Are you sure? I can't imagine anyone wanting to specify SHA-1 use at this late stage in its life. It should be something like SHA256 or better, if that really was the case.
You are correct about encryption. The government now requires that NTP messages be authenticated using a SHA algorithm, not MD5, which is the only option in the current IOS.
I have been trying for months to get an answer on when it will be implemented; nothing yet, except "go through your vendor support team and request an enhancement."
See NET0813 in the router, switch, and firewall STIGs for the actual requirement. The STIG says:
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using either PKI or a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
If the network element is not configured to authenticate received NTP messages using PKI or a FIPS-approved message authentication code algorithm, this is a finding.
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or a FIPS-approved message authentication code algorithm.
Has anybody actually called their vendor about this? I would love to hear the result of this as I work in the DOD environment as well. CCRI is coming up and I figured somebody should have gotten this one figured out by now.
Are you sure? I can't imagine anyone wanting to specify SHA-1 use at this late stage in its life.
OP did say for DOD. It probably only took them 10 years or so to agree on this standard. ;)
I think we need to see standardization for other HMACs that are secure. See especially the following extension to NTPv4:
which provides definitions for AES-CMAC and SHA256-HMAC within NTPv4.
Cisco posted a bug on Apr 16, 2019; no solution yet:
"Support NIST approved HMAC algorithms based authentication in ntp protocol"
The requirement for SHA-1 and SHA-2 variants is detailed in NET0813, which can be found at public.cyber.mil (as of today). This STIG does have a caveat, near the end, that permits the use of MD5 on systems that cannot configure SHA authentication. It is still a finding, but it is downgraded to a CAT III finding.
I still concur with the OP. It's 2019 and Cisco's own roadmap, Next Generation Encryption (NGE), has deprecated MD5 as a viable quantum-resistant algorithm for authentication.
Hope this helps.
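As an added example (not from this thread, from DISA, or from Cisco), here is a small Python checker that applies the NET0813 check procedure quoted earlier in the thread, plus the MD5 caveat mentioned in the last post, to the NTP lines of a Cisco IOS running-config. The SHA/CMAC keyword spellings (hmac-sha2-256, cmac-aes-128), the sample configs and the addresses in them are assumptions made for the example; as the thread says, current IOS offers md5 only, so on a real box only the CAT III and FINDING outcomes would appear until the enhancement ships.

```python
"""Added example: a NET0813-style check over a Cisco IOS running-config.

Not code from the thread, DISA or Cisco. It parses the 'ntp' lines of a
running-config and decides, per configured server/peer, whether received
NTP messages are authenticated with a FIPS-approved MAC, treating MD5 as
the downgraded CAT III case the STIG caveat describes.
"""
import re
from dataclasses import dataclass
from typing import List

# MAC keywords treated as FIPS-approved (HMAC with SHA-1/SHA-2, AES-CMAC).
# ASSUMPTION: these spellings follow an IOS-XE style; the thread says the
# IOS in use offers 'md5' only, so they are hypothetical here.
FIPS_MAC_KEYWORDS = {
    "hmac-sha1", "hmac-sha2-224", "hmac-sha2-256",
    "hmac-sha2-384", "hmac-sha2-512", "cmac-aes-128",
}
LEGACY_KEYWORDS = {"md5"}

KEY_RE = re.compile(r"^ntp authentication-key (\d+) (\S+) ")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)(?: - (\d+))?$")
SOURCE_RE = re.compile(r"^ntp (server|peer) (\S+)(.*)$")


@dataclass(frozen=True)
class Finding:
    source: str   # "server 192.0.2.10" / "peer 192.0.2.20"
    status: str   # "PASS", "CAT III" (MD5 caveat) or "FINDING"
    reason: str


def parse_ntp_config(config: str) -> dict:
    """Collect NTP authentication state from IOS running-config lines."""
    state = {"authenticate": False, "keys": {}, "trusted": set(), "sources": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            state["authenticate"] = True
        elif m := KEY_RE.match(line):
            state["keys"][int(m.group(1))] = m.group(2).lower()
        elif m := TRUSTED_RE.match(line):
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo   # 'ntp trusted-key 1 - 5'
            state["trusted"].update(range(lo, hi + 1))
        elif m := SOURCE_RE.match(line):
            key = re.search(r"\bkey (\d+)\b", m.group(3))
            key_id = int(key.group(1)) if key else None
            state["sources"].append((m.group(1), m.group(2), key_id))
    return state


def assess_net0813(config: str) -> List[Finding]:
    """One Finding per ntp server/peer line; empty list if none configured."""
    st = parse_ntp_config(config)
    results = []
    for kind, addr, key_id in st["sources"]:
        label = f"{kind} {addr}"
        if not st["authenticate"]:
            results.append(Finding(label, "FINDING", "'ntp authenticate' is not configured"))
        elif key_id is None:
            results.append(Finding(label, "FINDING", "no 'key' on the ntp server/peer line"))
        elif key_id not in st["keys"]:
            results.append(Finding(label, "FINDING", f"key {key_id} has no 'ntp authentication-key' entry"))
        elif key_id not in st["trusted"]:
            results.append(Finding(label, "FINDING", f"key {key_id} is not listed under 'ntp trusted-key'"))
        elif st["keys"][key_id] in FIPS_MAC_KEYWORDS:
            results.append(Finding(label, "PASS", f"key {key_id} uses {st['keys'][key_id]}"))
        elif st["keys"][key_id] in LEGACY_KEYWORDS:
            results.append(Finding(label, "CAT III",
                                   f"key {key_id} uses md5; STIG caveat downgrades this to CAT III"))
        else:
            results.append(Finding(label, "FINDING",
                                   f"key {key_id} uses unrecognised algorithm {st['keys'][key_id]}"))
    return results


# Constructed sample: the MD5-only configuration today's IOS lets you build,
# plus one server with no key at all.
IOS_MD5_CONFIG = """\
ntp authentication-key 1 md5 030752180500 7
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
"""

# Constructed sample using the assumed hmac-sha2-256 keyword, with one key
# referenced by a peer but never marked trusted (a common misconfiguration).
IOS_SHA_CONFIG = """\
ntp authentication-key 2 hmac-sha2-256 0 TopSecret
ntp authentication-key 3 hmac-sha2-256 0 AlsoSecret
ntp authenticate
ntp trusted-key 2
ntp server 192.0.2.10 key 2 prefer
ntp peer 192.0.2.20 key 3
"""

if __name__ == "__main__":
    for cfg in (IOS_MD5_CONFIG, IOS_SHA_CONFIG):
        for f in assess_net0813(cfg):
            print(f"{f.status:8} {f.source:24} {f.reason}")
        print()
```

Paste the output of `show running-config | include ^ntp` into the config string to run it against a real device before a CCRI. The checker deliberately fails a key that is defined but not in `ntp trusted-key`, because IOS will not authenticate against a key it does not trust even when the server line references it.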