Accurate, Unspoofable Time Source
I need an unspoofable and accurate time source.
Short of setting up my own atomic clock (unless that's easier than it sounds) how could I accomplish this?
It's not that I don't trust the NTP pools; I don't have any assurance of who I am talking to.
Solution 1:
One of the previous answers mentioned MD5 auth but failed to mention the pubkey authentication available in NTP4. Many national labs provide md5/autokey enabled time services.
I do not understand what your threat model is; if someone is capable of and willing to spoof your GPS signal you have bigger issues than what time it is. That being said you could combine a local refclock using GPS or CDMA and then augment this time signal with authenticated time from some of the national labs that provide authenticated time services. This way if your GPS signal is spoofed you could still rely on the authenticated time from the national labs.
GPS:
For as little as $40 and some soldering you could set up a local GPS+PPS time source with a Sure Electronics GPS evaluation board. Occasionally you can find a CDMA refclock for fairly cheap on eBay if you cannot receive a GPS signal in your data center.
Authenticated NTP Service:
NIST, NRC, and INRIM (national labs for US, Canada and Italy) provide MD5 authenticated time services. Unlike NIST and INRIM the CRC MD5 service is not free. Autokey authenticated time service is available from OBSPM and INRIM (the French and Italian national labs) and they provide this service for free. There are surely other national labs with authenticated time but you are going to need to google for them.
Links for authenticated time from national labs:
NIST:
http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm
NRC:
http://www.nrc-cnrc.gc.ca/eng/services/inms/calibration-services/time-frequency.html#Authenticated
OBSPM:
http://syrte.obspm.fr/informatique/ntp_infos.php
https://syrte.obspm.fr/informatique/ntp_keys.php
INRIM:
http://www.inrim.it/ntp/
http://www.inrim.it/ntp/auth_i.shtml
Solution 2:
My advice would be to trust NTP -- It's by no means secure, but I'm not aware of any major attack vectors, and it's as secure as your selection of peers (which are in turn as secure as your DNS resolution and your routing table).
If you need to consider other alternatives here are a few (accuracy/security in parentheses):
Your own atomic clock as a PPS source. (Über accurate. Damn near unspoofable)
(These are available on eBay. It's not impossible to set up - there are lots of time nerds that have them and your NTP daemon can use them as a time source. You will need to handle leap seconds.)
A GPS receiver. (Super accurate. Very hard to spoof).
(GPS signals CAN be overridden/spoofed but that's a specialist attack that would require some effort to carry out. A total failure of the GPS system is unlikely, as is a complete shutdown.)
NTP (Very accurate. Spoofable with some effort)
(The chances of someone attacking you via your time source are pretty slim, and if you configure your NTP daemon against several of the pool servers any outliers or false-tickers will be discarded.
Note that this assumes you trust your DNS at least as far as you can drop-kick it.)
A stabilized quartz oscillator as a PPS source. (Not very accurate. Damn near unspoofable)
(Depending on the oscillator this may not be any more accurate than your computer's clock. Expect to have to correct the time periodically, and you will need to handle leap seconds.)
Your computer's internal clock. (More accurate than an hourglass. Damn near unspoofable.)
(For any modern application that cares about time this is pretty much unusable.)
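The false-ticker rejection mentioned in Solution 2, and the fallback in Solution 1 where authenticated servers outvote a spoofed GPS refclock, both come down to interval intersection across sources. The Python below is an added example, not part of either answer and not ntpd's code: a simplified Marzullo-style selection in which the function name, source names, offsets and error bounds are all constructed assumptions.

```python
# Added example: simplified Marzullo-style interval intersection.
# Not ntpd's code; all source names and offsets below are constructed.

def select_sources(sources):
    """sources maps name -> (offset_s, max_error_s).

    Returns (truechimers, falsetickers, interval), where interval is the
    (lo, hi) offset range the largest agreeing group shares, or None when
    no strict majority of sources agrees.
    """
    edges = []
    for offset, err in sources.values():
        edges.append((offset - err, -1))  # interval opens
        edges.append((offset + err, +1))  # interval closes
    edges.sort()  # at equal positions, opens sort before closes

    best = count = 0
    lo = hi = None
    for i, (pos, kind) in enumerate(edges):
        count -= kind  # +1 on open, -1 on close
        if count > best:
            best, lo, hi = count, pos, edges[i + 1][0]

    if best * 2 <= len(sources):
        # No majority: refuse to pick a side rather than follow a minority.
        return [], sorted(sources), None

    good = sorted(n for n, (o, e) in sources.items()
                  if o - e <= lo and o + e >= hi)
    bad = sorted(set(sources) - set(good))
    return good, bad, (lo, hi)


# Constructed sample: a local GPS refclock stepped 2.5 s by a spoofed signal,
# plus three authenticated servers that still agree with each other.
SAMPLE = {
    "gps_pps":    (2.5000, 0.001),
    "nist_auth":  (0.0030, 0.015),
    "inrim_auth": (-0.0040, 0.020),
    "obspm_auth": (0.0060, 0.030),
}

if __name__ == "__main__":
    good, bad, window = select_sources(SAMPLE)
    print("truechimers:", good)
    print("falsetickers:", bad)
    print("agreed offset window (s):", window)
```

With only two disagreeing sources the function returns no truechimers at all, which is why a single refclock plus a single upstream server cannot tell you which one is wrong.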
Solution 3:
NTP isn't a secure protocol (well, there is an authentication mechanism, but it's not widely used, and MD5 auth isn't terribly secure) - no matter what internet time server you're talking to, you don't really know that you're talking to them. Trustworthiness of the pools aside (I don't like them because their strata are all over the place, NIST has good sources for internet NTP), internet NTP doesn't meet your requirement.
A hardware clock on the local network is really the only way you can be assured that your connection isn't being intercepted - and even then, only if your local area network's security is able to assure you of that.