Wei Dong,Xiaojin Liu

DOI: https://doi.org/10.1109/tii.2015.2495147

IF: 12.3

2015-01-01

IEEE Transactions on Industrial Informatics

Abstract:Time synchronization is crucial for cyber-physical systems (CPSs), e.g., wireless sensor and actuator networks. Cyber physical security is an important yet challenging problem. In particular, attacks to the time synchronization service may incur data distortion or even malfunction of the whole system. Sybil attack is one of the most common attack types for sensor networks, where a node illegitimately claims multiple identities. Existing secure time-synchronization protocols; however, cannot well address Sybil attacks in the time synchronization process. We propose a robust and secure time-synchronization protocol (RTSP) to defend against Sybil attacks. Different from previous secure timesync protocols, RTSP employs a novel graph theoretical approach, which is able to perform anomaly detection at the message level instead of the node level. This fine-grained detection ability enables RTSP to become robust against Sybil attacks, as well as node compromise and message manipulation attacks. Extensive experimental results show the effectiveness of our proposed protocol.

Andreas Finkenzeller,Oliver Butowski,Emanuel Regnath,Mohammad Hamad,Sebastian Steinhorst

2024-02-07

Abstract:High-precision time synchronization is a vital prerequisite for many modern applications and technologies, including Smart Grids, Time-Sensitive Networking (TSN), and 5G networks. Although the Precision Time Protocol (PTP) can accomplish this requirement in trusted environments, it becomes unreliable in the presence of specific cyber attacks. Mainly, time delay attacks pose the highest threat to the protocol, enabling attackers to diverge targeted clocks undetected. With the increasing danger of cyber attacks, especially against critical infrastructure, there is a great demand for effective countermeasures to secure both time synchronization and the applications that depend on it. However, current solutions are not sufficiently capable of mitigating sophisticated delay attacks. For example, they lack proper integration into the PTP protocol, scalability, or sound evaluation with the required microsecond-level accuracy. This work proposes an approach to detect and counteract delay attacks against PTP based on cyclic path asymmetry measurements over redundant paths. For that, we provide a method to find redundant paths in arbitrary networks and show how this redundancy can be exploited to reveal and mitigate undesirable asymmetries on the synchronization path that cause the malicious clock divergence. Furthermore, we propose PTPsec, a secure PTP protocol and its implementation based on the latest IEEE 1588-2019 standard. With PTPsec, we advance the conventional PTP to support reliable delay attack detection and mitigation. We validate our approach on a hardware testbed, which includes an attacker capable of performing static and incremental delay attacks at a microsecond precision. Our experimental results show that all attack scenarios can be reliably detected and mitigated with minimal detection time.

Cryptography and Security,Networking and Internet Architecture

Eyal Itkin,Avishai Wool

DOI: https://doi.org/10.1109/tdsc.2017.2748583

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The Precision Time Protocol (PTP) aims to provide highly accurate and synchronized clocks. Its defining standard, IEEE 1588, has a security section (“Annex K”) which relies on symmetric-key cryptography. In this paper we present a detailed threat analysis of the PTP standard, in which we highlight the security properties that should be addressed by any security extension. During this analysis we identify a sequence of new attacks and suggest non-cryptographic network-based defenses that mitigate them. We then suggest to replace Annex K's symmetric cryptography by an efficient elliptic-curve Public-Key signatures. We implemented all our attacks to demonstrate their effectiveness, and also implemented and evaluated both the network and cryptographic defenses. Our results show that the proposed schemes are extremely practical, and much more secure than previous suggestions.

computer science, information systems, software engineering, hardware & architecture

Waleed Alghamdi,Michael Schukat

DOI: https://doi.org/10.3390/s22103671

IF: 3.9

2022-05-12

Sensors

Abstract:The Precision Time Protocol (PTP) as described in IEEE 1588–2019 provides a sophisticated mechanism to achieve microsecond or even sub-microsecond synchronization of computer clocks in a well-designed and managed network, therefore meeting the needs of even the most time-sensitive industrial and financial applications. However, PTP is prone to many security threats that impact on a correct clock synchronization, leading to potentially devastating consequences. Here, the most vicious attacks are internal attacks, where a threat actor has full access to the infrastructure including any cryptographic keys used. This paper builds on existing research on the impact of internal attack strategies on PTP networks. It shows limitations of existing security approaches to tackle internal attacks and proposes a new security approach using a trusted supervisor node (TSN), in line with prong D as specified in IEEE 1588–2019. A TSN collects and analyzes delay and offset outputs of monitored slaves, as well as timestamps embedded in PTP synchronization messages, allowing it to detect abnormal patterns that point to an attack. The paper distinguishes between two types of TSN with different capabilities and proposes two different detection algorithms. Experiments show the ability of the proposed method to detect all internal PTP attacks, while outlining its limitations.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Robert Annessi,Joachim Fabini,Felix Iglesias,Tanja Zseby

