Cloudflare Secures Time With Roughtime Protocol Service

As part of its Crypto Week series of announcements, Cloudflare debuts a new service to help organizations cryptographically secure time.

Cloudflare Roughtime

If time is money, then how important is it to secure the integrity of time itself? Time across many computing devices is often synchronized via the Network Time Protocol (NTP), which isn't a secure approach, but there is another option.

On Sept. 21, Cloudflare announced that it is deploying a new authenticated time service called Roughtime, in an effort to secure certain timekeeping efforts. The publicly available service is based on an open-source project of the same name that was started by Google.

"NTP is the dominant protocol used for time synchronisation and, although recent versions provide for the possibility of authentication, in practice that‘s not used," Google's project page for Roughtime states. " Most computers will trust an unauthenticated NTP reply to set the system clock meaning that a MITM [man-in-the-middle] attacker can control a victim’s clock and, probably, violate the security properties of some of the protocols listed above."

Roughtime is a UDP-based protocol that benefits from cryptographic protection to help maintain integrity and limit the risk of MITM attacks. In addition, the Roughtime protocol includes measures to help protect it from being used as an amplifier for distributed denial-of-service (DDoS) attacks. Since at least 2014, attackers have been abusing the insecurity of NTP to help reflect and amplify DDoS attacks.

Cloudflare intends to use its Roughtime service to help validate the proper expiration date of SSL/TLS certificates. Without the ability to properly verify time, an attacker could to trick a user or server into accepting a certificate that has already expired.

"Our Roughtime servers get their time from the system clock of Cloudflare's servers, which are monitored for consistency and accuracy," Nick Sullivan, head of cryptography at Cloudflare, told eWEEK.

By publicly exposing the Roughtime service, Cloudflare's goal is to spur interest and possible adoption of the Roughtime protocol where it makes sense. Although Roughtime can be used to help secure timekeeping on the internet, it is not necessarily a direct replacement for NTP for a number of reasons.

"The Roughtime protocol does not take latency into account [like NTP does], so depending on how far the user is from the Roughtime server, they could differ by as much as a second," Sullivan said.

Additionally, Sullivan said he doesn't see Roughtime as a replacement for NTP because it doesn't have all the machinery to give microsecond-level precision. Roughtime's main use case is making sure that roughly correct time can be obtained from a set of semi-trusted servers in an auditable way, he said. 

Sullivan said there work is also being done in the broader IT community for secure variants of NTP that Cloudflare is actively monitoring.

Deploying Roughtime

Cloudflare's Roughtime service is freely available at on port 2002 for anyone who wants to use it. For those who want to deploy their own own Roughtime services, Sullivan said it's quite simple to deploy and not very costly from a resource consumption standpoint.

"Each timestamp requires one elliptic curve signature, which can be computed efficiently even on older hardware," Sullivan said. "That said, the main benefit of Roughtime comes from using multiple servers run by independent organizations."

Sullivan added that running a Roughtime service locally can help against on-path attackers, but doesn't protect you from compromise of the time server itself.

Cryptography Week

The launch of the Roughtime service is the last in a series of announcements Cloudflare has made during the week, which the company has dubbed Crypto Week. 

On Sept. 17, Cloudflare announced an InterPlanetary File System (IPFS) gateway that enables users to benefit from the IPFS peer-to-peer filesystem for distributed content delivery. On Sept. 18, the company announced new tools to make DNSSEC (DNS security extensions) easier to use and deploy. The news was followed on Sept. 19 with the RPKI (Resource Public Key Infrastructure) effort to help secure BGP (Border Gateway Protocol). Then on Sept. 20, the company announced the Cloudflare Onion Service to help users who want to stay anonymous with the Tor network.

"Cloudflare's mission is to help build a better internet, so at any given moment there are a dozen ongoing projects that are focused on different areas that need improvement," Sullivan said. "This year we had several of these initiatives based on cryptography that were ready for launch around the same time, so we decided to package them up together and announce them as a prelude to Cloudflare's birthday week announcements."

Cloudflare is set to celebrate its eighth birthday during the week of Sept. 24. During Cloudflare's 2017 Birthday Week, the company made multiple announcements, including new security and streaming services.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.