAlgorithms, | keyEncAlgos KeyEncryptionAlgorithms, | |||
| contentEncAlgos ContentEncryptionAlgorithms | contentEncAlgos ContentEncryptionAlgorithms | |||
| } | } | |||
| 3.2.1.2. Message Type: "server_assoc" | 3.2.1.2. Message Type: "server_assoc" | |||
| This message is structured according to the NTS-Signed archetype. | This message is structured according to the NTS-Signed archetype. | |||
| There is no data necessary besides that which is transported in the | There is no data necessary besides that which is transported in the | |||
| NTS message object, which is an ASN.1 object of type | NTS message object, which is an ASN.1 object of type | |||
| "ServerAssocData" and structured as follows: | "ServerAssocData" and structured as follows: | |||
| ServerAssocData ::= SEQUENCE { | ServerAssocData ::= SEQUENCE { | |||
| nonce NTSNonce, | ||||
| clientId SubjectKeyIdentifier, | clientId SubjectKeyIdentifier, | |||
| digestAlgos DigestAlgorithmIdentifiers, | ||||
| choiceDigestAlgo DigestAlgorithmIdentifier, | choiceDigestAlgo DigestAlgorithmIdentifier, | |||
| keyEncAlgos KeyEncryptionAlgorithms, | ||||
| choiceKeyEncAlgo KeyEncryptionAlgorithmIdentifier, | choiceKeyEncAlgo KeyEncryptionAlgorithmIdentifier, | |||
| contentEncAlgos ContentEncryptionAlgorithms | ||||
| choiceContentEncAlgo ContentEncryptionAlgorithmIdentifier | choiceContentEncAlgo ContentEncryptionAlgorithmIdentifier | |||
| } | } | |||
| 3.2.2. Cookie Messages | 3.2.2. Cookie Messages | |||
| 3.2.2.1. Message Type: "client_cook" | 3.2.2.1. Message Type: "client_cook" | |||
| This message is structured according to the NTS-Certified archetype. | This message is structured according to the NTS-Certified archetype. | |||
| There is no data necessary besides that which is transported in the | There is no data necessary besides that which is transported in the | |||
| NTS message object, which is an ASN.1 object of type | NTS message object, which is an ASN.1 object of type | |||
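Review bot: In ServerAssocData the one-column row `contentEncAlgos ContentEncryptionAlgorithms` has no trailing comma although `choiceContentEncAlgo ContentEncryptionAlgorithmIdentifier` follows it in the same SEQUENCE, so the structure does not parse as ASN.1; add the comma. The prose for client_assoc and server_assoc still says only that no other data is necessary. A sentence stating what the receiver must compare for `nonce` and for the `digestAlgos`, `keyEncAlgos` and `contentEncAlgos` lists that sit beside the `choice...` fields would tell implementers what these rows are for.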
| skipping to change at page 11, line 39 ¶ | skipping to change at page 12, line 4 ¶ | |||
| type "TimeResponseSecurityData", with the following structure: | type "TimeResponseSecurityData", with the following structure: | |||
| TimeResponseSecurityData ::= | TimeResponseSecurityData ::= | |||
| SEQUENCE { | SEQUENCE { | |||
| nonce_t NTSNonce, | nonce_t NTSNonce, | |||
| } | } | |||
| 3.3. Broadcast Messages | 3.3. Broadcast Messages | |||
| 3.3.1. Broadcast Parameter Messages | 3.3.1. Broadcast Parameter Messages | |||
| 3.3.1.1. Message Type: "client_bpar" | 3.3.1.1. Message Type: "client_bpar" | |||
| This first broadcast message is structured according to the NTS-Plain | This first broadcast message is structured according to the NTS-Plain | |||
| archetype. There is no data necessary besides that which is | archetype. There is no data necessary besides that which is | |||
| transported in the NTS message object, which is an ASN.1 object of | transported in the NTS message object, which is an ASN.1 object of | |||
| type "BroadcastParameterRequest" and structured as follows: | type "BroadcastParameterRequest" and structured as follows: | |||
| BroadcastParameterRequest ::= | BroadcastParameterRequest ::= | |||
| SEQUENCE { | SEQUENCE { | |||
| nonce NTSNonce, | ||||
| clientId SubjectKeyIdentifier | clientId SubjectKeyIdentifier | |||
| } | } | |||
| 3.3.1.2. Message Type: "server_bpar" | 3.3.1.2. Message Type: "server_bpar" | |||
| This message is structured according to "NTS-Signed". There is no | This message is structured according to "NTS-Signed". There is no | |||
| data necessary besides that which is transported in the NTS message | data necessary besides that which is transported in the NTS message | |||
| object, which is an ASN.1 object of type "BroadcastParameterResponse" | object, which is an ASN.1 object of type "BroadcastParameterResponse" | |||
| and structured as follows: | and structured as follows: | |||
| BroadcastParameterResponse ::= | BroadcastParameterResponse ::= | |||
| SEQUENCE { | SEQUENCE { | |||
| nonce NTSNonce, | ||||
| oneWayAlgo1 DigestAlgorithmIdentifier, | oneWayAlgo1 DigestAlgorithmIdentifier, | |||
| oneWayAlgo2 DigestAlgorithmIdentifier, | oneWayAlgo2 DigestAlgorithmIdentifier, | |||
| lastKey OCTET STRING (SIZE (16)), | lastKey OCTET STRING (SIZE (16)), | |||
| intervalDuration BIT STRING, | intervalDuration BIT STRING, | |||
| disclosureDelay INTEGER, | disclosureDelay INTEGER, | |||
| nextIntervalTime BIT STRING, | nextIntervalTime BIT STRING, | |||
| nextIntervalIndex INTEGER | nextIntervalIndex INTEGER | |||
| } | } | |||
| 3.3.2. Broadcast Time Synchronization Message | 3.3.2. Broadcast Time Synchronization Message | |||
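Review bot: TimeResponseSecurityData at the top of this hunk ends its only component with a comma (`nonce_t NTSNonce,` directly before `}`) and uses an underscore in the component name, neither of which the ASN.1 basic notation [ASN1] permits; drop the comma and rename the component. The one-column `nonce NTSNonce,` rows in BroadcastParameterRequest and BroadcastParameterResponse use the plain name `nonce`, so settle on one naming scheme for nonce components across the module. The server_bpar text should also say which request value the response `nonce` has to match.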
| skipping to change at page 14, line 22 ¶ | skipping to change at page 14, line 32 ¶ | |||
| To be written. | To be written. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [ASN1] International Telecommunication Union, "Abstract Syntax | [ASN1] International Telecommunication Union, "Abstract Syntax | |||
| Notation One (ASN.1): Specification of basic notation", | Notation One (ASN.1): Specification of basic notation", | |||
| ITU-T Recommendation X.680, November 2008. | ITU-T Recommendation X.680, November 2008. | |||
| [IEEE1588] | ||||
| IEEE Instrumentation and Measurement Society. TC-9 Sensor | ||||
| Technology, "IEEE standard for a precision clock | ||||
| synchronization protocol for networked measurement and | ||||
| control systems", 2008. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, September 2009. | RFC 5652, September 2009. | |||
| [RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network | ||||
| Time Protocol Version 4: Protocol and Algorithms | ||||
| Specification", RFC 5905, June 2010. | ||||
| 7.2. Informative References | 7.2. Informative References | |||
| [I-D.ietf-ntp-network-time-security] | [I-D.ietf-ntp-network-time-security] | |||
| Sibold, D., Roettger, S., and K. Teichel, "Network Time | Sibold, D., Roettger, S., and K. Teichel, "Network Time | |||
| Security", draft-ietf-ntp-network-time-security-06 (work | Security", draft-ietf-ntp-network-time-security-07 (work | |||
| in progress), January 2015. | in progress), March 2015. | |||
| [IEEE1588] | ||||
| IEEE Instrumentation and Measurement Society. TC-9 Sensor | ||||
| Technology, "IEEE standard for a precision clock | ||||
| synchronization protocol for networked measurement and | ||||
| control systems", 2008. | ||||
| [RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network | ||||
| Time Protocol Version 4: Protocol and Algorithms | ||||
| Specification", RFC 5905, June 2010. | ||||
| Appendix A. ASN.1 Module | Appendix A. ASN.1 Module | |||
| The ASN.1 module contained in this appendix defines the id-kp- | The ASN.1 module contained in this appendix defines the id-kp- | |||
| NTSserver object identifier. | NTSserver object identifier. | |||
| NTSserverKeyPurpose | NTSserverKeyPurpose | |||
| { TBD } | { TBD } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
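Review bot: [IEEE1588] and [RFC5905] appear in one-column rows under both 7.1 and 7.2, so they change list between the two revisions. The Introduction cites both for the protocols NTS protects, so the reclassification deserves a line of justification in the change notes. [I-D.ietf-ntp-network-time-security] stays under 7.2 although this document specifies how that protocol's messages are encoded; check whether it needs to be normative. The "To be written." placeholder immediately before "7. References" and the `{ TBD }` module identifier in Appendix A are still open in this revision.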
| End of changes. 18 change blocks. | ||||
| 20 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||