DOI: https://doi.org/10.48550/arXiv.1811.08569

2018-11-21

Cryptography and Security

Abstract:Clock synchronization has become essential to modern societies since many critical infrastructures depend on a precise notion of time. This paper analyzes security aspects of high-precision clock synchronization protocols, particularly their alleged protection against delay attacks when clock synchronization traffic is encrypted using standard network security protocols such as IPsec, MACsec, or TLS. We use the Precision Time Protocol (PTP), the most widely used protocol for high-precision clock synchronization, to demonstrate that statistical traffic analysis can identify properties that support selective message delay attacks even for encrypted traffic. We furthermore identify a fundamental conflict in secure clock synchronization between the need of deterministic traffic to improve precision and the need to obfuscate traffic in order to mitigate delay attacks. A theoretical analysis of clock synchronization protocols isolates the characteristics that make these protocols vulnerable to delay attacks and argues that such attacks cannot be prevented entirely but only be mitigated. Knowledge of the underlying communication network in terms of one-way delays and knowledge on physical constraints of these networks can help to compute guaranteed maximum bounds for slave clock offsets. These bounds are essential for detecting delay attacks and minimizing their impact. In the general case, however, the precision that can be guaranteed in adversarial settings is orders of magnitude lower than required for high-precision clock synchronization in critical infrastructures, which, therefore, must not rely on a precise notion of time when using untrusted networks.

Lakshay Narula,Todd E. Humphreys

DOI: https://doi.org/10.1109/jstsp.2018.2835772

IF: 7.695

2018-08-01

IEEE Journal of Selected Topics in Signal Processing

Abstract:This paper establishes a fundamental theory of secure clock synchronization. Accurate clock synchronization is the backbone of systems managing power distribution, financial transactions, telecommunication operations, database services, etc. Some clock synchronization (time transfer) systems, such as the global navigation satellite systems, are based on one-way communication from a master to a slave clock. Others, such as the network transport protocol, and the IEEE 1588 precision time protocol (PTP), involve two-way communication between the master and slave. This paper shows that all one-way time transfer protocols are vulnerable to replay attacks that can potentially compromise timing information. A set of conditions for secure two-way clock synchronization is proposed and proved to be necessary and sufficient. It is shown that IEEE 1588 PTP, although a two-way synchronization protocol, is not compliant with these conditions, and is therefore insecure. Requirements for secure IEEE 1588 PTP are proposed, and a second example protocol is offered to illustrate the range of compliant systems.

engineering, electrical & electronic

Jianping He,Jiming Chen,Peng Cheng,Xianghui Cao

DOI: https://doi.org/10.1109/tpds.2013.150

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Time synchronization is a fundamental requirement for the wide spectrum of applications with wireless sensor networks (WSNs). However, most existing time synchronization protocols are likely to deteriorate or even to be destroyed when the WSNs are attacked by malicious intruders. This paper is concerned with secure time synchronization for WSNs under message manipulation attacks. Specifically, the theoretical analysis and simulation results are first provided to demonstrate that the maximum consensus based time synchronization (MTS) protocol would be invalid under message manipulation attacks. Then, a novel secured maximum consensus based time synchronization (SMTS) protocol is proposed to detect and invalidate message manipulation attacks. Furthermore, we prove that SMTS is guaranteed to converge with simultaneous compensation of both clock skew and offset. Extensive numerical results show the effectiveness of our proposed protocol.

Jiajun Shen,Dongqin Feng

DOI: https://doi.org/10.1109/hpcc.2014.115

2014-01-01

Abstract:With the development of the industrial informatization, the problems of security in field device layer have been gradually exposed, which mainly involves specified industrial communication protocols. Clock synchronization protocol, as one of the most important industrial communication protocols, ensures the real-time performance of industrial control system. Considering that the related researches have not yet formed a mature system, we propose a new method for analyzing the vulnerability of clock synchronization protocol in this article. In this method, SPN(stochastic petri net) is introduced as a modeling tool, while IEEE 1588 PTP clock synchronization protocol is regarded as the research object. An SPN(stochastic petri net) model is strictly built according to the protocol. Then, steady-state probability expressions are obtained by the isomorphic Markov chain. Through changing trigger rate of transitions of several pivotal states which are related to vulnerability, the influences of each parameter has on the model could be quantitatively reflected in the result of simulation in order to analyze vulnerability of clock synchronization protocol by determining the critical factors that affect protocol's vulnerability.

