
Evaluation of Authenticated NTP Service


The Time and Frequency division of NIST is pleased to announce the start of a test of an addition to its Internet Time Service (ITS). This new service, which will operate initially in a test and evaluation mode, will add authentication to Network Time Protocol (NTP) messages transmitted from a new NIST time server that will be available only to registered users. The additional authentication will allow users to verify that the responses that they receive actually originated from a NIST server and that they were not modified in transit either by a malicious third party or by a network error.

Except for the additional support required for authenticated NTP, the server that will be used for this service is identical to the other NIST servers. However, this server will support authenticated NTP only - not the other time formats and services supported by the other NIST servers. Its clock will be synchronized using a direct, hardwired connection to the NIST ensemble of atomic clocks located in Boulder, Colorado.

The authentication overlay does not improve the accuracy or the traceability of the NTP message exchange using this server, which are limited primarily by the stability and inbound-outbound symmetry of the delay in the network connection between the client system and the NIST time server. Although network conditions vary widely, our tests suggest that most users should realize a timing accuracy of 50 milliseconds (0.050 seconds) or better when using this (or any other) NIST server. Users whose applications require millisecond-level timing accuracies or stabilities should consult NIST for more details and advice on realizing these requirements using the NIST digital services.

The time messages will be authenticated with a symmetric-key message authentication code (the keyed MD5 digest defined in the published NTP documentation), in a manner that is fully compatible with standard NTP implementations. The messages themselves are not encrypted, and the Autokey and asymmetric-key modes will not be used. Each registered user will be assigned a unique key, identified by a key number and bound to the IP address of the user's system. During the initial test phase of the service, a registered user will be able to query the authenticated server either with this assigned key or with the default key number 0, which disables authentication. Users who are not registered will not be able to use this server, but can use any of the other NIST servers, which will not be modified. See the list of public servers.
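The following is an added illustration, not NIST code, of the symmetric-key mechanism described above: the client appends a 4-byte key number and an MD5 digest of (key || 48-byte NTP header) to its request, the server answers only if that MAC verifies, and the client in turn verifies the MAC on the reply. The key number 42 and the key value are constructed placeholders for the pair NIST issues by mail, and the "server" is simulated in-process rather than contacted over the network. It also shows what the MAC does not do by itself: an attacker who replays an old genuine reply is caught only because the client checks that the reply's origin timestamp matches the transmit timestamp it sent.

```python
# Added example (not NIST's code): RFC 1305-style symmetric-key MD5 MAC on NTP messages.
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # unauthenticated NTPv4 header
MAC_LEN = 4 + 16               # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

ASSUMED_KEY_ID = 42                     # constructed placeholder for the NIST key number
ASSUMED_KEY = b"example-shared-secret"  # placeholder; an ntp.keys type-M key is raw ASCII bytes

def unix_to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds % 1) * (1 << 32))
    return (secs << 32) | frac

def build_header(mode, origin_ts=0, transmit_ts=0, stratum=0):
    """48-byte NTPv4 header; mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode                    # LI=0, VN=4
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 0, -20)   # + poll, precision
    fixed += struct.pack("!II4s", 0, 0, b"\0\0\0\0")            # root delay/disp, ref ID
    return fixed + struct.pack("!QQQQ", 0, origin_ts, 0, transmit_ts)  # ref/org/rec/xmt

def append_mac(header, key_id, key):
    """Append the MAC: 4-byte key ID, then MD5(key || header). Nothing is encrypted."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def check_mac(message, keyring):
    """Return (ok, reason). keyring maps key ID -> key bytes.
    A bare header or key ID 0 counts as unauthenticated, as with ntpd's key 0."""
    if len(message) == NTP_HEADER_LEN:
        return False, "no MAC present"
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected length %d" % len(message)
    header, trailer = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id == 0:
        return False, "key ID 0: authentication disabled"
    key = keyring.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, trailer[4:]):      # constant-time compare
        return False, "MAC mismatch: forged or modified in transit"
    return True, "ok"

def server_reply(request, keyring, server_unix_time):
    """Simulated authenticated server: answers only MAC-valid requests and echoes
    the client's transmit timestamp as the origin timestamp."""
    if not check_mac(request, keyring)[0]:
        return None                                         # registered keys only
    key_id = struct.unpack("!I", request[48:52])[0]
    client_xmt = struct.unpack("!Q", request[40:48])[0]
    reply = build_header(4, origin_ts=client_xmt,
                         transmit_ts=unix_to_ntp(server_unix_time), stratum=1)
    return append_mac(reply, key_id, keyring[key_id])

def client_accepts(request, reply, keyring):
    """Client checks: server mode, valid MAC, and origin timestamp == what we sent.
    The MAC alone does not stop replay of an old genuine reply; the origin check does."""
    if reply is None or (reply[0] & 0x07) != 4:
        return False, "not a server-mode reply"
    ok, reason = check_mac(reply, keyring)
    if not ok:
        return False, reason
    if struct.unpack("!Q", reply[24:32])[0] != struct.unpack("!Q", request[40:48])[0]:
        return False, "origin timestamp does not match our request (replay?)"
    return True, "authenticated reply accepted"

def demo():
    """Run the exchange plus three attacks; returns which replies the client accepted."""
    keyring = {ASSUMED_KEY_ID: ASSUMED_KEY}
    request = append_mac(build_header(3, transmit_ts=unix_to_ntp(1190000000.25)),
                         ASSUMED_KEY_ID, ASSUMED_KEY)
    reply = server_reply(request, keyring, 1190000000.30)
    tampered = bytearray(reply)
    tampered[47] ^= 0x01                                    # flip one bit of transmit timestamp
    forged = append_mac(reply[:NTP_HEADER_LEN], 99, b"attacker-key")   # key the client lacks
    fresh = append_mac(build_header(3, transmit_ts=unix_to_ntp(1190000010.0)),
                       ASSUMED_KEY_ID, ASSUMED_KEY)
    return {
        "genuine": client_accepts(request, reply, keyring)[0],
        "tampered": client_accepts(request, bytes(tampered), keyring)[0],
        "forged": client_accepts(request, forged, keyring)[0],
        "replayed": client_accepts(fresh, reply, keyring)[0],   # old reply, new request
        "unregistered_served": server_reply(build_header(3), keyring, 0) is not None,
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-20s %s" % (case, accepted))
```

Only the genuine exchange is accepted; the modified reply, the reply forged under an unknown key number, and the replayed reply are all rejected, and the unauthenticated (key 0) request gets no answer at all, which is the behaviour the announcement describes for unregistered clients.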

The service will be provided at no charge during the initial test period, and the number of registered users will be limited only to the physical capacity of the single system that will be used for this purpose. Additional hardware will be added in the future if the demand for the service is sufficiently great to warrant it. We anticipate that the test and evaluation period will last at least until the end of September 2007, and registered users will be notified of any proposed change well before it is implemented.

Users who wish to participate in the test and evaluation phase of the service should send a letter to NIST using the US mail or a FAX machine (e-mail is not acceptable). The request should contain the following information:

  • Name and postal street address of the organization or individual
  • Name and contact information for the system operator and an alternate name if possible. These should include the e-mail addresses and the preferred contact method.
  • Network IP address of the client system that will be used to query the NIST server. A network name is desirable but not required, since the system will authenticate the request using IP addresses only. Users may request up to 4 contiguous IP addresses that will share the same key.

This information should be sent to:

Network Time Service
Mail stop 847
National Institute of Standards and Technology
325 Broadway
Boulder, Colorado 80305
FAX: 303 497 6461

If the capacity of the server used for the test is not saturated, NIST will reply with a key number and a key value. The reply will be by US mail only unless the requesting organization or individual specifies that a reply by FAX is acceptable. A reply by e-mail will never be used.

We will also provide instructions for adding authentication to an existing generic NTP process, covering both the daemon ntpd and the single-query program ntpdate. The instructions found here should be adequate for most users. Users who have special requirements or who are using a custom version of NTP should contact NIST; we will provide as much assistance as possible. Users who wish to add authentication to the NTP process of a network appliance (such as a gateway, firewall or router) should check with the supplier that the embedded NTP implementation supports symmetric-key (keyed MD5) authentication.

This new service is being offered as an experiment only. There is no representation or guarantee that NIST will continue offering this service beyond the testing period, and there is no representation or guarantee of the performance levels of this test service. If the service is offered beyond the testing period, there may be service charges to users, and/or the service may be modified from its test form. NIST also reserves the right to terminate this test service at any time without prior notification to any registered users.

Send questions or comments to Judah Levine: