[Git][NTPsec/ntpsec][master] More detailed description of authentication.
Eric S. Raymond
gitlab at mg.gitlab.com
Tue Nov 1 14:06:00 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
7915df14 by Eric S. Raymond at 2016-11-01T10:05:43-04:00
More detailed description of authentication.
- - - - -
1 changed file:
@@ -19,6 +19,7 @@ include::includes/hand.txt
* link:#packet[Mode 6 packet structure]
* link:#varlists[Variable-Value Lists]
* link:#requests[Mode 6 Requests]
@@ -86,10 +87,6 @@ padded to a 4-octet boundary. Responses may be multiple UDP packets;
they may arrive out of order, and the client is responsible for
reassembling the payloads.
-Some requests require authentication. This is accomplished by
-shipping a trailer consisting of a key dentifier and an MD5 digest of
-the header and payload generated with that identifier.
== Variable-Value Lists ==
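Review bot: Removing the paragraph that begins "Some requests require authentication" leaves the packet-structure text, as far as these lines show, with no mention that a trailer can follow the payload. Consider keeping a one-sentence pointer at this spot to the new Authentication section, so a reader working through the packet layout still learns that authenticated requests carry extra octets after the payload.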
@@ -384,6 +381,26 @@ containing one string-valued variable, "nonce". The value need not by
interpreted by the client, only replayed as part of a following MRU-list
+== Authentication ==
+Authenticated requests require a MAC (message authentication code)
+trailer following the payload data, if any. Such requests must be
+padded to an 8-octet boundary, with those bytes not included in the
+header count field.
+The contents of the MAC trailer consists of:
+1. The 32-bit identifier of the signing key in network byte order.
+2. A cryptographic hash of the following octet spans, in order.
+First, the password entered to use the signing key, then the request
+header fields, then the payload.
+The cryptographic hash is normally MD5, but if ntpd is built with
+OpenSSL support it is possible to select any of the hash types supported
+by that library on a per-key basis.
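Review bot: The hash input in item 2 is given as password, then header fields, then payload, but the section does not say whether the octets that pad the request to the 8-octet boundary are part of the hashed span. In addition, "with those bytes not included in the header count field" can be read as referring either to the padding or to the trailer. Please state both explicitly, and give the digest length (or how the receiver derives it) for the per-key hash types, so an independent client can locate the key identifier and verify the MAC. Because the text describes a plain hash over the password followed by the message rather than HMAC, it is worth saying so outright so implementers do not assume HMAC. Minor: "The contents of the MAC trailer consists of" should read "consist of".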
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/7915df14873c125307f1e08a0508fe817b98a15c