De-jun Li,Gang Wang,Can-jun Yang,Bo Jin,Yan-hu Chen

DOI: https://doi.org/10.1631/jzus.c1300084

2013-01-01

Abstract:An IEEE 1588 based application scheme was proposed to achieve accurate time synchronization for a deep seafloor observatory network based on the communication topological structure of the Zhejiang University Experimental and Research Observatory. The principles of the network time protocol (NTP) and precision time protocol (PTP) were analyzed. The framework for time synchronization of the shore station, undersea junction box layer, and submarine science instrument layer was designed. NTP and PTP network signals were decoded by a PTP master clock on a shore station that receives signals from the Global Positioning System and the BeiDou Navigation Satellite System as reference time sources. These signals were remotely transmitted by a subsea optical-electrical composite cable through an Ethernet passive optical network. Accurate time was determined by time synchronization devices in each layer. Synchronization monitoring experiments performed within a laboratory environment indicated that the proposed system is valid and has the potential to realize microsecond accuracy to satisfy the time synchronization requirements of a high-precision seafloor observatory network.

Nikhil Tripathi,Neminath Hubballi

DOI: https://doi.org/10.48550/arXiv.2005.01783

2020-05-15

Abstract:Network Time Protocol (NTP) is used by millions of hosts in Internet today to synchronize their clocks. Clock synchronization is necessary for many network applications to function correctly. Unsynchronized clock may lead to failure of various core Internet services including DNS and RPKI based interdomain routing and opens path for more sophisticated attacks. In this paper, we describe a new attack which can prevent a client configured in NTP's broadcast mode from synchronizing its clock with the server. We test the attack in real networks and show that it is effective in both authenticated and unauthenticated broadcast/multicast modes of NTP. We also perform experiments to measure the overall attack surface by scanning the entire IPv4 address space and show that NTP broadcast mode is being used in the wild by several low stratum (highly accurate) hosts. We also suggest few countermeasures to mitigate the proposed attack.

Cryptography and Security,Networking and Internet Architecture

Yarin Perry,Neta Rozen Schiff,Michael Schapira

DOI: https://doi.org/10.14722/NDSS.2021.24302

Abstract:—The Network Time Protocol (NTP) synchronizes time across computer systems over the Internet and plays a crucial role in guaranteeing the correctness and security of many Internet applications. Unfortunately, NTP is vulnerable to so called time shifting attacks. This has motivated proposals and standardization efforts for authenticating NTP communications and for securing NTP clients . We observe, however, that, even with such solutions in place, NTP remains highly exposed to attacks by malicious timeservers . We explore the implications for time computation of two attack strategies: (1) compromising existing NTP timeservers, and (2) injecting new timeservers into the NTP timeserver pool. We first show that by gaining control over fairly few existing timeservers, an opportunistic attacker can shift time at state-level or even continent-level scale. We then demonstrate that injecting new timeservers with disproportionate influence into the NTP timeserver pool is alarmingly simple, and can be leveraged for launching both large-scale opportunistic attacks, and strategic, targeted attacks. We discuss a promising approach for mitigating such attacks.

Computer Science

Zang Li,Wenyuan Xu,Robert D. Miller,Wade Trappe

DOI: https://doi.org/10.1145/1161289.1161297

2006-01-01

Abstract:Although conventional cryptographic security mechanisms are essential to the overall problem of securing wireless networks, these techniques do not directly leverage the unique properties of the wireless domain to address security threats. The properties of the wireless medium are a powerful source of domain-specific information that can complement and enhance traditional security mechanisms. In this paper, we propose to utilize the fact that the radio channel decorre-lates rapidly in space, time and frequency in order to to establish new forms of authentication and confidentiality that operate at the physical layer and can be used to facilitate cross-layer security paradigms. Specifically, for authentication services, we illustrate two channel probing techniques that can be used to verify the authenticity of a transmitter. Similarly, for confidentiality, we examine several strategies for establishing shared secrets/keys between two communicators using the wireless medium. These strategies range from extracting keys from channel state information, to utilizing the channel variability to secretly disseminate keys. We then validate the feasibility of using physical layer techniques for securing wireless systems by presenting results from experiments involving the USRP/GNURadio software defined radio platform.

Yang Li,Yujie Luo,Yichen Zhang,Ao Sun,Wei Huang,Shuai Zhang,Tao Zhang,Chuang Zhou,Li Ma,Jie Yang,Mei Wu,Heng Wang,Yan Pan,Yun Shao,Xing Chen,Ziyang Chen,Song Yu,Hong Guo,Bingjie Xu

2024-06-19

Abstract:Secure precision time synchronization is important for applications of Cyber-Physical Systems. However, several attacks, especially the Time Delay Attack (TDA), deteriorates the performance of time synchronization system seriously. Multiple paths scheme is thought as an effective security countermeasure to decrease the influence of TDA. However, the effective secure combination algorithm is still missed for precision time synchronization. In this paper, a secure combination algorithm based on Dempster-Shafer theory is proposed for multiple paths method. Special optimizations are done for the combination algorithm to solve the potential problems due to untrusted evidence. Theoretical simulation shows that the proposed algorithm works much better than Fault Tolerant Algorithm (FTA) and the attack detection method based on single path. And experimental demonstration proves the feasibility and superiority of the proposed algorithm, where the time stability with 27.97 ps, 1.57 ps, and 1.12 ps at average time 1s, 10s, 100s is achieved under TDA and local clock jump. The proposed algorithm can be used to improve the security and resilience of many importance synchronization protocol, such as NTP, PTP, and TWFTT.

Cryptography and Security

Michael Poernomo,H. Ferng,Mingfu Li

DOI: https://doi.org/10.1109/DASC-PICom-CBDCom-CyberSciTech49142.2020.00033

2020-08-01

Abstract:The current enhancements in the Internet of things (IoT) standardize a method to precisely synchronize computers or devices over the network. The precision time protocol (PTP) described in IEEE 1588 meets the necessity for higher accurate time synchronization. For achieving higher accuracy, security and resource issues arise. To tackle these issues, an authentication scheme for the lightweight PTP using the digital signature and polynomials is proposed in this paper. The proposed scheme is evaluated through the SimPy simulator and our simulation results show that our proposed scheme can outperform the closely related schemes in the literature.

Engineering,Computer Science

Xiaoming Duan,Nikolaos M. Freris,Peng Cheng

DOI: https://doi.org/10.1109/allerton.2016.7852364

2016-01-01

Abstract:Recently, the Secure Average Time Synchronization (SATS) protocol has been proposed and analyzed; this distributed clock synchronization protocol is capable of successfully tackling several attacks such as denial-of-service (DoS), message-delay, message duplication/repetition, and even a generic message manipulation. However, the collusion attack, in which neighboring malicious nodes may cooperate so as to strike stealthier attacks that are more difficult to handle, remains by and large an open problem. In the setup of SATS, we derive the fundamental asymptotic bounds in the number of malicious agents-as function of the benign ones-that can be efficiently handled without tampering accurate network-wide synchronization. Going a step further, we develop a risk model for collusions and use it to obtain even tighter bounds. In specific, we establish that SATS can handle 'many' malicious nodes with high probability: an order of almost square-root of the benign ones for the case of no risk, and almost linear when the risk of collusion is accounted. Last but not least, we analyze and experimentally assess an interesting phenomenon: the presence of attackers may lead to a convergence speedup of SATS, since malicious nodes can be effectively constrained from the network, thus affecting the algebraic connectivity of the graph corresponding to the network topology. Numerical simulations verify the theoretical results, i.e., collusions are avoided when the number of malicious nodes is bounded by the asymptotic bounds and the algebraic connectivity increases due to incorporating 'well behaved' malicious nodes.

Alex Minetto,Benoit Rat,Marco Pini,Brendan David Polidori,Ivan De Francesca,Luis Contreras Murillo,Fabio Dovis

DOI: https://doi.org/10.1109/jsyst.2023.3341243

IF: 4.802

2024-03-19

IEEE Systems Journal

Abstract:In recent years, the push for accurate and reliable time synchronization has gained momentum in critical infrastructures, especially in telecommunication networks, driven by the demands of 5G new radio and next-generation technologies that rely on submicrosecond timing accuracy for radio access network (RAN) nodes. Traditionally, atomic clocks paired with global navigation satellite systems (GNSS) timing receivers have served as grand master clocks, supported by dedicated network timing protocols. However, this approach struggles to scale with the increasing numbers of RAN intermediate nodes. To address scalability and high-accuracy synchronization, a more cost-effective and capillary solution is needed. Standalone GNSS timing receivers leverage ubiquitous satellite signals to offer stable timing signals but can expose networks to radio-frequency attacks due to the consequent proliferation of GNSS antennas. Our research introduces a solution by combining the white rabbit precise time protocol with a backup timing source logic acting in case of timing disruptive attacks against GNSS for resilient GNSS-based network synchronization. It has been rigorously tested against common jamming, meaconing, and spoofing attacks, consistently maintaining 2 ns relative synchronization accuracy between nodes, all without the need for an atomic clock.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Philipp Jeitner,Haya Shulman,Michael Waidner

