WO2015049138A1 - Secure transmission of time synchronization packets - Google Patents


Publication number: WO2015049138A1
Authority: WO, WIPO (PCT)
Prior art keywords: packet, time synchronization, encrypted, time, master
Legal status: Ceased (as listed; an assumption, not a legal conclusion)
Application number: PCT/EP2014/070347
Other languages: English (en), French (fr)
Inventors: Amaresh PARIDA, Pronoy DEBNATH, Parag Narayanrao Pote
Current Assignee: Alcatel Lucent SAS (as listed; may be inaccurate)
Original Assignee: Alcatel Lucent SAS
Application filed by: Alcatel Lucent SAS


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J3/00 Time-division multiplex systems
    • H04J3/02 Details
    • H04J3/06 Synchronising arrangements
    • H04J3/0635 Clock or time synchronisation in a network
    • H04J3/0638 Clock or time synchronisation among nodes; Internode synchronisation
    • H04J3/0658 Clock or time synchronisation among packet nodes
    • H04J3/0661 Clock or time synchronisation among packet nodes using timestamps
    • H04J3/0667 Bidirectional timestamps, e.g. NTP or PTP for compensation of clock drift and for compensation of propagation delays
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Definitions

  • the present subject matter generally relates to time synchronization in a computing environment and, particularly but not exclusively, to secure transmission of time synchronization packets.
  • Time synchronization protocols are typically implemented to ensure time synchronization between various nodes in a network.
  • time synchronization protocols involve one system component, say, a time server node or a master node providing timing information to all other components, say, slave nodes in the network so that all the components in the network are synchronized and run in accordance with a common timing information.
  • the master node typically sends the timing information in form of time synchronization packets, which have transmittal timestamps indicating the time at which the time synchronization packets were transmitted by the master node.
  • the slave nodes, on receiving the time synchronization packets, timestamp them to mark the receiving timestamp indicating the time at which the time synchronization packets were received.
  • the slave nodes then decode the time synchronization packets to obtain the transmittal timestamp.
  • the slave nodes may then use the transmittal timestamp and the receiving timestamp to synchronize with the master node and the other components of the network.
  • manipulation of the transmittal timestamp or distribution of false timestamps by any intermediate malicious node may affect one or more slave nodes, leading to various issues, such as denial of service and accuracy degradation of the affected slave node.
  • a method for secure transmission of time synchronization packets by a master node includes generating a time packet marking of a predetermined bit size.
  • the method further comprises encrypting the time packet marking using a lightweight encryption technique to generate a master signature.
  • the method comprises appending the master signature to an encrypted time synchronization packet generated by the master node to obtain an extended encrypted packet, where the encrypted time synchronization packet includes a transmittal timestamp for time synchronization.
  • the method further comprises transmitting the extended encrypted packet to a slave node for time synchronization.
  • master node for secure transmission of time synchronization packets.
  • the master node comprises a processor and a time packet marking module coupled to the processor.
  • the time packet marking module generates a time packet marking of a predetermined bit size.
  • the time packet marking module further encrypts the time packet marking using a lightweight encryption technique to obtain a master signature.
  • the time packet marking module further appends the master signature to an encrypted time synchronization packet generated by the master node to obtain an extended encrypted packet, where the encrypted time synchronization packet includes a transmittal timestamp for time synchronization.
  • the master node includes a communication module coupled to the processor to transmit the extended encrypted packet to a slave node for time synchronization.
  • a method for secure reception of time synchronization packets by a slave node includes receiving an encrypted packet from a master node.
  • the method further comprises obtaining a predetermined number of bits from the encrypted packet as a string based on a predetermined bit size shared between the slave node and the master node.
  • the method comprises determining the encrypted packet to be an extended encrypted packet based on a comparison of the string with a predetermined master signature of the predetermined bit size.
  • the method further comprises timestamping the encrypted packet by marking a receiver timestamp for time synchronization with the master node.
  • a slave node for secure reception of time synchronization packets.
  • the slave node comprises a processor and a communication module coupled to the processor to receive an encrypted packet from a master node.
  • the slave node further comprises a time packet marking module coupled to the processor to obtain a predetermined number of bits, as a string, from an end of the encrypted packet based on a predetermined bit size shared between the slave node and the master node.
  • the time packet marking module further determines the encrypted packet to be an extended encrypted packet based on a comparison of the master signature with a predetermined master signature of the predetermined bit size, based on the comparison result.
  • the time packet marking module further timestamps the encrypted packet by marking a receiver timestamp for time synchronization with the master node.
  • a computer-readable medium having embodied thereon a computer program for executing a method for secure communication of time synchronization packets.
  • the method comprises generating a time packet marking of a predetermined bit size.
  • the method further comprises encrypting the time packet marking using a lightweight encryption technique to generate a master signature.
  • the method comprises appending the master signature to an encrypted time synchronization packet generated by the master node to obtain an extended encrypted packet, where the encrypted time synchronization packet includes a transmittal timestamp for time synchronization.
  • the method further comprises transmitting the extended encrypted packet to a slave node for time synchronization.
  • Figure 1 illustrates a network environment for secure transmission of time synchronization packets, according to an embodiment of the present subject matter.
  • Figure 2 illustrates a method of secure transmission of time synchronization packets for time synchronization, according to an embodiment of the present subject matter.
  • Figure 3 illustrates a method of secure reception of time synchronization packets for time synchronization, according to an embodiment of the present subject matter.
  • any block diagrams herein represent conceptual views of illustrative systems embodying the principles of the present subject matter.
  • any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
  • Time synchronization between various nodes of a network is vital for successful implementation and working of the network components, implemented in various systems, for instance process control systems; batch control systems; and heating, ventilation, and air conditioning (HVAC) control systems.
  • the time synchronization may be useful for various reasons, such as for smooth and synchronized functioning of a system implementing the network as an error in time synchronization may affect applications running on the various nodes, thus causing malfunctioning of the system.
  • time synchronization protocols such as precision time protocol (PTP) and Network Time Protocol (NTP)
  • particular types of nodes used for time synchronization provide timing information to all other components or nodes by way of time synchronization packets.
  • nodes include, but are not limited to, a time server node, a master node or a grandmaster node slave node in the network.
  • the master node is locally attached to a clock device to ensure accurate timestamping of the time synchronization packets having transmittal timestamps indicating the time at which the time synchronization packets, hereinafter interchangeably referred to as the packets, are transmitted by the master node.
  • the slave node may decode the time synchronization packets to obtain the transmittal timestamp. The slave node may then use the transmittal timestamps and a receiving timestamp, generated by the slave node upon receipt of the packet, to synchronize with the master node and other nodes of the network.
  • the time synchronization packets are, however, subject to various security threats, such as malicious nodes that may want to disturb the synchronization between the various nodes for various reasons. For instance, the packets may be subjected to spoofing, interception and manipulation, replay attack, rogue master attack, interception and removal, packet delay manipulation, cryptographic performance attacks, and denial of service (DoS) attacks.
  • IPSec is a protocol typically used for securing internet protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
  • IPSec is used for securing time synchronization packets used in PTP.
  • IPSec typically uses heavyweight encryption techniques that, although they protect the packets from security attacks, affect the clock accuracy.
  • the slave node may first need to decrypt the encrypted packet to identify whether the packet is a time synchronization packet.
  • On determining that the encrypted packet is a time synchronization packet, the slave node timestamps the encrypted packet by marking a receiving timestamp and processes the transmittal timestamps and the receiving timestamp for synchronization.
  • a delay in timestamping caused by decryption of the encrypted time packet by the slave node may result in an inaccurate synchronization.
  • implementation of such protocols involves dedicated algorithms and hardware capable of fast processing, thus increasing the implementation and working cost of the time synchronization protocols.
  • One of the techniques for secure transmission of time synchronization packets involves IEEE 1588 experimental security extension.
  • the IEEE 1588 experimental security extension is a PTP security extension and protocol that involves adding a security authentication type-length-value (TLV) message extension to the packet.
  • the security authentication TLV message includes a message authentication code called an integrity check value (ICV) to indicate whether the packet was transmitted by an authenticated source or not.
  • the ICV further indicates whether the packet has been modified by an intermediate node or not.
  • an inspection of the ICV at the slave node may alert the slave node about whether the time information provided in the packet is reliable or not based on which the slave node may or may not use the packet for time synchronization with the other nodes.
  • the slave node may thus drop the packet and wait for another packet having correct timing information for time synchronization. The above technique may thus save the slave node from incorrect synchronization by indicating malicious timing information.
  • Another technique for secure transmission of time synchronization packets involves using extended Wrapped Encapsulating Security Payload (WESP) header.
  • Such technique involves adding a time packet identifier in the WESP header of the packet to indicate whether the packet is a time synchronization packet or not.
  • an inspection of the time packet identifier at the slave node may help the slave node distinguish the time synchronization packets from the other packets, thus saving the time required by the slave node for decrypting the packet before timestamping.
  • providing the time packet identifier in an unencrypted form makes the packets vulnerable to security attacks as any malicious node too may identify the time synchronization packet and modify the time synchronization packet.
  • an extended time synchronization packet is transmitted by a master node to a slave node for time synchronization to ensure secure transmission of time synchronization packet.
  • the extended encrypted packet may include a time packet marking in an encrypted form to indicate that the extended encrypted packet includes a time synchronization packet.
  • the master node, such as a grandmaster linked to a master clock, may send the extended encrypted packet to the slave node, which on receiving the extended encrypted packet may identify the time packet marking and timestamp the extended encrypted packet without any delay, thus improving the accuracy of time synchronization.
  • the master node may initially generate the time packet marking using a dynamic string and a pre-shared key, such that the time packet marking indicates start of flow of time synchronization packets.
  • the pre-shared key may be any alphanumeric key shared between the master node and the slave node.
  • the dynamic string may be a string, such as 'master-slave' and may be different for each time synchronization packet.
  • the master node may subsequently encrypt the time packet marking using a lightweight encryption technique to generate an encrypted time packet marking, hereinafter referred to as a master signature of a predetermined bit size, for example, 64 bit.
  • the master node may then generate a time synchronization packet having a transmittal timestamp indicating the time at which the time synchronization packet is transmitted by the master node.
  • the time synchronization packet may be encrypted using an encryption technique, such as ESP to obtain an encrypted time synchronization packet.
  • the master signature is then appended to the encrypted time synchronization packet to obtain the extended encrypted packet. Further IP header parameters may be updated accordingly to ensure successful transmission of the extended encrypted packet.
  • the extended encrypted packet may then be transmitted, as an encrypted packet, to the slave node for time synchronization.
  • Since both the time synchronization packet and the time packet marking are encrypted, any intermediate node which may obtain the packet during transmission may not be able to differentiate the extended encrypted packet from any other encrypted packet.
  • Upon receiving the encrypted packet, the slave node obtains a string of a predetermined number of bits from the end of the encrypted packet based on the predetermined bit size. Since the slave node knows that the master signature is of the predetermined bit size, it obtains the predetermined number of bits, equal to the predetermined bit size, from the end of the encrypted packet as the string. The string is then compared with a predetermined master signature of the predetermined bit size. In one implementation, the predetermined master signature is the same as the master signature and is generated by the slave node using the dynamic string and the pre-shared key. Based on the comparison, it is determined whether the encrypted packet is an extended encrypted packet or not. If the string is the same as the predetermined master signature, the encrypted packet may be identified as the extended encrypted packet. The encrypted packet may then be timestamped by the receiver node by marking a receiver timestamp, thus avoiding the delay typically caused by the heavy decryption procedure used for decryption of the encrypted packet before timestamping.
  • the encrypted packet is further processed, by removing the master signature from the extended encrypted packet, updating IP header parameters, and decrypting the encrypted time synchronization packet to obtain the transmittal timestamp.
  • the transmittal timestamp and the received timestamp may then be used for time synchronization between the slave node and the master node.
  • the receiver node and the master node may initiate the time synchronization process and exchange other messages, such as a follow-up message and a delay request message using a similar encryption technique as described above.
  • the present subject matter thus facilitates secure transmission of time synchronization packets by the master node to slave node.
  • Appending the encrypted time packet marking to the encrypted time synchronization packet helps the slave node in easy and quick identification of the encrypted time synchronization packet from among the various encrypted packets sent by the master node.
  • Such a fast and easy identification of the encrypted time synchronization packet helps in avoiding a delay in timestamping of the extended encrypted packet at the slave node.
  • encrypting the time packet marking helps in securing a safe transmission of the time synchronization packet as the intermediate nodes may not be able to distinguish the extended encrypted packet from other encrypted packets, as described.
  • using a lightweight encryption technique for encrypting the time packet marking helps avoid any delay in encryption of the time packet marking and, in turn, in the transmission of the extended encrypted packet.
  • FIG. 1 illustrates a network environment 100 for secure transmission of time synchronization packets according to an embodiment of the present subject matter.
  • the network environment 100 includes a master node 102 communicating with one or more slave nodes 104-1, 104-2, 104-n, hereinafter collectively referred to as slave nodes 104 and individually referred to as slave node 104, over a network 106.
  • Communication links between the slave nodes 104 and master node 102 are enabled through a desired form of communication, for example, via dial-up modem connections, cable links, digital subscriber lines (DSL), wireless or satellite links, or any other suitable form of communication.
  • the master node 102 may be implemented as one or more systems or computing devices, such as a desktop computer, a hand-held device, a cloud server, a mainframe computer, a workstation, a multiprocessor system, a personal digital assistant (PDA), a smart phone, a laptop computer, a network computer, a minicomputer, and a gateway server.
  • the slave nodes 104 may be implemented as one or more computing systems, such as personal computers, multiprocessor systems, laptops, wireless devices, wireless sensors, M2M devices, and cellular communicating devices, such as a personal digital assistant, a smart phone, and a mobile phone, and the like.
  • the network 106 may be a wireless network, a wired network, or a combination thereof.
  • the network 106 can also be an individual network or a collection of many such individual networks, interconnected with each other and functioning as a single large network, e.g., the Internet or an intranet.
  • the network 106 can be implemented as one of the different types of networks, such as intranet, local area network (LAN), wide area network (WAN), the internet, and such. Further, the network 106 may include network devices that may interact with the master node 102 and the computing devices 104 through communication links.
  • the master node 102 may communicate with the slave node 104 over the network 106 by sending data packets for various purposes, such as time synchronization.
  • the master node 102 transmits time synchronization packets to the slave node 104 to enable the slave node 104 to synchronize their local clocks (not shown in the figure) with a master clock (not shown in the figure) associated with the master node 102.
  • the master node 102 sends the time synchronization packets in an encrypted form to ensure secure transmission of the time synchronization packets.
  • the master node 102 may append an encrypted time packet marking to the time synchronization packet to generate an extended encrypted packet.
  • the encrypted time packet marking may be understood as a signature added to indicate that the extended encrypted packet includes a time synchronization packet.
  • the master node 102 may then send the extended encrypted packet to the slave node 104, which on receiving the extended encrypted packet may identify the time packet marking and timestamp the extended encrypted packet without any delay, thus improving the accuracy of time synchronization.
  • the master node 102 and the slave node 104 include processors 108-1, 108-2, respectively.
  • the processors 108-1, 108-2 collectively referred to as processor(s) 108 hereinafter, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that manipulate signals based on operational instructions.
  • the processor(s) 108 fetches and executes computer-readable instructions stored in the memory.
  • the functions of the various elements shown in the figure, including any functional blocks labeled as "processor(s)" may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software.
  • When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared.
  • explicit use of the term "processor" should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA), read only memory (ROM) for storing software, random access memory (RAM), non-volatile storage. Other hardware, conventional and/or custom, may also be included.
  • the master node 102 and the slave node 104 include I/O interface(s) 110-1 and 110-2, respectively.
  • the I/O interface(s) 110-1 and 110-2, collectively referred to as I/O interfaces 110, may include a variety of software and hardware interfaces that allow the master node 102 and the slave node 104 to interact with the network 106 and with each other. Further, the I/O interfaces 110 may enable the master node 102 and the slave node 104 to communicate with other communication and computing devices, such as web servers and external repositories.
  • the master node 102 and the slave node 104 may include memory 112-1 and
  • the memory 112-1 and 112-2 may be coupled to the processor 108-1, and the processor 108-2, respectively.
  • the memory 112 may include any computer-readable medium known in the art including, for example, volatile memory (e.g., RAM), and/or nonvolatile memory (e.g., EPROM, flash memory, etc.).
  • the master node 102 and the slave node 104 further include modules 114-1,
  • the modules 114 include routines, programs, objects, components, data structures, and the like, which perform particular tasks or implement particular abstract data types.
  • the modules 114 further include modules that supplement applications on the master node 102 and the slave node 104, for example, modules of an operating system.
  • the modules 114 can be implemented in hardware, instructions executed by a processing unit, or by a combination thereof.
  • the processing unit can comprise a computer, a processor, such as the processor 108, a state machine, a logic array or any other suitable devices capable of processing instructions.
  • the processing unit can be a general-purpose processor which executes instructions to cause the general-purpose processor to perform the tasks or, the processing unit can be dedicated to perform the functions.
  • the modules 114 may be machine-readable instructions (software) which, when executed by a processor/processing unit, perform any of the described functionalities.
  • the machine-readable instructions may be stored on an electronic memory device, hard disk, optical disk or other machine-readable storage medium or non-transitory medium.
  • the machine-readable instructions can also be downloaded to the storage medium via a network connection.
  • the data 116 serves, amongst other things, as a repository for storing data that may be fetched, processed, received, or generated by one or more of the modules 114.
  • the modules 114-1 of the master node 102 include a packet generation module 118, a time synchronization module 120, an encryption-decryption module 122, a time packet marking module 124, a communication module 126, and other module(s) 128.
  • the data 116-1 of the master node 102 includes packet data 130, time marking data 132, time stamping data 134, and other data 136.
  • the other module(s) 128 may include programs or coded instructions that supplement applications and functions, for example, programs in the operating system of the master node 102, and the other data 136 comprise data corresponding to one or more other module(s) 128.
  • the modules 114-2 of the slave node 104 include a packet generation module 138, a time synchronization module 140, an encryption-decryption module 142, a time packet marking module 144, a communication module 146, and other module(s) 148.
  • the data 116-2 of the slave node 104 includes time marking data 150, time stamping data 152, packet data 154, and other data 156.
  • the other module(s) 148 may include programs or coded instructions that supplement applications and functions, for example, programs in the operating system of the slave node 104, and the other data 156 comprise data corresponding to one or more other module(s) 148.
  • the time packet marking module 124 of the master node 102 may initially generate the time packet marking.
  • the time packet marking may be a dynamically generated signature and may thus be different for each cycle of time synchronization process.
  • the time packet marking module 124 may use a string "master-slave" indicating the time synchronization packet is being transmitted by the master node to the slave node, thus indicating the start of flow of time synchronization packets.
  • the time packet marking may be a combination of a dynamic string and a pre-shared key indicating that the encrypted packet to which the time packet marking is appended is sent by the master node 102 and is a time synchronization packet.
  • the pre-shared key may be an alphanumeric key of a predetermined length, shared between the master node and the slave node for generating time packet markings.
  • the dynamic string may be a string, such as 'master-slave' and may be different for each time synchronization packet.
  • the time packet marking thus generated may be further saved in the time marking data 132 by the time packet marking module 124.
  • the time packet marking module 124 may subsequently encrypt the time packet marking to obtain an encrypted time packet marking, hereinafter referred to as a master signature.
  • the time packet marking module 124 may encrypt the time packet marking using a lightweight encryption technique.
  • the lightweight encryption technique may be any conventionally known encryption technique, such as a hash technique, that may be easy to compute, fast to process, and less resource intensive.
  • the master signature may be of a predetermined bit size, say, 64 bits or 128 bits shared between the slave node 104 and the master node 102.
  • the bit size of the master signature may be determined based on various parameters, such as encryption time, encryption complexity, channel bandwidth, and size of the time synchronization packet. Further, sharing the bit size with the slave node 104 facilitates easy identification of the master signature by the slave node 104.
  • the time packet marking module 144 may use the same dynamic string and the pre-shared key used by the time packet marking module 124 for generating the master signature.
  • the time packet marking module 124 and the time packet marking module 144 may thus generate the same signatures using the above described process of encrypting the time packet markings and save them as the master signature and the predetermined master signature, respectively.
  • the time packet marking module 124 may select a signature from a set of signatures shared between the slave node 104 and the master node 102. Selecting the master signature from among the shared set of signatures facilitates easy and faster identification of the master signature by the slave node 104. Further, the time packet marking module 124 may select the master signature based on a predetermined sequence such that the slave node 104 would know the master signature being generated and appended to the time synchronization packet by the master node 102.
  • the master signature generated for a time synchronization packet may be used as the dynamic string for generating a master signature and a predetermined master signature for a subsequent time synchronization packet.
  • Using a previous master signature as the dynamic string for generating a subsequent master signature allows the slave node 104 to easily generate the predetermined master signature without requiring any synchronization with the master node 102.
  • the time packet marking module 144 and the time packet marking module 124 may further generate a slave signature and a predetermined slave signature, respectively, using the above described process of encrypting the time packet marking.
  • the slave signature may be appended by the slave node 104 to data packets, such as a delay request message sent by the slave node 104 to the master node 102.
  • the predetermined slave signature may be used by the master node 102 to identify such data packets sent by the slave node 104 and thus is similar to the slave signature.
  • the time packet marking module 124 may subsequently save the master signature and the predetermined slave signature in the time marking data 132.
  • the time packet marking module 144 may save the slave signature and the predetermined master signature in the time marking data 150.
  • the packet generation module 118 may generate the time synchronization packet for being transmitted to the slave node 104 for the time synchronization.
  • the time synchronization packet may be generated and transmitted using any of the known time synchronization protocols, such as PTP and NTP.
  • the time synchronization packet may thus include various fields, such as media access control (MAC) address, Internet protocol (IP) address, header, and data depending on the time synchronization protocol used by the master node 102.
  • the time synchronization module 120 may timestamp the time synchronization packet by marking a transmittal timestamp to the time synchronization packet.
  • the transmittal timestamp may indicate the time at which the time synchronization packet is transmitted to the slave node 104 by the master node 102.
  • the time synchronization module 120 may obtain the time of transmittal from the master clock associated with the master node 102.
  • the encryption-decryption module 122 may then encrypt the time synchronization packet to obtain an encrypted time synchronization packet using a conventionally known encryption technique.
  • the encryption-decryption module 122 may use an encapsulating security payload (ESP) technique to encrypt the time synchronization packet.
  • the encrypted encapsulating security payload may then be saved by the encryption-decryption module 122 in the packet data 130.
  • the time packet marking module 124 may append the master signature to the encrypted time synchronization packet to obtain an extended encrypted time synchronization packet, hereinafter referred to as extended encrypted packet.
  • appending the master signature to the encrypted time synchronization packet to obtain the extended encrypted packet facilitates safe transmission of the transmittal timestamp, since a malicious intermediate node may never be able to differentiate between a conventional encrypted packet and the extended encrypted packet, as both packets would appear to be certain bits in an encrypted form.
  • the time packet marking module 124 may further update IP header parameters of the extended encrypted packet and in turn the time synchronization packet to ensure safe transmission of the extended encrypted packet to the slave node 104.
  • the communication module 126 may then transmit the extended encrypted packet to the slave node 104 for time synchronization.
  • the communication module 126 may transmit the extended encrypted packet as any other encrypted packet using a conventional technique.
  • the extended encrypted packet may then be received by the communication module 146 of the slave node 104 as a conventional encrypted packet and processed.
  • the time packet marking module 144 of the slave node 104 may obtain a string of a predetermined number of bits from the end of the encrypted packet in order to determine whether the encrypted packet is a time synchronization packet or a general data packet.
  • the time packet marking module 144 may obtain the string such that the string is of the predetermined bit size, i.e., the string is of the same size as the master signature. For instance, in case the master signature is of 64 bits, then the time packet marking module 144 may obtain the last 64 bits of the encrypted packet as the string.
  • the time packet marking module 144 may subsequently compare the string with the predetermined master signature.
  • the predetermined master signature is the same as the master signature and is generated by encrypting a time packet marking based on the pre-shared key and the dynamic string corresponding to the master node 102. Based on the comparison, the time packet marking module 144 may determine whether the encrypted packet is a time synchronization packet or not. For instance, in case the string is different from the predetermined master signature, the time packet marking module 144 may determine the encrypted packet to be a general data packet, i.e., a non-time synchronization packet. The time packet marking module 144 may save the encrypted packet in the other data 156 for being processed by the slave node 104.
  • in case the string is the same as the predetermined master signature, the time packet marking module 144 may determine the encrypted packet to be the extended encrypted packet having the master signature appended to the time synchronization packet. On determining the encrypted packet to be the extended encrypted packet, the time packet marking module 144 timestamps the encrypted packet. The time packet marking module 144 may mark a receiving timestamp indicating the time at which the encrypted packet is received by the slave node 104. The above described time stamping takes place within a very short time, ensuring there is no delay in the time stamping, thus maintaining high accuracy in the time synchronization process. The time packet marking module 144 may further remove the master signature from the extended encrypted packet to obtain the encrypted time synchronization packet.
  • the time packet marking module 144 may further update the IP header parameters of the encrypted time synchronization packet and save the receiver timestamp in the time stamping data 152.
  • the encryption-decryption module 142 may then decrypt the encrypted time synchronization packet to obtain the time synchronization packet for being processed by the time synchronization module 140.
  • the time synchronization module 140 may process the time synchronization packet to obtain the transmittal timestamp and the receiver timestamp for time synchronization.
  • the transmittal timestamp and the receiver timestamp may be subsequently saved in the time stamping data 152 and used by the time synchronization module 140 for time synchronization using the conventional time synchronization process.
  • the master node 102 and the slave node 104 may exchange a few other messages, such as a follow-up message and a delay request message, for obtaining a few additional timestamps for time synchronization.
  • the communication module 126 of the master node 102 may transmit a follow up packet having a corrected transmittal timestamp using the above described process.
  • the time packet marking module 124 may initially generate a new time packet marking using a new dynamic string and the pre-shared key. As previously described, the master signature may be used as the new dynamic string for generating the new time packet marking. The time packet marking module 124 may encrypt the new time packet marking to generate a new master signature and append the new master signature to an encrypted follow-up packet to obtain a new extended encrypted packet, interchangeably referred to as extended follow-up message. The extended follow-up message may then be transmitted by the communication module 126 to the slave node 104.
  • the slave node 104 may process the new extended encrypted packet using the above described process to obtain the transmittal timestamp. For instance, the time packet marking module 144 may obtain a new string and compare it with a new predetermined master signature to determine if the encrypted packet is the follow-up message. The time packet marking module 144 may then timestamp the encrypted packet and the encryption-decryption module 142 may decrypt the encrypted packet to obtain the corrected transmittal timestamp. Further, in a way similar to the new master signature, the new predetermined master signature may be generated using the previous predetermined master signature. Using the previous predetermined master signature facilitates fast and easy generation of the subsequent predetermined master signature without utilizing any synchronization between the slave node 104 and the master node 102.
  • the slave node 104 may generate a time synchronization packet, such as a delay request message for being sent to the master node 102 to determine any possible delay in message exchange between the master node 102 and the slave node 104.
  • the time packet marking module 144 may generate the delay request message in a way similar to the generation and transmission of the time synchronization packet by the master node 102.
  • the packet generation module 138 may generate the delay request message and save it in the packet data 154.
  • the time synchronization module 140 may then mark a transmittal timestamp on the delay request message.
  • the encryption-decryption module 142 of the slave node 104 may then encrypt the delay request message.
  • the time packet marking module 144 may subsequently append the slave signature to the encrypted delay request message to obtain an extended delay request message, interchangeably referred to as another extended encrypted packet.
  • the communication module 146 of the slave node 104 may then transmit the other extended encrypted packet to the master node 102 as a conventional encrypted packet.
  • the master node 102 may process the encrypted packet using the above described process to obtain the delay request timestamp.
  • the time packet marking module 124 may obtain a string of the predetermined bit size, equal to the bit size of the slave signature, from the end of the encrypted packet.
  • the time packet marking module 124 may then compare the string with the predetermined slave signature to determine if the encrypted packet is the delay request message.
  • the time packet marking module 124 and the encryption-decryption module 122 of the master node 102 may then timestamp and decrypt the extended delay request message, respectively, to obtain the delay request message.
  • the delay request message may then be processed by the time synchronization module 120 to obtain the delay request timestamp.
  • the master node 102 may generate and encrypt a delay response message, append a new master signature and transmit an extended delay response message to the slave node 104 using the above described method.
  • the slave node 104 may obtain a new string, compare the string with a new predetermined master signature, timestamp the extended delay response message based on the comparison result, and obtain the timestamps shared in the delay response message for time synchronization.
  • the present subject matter thus facilitates secure transmission of time synchronization packets without affecting time stamping accuracy of the slave nodes 104 and the master node 102.
  • Figures 2 and 3 illustrate a method 200 and a method 300, respectively, for secure transmission and reception of time synchronization packets, according to an embodiment of the present subject matter.
  • the order in which the method is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the methods 200 and 300 or any alternative methods. Additionally, individual blocks may be deleted from the methods without departing from the spirit and scope of the subject matter described herein.
  • the method(s) can be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the method(s) may be described in the general context of computer executable instructions.
  • computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types.
  • the methods may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communications network.
  • computer executable instructions may be located in both local and remote computer storage media, including memory storage devices.
  • Figure 2 illustrates the method 200 of secure transmission of time synchronization packets for time synchronization, according to an embodiment of the present subject matter.
  • a time packet marking of a predetermined bit size is generated.
  • a master node such as the master node 102 may generate the time packet marking for identification of time synchronization packets by a slave node, such as the slave node 104 thus ensuring a secure transmission of the time synchronization packets.
  • the time packet marking may be generated using a dynamic string, such as 'master-slave' and a pre-shared key shared between the master node and the slave node.
  • the time packet marking is encrypted to obtain a master signature.
  • the time packet marking may be encrypted using a lightweight encryption technique to ensure that encryption and decryption of the time packet marking doesn't consume heavy resources and time.
  • the master signature may be saved in time packet marking data of the master node 102.
  • the master signature is appended to an encrypted time synchronization packet to obtain an extended time packet.
  • the master signature may be appended to the encrypted time synchronization packet to ensure safe transmission of the extended encrypted packet, as an intermediate node not having the knowledge of the master signature may assume it to be a part of a general encryption packet and thus may not be able to distinguish an extended encrypted packet from other encrypted packets.
  • IP header parameters of the extended encrypted packet are updated.
  • the IP header parameters may be updated to ensure successful transmission of the extended encrypted packet.
  • the extended encrypted packet may be transmitted by the master node to a slave node.
  • the extended encrypted packet may be transmitted as a conventional encrypted packet using conventional techniques of transmitting data packets. Transmitting the extended encrypted packet as the encrypted packet helps ensure that an intermediate node is not able to identify the extended encrypted packet.
  • Figure 3 illustrates a method of secure reception of time synchronization packets for time synchronization, according to an embodiment of the present subject matter.
  • an encrypted packet is received from a master node.
  • a slave node may receive the encrypted packet from the master node over a transmission channel.
  • a string of a predetermined bit size is obtained from the end of the encrypted packet.
  • the string may be of a predetermined bit size shared between the slave node and the master node. For instance, in case the predetermined bit size is 128 bits, the last 128 bits of the encrypted packet may be obtained as the string.
  • the string is compared with a predetermined master signature.
  • the predetermined master signature may be of the predetermined bit size, i.e., same as the size of the master signature. Further, the predetermined master signature may be similar to a master signature appended by the master node to a time synchronization packet for secure transmission. If the string is different from the predetermined master signature, the slave node may determine the encrypted packet to be a normal data packet, which is the 'No' path from the block 306, and the method moves to the block 308, where the encrypted packet is processed.
  • if the string is the same as the predetermined master signature, the encrypted packet is an extended encrypted packet, which is the 'Yes' path from the block 306.
  • the extended encrypted packet is timestamped at block 310, without any delay, thus ensuring high accuracy in time synchronization.
  • the encrypted packet is decrypted to obtain a transmittal timestamp for time synchronization.
  • the encrypted packet may be initially processed to remove the master signature to obtain the encrypted time synchronization packet.
  • the encrypted time synchronization packet is then decrypted to obtain the time synchronization packet having the transmittal timestamp.
  • the transmittal timestamp and the receiver timestamp are then used for time synchronization with the master node.
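The marking, appending and trailing-bits check of methods 200 and 300, as an added example that is not code from the patent or its applicant. It assumes the "lightweight encryption" is HMAC-SHA256 truncated to 64 bits, treats the ESP ciphertext as opaque bytes, and uses hypothetical names (`SignatureChain`, `master_send`, `slave_receive`); the `lookahead` parameter goes beyond the page and shows what happens to the signature chain when a packet is lost.

```python
import hashlib
import hmac
import time

SIG_BYTES = 8  # predetermined bit size shared by both nodes: 64 bits


def next_signature(psk: bytes, dynamic: bytes) -> bytes:
    """Signature for one packet from the pre-shared key and the dynamic string.

    Assumption: the page's lightweight hash-based encryption of the time
    packet marking is modelled as HMAC-SHA256 truncated to SIG_BYTES.
    """
    return hmac.new(psk, dynamic, hashlib.sha256).digest()[:SIG_BYTES]


class SignatureChain:
    """One node's view of the signature sequence for one direction."""

    def __init__(self, psk: bytes, seed: bytes = b"master-slave"):
        self.psk = psk
        self.current = next_signature(psk, seed)

    def advance(self, used: bytes) -> None:
        # The signature just used becomes the dynamic string for the next one.
        self.current = next_signature(self.psk, used)


def master_send(chain: SignatureChain, encrypted_packet: bytes) -> bytes:
    """Append the master signature to an already encrypted sync packet."""
    extended = encrypted_packet + chain.current
    chain.advance(chain.current)
    return extended


def slave_receive(chain, packet, lookahead=0, clock=time.monotonic_ns):
    """Classify a received encrypted packet by its trailing SIG_BYTES.

    Returns (is_sync, rx_timestamp, payload). For a sync packet the payload is
    the encrypted packet with the signature stripped, still to be decrypted.
    lookahead > 0 also accepts signatures further along the chain, which
    lets the receiver recover after lost packets (not described on the page).
    """
    if len(packet) <= SIG_BYTES:
        return False, None, packet
    tail = packet[-SIG_BYTES:]
    candidate = chain.current
    for _ in range(lookahead + 1):
        if hmac.compare_digest(tail, candidate):  # constant-time comparison
            rx_timestamp = clock()  # taken on identification, before decryption
            chain.advance(candidate)
            return True, rx_timestamp, packet[:-SIG_BYTES]
        candidate = next_signature(chain.psk, candidate)
    return False, None, packet  # handled as a general data packet


def demo():
    psk = b"constructed-pre-shared-key"   # constructed sample value
    master, slave = SignatureChain(psk), SignatureChain(psk)
    sync_ct = bytes(range(48))            # constructed stand-in for ESP ciphertext
    data_ct = bytes(reversed(range(64)))  # constructed general encrypted packet
    results = []
    results.append(slave_receive(slave, master_send(master, sync_ct))[0])
    results.append(slave_receive(slave, data_ct)[0])
    master_send(master, sync_ct)          # this packet is lost in transit
    late = master_send(master, sync_ct)
    results.append(slave_receive(slave, late)[0])               # chains out of step
    results.append(slave_receive(slave, late, lookahead=2)[0])  # recovered
    return results


if __name__ == "__main__":
    print(demo())
```

With `lookahead=0` the receiver behaves as the page describes, so one lost packet leaves the two chains out of step and every later time synchronization packet is handled as general data until both sides are re-seeded.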

PCT/EP2014/070347 2013-10-03 2014-09-24 Secure transmission of time synchronization packets Ceased WO2015049138A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN2939/DEL/2013 2013-10-03
IN2939DE2013 IN2013DE02939A 2013-10-03 2014-09-24

Publications (1)

Publication Number Publication Date
WO2015049138A1 (en) 2015-04-09

Family

ID=51627279

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2014/070347 Ceased WO2015049138A1 (en) 2013-10-03 2014-09-24 Secure transmission of time synchronization packets

Country Status (2)

Country Link
IN (1) IN2013DE02939A
WO (1) WO2015049138A1

Also Published As

Publication number Publication date
IN2013DE02939A 2015-04-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14777040

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14777040

Country of ref document: EP

Kind code of ref document: A1