April 15, 2023 (c) 1999 CertifiedTime.com all rights reserved
Certified Time Data Services… setting a stake for absolute credibility in time data propagation
Todd S. Glassey, CTO
CertifiedTime.com
S.P.O.C.K, The NSA’s Security Proof-Of-Concept Keystone
CertifiedTime, Inc
CertifiedTime is a Trusted Timing Authority. CertifiedTime is a .COM company providing secured and audited access to standards-certified time data for anyone needing an arm's-length relationship with the source of the time data they use in their digital transaction or event process.
CertifiedTime
At CertifiedTime, we sell access to secured NIST or other NTA Certified Time Data over private networking service models, and provide our commercial customers with a comprehensive event audit to support their operational Audit and Transaction Logging Requirements.
The Digital Revolution
The Promise and the Threat
The digital revolution brings a new level of capability to transaction processing. Bigger, faster, better, less overhead, no human involvement!
In the bigger picture, what this really means is both more risks and better proofing/audit models to address those risks.
The Digital Revolution
The Promise and the Threat
In the bigger picture, what this really means is both:
More risks, which means that we need better proofing/audit models to address those risks.
A much less expensive per-event processing model, and the ability to manage larger amounts of data in the transaction infrastructure.
Why a new source of time?
Why is a new source of “certifiable time data” necessary today? Initially you could blame it on digital telephony.
30 years ago, almost all DP operations got timing data from their telephone carrier,
Why a new source of time?
The telcos needed the timing data there, and the time data was accurate because the telcos used it to sync up between inter-exchange and distance switching.
But from a security analysis standpoint, even this time data would have been unacceptable by the emerging audit standards of the 21st century.
As it turns out…
One of the things we want to get across to this group is that creating and deploying time data securely over a network is based on a number of factors.
These factors leverage and complement each other to create a stronger and more reliable whole.
NIST has tried to address this on the Internet…
By deploying a number of time servers wherever they could find housing for them.
This put the time servers in laboratories and other unsecured environments as a local resource for the operators.
It also made the servers high-traffic parts of people’s networks, so they gave the servers whatever public connectivity they had left over.
To be really effective the servers need to be within several hops of the end users.
Not budgeted for these efforts.
USNO also addresses this with its public access time servers
But the demand is growing astronomically and, like NIST, they do not have the budget to operate these indefinitely.
Their public time servers also have the same access and loading problems that the NIST machines do.
And like the NIST servers, to be really effective the servers need to be within several hops of the end users.
To answer this need, …we decided we had to create a system
A system that could securely deliver time to host OS platforms through existing channels.
To do this we had to understand not only the problems and the physics of delivering time reliably, but also how to deliver it with something never before needed: a clear level of provability, which meant an integrated audit and proofing model.
The bad news first…
So we looked at NTP today and the time servers deployed around the Internet, and the bad news is… that because of how NTP currently operates, in a UDP-based impulse mode; and with its vulnerabilities; and how the time servers were deployed over the unauthenticated Internet networking model… there is a problem.
NTP events are unanchored. That is, unprovable.
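What "unanchored" means at the packet level, as an added example that is not part of the original slides: a receiver can confirm who produced an NTP reply only when the 48-byte header is followed by a keyed digest. The sketch assumes the symmetric-key trailer of RFC 5905 (key ID plus MD5 over key and header); the function names, the shared key and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header; carries no authenticator
MAC_LEN = 4 + 16         # assumed trailer: 4-byte key ID + MD5 digest

def build_reply(stratum, origin_ts, key_id=None, key=None):
    """Build a constructed server reply (sample data, not a capture)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # LI=0, version 4, mode 4 (server)
    # poll, precision, root delay, root dispersion, ref ID, then the four
    # 64-bit timestamps: reference, origin, receive, transmit.
    header = struct.pack("!BBbb3I4Q", li_vn_mode, stratum, 6, -20,
                         0, 0, 0, 0, origin_ts, 0, 0)
    if key is None:
        return header
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def check_reply(packet, sent_ts, keys):
    """Report what the receiver can establish about one reply."""
    if len(packet) < NTP_HEADER_LEN:
        return "malformed"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    mode = header[0] & 0x07
    origin_ts = struct.unpack("!Q", header[24:32])[0]
    # The origin timestamp must echo what we sent; this only stops
    # replies from senders who never saw our request.
    if mode != 4 or origin_ts != sent_ts:
        return "rejected: not a reply to our request"
    if len(trailer) != MAC_LEN:
        return "unauthenticated"           # nothing binds it to a server
    key = keys.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return "unknown key"
    expected = hashlib.md5(key + header).digest()
    if hmac.compare_digest(expected, trailer[4:]):
        return "authenticated"
    return "bad MAC"
```

Even the "authenticated" result shows only that a holder of the shared key produced the packet; it leaves no record a third party could audit afterwards.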
The bad news first…
What this means to customers relying on NTP as their time data protocol is that currently there are really no reliable or provable mechanisms over the open Internet to deliver commercially reliable time data to a computer.
They just don’t exist.
The bad news first…
Hold on – it gets worse.
The really bad news is that even “Keyed” GPS is no better for creating a trust-anchor for commercial digital transaction processing.
For the DOD, what does this mean for SIPRnet…
Our feeling is also that SIPRnet users will suffer the same problems that Internet users do, only potentially worse.
The network may be secured, but what about the time servers and internal threat vectors themselves?
For the DOD, what does this mean for SIPRnet…
SIPRnet users may also be adversely affected because the encryption overhead in the SIPRnet routers will potentially adversely affect the proofing of the time transfer audit model.
The expected amounts of SIPRnet traffic won’t make this any easier either, such that it will be important to have another secured time-services network to plumb critical clients with.
But take heart, there is an answer!
For trust-sensitive commercial clients, the good news is that there is a solution… it’s their own private point-to-point, single-hop connection to a Federally-Certified NIST or USNO Time Server.
But take heart, there is an answer!
These connections are plumbed across a closed and private network, securely:
1 terminus per router port;
compartmentalization is enforced in the routers.
Comes with a commercial-grade audit model attached to boot.
Why NIST Traceability
NIST has put together a consortium of time bases unifying North America on a single time base, theirs.
NIST, being a non-military standards laboratory, is trusted by nations the world over. While it’s not usually an issue, the USNO is a part of the NRL and the DoD, and so this caused some other countries to shy away from the time base services.
Why NIST Traceability
NIST and the USNO will likely join forces at some point to produce UTC-USA in a weighted access model similar to what CertifiedTime is putting together.
So NIST Traceability and USNO will potentially be synonymous as UTC-USA and ultimately as UTC-Earth or UTC-Sol.
Certified Timing Center NIST-Traceability
“Traceability” is provided by an unbroken chain between the NIST Time and Frequency Laboratories and the Certified Timing Centers
A Network of Regional Certified Timing Centers
Certified Timing Centers provide NIST-Traceable Timing Services for computer synchronization throughout North America
Initial Certified Timing Centers
Washington (VA #1)
nist1.dc.certifiedtime.com Online
NIST Timeserver, 10Mb/S terminus
New York City (Manhattan #1)
nist1.nyc.certifiedtime.com Online
NIST Timeserver, 10Mb/S terminus
San Jose, California
nist1.sjc.certifiedtime.com Online
NIST/USNO Timeserver, 10Mb/S terminus
Atlanta, Georgia
nist1.atl.certifiedtime.com 1Q2000
NIST Timeserver, 10Mb/S terminus
Additional Certified Timing Centers
Chicago
nist1.chi.certifiedtime.com 1Q2000
NIST Timeserver, 10Mb/S terminus
Seattle
nist1.sea.certifiedtime.com 1Q2000
NIST Timeserver, 10Mb/S terminus
Dallas
nist1.dal.certifiedtime.com 1Q2000
NIST/USNO Timeserver, 10Mb/S terminus
Los Angeles
nist1.la.certifiedtime.com 1Q2000
NIST Timeserver, 10Mb/S terminus
Timing Center Topology
Ringing North America with UTC Traceable Stratum-1 Time Servers
High Bandwidth Access
Secured Operations
Timing Center Protocols
Internet based Stratum-1 service to clients
Network Time Protocol (NTP)
Simple NTP (SNTP)
Secured NTP (When available)
Time Protocol
Regional ACTS Dial-in (With Circuit Auditing)
Driving Standards to build ‘Market Acceptance’
CertifiedTime.com is actively working with standards groups to ‘build in’ acceptance of certifiable time in all types of EC Transaction and Enhanced Audit Models.
Contacting us
Todd Glassey, Chief Technical Officer
(831) 438-7811
CertifiedTime, Inc
Suite 270
2007 Hamilton Ave
San Jose, Ca., 95125
(408) 371-5300