TIME TRAVEL

It seems that, although every computer has a clock, none of them appear to be synchronized—unless the computer in question is running the Network Time Protocol (NTP). With NTP, you can synchronize against truly accurate time sources such as the atomic clocks run by NIST, the U.S. Naval Observatory, or counterparts in other countries around the world.

So, what does accurate timekeeping have to do with computer forensics? Keeping a consistent sense of time is critical for many computer-forensic-related activities.

Financial organizations rely on accurate timekeeping for their transactions. Many authentication systems, Kerberos being the most prominent example, use dated tickets to control access to systems and resources. Investigating incidents that involve multiple computers is much easier when the timestamps on files and in logs are in sync.

NTP began as a tool that permitted researchers to synchronize workstation clocks to within milliseconds or better. With the growth of the Internet, the mechanisms that enabled NTP clients and servers to securely exchange time data have gone from sufficiently secure to not nearly secure enough. A new version, NTP 4, seeks to fix that, while providing a model for automatic configuration and key exchange. Let’s take a look at time-synchronization systems, and how you can securely use them to set all your clocks accurately.

Time Matters

Why bother having accurate clocks? Isn’t the one that comes in your desktop PC or your Sun Enterprise server adequate? The answer is that accurate timekeeping is an advanced science, an avocation practiced by hundreds of scientists around the world, and the paltry clock chip you have in your PC or expensive server winds up being a bit less accurate than your Swatch watch for several reasons.

Computer clocks, like most electronic clocks, detect the oscillations of a quartz crystal and calculate the passing time based on these oscillations. Not all quartz crystals are the same to begin with, but put one inside of a nice, hot computer that’s also cool whenever it’s turned off, and the crystal’s frequency tends to wander. Also, Unix systems base their notion of time on interrupts generated by the hardware clock. Delays in processing these interrupts cause Unix system clocks to lose time—slowly, but erratically. These small changes in timekeeping are what time scientists call jitter.

Over time, scientists and programmers have developed different techniques for synchronizing clocks over TCP/IP or other network protocols. The time protocol provides a server’s notion of time in a machine-readable format, and there’s also an Internet Control Message Protocol (ICMP) timestamp message. Though these remain available Internet standards, neither is currently sufficient for accurate timekeeping, and, hence, both are considered out-of-date. The Unix r commands include rdate, which permits setting a local clock based on a remote server. There are modem-based programs that contact NIST timeservers and fetch a time message (along with an estimate of round-trip time to account for latency), which you can still use today.

The NTP software includes drivers for a large number of devices—radios that listen to time signals such as WWV, Global Positioning System (GPS) receivers, and even atomic clocks—that serve as references for stratum-one servers. The University of Delaware site includes lists of stratum-one servers in the United States; you can also find stratum-one servers through Web search engines.

Below stratum-one servers are many stratum-two servers, and stratum-three servers are below that, and so on. NTP supports up to 15 different stratums, but being closer to the top implies being closer to the most accurate source of time. To improve each server’s notion of time, servers in the same stratum may peer (that is, act as equals) and perform the same timestamp exchanges done by NTP clients. NTP servers and clients don’t blindly accept another system’s notion of time, even if it comes from a higher stratum. This was NTP’s only security provision for a while.

Clock Filters

Automatically accepting another system’s statement about the current time can be harmful: Suppose the timekeeping system has been taken over by an attacker who needs to turn back the clock so that a replay attack can function. NTP guards against this in several ways.

First, NTP assumes that time moves forward, not backward, although small backward changes are acceptable. Also, if a system has been using NTP, the NTP software assumes that changes in a local clock will be small, generally less than a second. This makes controlling a local clock or making large changes literally a time-consuming process—even a one-second change is a big deal.

NTP goes beyond this by collecting timestamps from many different servers (and peers, if appropriate). NTP maintains a queue comprised generally of eight samples and uses carefully crafted algorithms to compute the best approximation of exact time. For example, the outlyers in the sample (the timestamps with the largest divergence) are discarded. The remaining set of samples is then used to calculate what the local clock should read. On Unix systems, a special system call, adjtime(), makes small adjustments to system time. With multiple sources, the influence of a single, compromised timeserver (a falseticker, in NTP jargon) is completely avoided. You can modify the configuration of ntpd to label a timeserver as untrusted. You can also use the configuration to list trusted timeservers and peers.

By the late 1980s, version 2 had been released. NTP 2 included digital signatures based on a shared secret key so that servers and peers could sign NTP data and prevent an attacker from spoofing packets. NTP uses UDP packets (on port 123), which are easy to spoof because of their stateless nature (no connection setup, as in TCP).

Autokey

Version 4 of NTP is (most likely) still an Internet draft. Working versions of NTP 4 are being tested, and version 4 may have entered the IETF standards track by the time you read this book.

The most interesting aspects of version 4 are the security improvements. A system called the autokey uses public key algorithms combined with a list of one-way hashes. When a client contacts an NTP server, the client can collect a certificate that contains the server’s public key and independently verifies it. Then, using the enclosed public key, the client can check the signature sent by the server containing a list of keyids. The keyids are used with session keys to perform a quick digital signature check based on MD5.

Using public key cryptography for signing timestamps is just too slow. Public key encryption algorithms aren’t only slow (compared to private key algorithms such as RC4), they’re also inconsistent in that the amount of time used to encrypt may vary by a factor of two—something very unpleasant for those obsessed with keeping accurate time. Using the list of keyids reduces the need for public key encryption to once an hour on average.

Version 4 also supports the Diffie-Hellman key exchange for peers, so that peers can exchange private session keys. Multicast updates of clients are also supported and use the client/server autokey for setting up security.

Next, let’s look at how trade secret information and other sensitive data can easily be identified and secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions.