A cryptographic desk clock: time transfer protocol
Check out the different parts:
- Part I: protocol for a cryptographic desk clock (this page)
- Part II: time reference
- Part II: agreement protocols
- … sometime in the future … client implementation
Slightly annoying fact: clocks are normally synced with a protocol (NTP - Network Time Protocol) that provides zero cryptographic guarantees. On the surface this is totally fine, but when we start composing security-sensitive protocols (think certificate expiration checks, audit logs or time-bound credentials), we need to turn a blind eye…
Not today! let’s build a simple cryptographic desk clock to set the House Standard Time in proper cryptographic fashion. Here is the limited edition, mission-critical clock sitting in my home office:
Protocol #
The protocol we’ll be using for clock synchronization is roughtime. This is a pretty new protocol introduced in by Adam Langley (Google). It’s pretty barebones, and simple enough you can write a client in an evening — so much fun.
roughtime is essentially a challenge-response protocol. The client sends a random 32-byte challenge to the server, which replies with a signed message containing the client challenge and the current time. (There’s some machinery to make this efficient, like packing requests in a Merkle tree, but this isn’t important now.)
Since you’re probably familiar with NTP, here are the key differences:
| Roughtime | NTP | |
|---|---|---|
| Target time precision | Coarse: ~seconds. Fine for human consumption, certificate expiration | Excellent. Sub-second |
| Security model | Excellent. Architecture tolerates a few actively malicious servers, no SPOF. Network is considered untrusted: packets are cryptographically protected | Bad. Network is assumed trusted (there are some extensions for adding a secure transport layer) |
| Protocol maturity | Very new, although very simple and solid | Golden standard |
| Software/libraries availability | Bad. DIY land, mostly one-off efforts that get abandoned. Mostly targeting beefy machines, almost nothing for embedded targets | Excellent, very mature. Reference implementation has been maintained for 20 years, multiple implementations |
| Software/libraries quality | Good. Mostly written in memory safe languages | Vary a lot |
| Server ecosystem maturity | Very bad. Highly concentrated, few players. Main developer (Google) seems to have abandoned development. Cloudflare runs servers. Google is still offering this without any availability guarantees | Very good. There are global pools of NTP servers. |
| Who uses it? Current deployments | ??? probably a few nerds, unclear | Virtually everywhere. time.apple.com, etc |
| Client code complexity | apart from crypto, easy | very easy if high precision isn’t required, high otherwise. Reference implementation is extremely complex 100k LoC of C |
| Suitable for embedded? | Suboptimal. The public-key signature scheme is ed25519, which is notoriously RAM-hungry, plus needs SHA512 code | yes |
| History, context, motivation | Introduced in 2016 by Adam Langley (Google) to solve Google needs. Little public involvement after initial release | Introduced around 1985 by Dave L. Mills, who continued improving it on a life-long effort |
| Algorithms | Marzullo, ed25519, Merkle trees | Marzullo, phase-locked loop |