DOI: https://doi.org/10.1109/DSN48063.2020.00043

2020-10-19

Abstract:We demonstrate the first practical off-path time shifting attacks against NTP as well as against Man-in-the-Middle (MitM) secure Chronos-enhanced NTP. Our attacks exploit the insecurity of DNS allowing us to redirect the NTP clients to attacker controlled servers. We perform large scale measurements of the attack surface in NTP clients and demonstrate the threats to NTP due to vulnerable DNS.

Cryptography and Security,Networking and Internet Architecture

Jason Anderson,Sherman Lo,Todd Walter

2024-07-18

Abstract:As TESLA-enabled GNSS for authenticated positioning reaches ubiquity, receivers must use an onboard, GNSS-independent clock and carefully constructed time synchronization algorithms to assert the authenticity afforded. This work provides the necessary checks and synchronization protocols needed in the broadcast-only GNSS context. We provide proof of security for each of our algorithms under a delay-capable adversary. The algorithms included herein enable a GNSS receiver to use its onboard, GNSS-independent clock to determine whether a message arrived at the correct time, to determine whether its onboard, GNSS-independent clock is safe to use and when the clock will no longer be safe in the future due to predicted clock drift, and to resynchronize its onboard, GNSS-independent clock. Each algorithm is safe to use even when an adversary induces delays within the protocol. Moreover, we discuss the implications of GNSS authentication schemes that use two simultaneous TESLA instances of different authentication cadences. To a receiver implementer or standards author, this work provides the necessary implementation algorithms to assert security and provides a comprehensive guide on why these methods are required.

Cryptography and Security

Marc Frei,Jonghoon Kwon,Seyedali Tabaeiaghdaei,Marc Wyss,Christoph Lenzen,Adrian Perrig

DOI: https://doi.org/10.48550/arXiv.2207.06116

2022-07-13

Networking and Internet Architecture

Abstract:Many critical computing applications rely on secure and dependable time which is reliably synchronized across large distributed systems. Today's time synchronization architectures are commonly based on global navigation satellite systems at the considerable risk of being exposed to outages, malfunction, or attacks against availability and accuracy. This paper describes a practical instantiation of a new global, Byzantine fault-tolerant clock synchronization approach that does not place trust in any single entity and is able to tolerate a fraction of faulty entities while still maintaining synchronization on a global scale among otherwise sovereign network topologies. Leveraging strong resilience and security properties provided by the path-aware SCION networking architecture, the presented design can be implemented as a backward compatible active standby solution for existing time synchronization deployments. Through extensive evaluation, we demonstrate that over 94% of time servers reliably minimize the offset of their local clocks to real-time in the presence of up to 20% malicious nodes, and all time servers remain synchronized with a skew of only 2 ms even after one year of reference clock outage.

K.Zhang,M. Spanghero,P. Papadimitratos

DOI: https://doi.org/10.1109/PLANS46316.2020.9110224

2022-02-22

Abstract:Global navigation satellite systems (GNSS) provide pervasive accurate positioning and timing services for a large gamut of applications, from Time based One-Time Passwords (TOPT), to power grid and cellular systems. However, there can be security concerns for the applications due to the vulnerability of GNSS. It is important to observe that GNSS receivers are components of platforms, in principle having rich connectivity to different network infrastructures. Of particular interest is the access to a variety of timing sources, as those can be used to validate GNSS-provided location and time. Therefore, we consider off-the-shelf platforms and how to detect if the GNSS receiver is attacked or not, by cross-checking the GNSS time and time from other available sources. First, we survey different technologies to analyze their availability, accuracy, and trustworthiness for time synchronization. Then, we propose a validation approach for absolute and relative time. Moreover, we design a framework and experimental setup for the evaluation of the results. Attacks can be detected based on WiFi supplied time when the adversary shifts the GNSS provided time, more than 23.942us; with Network Time Protocol (NTP) supplied time when the adversary-induced shift is more than 2.046ms. Consequently, the proposal significantly limits the capability of an adversary to manipulate the victim GNSS receiver.

Cryptography and Security