Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure

[3APA3A <3APA3A () SECURITY NNOV RU>]

--This is a forwarded message
From: Robert Brown <eli () typhoon xnet com>
To: 3APA3A () security nnov ru <3APA3A () security nnov ru>
Date: Friday, August 20, 2004, 7:34:40 AM
Subject: FullDisclosure: Security aspects of time synchronization infrastructure

===8<==============Original message text===============
NB: I do not have membership in FullDisclosure mailing list; I only
read web archives.  If you desire, you may echo this message to the
list.  :-)

----------------

In your paper at:

   http://www.security.nnov.ru/advisories/timesync.asp

you state:

    If there is a host with reliable time on the network (that is host
    synchronized with some hardware source, like radio clocks, cesium
    clocks, GPS clocks, etc) - whole network will be finally, after some
    time, synchronized with this host.

Depending upon the criticality of the time sensitive applications on
the network, you might want to reconsider the use of "radio clocks"
and especially "GPS clocks".  These time sources are also subject to
attacks.  Any free air broadcast is subject to jamming.  This is
essentially a DoS.  Spoofing to provide incorrect time signal is also
possible with free air broadcast, but less easy to do.

Furthermore, in this age of global military instability, there is
alway the possibility of "tinkering" with GPS signals -- especially
the time base -- for the purpose of preventing uninformed receivers
getting correct time or position information.  In particular,
"meakoning" is likely to be used with navigational services to
deliberately mis-guide a vehicle and cause it to follow a trajectory
of the choosing of the GPS signal controlling force, instead of the
intended trajectory of the pilot of that vehicle -- human or
autonomous.  This is reason why military vehicles augment GPS
navigation with inertial navigation and other means, including Kalman
filtering to establish optimal point statistic for position and time
by combining all available positioning sources.  Meaconing may also be 
done with LORAN and OMEGA navigation signales as well.  Inertial
navigation is only completely self-contained positioning mechanism.

For these reasons, in certain applications, the time source should
only be one that is self contained and under the complete control of
the network administrator or owner.  

It is not always necessary for a network to be synchronized to
external world time; some applications only require that all the nodes
on the network be synchronized to each other.  In a case like this,
there can be certain advantage to deliberately running the entire
network at a time out of sync with the rest of the world, as this can
add immunity to attack.

How accurate your time needs to be, in terms of the frequency accuracy
and precision of the time base, is a function of the time sensitive
applications running on that network, and many such applications do
not necessarily require cesium quality time base; quartz is perfectly
adequate for many uses.  Line frequency clocks should be avoided
unless line frequency is under local control -- such as is the case
when you generate your own power, as on board a vehicle such as a ship 
or aircraft.

-- 
--------  "And there came a writing to him from Elijah"  [2Ch 21:12]  --------
R. J. Brown III  rj () elilabs com http://www.elilabs.com/~rj  voice 859 567-7311
Elijah Laboratories Inc.    P. O. Box 166, Warsaw KY 41095    fax 859 567-7311
-----  M o d e l i n g   t h e   M e t h o d s   o f   t h e   M i n d  ------

===8<===========End of original message text===========


-- 
~/ZARAZA
ЭНИАКам - по морде!  (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html