02-14-2017 06:55 AM - edited 03-08-2019 09:19 AM
Is Cisco going to provide SHA1 encryption to the NTP authentication parameter? This is now required in the DOD realm.
02-14-2017 07:22 PM
Are you sure? I can't imagine anyone wanting to specify SHA-1 use at this late stage in its life. It should be something like SHA256 or better - if that really was the case.
02-14-2017 07:24 PM
PS. SHA isn't an encryption cipher either. It doesn't provide data confidentiality. It's a cryptographic hash.
02-15-2017 03:24 AM
You are correct about encryption. The government now requires that NTP messages are authenticated using a SHA algorithm, not MD5, which is the only option in the current IOS.
03-30-2017 11:54 AM
Been trying for months to get an answer on when it will be implemented; nothing yet except "go through your vendor support team and request an enhancement."
See NET0813 in the router, switch, & firewall STIGs for the actual requirement. STIG says:
Check Content:
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using either PKI or a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
If the network element is not configured to authenticate received NTP messages using PKI or a FIPS-approved message authentication code algorithm, this is a finding.
Fix Text:
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or a FIPS-approved message authentication code algorithm.
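The NET0813 check above is about what is on the wire: does a received NTP packet carry a MAC at all, and if so under which algorithm. The following added example (not from the thread, the STIG, or Cisco) shows how an auditor could classify captured NTP packets against that check. The MD5 variant follows the RFC 5905 keyed-digest construction MD5(key || message); the 32-byte variant is HMAC-SHA-256, assumed here only as an illustration of a FIPS-approved HMAC, not the exact wire format of any particular NTP implementation. The packets, key ID and shared secret are constructed, and the example assumes no NTPv4 extension fields, so the MAC begins right after the 48-byte header.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTPv4 header; assumption: no extension fields present

# Constructed sample key table: key ID -> shared secret (not a real key)
SAMPLE_KEYS = {1: b"constructed-shared-secret"}


def build_ntp_header(stratum=2, mode=4):
    """Constructed NTPv4 header (LI=0, VN=4, mode=4 server reply), timestamps zeroed."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    first_word = struct.pack("!BBbb", li_vn_mode, stratum, 10, -20)  # poll=10, precision=-20
    return first_word + b"\x00" * (NTP_HEADER_LEN - 4)


def append_mac(message, key_id, key, algo):
    """Append key ID + digest to an NTP message.
    'md5'         : RFC 5905 keyed digest MD5(key || message), 16-byte digest
    'hmac-sha256' : HMAC-SHA-256 (assumed illustration of a FIPS-approved HMAC), 32-byte digest
    """
    if algo == "md5":
        digest = hashlib.md5(key + message).digest()
    elif algo == "hmac-sha256":
        digest = hmac.new(key, message, hashlib.sha256).digest()
    else:
        raise ValueError("unsupported algorithm: " + algo)
    return message + struct.pack("!I", key_id) + digest


# Digest length on the wire tells the auditor which algorithm was used
DIGEST_ALGO_BY_LEN = {16: "md5", 32: "hmac-sha256"}


def rate(algo, valid):
    """Map the observed authentication to the thread's reading of NET0813."""
    if not valid:
        return "finding: MAC missing or not verifiable"
    if algo == "md5":
        return "finding (CAT III under the MD5 caveat quoted in the thread)"
    return "compliant"


def classify_packet(packet, keys):
    """Return (algorithm, mac_valid, rating) for one captured NTP packet."""
    message, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(message) < NTP_HEADER_LEN or len(mac) < 4:
        return ("none", False, rate("none", False))
    key_id = struct.unpack("!I", mac[:4])[0]
    digest = mac[4:]
    algo = DIGEST_ALGO_BY_LEN.get(len(digest), "unknown")
    key = keys.get(key_id)
    if algo == "unknown" or key is None:
        return (algo, False, rate(algo, False))
    if algo == "md5":
        expected = hashlib.md5(key + message).digest()
    else:
        expected = hmac.new(key, message, hashlib.sha256).digest()
    valid = hmac.compare_digest(expected, digest)  # constant-time comparison
    return (algo, valid, rate(algo, valid))


if __name__ == "__main__":
    header = build_ntp_header()
    for pkt in (header,
                append_mac(header, 1, SAMPLE_KEYS[1], "md5"),
                append_mac(header, 1, SAMPLE_KEYS[1], "hmac-sha256")):
        print(classify_packet(pkt, SAMPLE_KEYS))
```

A tampered header (for instance a changed stratum byte) or a key ID absent from the key table both yield `mac_valid == False`, so the check distinguishes "authenticated with MD5" from "MAC present but wrong", which matters when deciding whether the CAT III downgrade applies.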
08-14-2017 12:25 PM
Has anybody actually called their vendor about this? I would love to hear the result of this as I work in the DOD environment as well. CCRI is coming up and I figured somebody should have gotten this one figured out by now.
10-24-2017 12:19 PM
02-15-2017 04:43 AM
Are you sure? I can't imagine anyone wanting to specify SHA-1 use at this late stage in its life
OP did say for DOD. It probably only took them 10 years or so to agree on this standard. ;)
11-30-2017 08:58 AM
01-11-2019 02:43 PM
I think we need to see standardization for other HMACs that are secure. See especially the following extension to NTPv4:
which provides definitions for AES-CMAC and SHA256-HMAC within NTPv4.
06-20-2019 05:11 PM
Cisco posted a bug on Apr 16, 2019; no solution yet:
"Support NIST approved HMAC algorithms based authentication in ntp protocol"
09-05-2019 05:20 PM
The requirement for SHA-1 and SHA-2 variants is detailed in NET0813, which can be found at public.cyber.mil (as of today). This STIG does have a caveat, near the end, that permits the use of MD5 on systems that cannot configure SHA authentication. It is still a finding, but it is downgraded to a CAT III finding.
I still concur with the OP. It's 2019 and Cisco's own roadmap, Next Generation Encryption (NGE), has deprecated MD5 as a viable quantum-resistant algorithm for authentication.
Hope this helps.
05-11-2020 12:42 PM
This may have gone under the radar but didn't Cisco add this to IOS XE 17 code?
12-30-2020 11:01 AM
As of 17.4.1 it still is not working.
01-06-2022 09:26 AM
Has anyone actually got this to work?