The NTP version installed on NetClock supports the Autokey Protocol. The Autokey Protocol uses the OpenSSL library, which provides security capabilities including message digests, digital signatures, and encryption schemes. The Autokey Protocol provides a means for NTP to authenticate and establish a chain of trusted NTP servers.
NTP Autokey: Support & Limitations
Currently, NetClock supports only the IFF (Identify Friend or Foe) Autokey Identity Scheme. The NetClock product web interface automates the IFF configuration using MD5 digests, RSA keys, and certificates. At this time, the configuration of other key types or other digests is not supported.
Note: When you configure NTP Autokey, you must disable the NTP service first, and then re-enable it after Autokey configuration is completed.
IFF Autokey support is illustrated in the figure below. The IFF identity scheme is used with multiple-stratum NTP time servers. The example below shows 3 Stratum layers. Stratum 1 NTP Servers are close to the physical time references. All Stratum 1 servers can be Trusted Hosts. One of them is the trusted root used to generate the IFF Group/Client Key. This defines the IFF Group.
All other group members generate a Group Certificate and RSA public/private keys using the MD5 digest. Each group member must share the common IFF Group/Client Key. Stratum 2 NTP servers are also members of the Group. All NTP Stratum 1 servers are Trusted Hosts. The NTP servers closest to the actual time reference (Stratum 1) should be designated trusted. A single Stratum 1 NTP server generates the IFF Group/Client Keys. The group name feature is NOT supported. The Group can use the same passphrase (password) or different passphrases for each client.
An NTP Server Group member is configured by enabling Autokey and creating a certificate and a public/private key pair, while not enabling the Client Only selection. A Client Only NTP server is configured by enabling Autokey, creating a certificate and a public/private key pair, and enabling the Client Only selection.
Note: Passphrases can be identical for all group members and Client NTP Servers, or they can be the same for group members, with a different passphrase shared between the Client Only NTP Servers.
IFF Autokey configuration example
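The group rules above can be checked against a deployment inventory before the NTP service is re-enabled. The following is an added example, not NetClock code: the Node fields, the sample inventory and the idea of comparing a digest of the installed IFF Group/Client Key are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Node:                           # hypothetical inventory record
    name: str
    stratum: int
    autokey: bool = True              # Autokey enabled
    has_cert_and_keys: bool = True    # certificate + RSA key pair created
    client_only: bool = False         # "Client Only" selection
    trusted: bool = False             # designated Trusted Host
    generates_group_key: bool = False
    group_key_digest: str = ""        # digest of the installed Group/Client Key

def check_iff_group(nodes):
    """Return the violations of the IFF group rules described on this page."""
    problems = []
    gens = [n for n in nodes if n.generates_group_key]
    if len(gens) != 1:
        problems.append(f"expected 1 group key generator, found {len(gens)}")
    elif gens[0].stratum != 1:
        problems.append(f"{gens[0].name}: group key generator must be Stratum 1")
    reference = gens[0].group_key_digest if len(gens) == 1 else ""
    for n in nodes:
        if not n.autokey:
            problems.append(f"{n.name}: Autokey is not enabled")
        if not n.has_cert_and_keys:
            problems.append(f"{n.name}: certificate/key pair not created")
        if n.stratum == 1 and not n.trusted:
            problems.append(f"{n.name}: Stratum 1 server is not a Trusted Host")
        # Group members (not Client Only) must hold the common group key.
        if not n.client_only and (
            not n.group_key_digest
            or (reference and n.group_key_digest != reference)
        ):
            problems.append(f"{n.name}: group member lacks the common IFF Group/Client Key")
    return problems

# Constructed sample inventory with two deliberate mistakes (s1-b, s2-a).
SAMPLE = [
    Node("s1-a", 1, trusted=True, generates_group_key=True, group_key_digest="aa11"),
    Node("s1-b", 1, trusted=False, group_key_digest="aa11"),
    Node("s2-a", 2, group_key_digest="bb22"),
    Node("c-1", 3, client_only=True),
]

if __name__ == "__main__":
    for line in check_iff_group(SAMPLE):
        print(line)
```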