Configuring autokey

Use the Autokey Configuration tab on the NTP Configuration page for the Network IPS appliance to configure the appliance to use the necessary algorithms, passwords, and encryption schemes to authenticate with NTP servers that use autokey authentication.

About this task

Navigating in the Network IPS Local Management Interface: Manage System Settings > Appliance > NTP Configuration

Navigating in the SiteProtector™ system: select the NTP Configuration policy

Autokey: If both the server and the client are located outside of the firewall, they can use autokey authentication. Autokey authentication uses certificate-based key exchanges, also known as "challenge/response" exchanges. This method of authentication is best used to authenticate servers to clients. For example, it works well when a central server outside the firewall authenticates to several lower-stratum servers that are also outside the firewall; those lower-stratum servers then use their internal network interfaces (NICs) to provide NTP access to clients inside the firewall. This option is available only for NTP version 4.

The appliance uses the configurations on this tab for all NTP servers that use the autokey exchanges.

FIPS mode: To be FIPS-compliant, use the following options:

  Setting                    FIPS-compliant option
  Message Digest Algorithm   SHA-1
  Encryption Scheme          DSA-SHA-1, RSA-SHA256, RSA-SHA384, RSA-SHA512
  Enable identity scheme     Clear the Enable identity scheme check box.

NIST-compliant: To be NIST-compliant, use the following options:

  Setting                    NIST-compliant option
  Message Digest Algorithm   SHA-1
  Encryption Scheme          DSA-SHA-1, RSA-SHA256, RSA-SHA384, RSA-SHA512
  Enable identity scheme     Clear the Enable identity scheme check box.

Procedure

  1. Click the Autokey Configuration tab.
  2. Select a Message Digest Algorithm. This option must match the message digest algorithm of the NTP server. The appliance uses this algorithm to communicate to all NTP servers that use autokey exchanges.
  3. In the Certificate and Host Key area, enable the Use Client Password feature, if needed. Use this option to protect the certificate of the client and the host key with a password.
  4. Select an Encryption Scheme. The client uses this scheme to generate its host key and certificate. The client needs the key and certificate to communicate with the NTP server. The NTP server also uses this scheme to verify the digital signature of the packets that are sent from the client.
  5. Click Enable identity scheme to use an identity scheme for authentication. Autokey exchanges use identity schemes to prove the identity of a remote system. Using identity schemes prevents man-in-the-middle attacks. The appliance supports three identity schemes: Schnorr (IFF), Guillou-Quisquater (GQ), and Mu-Varadharajan (MV).
    Notes:
    • If you use identity schemes, you must import a group key for each NTP server or each group of NTP servers that use autokey exchanges.
    • You cannot enable NTP identity schemes in FIPS mode because the algorithms that are used by the identity schemes are not FIPS-compliant.
    • You cannot enable NTP identity schemes when you are configuring the appliance as NIST-compliant because the algorithms that are used by the identity schemes are not NIST-compliant.
  6. In the Group keys area, click the Add icon to import a group key.
  7. In the Edit Group keys window, click Select key file to import, then choose the group key file.
  8. Add or edit parameters for the group key file in the Server Identity Parameters field.