Network Working Group                                      David L. Mills
Technical Report 06-1-1                             University of Delaware
                                                             January 2006

The Autokey Security Architecture, Protocol and Algorithms

Abstract

This report is an update of a previous report, TR 03-2-1, of the same name and author, published in February 2003. It describes the Autokey security model for authenticating servers to clients using the Network Time Protocol (NTP) and public key cryptography. Its design is based on the premise that IPSEC schemes cannot be adopted intact, since that would preclude stateless servers and severely compromise timekeeping accuracy. In addition, PKI schemes presume that authenticated time values are always available to enforce certificate lifetimes; however, cryptographically verified timestamps require interaction between the timekeeping function and the authentication function in ways not yet considered by the IETF.

This report includes the Autokey requirements analysis, design principles and protocol specification. A detailed description of the protocol states, events and transition functions is included. A prototype of the Autokey design based on this report has been implemented, tested and documented in the NTP Version 4 (NTPv4) software distribution for Unix, Windows and VMS at http://www.ntp.org.

Keywords: network security, public-key infrastructure, digital signatures, computer time synchronization

Sponsored by: DARPA Information Technology Office Order G409, Contract F30602-98-1-0225, and Digital Equipment Corporation Research Agreement 1417.

Table of Contents

1. Introduction 1
2. NTP Security Model 2
3. Approach 4
4. Autokey Cryptography 5
5. Secure Groups 8
6. Identity Schemes 11
7. Autokey Operations 13
8. Public Key Signatures and Timestamps 15
9. Autokey Protocol Overview 16
10. Autokey State Machine 17
10.1 State Variables 19
10.2 Protocol Messages 22
10.3 Protocol State Transitions 23
10.3.1 Server Dance 23
10.3.2 Broadcast Dance 24
10.3.3 Symmetric Dance 25
10.4 Error Recovery 26
11. References 27
Appendix A. Packet Formats 29
A.1 Header Field Formats 29
A.2 Extension Field Formats 30
Appendix B. Cryptographic Key and Certificate Management 32
Appendix C. Autokey Error Checking 34
C.1 Packet Processing Rules 34
C.2 Timestamps, Filestamps and Partial Ordering 35
Appendix D. Security Analysis 37
D.1 Protocol Vulnerability 37
D.2 Clogging Vulnerability 38
Appendix E. Identity Schemes 40
E.1 Certificates 40
E.2 Private Certificate (PC) Scheme 41
E.3 Trusted Certificate (TC) Scheme 42
E.4 Schnorr (IFF) Scheme 43
E.5 Guillard-Quisquater (GQ) Scheme 44
E.6 Mu-Varadharajan (MV) Identity Scheme 46
E.7 Interoperability Issues 50
Appendix F. File Examples 52
F.1 RSA-MD5cert File and ASN.1 Encoding 52
F.2 RSAkey File and ASN.1 Encoding 53
F.3 IFFpar File and ASN.1 Encoding 54
Appendix G. ASN.1 Encoding Rules 54
G.1 COOKIE request, IFF response, GQ response, MV response 54
G.2 CERT response, SIGN request and response 55