Requirements for Secure Clock Synchronization

TL;DR

This paper develops a fundamental theory for secure clock synchronization, identifying vulnerabilities in existing protocols and proposing necessary and sufficient conditions for security, with practical implications for protocols like IEEE 1588 PTP.

Contribution

It introduces a comprehensive security framework for clock synchronization, revealing flaws in current protocols and proposing new secure requirements and alternative protocols.

Findings

One-way protocols are vulnerable to replay attacks.

IEEE 1588 PTP is insecure under current conditions.

Proposed conditions are necessary and sufficient for security.

Abstract

This paper establishes a fundamental theory of secure clock synchronization. Accurate clock synchronization is the backbone of systems managing power distribution, financial transactions, telecommunication operations, database services, etc. Some clock synchronization (time transfer) systems, such as the Global Navigation Satellite Systems (GNSS), are based on one-way communication from a master to a slave clock. Others, such as the Network Transport Protocol (NTP), and the IEEE 1588 Precision Time Protocol (PTP), involve two-way communication between the master and slave. This paper shows that all one-way time transfer protocols are vulnerable to replay attacks that can potentially compromise timing information. A set of conditions for secure two-way clock synchronization is proposed and proved to be necessary and sufficient. It is shown that IEEE 1588 PTP, although a two-way synchronization protocol, is not compliant with these conditions, and is therefore insecure. Requirements for secure IEEE 1588 PTP are proposed, and a second example protocol is offered to illustrate the range of compliant systems.