Posted October 19, 2011
Authentication Response Processing
– The Server NTP Response message length MUST be 68 bytes. If the message length does not meet this requirement, the authentication fails.
– The client MUST ignore the Key Identifier subfield of the Server NTP Response message (as should any recipient of the Server NTP Response message).
– The client uses the NetrLogonComputeClientDigest method to compute crypto-checksums for the first 48 bytes of the Server NTP Response message, with the following input parameters:
- ServerName MUST be set to NULL.
- DomainName MUST be set to the value of the Trusted Domain element.
- Message MUST refer to the first 48 bytes of the Server NTP Response message.
- MessageSize MUST be set to 48.
– The NetrLogonComputeClientDigest method computes two crypto-checksums using the pair of passwords associated with the trusted account.
– The client compares each computed crypto-checksum with the Crypto-Checksum subfield in the Server NTP Response message. If the Crypto-Checksum subfield matches any of the computed crypto-checksums, the authentication succeeds. Otherwise, the authentication fails. A client MUST compare all computed crypto-checksums before determining that the authentication has failed; however, it SHOULD NOT continue to compare crypto-checksums after it has determined that at least one of its computed crypto-checksums matches the Crypto-Checksum subfield.
– If authentication succeeds, the client continues processing the response to synchronize time the same way it occurs in the base NTP protocol. If authentication fails, the response MUST be ignored, and the client MUST NOT perform time synchronization using the response.
– When a client requests authentication, the Client NTP Request message length is 68 bytes. The client sets the Authenticator field of the Client NTP Request message by writing the least significant 31 bits of the value into the least significant 31 bits of the Key Identifier subfield of the authenticator, and then writing the Key Selector value into the most significant bit of the Key Identifier subfield.
– The client SHOULD set the Mode field of the request to Symmetric Active if the client is a time source. The syntax and semantics for the Mode field of the Client NTP Request message are described in Appendix A.
– The client sends the Client NTP Request message to the server as it does in the base Network Time Protocol.
– The following diagram illustrates the client logic for processing a Server NTP Response message received in response to a Client NTP Request message that requested authentication.
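The following is an added example of the client-side logic described above (the 68-byte length check, the ignored Key Identifier, the two candidate checksums over the first 48 bytes, and the Key Identifier construction for the request); it is not code from the original post or from Microsoft. NetrLogonComputeClientDigest is a Netlogon RPC call whose construction the text does not give, so `compute_digest()` is a stand-in that only preserves the 16-byte checksum size; the zero-filled Crypto-Checksum in the client request and all sample messages and passwords are constructed for the example.

```python
"""Client-side processing of authenticated NTP messages (added example).

Assumptions, not from the original text:
  * compute_digest() stands in for NetrLogonComputeClientDigest and uses HMAC-MD5
    only so that the output is 16 bytes; the real method is a Netlogon RPC call.
  * The client's own Crypto-Checksum subfield is zero-filled in the request.
  * All messages and passwords below are constructed sample data.
"""
import hashlib
import hmac
import struct

NTP_MESSAGE_LEN = 48     # base NTP packet; the part covered by the checksum
KEY_ID_OFFSET = 48       # 4-byte Key Identifier subfield
CHECKSUM_OFFSET = 52     # 16-byte Crypto-Checksum subfield
AUTH_MESSAGE_LEN = 68    # 48 + 4 + 16


def build_key_identifier(value: int, key_selector: int) -> int:
    """Low 31 bits of value in the low 31 bits, Key Selector in the MSB."""
    if key_selector not in (0, 1):
        raise ValueError("Key Selector is a single bit")
    return (value & 0x7FFFFFFF) | (key_selector << 31)


def build_client_request(base_message: bytes, value: int, key_selector: int) -> bytes:
    """Append the Authenticator to a 48-byte request, giving the 68-byte form."""
    if len(base_message) != NTP_MESSAGE_LEN:
        raise ValueError("base NTP message must be 48 bytes")
    key_id = struct.pack(">I", build_key_identifier(value, key_selector))
    return base_message + key_id + bytes(16)   # zero-filled checksum (assumption)


def compute_digest(password: bytes, message: bytes) -> bytes:
    """Stand-in for NetrLogonComputeClientDigest (assumed HMAC-MD5, 16 bytes)."""
    return hmac.new(password, message, hashlib.md5).digest()


def compute_client_digests(password_pair, message: bytes):
    """One checksum per password of the trusted account's pair (MessageSize = 48)."""
    if len(message) != NTP_MESSAGE_LEN:
        raise ValueError("MessageSize must be 48")
    return [compute_digest(pw, message) for pw in password_pair]


def authenticate_response(response: bytes, password_pair) -> bool:
    """Return True only when the response authenticates; otherwise it must be ignored."""
    if len(response) != AUTH_MESSAGE_LEN:
        return False                         # wrong length: authentication fails
    message = response[:NTP_MESSAGE_LEN]
    # response[KEY_ID_OFFSET:CHECKSUM_OFFSET] is the Key Identifier; the client ignores it.
    received = response[CHECKSUM_OFFSET:AUTH_MESSAGE_LEN]
    for digest in compute_client_digests(password_pair, message):
        if hmac.compare_digest(digest, received):   # constant-time comparison
            return True                      # stop at the first match
    return False                             # every candidate compared, none matched


# Constructed sample data (not captured traffic).
PASSWORD_PAIR = (b"current-machine-password", b"previous-machine-password")


def make_server_response(password: bytes, tamper: bool = False) -> bytes:
    """Build a 68-byte Server NTP Response: LI=0, VN=3, Mode=4, then a transmit timestamp."""
    body = bytes([0x1C]) + bytes(39) + struct.pack(">II", 0xE5E00000, 0x12345678)
    checksum = compute_digest(password, body)
    if tamper:   # modify the timestamp after the checksum was computed
        body = body[:40] + struct.pack(">II", 0xE5E00001, 0x12345678)
    return body + struct.pack(">I", 0) + checksum


def run_checks() -> dict:
    """Exercise the accept and reject paths; returns the outcome of each case."""
    return {
        "current_password": authenticate_response(make_server_response(PASSWORD_PAIR[0]), PASSWORD_PAIR),
        "previous_password": authenticate_response(make_server_response(PASSWORD_PAIR[1]), PASSWORD_PAIR),
        "unknown_password": authenticate_response(make_server_response(b"not-a-trusted-password"), PASSWORD_PAIR),
        "tampered_message": authenticate_response(make_server_response(PASSWORD_PAIR[0], tamper=True), PASSWORD_PAIR),
        "unauthenticated_48_bytes": authenticate_response(make_server_response(PASSWORD_PAIR[0])[:48], PASSWORD_PAIR),
    }


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
    print(hex(build_key_identifier(0x1234, 1)))
```

The two-candidate loop is what lets a client keep authenticating across a machine-account password change: the server may still be using the previous password, so a response that verifies under either member of the pair is accepted, and a response is only discarded after both candidates have been tried.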