
About Time

In my previous blog, I talked about the necessity of a Time Stamping Authority (TSA) with regard to non-repudiation. In this blog we are going to take a closer look at time itself, talk about why accurate time is important, and explain how to achieve accurate time in your own organization.

What is time?

According to Wikipedia, time is defined as “a part of the measuring system used to sequence events, to compare the durations of events and the intervals between them, and to quantify rates of change such as the motions of objects.”

The reference point for time is Greenwich, England, the home of Greenwich Mean Time (GMT) since 1884. Every time zone on this planet is defined relative to GMT. Over the last century, great importance has been placed on making time accurate. On January 1st, 1972 atomic time was established in response to this need, and “Coordinated Universal Time”, aka “UTC”, was born. This is the only source of accurate time on the planet. The atomic clock is adjusted by leap seconds to keep it in step with GMT.

UTC is derived from TAI (International Atomic Time), which is maintained by the International Bureau of Weights and Measures (Bureau international des poids et mesures, abbreviated “BIPM”) in Sèvres, France. As of January 1st, 2009, TAI is ahead of UTC by 34 seconds.

UTC is widely used by computer systems and organizations; a Time Stamping Authority, for example, uses UTC.

Network Time Protocol

Almost every computer system in the world uses the Network Time Protocol (NTP) to synchronize its internal clock. NTP is intended to keep a system's clock in step with real time. However, there are several ways a computer or system can lose the ability to keep accurate time: a lengthy gap in the system's internet connection, loss of power or battery life, or even a large fluctuation in the hardware's temperature can all cause the system's time to drift.

In many businesses, losing accurate time on a system, even by a few seconds, could potentially cause great harm. For example:

  • Buying and selling on the stock market
  • Aviation traffic control and position reporting
  • Intrusion detection; location and reporting
  • Secure document timestamps, with cryptographic certification, like a Time Stamping Authority

The best way to ensure that NTP faces no such obstacles is to run your own master clock, otherwise known as a Stratum-1 server. This device attaches directly to the network and uses the NTP protocol to distribute accurate time. By using a Stratum-1, you eliminate NTP's need for an internet connection and reduce the risk of inaccurate time.

Stratum-1

The reference clock, called a Stratum-0 device, is assumed to be accurate and to have little or no delay associated with it. A Stratum-0 device cannot be connected to the network; instead, it is directly connected to a computer that acts as a Stratum-1 server.

Because a Stratum-1 time server is directly connected to a Stratum-0 source (GPS, radio clock, CDMA), it acts as the primary network time standard.

[Figure: Stratum-1 time server statistics (very stable)]

Stratum-2

A Stratum-2 time server is connected to a Stratum-1 time server over the network. A Stratum-3 time server is connected to a Stratum-2 time server, and so on.
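As an added illustration (not part of the original post), here is a small Python parser for an NTP v4 server reply: it reads the stratum and reference id (a clock name such as GPS at Stratum 1, the upstream server's IPv4 address at Stratum 2 and below) and computes the clock offset and round-trip delay from the four timestamps, the same arithmetic an NTP client performs. The reply packet, the 1.5-second clock skew and the 1-second acceptance threshold are constructed sample data and an assumed policy, not values from any real server.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP v4 header (RFC 5905)
MAX_OFFSET_SECONDS = 1.0               # assumed policy: flag peers whose offset exceeds this

def ntp_to_unix(ts):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2**32

def unix_to_ntp(t):
    """Convert Unix seconds (float) to a 64-bit NTP timestamp."""
    sec = int(t)
    return ((sec + NTP_EPOCH_OFFSET) << 32) | int((t - sec) * 2**32)

def parse_reply(data, t4):
    """Parse a server reply received at client time t4; return stratum, refid, offset, delay."""
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref_ts, org_ts, rcv_ts, xmt_ts) = NTP_PACKET.unpack(data[:48])
    leap, mode = li_vn_mode >> 6, li_vn_mode & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3:
        raise ValueError("server clock is unsynchronized")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-of-death or invalid stratum %d" % stratum)
    # Stratum 1 reports its reference clock as ASCII (e.g. GPS); higher strata report
    # the IPv4 address of the upstream server they chain to.
    ref = refid.rstrip(b"\x00").decode("ascii") if stratum == 1 else ".".join(str(b) for b in refid)
    t1, t2, t3 = ntp_to_unix(org_ts), ntp_to_unix(rcv_ts), ntp_to_unix(xmt_ts)
    offset = ((t2 - t1) + (t3 - t4)) / 2     # correction to apply locally; negative = local clock is fast
    delay = (t4 - t1) - (t3 - t2)            # round-trip network delay
    return {"stratum": stratum, "refid": ref, "offset": offset, "delay": delay,
            "acceptable": abs(offset) <= MAX_OFFSET_SECONDS}

def build_reply(stratum, refid, t1, t2, t3):
    """Construct a mode-4 reply (LI=0, VN=4) for testing; sample data, not from a real server."""
    return NTP_PACKET.pack(0x24, stratum, 6, -20, 0, 0x10, refid,
                           unix_to_ntp(t2), unix_to_ntp(t1), unix_to_ntp(t2), unix_to_ntp(t3))

def example():
    # Constructed exchange: the client's clock runs 1.5 s fast, one-way network delay is 20 ms.
    t1 = 1700000000.000                 # client transmit time (client clock)
    t2 = t1 - 1.5 + 0.020               # server receive time (server clock)
    t3 = t2 + 0.001                     # server transmit time (server clock)
    t4 = t1 + 0.041                     # client receive time (client clock)
    return parse_reply(build_reply(1, b"GPS\x00", t1, t2, t3), t4)
```

A 1.5-second offset of this kind is exactly the skew the SNTP section below warns about, and it is large enough to make a CA and a client disagree about whether a freshly issued certificate is valid yet.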

[Figure: Stratum-2 time server statistics (less stable due to physical network distance)]

[Figure: Local clock statistics using Stratum-1 and Stratum-2 time servers (frequency is less stable due to physical network distance)]

[Figure: Overview of an NTP network]

Time and PKI

When it comes to PKI, accurate time is essential. The Issuing CA and the computer system that uses the certificate need to have synchronized time. If the end user's computer does not have the same time as the Issuing CA, you can run into trouble, for example a certificate that the client considers not yet valid or already expired.

Running a CA cluster relies on time even more. With a two-node cluster, for example, each node needs to have the same time or data will get out of sync and possibly corrupted.

A Time Stamping Server needs accurate time for legal purposes. It is therefore advisable to have your own physical Stratum-1 time server on your own network, so that you do not have to rely entirely on internet time servers. This ensures that your time stamps are accurate and your system runs as efficiently as possible.

Microsoft has a built-in time client in most of its Windows operating systems, which uses SNTP (Simple Network Time Protocol). SNTP is not as accurate as a full NTP client; the time difference with SNTP can be up to 1 or 2 seconds. I therefore advise using the NTP client available from ntp.org.