
NTP Encryption

james.tribble
Level 1

Is Cisco going to provide SHA1 encryption to the NTP authentication parameter?  This is now required in the DOD realm. 

27 Replies 27

Philip D'Ath
VIP Alumni

Are you sure?  I can't imagine anyone wanting to specify SHA-1 use at this late stage in its life.  It should be something like SHA256 or better - if that really was the case.

P.S. SHA isn't an encryption cipher either.  It doesn't provide data confidentiality.  It's a cryptographic hash.

You are correct about encryption. The government now requires that NTP messages are authenticated using a SHA algorithm, not MD5, which is the only option in the current IOS.

I've been trying for months to get an answer on when it will be implemented; nothing yet, except "go through your vendor support team and request an enhancement."

See NET0813 in the router, switch, and firewall STIGs for the actual requirement. The STIG says:

Check Content:
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using either PKI or a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

If the network element is not configured to authenticate received NTP messages using PKI or a FIPS-approved message authentication code algorithm, this is a finding.

Fix Text:
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or a FIPS-approved message authentication code algorithm.

Has anybody actually called their vendor about this? I would love to hear the result of this as I work in the DOD environment as well. CCRI is coming up and I figured somebody should have gotten this one figured out by now.

I am curious if you got anything back on this?

Are you sure?  I can't imagine anyone wanting to specify SHA-1 use at this late stage in its life

OP did say for DOD.  It probably only took them 10 years or so to agree on this standard.  ;)

kenneth.quigley
Level 1
MD5 is no longer an approved cryptographic hash algorithm.

Authenticating NTP messages received from the NTP server or peer must use either PKI or a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

dlapier
Cisco Employee

I think we need to see standardization for other HMACs that are secure. See especially the following extension to NTPv4:

Message Authentication Code for the Network Time Protocol
draft-ietf-ntp-mac-06

which provides definitions for AES-CMAC and SHA256-HMAC within NTPv4.

Cisco posted a bug on Apr 16, 2019; no solution yet.

"Support NIST approved HMAC algorithms based authentication in ntp protocol"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh71823

kellymur
Cisco Employee

The requirement for SHA-1 and SHA-2 variants is detailed in NET0813, which can be found at public.cyber.mil (as of today).  This STIG does have a caveat, near the end, that permits the use of MD5 on systems that cannot configure SHA authentication.  It is still a finding, but it is downgraded to a CAT III finding.


I still concur with the OP.  It's 2019 and Cisco's own roadmap, Next Generation Encryption (NGE), has deprecated MD5 as a viable quantum-resistant algorithm for authentication.


Hope this helps.

Dustin Bieghler
Level 1

This may have gone under the radar but didn't Cisco add this to IOS XE 17 code?

Configuring NTP Authentication

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ntp authenticate
  4. ntp authentication-key number { md5 | cmac-aes-128 | hmac-sha1 | hmac-sha2-256 } key
  5. ntp authentication-key number { md5 | cmac-aes-128 | hmac-sha1 | hmac-sha2-256 } key
  6. ntp authentication-key number { md5 | cmac-aes-128 | hmac-sha1 | hmac-sha2-256 } key
  7. ntp trusted-key key-number [- end-key ]
  8. ntp server ip-address key key-id
  9. end


As of 17.4.1 it still is not working.

Has anyone actually got this to work?
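As an added illustration of what the STIG wording and the IOS XE keywords in this thread are asking for (example code, not from the thread, from Cisco, or from any NTP implementation), here is the RFC 5905 authenticator layout (a 4-byte key ID plus a MAC appended to the 48-byte header) with the legacy MD5 digest beside the HMAC-SHA variants, and a verifier that rejects untrusted key IDs and mismatched MACs. The key, key ID and packet contents are constructed; cmac-aes-128 is left out because the Python standard library has no CMAC.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # RFC 5905 header; key ID + MAC are appended after it


def build_ntp_request() -> bytes:
    """Constructed NTPv4 client request: LI=0, VN=4, Mode=3, other fields zero."""
    first = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, root delay, root dispersion, reference ID,
    # then reference/origin/receive/transmit timestamps (transmit is constructed).
    return struct.pack("!BBBB3I4Q", first, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xE3D8A5C200000000)


def legacy_md5_mac(key: bytes, header: bytes) -> bytes:
    """Classic NTP 'md5' keyword: plain MD5 over key || header (not an HMAC)."""
    return hashlib.md5(key + header).digest()


def hmac_mac(hash_name: str):
    """Keyed-hash MAC (NIST HMAC) with the given digest, the construct the STIG accepts."""
    return lambda key, header: hmac.new(key, header, hash_name).digest()


# Keyed by the IOS XE keywords quoted in the thread. cmac-aes-128 is omitted:
# the standard library has no CMAC (assumption: out of scope for this example).
MAC_ALGORITHMS = {
    "md5": legacy_md5_mac,
    "hmac-sha1": hmac_mac("sha1"),
    "hmac-sha2-256": hmac_mac("sha256"),
}


def sign(header: bytes, key_id: int, key: bytes, mac_fn) -> bytes:
    """Append the 4-byte key ID and the MAC computed over the 48-byte header."""
    return header + struct.pack("!I", key_id) + mac_fn(key, header)


def verify(packet: bytes, trusted_keys: dict, mac_fn) -> bool:
    """Accept only if the key ID is trusted and the MAC matches (constant-time compare)."""
    if len(packet) <= NTP_HEADER_LEN + 4:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # mirrors 'ntp trusted-key': unknown key IDs are rejected
    expected = mac_fn(key, header)
    return len(received) == len(expected) and hmac.compare_digest(received, expected)
```

Note that the MD5 variant is a bare digest of the secret prepended to the header, which is why the STIG lists HMAC and CMAC constructions rather than a hash name.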
