Re: [Ntp] The NTP WG has placed draft-schiff-ntp-chronos in state "Call For Adoption By WG Issued"

Neta R S <> Tue, 10 September 2019 08:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A7C051208C1 for <>; Tue, 10 Sep 2019 01:16:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WFnxi0JApH1r for <>; Tue, 10 Sep 2019 01:16:48 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 66A821208B6 for <>; Tue, 10 Sep 2019 01:16:48 -0700 (PDT)
Received: by with SMTP id r134so12684042lff.12 for <>; Tue, 10 Sep 2019 01:16:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VRhKvzpMOWqfkpy4qsxGoj4s6cI3FKIj+O4mozS74D8=; b=DcH8PvEkWRth1KNJ7drOiPO6w0sagKXO6qgH3+bkZYRzGpJwu1nlPLPx4Dki254TC6 4Ff3ywoU9i4c+MGNef2RdbB6HpQpdC2746QzGL6bVRjCcLrYuHH36jpkqoXvcWej/zIe vhTGDtqZ3njYZILao8+GVAHEkRr538L7uhfuGztJD6St+pCUU4y1NgiDbPorP0xjO6/J Iv1j6y0zgYZTwHaQg/9hCvllYCd8dILWTlw3PL7P5ObmMyTIkyBpVhXoik/n95jkVyRa TtY9zRVO7IQ6192Vrwzy1o6lnb+5e4rjKvFj8kdkaNRW6HUBhWKF498DJSvXnrRJ2lT9 ilZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VRhKvzpMOWqfkpy4qsxGoj4s6cI3FKIj+O4mozS74D8=; b=TMgYmlqi0PCydk+a8LN0Ixg5LHGNv9qCFZ1FBHj5qzTvoEKk954SdJTNQFRnfKIFWJ uJj6NeyhIF5xM+0h50iUUxa6bDe8eMxvX7rBUiuFzAw0Xx5NMZF5dwCRcibanHh3k5M8 ERvWnIqSEv1ZuIb28TjARH5FylI8XfyWLKR4XVzVi7RrAQ7tkJ0x0Nn+cvTNpGLdOfqK gsvSgjirQKnZKoBMPyD+I49FtYWD6ekb2PzJGofjlS4H5kXD83abOpLHM3jVsgrkJpO+ xuBMGbzMztFjClpqNGf0mJaVfFcRfkxPXKI+HGfi5IXQIbtOVo2p5NwORUbak93dRWgj SMFg==
X-Gm-Message-State: APjAAAXD7R9kpUAqfL37ROdm5njHY2Myg0OuHep/z19yxiEbUEEmRp6u 1iegoPdKgriJMuaof4OowZJRWeHUhdTy+jCUT2Q=
X-Google-Smtp-Source: APXvYqy9pZj0w3XARB7mxg8Y9SmbSzVAg4vz4VLTTVZrLBNiiw6aP7gRV9Zef1z5Uh+u5xWPwzw4vLoplvOFr1648Bs=
X-Received: by 2002:a19:6008:: with SMTP id u8mr16565574lfb.12.1568103406559; Tue, 10 Sep 2019 01:16:46 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Neta R S <>
Date: Tue, 10 Sep 2019 11:16:33 +0300
Message-ID: <>
To: Harlan Stenn <>
Content-Type: multipart/alternative; boundary="00000000000084e43005922e860b"
Archived-At: <>
Subject: Re: [Ntp] The NTP WG has placed draft-schiff-ntp-chronos in state "Call For Adoption By WG Issued"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Sep 2019 08:16:58 -0000

Hi Harlan,

Please see a brief description of Chronos threat model, Chronos algorithm
and security analysis below.

*Threat model: *Chronos considers a powerful form of man-in-the-middle
(MitM) Byzantine attacker, capable of determining precisely the values of
the time samples gathered by the Chronos client from
a subset of the NTP servers in its server pool (up to one-third of the

*A short reminder of Chronos' algorithm:*- Chronos client choose m servers
at random, queries them, orders their m samples according to their value,
drop the d lowest and highest samples.
- Then it tests the remaining set, and use its average as the new client's
clock only if the two conditions are satisfied:
1 - All the samples are close (up to 2w)
2 - Their average is close to the clients clock (up to ERR+2w)
Otherwise - the client resamples (choose again m servers at random, queries
them, orders them from low to high and drop the d lowest and the d highest
and tests the remaining set again).
After the client resamples (fails in the tests) K times, it moves to the
panic mode where all the servers are sampled.

*Security analysis*Chronos draft is based on the Chronos paper, which
provide a security analysis.
It was proved mathematically, that since Chronos use (slightly) more
servers to update, and choose them at random, the probability of successful
MitM attack decreases dramatically compares to NTPv4.
The improvement factor depends on the number of servers queries by Chronos
client at each update. For example, if the attacker controls 1/7 of the
servers in the pool, while querying 14 servers per update, Chronos client
can reduce its probability for timeshifthimg by a factor of approximately

Moreover, we considered the spectrum of feasible attack scenarios in order
to evaluate the
effectiveness of Chronos in thwarting timeshifting attacks.
The scenarios depend on how many malicious servers were queried.
We considered two scenarios:

*-  Scenario I: Less than m-d of the queried servers are under the
attacker’s control.*
It means, that there are more than d ''good'' samples (defined as up to w
away from the UTC).
In this scenario, there are two options:

1. There is at least one ''good'' sample in the remaining set, and then the
others should be close to it (according to condition 1, otherwise the
client resamples).
Then, the average of the samples in the remaining set (which is used to
update the client's clock) is close to the UTC.

2. There are no ''good'' samples in the remaining set. Thus, since there
are more than d ''good'' samples, the values of remain set are bounded by
''good'' samples.
Thus, the average of the remaining set is also close to the UTC

Therefore, these attack strategies are ineffective.

*- Scenario II:  More than m-d of the queried servers are under the
attacker’s control.*
In the worst case of this scenario, all the samples in the remaining set
are ''bad'' (more than w away from the UTC).
However, we proved in the paper that the probability of this scenario is
extremely low (since it requires malicious servers to be randomly chosen at
a much higher ratio than their ratio in the population – the pool).
Thus, the probability of repeated time shift is even exponentially lower –
Consequently, a significant time shift is practically infeasible

Moreover, we examined the probability of DoS attack on the servers by an
attacker who cause many clients to resample and reach the panic mode
multiple times.
We found that the probability of this attack is extremely low, even if the
client moves to panic mode directly after 3 times of resampling.

*Next step:*We are continuing to evaluate Chronos's performance and
security for different attack strategies and at different locations.

Detailed discussions (along with the parameters evaluation can be seen in
the full paper: