arXiv:1710.05798v3 [cs.CR] 12 May 2018

Requirements for Secure Clock Synchronization

Lakshay Narula, Student Member, IEEE, and Todd E. Humphreys, Member, IEEE

L. Narula is with the Department of Electrical and Computer Engineering, Cockrell School of Engineering, The University of Texas at Austin, Austin, TX 78712 USA (email: [email protected]).
T. E. Humphreys is with the Department of Aerospace Engineering and Engineering Mechanics, Cockrell School of Engineering, The University of Texas at Austin, Austin, TX 78712 USA.

Abstract—This paper establishes a fundamental theory of secure clock synchronization. Accurate clock synchronization is the backbone of systems managing power distribution, financial transactions, telecommunication operations, database services, etc. Some clock synchronization (time transfer) systems, such as the Global Navigation Satellite Systems (GNSS), are based on one-way communication from a master to a slave clock. Others, such as the Network Transport Protocol (NTP), and the IEEE 1588 Precision Time Protocol (PTP), involve two-way communication between the master and slave. This paper shows that all one-way time transfer protocols are vulnerable to replay attacks that can potentially compromise timing information. A set of conditions for secure two-way clock synchronization is proposed and proved to be necessary and sufficient. It is shown that IEEE 1588 PTP, although a two-way synchronization protocol, is not compliant with these conditions, and is therefore insecure. Requirements for secure IEEE 1588 PTP are proposed, and a second example protocol is offered to illustrate the range of compliant systems.

Index Terms—time transfer; clock synchronization; security.

I. INTRODUCTION

Secure clock synchronization is critical to a host of technologies and infrastructure today. The phasor measurement units (PMUs) that enable monitoring and control in power grids need timing information to synchronize measurements across a wide geographical area [1]. Wireless communication networks synchronize their base stations to enable call handoff [2]. Financial networks transfer a common time across the globe to enable pricing and time-stamping for transactions [3]. Cloud database services such as Google's Cloud Spanner similarly require precise clock synchronization to maintain consistency between data centers [4]. These applications have sub-millisecond accuracy and stringent security requirements.

Clock synchronization is performed either by over-the-wire packet-based communication (NTP, PTP, etc.), or by over-the-air radio signals (GNSS [6], DCF77 [2], cellular signals, etc.); both wired and wireless methods of synchronization are used extensively [5]. Synchronization by GNSS is the method of choice in systems with the most stringent accuracy requirements. Equipped with the most accurate atomic standards available, GNSS satellites can synchronize any number of stations on Earth to within a few tens of nanoseconds [7]. NTP is usually only accurate to within a few milliseconds, but comes essentially for free whenever a host device is connected to the network.

One-way clock synchronization protocols are based on unidirectional communication from the time master station A to the slave station B. In such protocols, A acts as a broadcast station and may send out timing signals either continuously or periodically. The principal drawback of one-way clock synchronization protocols is their vulnerability to man-in-the-middle (MITM) attacks in which a wireless adversary nefariously delays or repeats a valid transmission from one station to another. Cryptographic and other security measures can improve one-way protocols against data-level attacks and signal spoofing, such as [8]–[10], but, as will be shown, one-way protocols will remain fundamentally insecure against delay attacks because of their inability to measure round trip time.

Two-way clock synchronization protocols involve bi-directional communication between stations A and B. Such protocols enable measurement of the round trip delay of the timing signal, which is shown to be necessary for detecting MITM attacks. This measurement, however, is not by itself sufficient for provable security against such attacks. Two-way protocols can be secured against unsophisticated attacks, but remain vulnerable to powerful adversaries.

This paper establishes a fundamental theory of secure clock synchronization. In contrast to the current literature on the security of clock synchronization [11]–[17], the problem is formalized with explicit definitions, assumptions, and proofs. The major contributions of this work are as follows:

1) One-way synchronization protocols are shown to be insecure against a MITM delay attack. Adversarial delay is shown to be indistinguishable from clock bias, and hence unobservable without further assumptions.
2) A set of necessary conditions for secure two-way clock synchronization is presented and proved. Similar protocol-specific conditions have been previously proposed [11], [13], [18], but have not been generalized to a universal clock synchronization model.
3) The proposed necessary conditions, with stricter upper bounds, are shown to be sufficient for secure synchronization in the presence of a probabilistic polynomial time (PPT) adversary. Provable security for clock synchronization has not previously been explored in the literature.
4) The two-way synchronization scheme of IEEE 1588 PTP is shown to violate a necessary condition for security. This is a known vulnerability for which a fix has been proposed [11]. Having established a theory for security, this paper is able to show that the proposed fix is necessary but not sufficient for PTP security. A more parsimonious fix is presented that is both necessary and sufficient for secure synchronization.
5) A generic construction of a secure two-way clock synchronization protocol is presented to illustrate the general applicability of the proposed necessary and sufficient conditions to a range of underlying protocols.
for proposed vulnerability condition been known has necessary a a is violate This to shown is literature. the in explored been previously ha not (PPT) synchronization time clock polynomial for security probabilistic Provable adversary. a of synchroniza- presence secure in for tion sufficient be to shown are bounds, to model. generalized synchronization been clock universal not have a to but pro- apply [18], previously [13], been [11], Similar posed proved. have and conditions presented protocol-specific is synchronization clock assumptions. hence further and without bias, unobservable clock is is from delay indistinguishable Adversarial be to attack. shown delay MITM a against secure B nsc protocols, such In . ebr IEEE Member, A csa broadcast a as acts A and B Such . iming s. delay more ons, wn, , eir on A of al r- l- e s s , applicability of the proposed necessary and sufficient protocols are able to foil data-level attacks against realistic conditions to a range of underlying protocols. adversaries, some signal-level attacks, such as the delay attack, This paper is a significant extension of [19], by the same remain open vulnerabilities. Unfortunately, their execution is authors: (1) the necessary conditions for security have been relatively simple. Signal-level attacks, such as the man-in-the- revamped to incorporate both continuous and packet-based middle attack, have been studied in the recent past. However, clock synchronization systems, (2) a sufficiency proof for the these studies only include a brief discussion on countermea- security conditions has been formulated, and (3) protocol- sure techniques, and no proof or theoretical guarantee of the specific countermeasures presented in the literature have been efficacy of the countermeasures has been provided. unified with the proposed conditions. Ullman et al. 
[11] propose measuring the propagation delays Wired clock synchronization is inherently more secure than during initialization of clock synchronization and monitoring its wireless counterpart because physical access to cables is the propagation delays during the normal operation of the time easier controlled than access to radio channels. This paper synchronization protocol. However, [11] does not prove that primarily focuses on the more challenging task of clock such a defense would be sufficient to prevent the delay attacks. synchronization over a wireless channel; nonetheless, the In [13], it is remarked that the clock offset computed attacks and security protocols discussed herein also apply to between multiple master clocks over a symmetric channel must wireline clock synchronization protocols in the case where be zero, and thus, if multiple master clocks are available, they the adversary gets access to the channel. For example, if an can detect any malicious delay introduced by an adversary. adversary is able to hijack a boundary clock in a wireline PTP However, this defense does not consider the possibility that network, then the resulting vulnerabilities are equivalent to the adversary may only delay the packets sent to the slave that of wireless synchronization where the adversary has open nodes. access to the radio channel. In fact, an adversarial boundary The work presented in [18] is perhaps in closest relation clock is even more potent than a wireless adversary since it to the current paper. Annessi et al. upper bound the clock can completely block the authentic signal from reaching B. drift between subsequent synchronization signals using a drift The rest of this paper is organized as follows. Previous model, and perform two-way exchange of timestamps such works on secure clock synchronization, and their relation to that the master clock is able to verify the time at the slave. this paper, are summarized in Section II. 
Section III presents Furthermore, given the maximum clock drift rate and the a generic model for clock synchronization and shows that maximum and minimum propagation delay of the timing all possible one-way synchronization protocols are insecure. signal, they derive an upper bound on the adversarial delay Section IV presents the set of security conditions for a wireless that can go unnoticed. However, with conservative bounds on clock synchronization protocol, proving these to be necessary the maximum clock drift rate and the variation in path delays, by contradiction. Section V presents a proof of sufficiency the accuracy guarantees derived in [18] may be insufficient for for the same set of conditions with stricter upper bounds. A certain applications. Moreover, as will be shown in this paper, construction of an example secure protocol is presented in they fail to take account of one the necessary conditions for Section VI, along with the security requirements for IEEE secure synchronization. 1588 PTP. Section VII presents a simulation study of a This paper abstracts the clock synchronization model and secure clock synchronization model operating over a simplistic assesses its security in a generic setting. It is shown that channel model. Concluding remarks are made in Section VIII. specialization of the generic security conditions to the par- ticular protocols assessed in the aforementioned efforts leads II. RELATED WORK to solutions similar or identical to those previously advanced. GNSS, NTP, and PTP are the most widely used protocols Thus, establishing the fundamental theory of secure clock for clock synchronization. A number of research efforts have synchronization also serves to unify the prior work in the been made to assess and improve the security of these proto- literature. cols. This section reviews some of the notable efforts in the literature. III. 
SYSTEM MODEL The GNSS jamming and spoofing threat has been recog- nized in the literature for more than a decade. A survey A general system model for clock synchronization is shown of the current state-of-the-art in spoofing and anti-spoofing in Fig. 1. The time seeker station, B, wishes to synchronize techniques is presented in [8]. Recent works on GNSS anti- its clock to that of the time master station, A. For wireless spoofing techniques have specifically focused on the case of synchronization applications, stations A and B are assumed to timing security. Collaborative multi-receiver [16] and direct have known locations, xA and xB, respectively. Due to clock time estimation [17] techniques have been proposed for robust imperfections, the time at station B, tB, continuously drifts with GNSS clock synchronization. respect to tA, the time at station A. Station B seeks to track the The growing popularity of IEEE 1588 PTP for synchro- relative drift of its clock by an exchange of signals between nization in critical infrastructure has brought about concerns A and B. Without loss of generality, this paper assumes tA is regarding its security [11]–[15]. The threats to IEEE 1588 equivalent to true time (relative to some reference epoch), a PTP can broadly be categorized into data-level attacks (such close proxy for which is GPS system time. as modification of time messages) and physical layer at- It is assumed that A and B are able to exchange crypto- tacks (such as replay and delay attacks). While cryptographic graphic keys securely, if required. This exchange may occur TABLE I such a signal feature. Furthermore, the system at A is designed Ak NOTATION USED IN THIS PAPER such that the kth feature is transmitted at time tA . B either Ak A knows tA by prior arrangement, or a digital representation of Time master station Ak tA is encoded in sA (e.g., a timestamp). In any case, B knows B Time seeker station when the kth feature was sent, according to A’s clock. 
TABLE I
NOTATION USED IN THIS PAPER

$A$: Time master station
$B$: Time seeker station
$t_m^{m_i}$: Transmit time, according to $m$, of its $i$th signal feature
$t_n^{m_i}$: Receipt time, according to $n$, of the $i$th signal feature transmitted by $m$
$\tau_{mn}^i$: Delay, in true time, experienced by the $i$th feature in propagating from $m$ to $n$
$\tau_{mnM}^i$: Component of $\tau_{mn}^i$ introduced by the man-in-the-middle adversary
$\tau_{mnN}^i$: Component of $\tau_{mn}^i$ due to natural factors, including processing, transmission, and propagation delay
$\bar{\tau}_{mn}^i$: Modeled or a priori estimate of $\tau_{mnN}^i$
$\tilde{\tau}_{mnN}^i$: $\tau_{mnN}^i - \bar{\tau}_{mn}^i$
$\tau_{BB}$: Delay, in true time, between the receipt of sync and transmission of response at $B$
$\bar{\tau}_{BB}$: Delay, according to $B$, between the receipt of sync and transmission of response at $B$
$\tilde{\tau}_{BB}$: $\tau_{BB} - \bar{\tau}_{BB}$
$\Delta t_{AB}^i$: Clock offset between $A$ and $B$ at the time of receipt of the $i$th feature at $B$
$\Delta\hat{t}_{AB}^i$: $B$'s best estimate of $\Delta t_{AB}^i$
$w_{mn}^i$: Measurement noise associated with the measured time-of-arrival of the $i$th signal feature from $m$ at $n$
$\tau_{RTT}^{ij}$: Round trip time, in true time, involving the $i$th and $j$th signal features of $A$ and $B$, respectively
$\bar{\tau}_{RTT}^{ij}$: Modeled or a priori estimate of $\tau_{RTT}^{ij}$
$z_{RTT}^{ij}$: A noisy measurement of $\tau_{RTT}^{ij}$

Fig. 1. Abstract model of a clock synchronization system with a time master station A and a time seeker station B. The antenna outputs are driven by the clock through the receiver and transmitter blocks.

Station A sends out a sync signal, $s_A$, having distinct features which can be disambiguated from one another by observing a window of the signal containing the feature. The transition in $s_A$ marking the beginning of a data packet is an example of such a signal feature. Furthermore, the system at A is designed such that the $k$th feature is transmitted at time $t_A^{A_k}$. B either knows $t_A^{A_k}$ by prior arrangement, or a digital representation of $t_A^{A_k}$ is encoded in $s_A$ (e.g., a timestamp). In any case, B knows when the $k$th feature was sent, according to A's clock. This sets up a bijection

$S_A^k \rightleftharpoons k \rightleftharpoons t_A^{A_k}$ (1)

where $S_A^k$ represents a window of $s_A$ containing the $k$th feature.

Station B's received sync signal, denoted $r_B$, is a delayed and noisy replica of $s_A$. Let $\tau_{AB}^k$ denote the delay (in true time) experienced by the $k$th feature of $s_A$ as it travels from A to B. For line-of-sight (LOS) wireless communication, $\tau_{AB}^k$ is the sum of the free-space propagation delay over the distance $\|x_B - x_A\|$ and additional delays due to interaction of the timing signal with the intervening channel.

A. One-Way Clock Synchronization Model

In one-way clock synchronization, the exchange of signals between A and B terminates with reception of the sync signal at B. Let $t_B^{A_k}$ denote the time according to B at which the $k$th feature of $s_A$ is received at B. The window captured by B containing the $k$th feature of $s_A$, denoted $R_B^k$, enables B to measure $t_B^{A_k}$ to within a small error caused by measurement noise. This error, $w_{AB}^k$, is modeled as zero-mean with variance $\sigma_\epsilon^2$. The measurement itself, denoted $z_B^k$, is modeled as

$z_B^k = t_B^{A_k} + w_{AB}^k = t_A^{A_k} + \tau_{AB}^k - \Delta t_{AB}^k + w_{AB}^k$ (2)

where

$\Delta t_{AB}^k \equiv t_A^{A_k} + \tau_{AB}^k - t_B^{A_k}$ (3)

is the unknown time offset B wishes to estimate. As the bijection in (1) is known to B, B can obtain $t_A^{A_k}$ for the $k$th detected feature. If a prior estimate $\bar{\tau}_{AB}^k$ of the delay $\tau_{AB}^k$ is available to B, then the desired time offset can be estimated as

$\Delta\hat{t}_{AB}^k = t_A^{A_k} + \bar{\tau}_{AB}^k - z_B^k$ (4)

As a concrete example, consider the case of clock synchronization via GNSS in which B is a GNSS receiver in a known fixed location $x_B$, and A is a GNSS satellite whose location is known to vary with time as $x_A(t_A)$. On detection of the $k$th feature in a window of captured data, B determines $t_A^{A_k}$ using (1) and also makes the measurement

$z_B^k = t_A^{A_k} + \tau_{AB}^k - \Delta t_{AB}^k + w_{AB}^k = t_A^{A_k} + \left[\frac{\|x_B - x_A(t_A^{A_k})\| + D_\rho^k}{c}\right] - \Delta t_{AB}^k + w_{AB}^k$

where $D_\rho^k$ is the sum of excess ionospheric and neutral-atmospheric delays (in distance units) and $c$ is the speed of light. The known receiver and satellite positions can be invoked to model the signal's propagation delay as

$\bar{\tau}_{AB}^k = \frac{\|x_B - x_A(t_A^{A_k})\| + \bar{D}_\rho^k}{c}$

where $\bar{D}_\rho^k$ is a model of the excess delay $D_\rho^k$ at the time of receipt of the $k$th feature at B. The modeled excess delay is based on atmospheric models possibly refined by dual-frequency measurements [23]. An estimate of the time offset, $\Delta\hat{t}_{AB}^k$, can then be made using $t_A^{A_k}$, $z_B^k$, and $\bar{\tau}_{AB}^k$ in (4).
It must be noted that, for one-way clock synchronization, any errors in the estimate of the distance between A and B, and in the estimate of the excess channel delay, will appear as an error in the estimate of the time offset.

B. Two-Way Clock Synchronization Model

As discussed above, if an estimate $\bar{\tau}_{AB}^k$ is available, then clock synchronization is complete after B receives the sync signal $r_B$. The response signal from B in a two-way protocol is typically used to either determine, or refine, the estimate of $\bar{\tau}_{AB}^k$ with a measurement of the round trip time (RTT). The ability to measure RTT obviates the requirement that $\|x_B - x_A\|$ be known a priori. In IEEE 1588 PTP, for example, RTT is measured to initially obtain, and periodically refine, the value of $\bar{\tau}_{AB}^k$ used in deriving $\Delta\hat{t}_{AB}^k$ from (4).

In the system model considered in this paper, station B transmits a response $s_B$ that is designed such that (1) there is a one-to-one mapping $l(k)$ between the $l$th feature in $s_B$ and the $k$th feature in $s_A$, and (2) the $l$th feature's index can be inferred by observation of a window containing it. Symbolically, if $S_B^l$ is a window of $s_B$ containing the $l$th feature of the response signal, then

$S_B^l \rightleftharpoons l(k) \rightleftharpoons k$ (5)

On receipt of the $k$th feature in $s_A$, at time $t_B^{A_k}$ by B's clock, but at $z_B^k$ as measured by B, B transmits the $l$th feature in $s_B$ after a short delay, $\tau_{BB}$ (in true time), hereon referred to as the layover time.

The layover time is introduced as a practical consideration. On receipt of A's $k$th feature, B is physically unable to transmit its own $l$th feature with zero delay. Thus, B is allowed to specify a short layover time, $\bar{\tau}_{BB}$, after which it intends to launch its $l$th feature. It is important to note that the actual layover time, $\tau_{BB}$, will not be the same as the intended layover time due to (1) non-zero measurement noise $w_{AB}^k$ and (2) non-zero frequency offset of the clock at B with respect to true time. However, if the layover time is sufficiently short and the measurement noise is benign, the difference $\bar{\tau}_{BB} - \tau_{BB}$ can be made negligible compared to the time synchronization requirement, with the actual value depending on the quality of B's clock.

Station A receives the response signal as a delayed and noisy replica of $s_B$, denoted $r_A$. The delay experienced by the $l$th feature as it travels from B to A, in true time, is denoted $\tau_{BA}^l$. Station A captures a window $R_A^l$ of $r_A$ that enables A to identify the $l$th feature in $s_B$ according to (5), and to infer that the received feature is in response to the $k$th feature transmitted by A. Furthermore, A makes a noise-corrupted measurement $z_A^l$ of the time-of-arrival of the $l$th feature in $s_B$, according to A's clock. The noise, denoted $w_{BA}^l$, is again modeled as zero-mean with variance $\sigma_\epsilon^2$. The full measurement model is given by

$z_A^l = t_A^{B_l} + w_{BA}^l = t_A^{A_k} + \tau_{AB}^k + \tau_{BB} + \tau_{BA}^l + w_{BA}^l$

Since $t_A^{A_k}$ is exactly known at A, a direct noisy measurement of the round trip time $\tau_{AB}^k + \tau_{BB} + \tau_{BA}^l$ can be made as

$z_{RTT}^{kl} \equiv z_A^l - t_A^{A_k}$ (6)

Note that the noise $w_{BA}^l$ and $w_{AB}^k$ in $z_{RTT}^{kl}$ is embedded within $z_A^l$ and $\tau_{BB}$, respectively. Under the assumption of symmetric delays, i.e., $\tau_{AB}^k = \tau_{BA}^l$, and with knowledge of $\bar{\tau}_{BB}$, the measured RTT in (6) can be exploited to improve the modeled propagation delay for future exchanges between A and B:

$\bar{\tau}_{AB}^m = \bar{\tau}_{BA}^n = \frac{z_{RTT}^{kl} - \bar{\tau}_{BB}}{2}$

where $m > k$ and $n > l$.

The two-way exchange of sync and response messages is summarized visually in Fig. 2.

Fig. 2. Two-way exchange of sync and response messages between A and B in the absence of a man-in-the-middle adversary.

Since RTT will play a central role in the discussion on secure synchronization later on, various definitions and assumptions concerning RTT are stated here for clarity:

• RTT for the $k$th feature in $s_A$ and the corresponding $l$th feature in $s_B$ is defined as $\tau_{RTT}^{kl} \equiv \tau_{AB}^k + \tau_{BB} + \tau_{BA}^l$
• Measured RTT includes, in addition to RTT, measurement noise at A; it is modeled as $z_{RTT}^{kl} = \tau_{AB}^k + \tau_{BB} + \tau_{BA}^l + w_{BA}^l$
• Modeled RTT, also called the prior estimate of RTT, is defined as $\bar{\tau}_{RTT}^{kl} \equiv \bar{\tau}_{AB}^k + \bar{\tau}_{BB} + \bar{\tau}_{BA}^l$ (7). For example, in the case of wireless clock synchronization with LOS electromagnetic signals, a prior estimate of RTT is based on the distance between A and B and on models of channel delays in excess of free-space propagation between these.
• The modeled RTT, $\bar{\tau}_{RTT}^{kl}$, can be refined with measurements of RTT in a two-way protocol. Alternatively, as will be discussed later, if an accurate modeled RTT is available, it and the measured RTT can be used to detect delay attacks.
• Unambiguous measurement of RTT requires that there exist a one-to-one mapping between the signal features in $s_A$ and $s_B$, as mathematically represented in (5). On detection of the $l$th feature in $s_B$, A must be able to deduce that this feature was transmitted approximately $\bar{\tau}_{BB}$ after B received the $k$th feature in $s_A$. This requirement is appropriately a part of the RTT definition since it enables A to unambiguously measure RTT.
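The two-way exchange above, written out as a small simulation. This is an added example, not code from the paper: one sync/response round is generated from constructed delay values, A forms the RTT measurement of (6), and the symmetric-delay rule refines the one-way prior. The last function goes one step beyond the text and quantifies what the refinement does when the two paths are not symmetric (the situation Section IV returns to): the refined prior is wrong by half the asymmetry. The names `run_exchange`, `measured_rtt`, `modeled_rtt`, `refine_prior` and `refined_prior_error` are this example's own.

```python
"""Two-way clock synchronization model of Section III-B, eqs. (5)-(7).

Added example, not the paper's code.  All delays (seconds), the clock offset
and the noise values are constructed inputs.  A's clock is true time, so
t_A^{A_k} is the true transmit time of sync feature k.
"""
from dataclasses import dataclass


@dataclass
class Exchange:
    t_a_k: float   # t_A^{A_k}: transmit time of sync feature k (A's clock)
    z_b_k: float   # z_B^k: B's measured receipt time of feature k, eq. (2)
    z_a_l: float   # z_A^l: A's measured arrival time of response feature l
    k: int
    l: int         # l(k): response feature paired with sync feature k, eq. (5)


def run_exchange(k, t_a_k, tau_ab, tau_bb, tau_ba, dt_ab, w_ab=0.0, w_ba=0.0):
    """One sync/response round.  tau_ab / tau_ba are the one-way delays in true
    time, tau_bb is B's actual layover time, dt_ab the clock offset of eq. (3).
    The bijection l(k) is taken as the identity here (assumption of this example)."""
    t_b_k = t_a_k + tau_ab - dt_ab            # receipt time by B's clock, from eq. (3)
    z_b_k = t_b_k + w_ab                      # eq. (2)
    t_a_l = t_a_k + tau_ab + tau_bb + tau_ba  # true arrival of feature l at A
    z_a_l = t_a_l + w_ba                      # A's noisy time-of-arrival measurement
    return Exchange(t_a_k, z_b_k, z_a_l, k, k)


def measured_rtt(ex):
    """Eq. (6): z_RTT^{kl} = z_A^l - t_A^{A_k}; A needs no knowledge of B's clock."""
    return ex.z_a_l - ex.t_a_k


def modeled_rtt(tau_ab_bar, tau_bb_bar, tau_ba_bar):
    """Eq. (7): the a priori RTT built from the modeled one-way delays and layover."""
    return tau_ab_bar + tau_bb_bar + tau_ba_bar


def refine_prior(z_rtt, tau_bb_bar):
    """Symmetric-delay refinement: tau_bar_AB^m = tau_bar_BA^n = (z_RTT - tau_bar_BB) / 2,
    used for future exchanges (m > k, n > l)."""
    return (z_rtt - tau_bb_bar) / 2.0


def refined_prior_error(tau_ab_n, tau_ba_n, tau_bb, extra_ab=0.0, extra_ba=0.0):
    """Error of the refined A->B prior against the natural A->B delay tau_ABN.

    extra_ab / extra_ba are additional delays on the two paths.  With equal
    natural delays and no extras the error is zero; an extra delay on only one
    path (asymmetric delay) leaves the refined prior off by half of it."""
    ex = run_exchange(1, 0.0, tau_ab_n + extra_ab, tau_bb, tau_ba_n + extra_ba,
                      dt_ab=3e-6)
    return refine_prior(measured_rtt(ex), tau_bb) - tau_ab_n


if __name__ == "__main__":
    ex = run_exchange(k=7, t_a_k=100.0, tau_ab=1e-4, tau_bb=2e-4, tau_ba=1e-4, dt_ab=3e-6)
    print("z_RTT     =", measured_rtt(ex))
    print("tau_bar   =", modeled_rtt(1e-4, 2e-4, 1e-4))
    print("refined   =", refine_prior(measured_rtt(ex), 2e-4))
    print("asym err  =", refined_prior_error(1e-4, 1e-4, 2e-4, extra_ab=6e-6))
```

The refinement step is exactly what IEEE 1588 PTP relies on for its path-delay estimate, which is why the last function matters: a measured RTT is consistent with many splits between the two directions, and the symmetric split is only a modeling assumption.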
C. Attack Model

The attack model in this paper considers a MITM adversary M. The available computational resources allow M to execute probabilistic polynomial time (PPT) algorithms. M can receive, detect, and replay signals from A and B with arbitrarily precise directional antennas. Additionally, M has precise knowledge of $x_A$ and $x_B$, and can take up any position around or between the two stations. It has unrestricted access to the signals that A and B exchange over the air, and has complete knowledge of their synchronization protocol save for the cryptographic keys.

Let $L$ denote the alert limit, defined as the error in time synchronization not to be exceeded without issuing an alert.

Definition III.1. Clock synchronization is defined to be compromised if $|\Delta t_{AB} - \Delta\hat{t}_{AB}| \ge L$.

Note that, in the absence of an adversary, clock synchronization is not compromised so long as

$|\tau_{AB}^k - \bar{\tau}_{AB}^k + w_{AB}^k| < L$ (8)

Here $\tau_{AB}^k = \tau_{ABN}^k + \tau_{ABM}^k$, where $\tau_{ABN}^k > 0$ is the natural or physical delay (equal to $\tau_{AB}^k$ in the absence of an adversary) and $\tau_{ABM}^k \ge 0$ is the adversarial delay. In this case, if

$|\tau_{AB}^k - \bar{\tau}_{AB}^k + w_{AB}^k| = |\tau_{ABN}^k - \bar{\tau}_{AB}^k + \tau_{ABM}^k + w_{AB}^k| \ge L$ (9)

then clock synchronization is compromised.

D. Vulnerability of One-Way Clock Synchronization

One-way clock synchronization is fundamentally vulnerable to a delay attack because it provides no mechanism to measure RTT. The adversary M can compromise any one-way wireless clock synchronization protocol by retransmitting the authentic sync signal from A such that the retransmitted signal, $s_M$, overpowers or otherwise supersedes the authentic signal $s_A$. In the absence of additional assumptions beyond those underpinning the one-way protocol described earlier, M can introduce an arbitrary delay $\tau_{ABM}^k$ in its retransmission, thereby compromising the synchronization process.

Note that whereas counterfeit signal attacks can be prevented by authentication and cryptographic methods [24], these techniques do not prevent delay attacks because the delayed or repeated signal has the same cryptographic characteristics as that of the genuine signal, the only difference being that it is received with a (possibly small) additional delay. The delay introduced by M is added to the natural delay, $\tau_{ABN}^k$, of the signal between A and B. As a result, an error of $\approx \tau_{ABM}^k$ is introduced in the estimated time offset at B. From (4), it follows that

$\Delta\hat{t}_{AB}^k = t_A^{A_k} + \bar{\tau}_{AB}^k - z_B^k = t_A^{A_k} + \bar{\tau}_{AB}^k - (t_A^{A_k} + \tau_{AB}^k - \Delta t_{AB}^k + w_{AB}^k) = (\bar{\tau}_{AB}^k - \tau_{ABN}^k) - \tau_{ABM}^k + \Delta t_{AB}^k - w_{AB}^k \approx \Delta t_{AB}^k - \tau_{ABM}^k$ (10)

where it is assumed that the error due to inaccurately modeled delay is negligible and that $\sigma_\epsilon \ll \tau_{ABM}^k$. In the absence of an RTT measurement, and without further assumptions on the nature of the protocol or the clock drift model considered, the adversarial delay $\tau_{ABM}^k$ is indistinguishable from a clock offset of the same magnitude.

To be sure, measures can be taken to make a MITM delay attack harder to execute without detection. But, importantly, these measures cannot guarantee that the synchronization will remain uncompromised. Various measures proposed in the literature, and their shortcomings, are discussed below.

a) Received Signal Strength Monitoring: The adversary M might attempt to overpower the authentic signal in order to spoof the sync message, leading to an increase in the total signal power received at B. Station B could monitor the received signal strength (RSS) to detect such an attack [25]. However, a potent adversary could transmit, in addition to its delayed signal, an amplitude-matched, phase-inverted nulling signal.

b) Selective Rejection of False Signal: If B receives both the authentic and false (delayed) sync signals, it may be able to apply angle-of-arrival or signal processing techniques to selectively reject the delayed signal [8], [9], [27], [28]. However, discrimination based on angle-of-arrival fails if M is positioned along the line from A to B, and, as conceded in [9], signal-processing-based techniques for selective rejection of false signals can be thwarted by an adversary transmitting an additional nulling signal, as described above.

c) Collaborative Verification: Multiple time seekers may attempt to synchronize to the same time master. In this scenario, the time seekers can potentially detect malicious activity by cross-checking the received signals [16]. In the simplest implementation, all time seekers can collaborate to verify that they are synchronized amongst each other. In case of an uncoordinated attack against a subset of time seekers, this verification would expose the attack since the time offset computed at the attacked subset would be different from that computed at the other stations. In principle, however, it is possible for an adversary to execute a coordinated attack against all the time seekers, thus concealing its presence.
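The one-way model of Section III-A and the indistinguishability argument of (10), as an added example that is not code from the paper. It implements the measurement (2), the estimator (4) and the LOS delay model from the GNSS example, then checks the two facts the text states: with an exact prior the estimate error equals minus the adversarial delay, and the measurement B sees under a delay is bit-for-bit the measurement it would see with no adversary and a clock offset shifted by that delay, so nothing available to B in a one-way protocol separates the two. The function names, the sample positions and the delay and noise values are constructed for this example.

```python
"""One-way clock synchronization model, eqs. (2)-(4) and (10).

Added example, not the paper's code.  Positions (meters), delays (seconds),
offsets and noise are constructed inputs chosen for illustration.
"""
import math

C = 299_792_458.0  # speed of light in vacuum, m/s


def los_delay(x_a, x_b, d_rho=0.0):
    """Modeled LOS propagation delay (||x_B - x_A|| + D_rho) / c, as in the GNSS
    example; x_a, x_b are 3-vectors in meters, d_rho the excess delay in meters."""
    dist = math.sqrt(sum((b - a) ** 2 for a, b in zip(x_a, x_b)))
    return (dist + d_rho) / C


def measure_sync(t_a, tau_ab_n, tau_ab_m, dt_ab, w_ab):
    """Eq. (2): z_B^k = t_A^{A_k} + tau_AB^k - dt_AB^k + w_AB^k, with the delay
    split as tau_AB^k = tau_ABN^k (natural) + tau_ABM^k (adversarial)."""
    return t_a + (tau_ab_n + tau_ab_m) - dt_ab + w_ab


def estimate_offset(t_a, tau_ab_bar, z_b):
    """Eq. (4): the only estimate B can form from one sync feature and its prior."""
    return t_a + tau_ab_bar - z_b


def offset_error(dt_ab, tau_ab_n, tau_ab_m, tau_ab_bar, w_ab=0.0, t_a=1000.0):
    """Estimate minus truth.  By eq. (10) this is
    (tau_bar - tau_ABN) - tau_ABM - w_AB: model error, adversarial delay, noise."""
    z_b = measure_sync(t_a, tau_ab_n, tau_ab_m, dt_ab, w_ab)
    return estimate_offset(t_a, tau_ab_bar, z_b) - dt_ab


def same_observation(dt_ab, delay_m, tau_ab_n, t_a=1000.0):
    """True if B's measurement under adversarial delay delay_m with true offset
    dt_ab equals its measurement with no adversary and true offset dt_ab - delay_m.
    This is the indistinguishability claim of Section III-D: the one-way
    measurement carries no information that separates the two cases."""
    attacked = measure_sync(t_a, tau_ab_n, delay_m, dt_ab, 0.0)
    shifted = measure_sync(t_a, tau_ab_n, 0.0, dt_ab - delay_m, 0.0)
    return math.isclose(attacked, shifted, abs_tol=1e-9)


if __name__ == "__main__":
    # Constructed geometry: receiver at the origin, satellite 20,200 km overhead.
    tau_bar = los_delay((0.0, 0.0, 0.0), (0.0, 0.0, 20_200_000.0), d_rho=5.0)
    print("modeled delay [s]:", tau_bar)
    print("error, no adversary, exact prior:", offset_error(2e-6, tau_bar, 0.0, tau_bar))
    print("error, 5 us adversarial delay   :", offset_error(2e-6, tau_bar, 5e-6, tau_bar))
    print("delay == offset to B?           :", same_observation(2e-6, 5e-6, tau_bar))
```

The sign in `offset_error` is the one (10) predicts: the estimate lands low by exactly the adversarial delay, and a countermeasure at B can only act on `z_b`, which `same_observation` shows is the same number in both worlds.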
IV. NECESSARY CONDITIONS FOR SECURE SYNCHRONIZATION

This section presents a set of conditions for secure two-way clock synchronization and proves these to be necessary by contradiction. In other words, it is shown that if a two-way clock synchronization protocol does not satisfy any one of these proposed conditions, there exists an attack that can compromise clock synchronization without detection.

It is important to note that the ability to measure RTT in a two-way protocol is necessary, but not sufficient, for provably secure synchronization. As an example, IEEE 1588 PTP is a two-way protocol that has been proposed as an alternative to GNSS for sub-microsecond clock synchronization in critical infrastructure such as the PMU network. But, despite the bi-directional exchange between stations, and hence the ability to measure RTT, recent work has shown that PTP is vulnerable to delay attacks in which a MITM introduces asymmetric delay between A and B. Asymmetric delay breaks the assumption that $\tau_{AB}^k = \tau_{BA}^l$ and leads to an erroneous prior for $\bar{\tau}_{AB}^k$ and $\bar{\tau}_{BA}^l$ for future exchanges. This vulnerability is documented in both the literature [11], [13], [18] and the IEEE 1588-2008 standard. Thus, a secure two-way clock synchronization protocol must satisfy additional security requirements beyond the ability to measure RTT.

The conditions introduced below are not tied to any specific protocol, unlike some measures proposed in the current literature [11]–[17]. They are generally applicable to any two-way protocol (e.g., PTP) for which the foregoing two-way synchronization model applies.

Assuming the time master A initiates the two-way communication, the necessary conditions for secure clock synchronization are as follows:

1) Both A and B must transmit unpredictable waveforms to prevent the adversary M from generating counterfeit signals that pass authentication. In practice, this implies the use of a cryptographic construct such as a message authentication code (MAC) or a digital signature.
2) The propagation time of the signal must be irreducible to within the alert limit $L$ along both signal paths. For wireless clock synchronization, this condition implies synchronization via LOS electromagnetic signals as $L \to 0$.
3) The RTT between A and B must be known to A and measurable by A to within the alert limit $L$. The RTT must include the delays internal to both A and B, in addition to the propagation delay. Station A must know of any intentional delay introduced by B, such as the layover time $\tau_{BB}$ introduced earlier.

A. Proof of Necessity of Conditions

1) Stations A and B must transmit unpredictable signals: To prove this condition is necessary, two scenarios are considered: a) station A transmits a signal waveform $s_A$ that is predictable, and, b) station B transmits a signal waveform $s_B$ that is predictable.

a) $s_A$ is predictable: M can compromise synchronization without detection as follows:

i) M takes up a position between A and B along the line joining the antennas at the two stations.
ii) M initially transmits a replica of $s_A$ such that B receives identical signals from both A and M. Subsequently, M increases its signal power or otherwise supersedes $s_A$ (e.g., via signal nulling, as discussed earlier) such that B tracks $s_M$, the signal transmitted by M. (Hereafter, whenever signals from M compete with those from A or B, it will be assumed that those from M exert control.)
iii) Exploiting the predictability of $s_A$, M advances its replica $s_M$ with respect to $s_A$ by $|\tau_{ABM}^k|$, where $\tau_{ABM}^k < 0$. B tracks the advanced signal, resulting in an error of $\tau_{ABM}^k$ in the computed $\Delta\hat{t}_{AB}^k$ as shown in (10).
iv) B transmits the unpredictable response $s_B$ compliant with the prearranged layover time $\bar{\tau}_{BB}$. M intercepts this signal from B, and replays it to A with a delay of $\tau_{BAM}^l = -\tau_{ABM}^k > 0$, causing A to track the delayed signal. As a result, the RTT is $\tau_{AB}^k + \tau_{BB} + \tau_{BA}^l$ as A expects. In summary:

$\tau_{AB}^k = \tau_{ABN}^k + \tau_{ABM}^k$
$\tau_{BA}^l = \tau_{BAN}^l + \tau_{BAM}^l = \tau_{BAN}^l - \tau_{ABM}^k$
$\Rightarrow \tau_{AB}^k + \tau_{BA}^l = \tau_{ABN}^k + \tau_{BAN}^l$

Thus, M undoes the effect of its sync advance, preventing A from detecting the attack.

b) $s_B$ is predictable: M can compromise synchronization without detection by replicating B's behavior:

i) M takes up a position between A and B along the line joining the antennas at the two stations.
ii) M receives the sync signal and generates a valid response with a delay

$\bar{\tau}_{BB} + \frac{\|x_M - x_B\|}{\|x_A - x_B\|}\left(\bar{\tau}_{AB}^k + \bar{\tau}_{BA}^l\right)$ (11)

such that the RTT is $\bar{\tau}_{AB}^k + \bar{\tau}_{BB} + \bar{\tau}_{BA}^l$, as A expects.
iii) M records the unpredictable signal from A and replays it to B with an arbitrary delay $\tau_{ABM}^k > 0$. This results in an error of approximately $\tau_{ABM}^k$ in the computed $\Delta\hat{t}_{AB}^k$ at B, as shown in (10).

2) Propagation time must be irreducible to within $L$: If there exists a channel that reduces the propagation time from A to B or from B to A by more than $L$ as compared to the channel used by A and B, then M can compromise synchronization without detection. The following attack assumes the propagation time from A to B is reducible by more than $L$; a similar attack exploits the situation in which the propagation time from B to A is reducible by more than $L$.

i) M records the sync signal $s_A$ going from A to B.
ii) M makes the recorded signal reach B advanced by $|\tau_{ABM}^k|$ compared to $s_A$, where $\tau_{ABM}^k < -L$. An error of $\tau_{ABM}^k$ is introduced in the time offset value computed at B as shown in (10).
iii) M records the response signal $s_B$, which has the expected prearranged layover time $\tau_{BB} \approx \bar{\tau}_{BB}$. M replays this signal to A with a delay of $\tau_{BAM}^l = -\tau_{ABM}^k$ such that the RTT is consistent with what A expects.

3) RTT known to and measurable by A to within $L$: Synchronization can be compromised without detection if $|z_{RTT}^{kl} - \bar{\tau}_{RTT}^{kl}| > L$ with non-negligible probability even in the absence of an adversary. This condition can be met if a) the prior estimates $\bar{\tau}_{AB}^k$, $\bar{\tau}_{BA}^l$, or $\bar{\tau}_{BB}$ are not accurate to the corresponding true values to within $L$, or b) the magnitude of the measurement error sum $|w_{AB}^k + w_{BA}^l|$ is larger than $L$. Note that the condition $|w_{AB}^k| > L$ compromises synchronization even absent an adversary. An adversary M can exploit the condition $|z_{RTT}^{kl} - \bar{\tau}_{RTT}^{kl}| > L$ as follows:

i) M initially transmits a replica of $s_A$ such that B receives identical signals from both A and M. Subsequently, M introduces a delay $\tau_{ABM}^k > 0$ in the replayed signal $s_M$. As assumed earlier, $s_M$ exerts control and introduces an error of approximately $\tau_{ABM}^k$ in the computed $\Delta\hat{t}_{AB}^k$ at B, as shown in (10).
ii) Station B transmits the response signal with the prearranged layover time $\tau_{BB} \approx \bar{\tau}_{BB}$ with respect to the delayed signal.
iii) In the received signal $r_A$, A identifies the expected feature $l(k)$. The RTT, if measurable, includes the delay $\tau_{ABM}^k$ introduced by M.
iv) However, A is unable to definitively declare an attack, since the errors in the modeled RTT and/or the measurement of RTT are possibly larger than $L$. In other words, it is not possible to claim that $|z_{RTT}^{kl} - \bar{\tau}_{RTT}^{kl}| > L$ only in the presence of adversarial delay.

V. PROOF OF SUFFICIENCY

This section presents a sufficiency proof for the set of security conditions proposed in the previous section. A sufficiency proof … the literature on modern … and formalizes the problem of secure clock synchronization with explicit definitions, assumptions, and proofs.

A. Assumptions

…

Furthermore, A and B agree upon a fixed layover time $\bar{\tau}_{BB}$, and the difference between this and the true layover time is negligible: $|\tau_{BB} - \bar{\tau}_{BB}| \ll L$.

4) The standard deviation of the noise corrupting the measurements $t_B^{A_k}$ and $t_A^{B_l}$ is negligible compared to the alert limit:

$\sigma_\epsilon \ll L$ (14)

Notice that the above assumptions are the same as the necessary conditions in Section IV, but with stricter upper bounds on the conditions.

If symmetric keys are exchanged prior to synchronization, then private-key cryptographic schemes such as Encrypt-then-MAC [29] can be used for authenticated encryption. Alternatively, if the keys must be exchanged over a public channel, then digital signatures [30] can be used to authenticate the encrypted messages. Cryptographic authentication schemes like MAC and digital signatures generate a tag associated with a message. Qualitatively, a MAC or digital signature scheme is secure if a PPT adversary, even when given access to multiple valid message-tag pairs of its own choice (as many as possible in polynomial time), cannot generate a valid tag for a new message with non-negligible probability. Irrespective of the cryptographic scheme used, this proof assumes that the probability of M generating a new valid sync or response signal is a negligible function of the key length $n$:

$P[\mathrm{Valid}] < \mathrm{negl}(n)$ (15)

To detect an attack before the synchronization error exceeds $L$, A must select a threshold lower than $L$ beyond which an attack is declared. Consider the modeled RTT, $\bar{\tau}_{RTT}^{kl}$, as defined in (7), and the measurement $z_{RTT}^{kl}$ as defined in (6). A threshold less than $L$, say $L - \delta$ with $0 < \delta < L$, is applied to their difference: if $|z_{RTT}^{kl} - \bar{\tau}_{RTT}^{kl}| > L - \delta$, then an attack is declared.

B. Definitions

Definition V.1. A PPT adversary M succeeds if clock synchronization is compromised (Definition III.1) and

This proof assumes that the system under consideration kl kl strictly complies with the set of necessary security conditions. |zRTT − τ¯RTT|≤ L − δ Specifically, 1) Both A and B use an authenticated encryption scheme to generate unpredictable and verifiably authentic signals Definition V.2. Faster-than-light (superluminal) propagation in the presence of a probabilistic polynomial time (PPT) is defined to be hard if M cannot propagate a signal at a speed adversary. higher than the speed of light with non-negligible probability. 2) The difference between the RTT along the communica- Under hardness of superluminal propagation tion channel between A and B and the shortest possible RTT is negligible as compared to L. P[Superluminal] ≈ 0 k l 3) The difference between the modeled delays τ¯AB and τ¯BA k l and the true delays τAB and τBA, respectively, is negligible Definition V.3. A clock synchronization protocol is defined to as compared to L. be secure if, under the hardness of superluminal propagation assumption, k k |τ¯AB − τAB | ≪ L (12) N P[Success] < negl(n) and l l |τ¯BA − τBAN | ≪ L (13) where Success for M is defined in Definition V.1. C. Proof In the case where τABM ≥ 0, (24) simplifies to In the presence of an adversary M, the measurement zkl k k k RTT τAB ≥ L − |τ˜AB + wAB| is modeled as M N k kl k k l l l Substituting the least possible value of τABM into (23), it z τ τ τ τ τBB w (16) RTT = ABN + ABM + BAN + BAM + + BA follows that k l Let τ˜ABN and τ˜BAN denote the error in the modeled signal k k k l l l |τ˜ABN +L−|τ˜ABN +wAB|+˜τBAN +τBAM +˜τBB +wBA|≤ L−δ delay due to natural/physical phenomenon. Also, let τ˜B be the difference between the intended layover time τ¯BB and the Notice that from the assumptions made in (14), (20), (21), and l actual layover time τBB. Note that these might be positive or (22), all terms except L and τBAM on the left-hand side of the negative. 
inequality are negligible compared to L; thus, k k k l τ˜ABN = τABN − τ¯AB (17) |L + τBAM |≤ L − δ l l l τ˜BAN = τBAN − τ¯BA (18) Since both L and L − δ are defined to be positive, the above τ˜BB = τBB − τ¯BB (19) inequality simplifies to l From (7), (16), (17), (18), and (19) it follows that τBAM ≤−δ kl kl k k l l l zRTT =τ ¯RTT +˜τABN + τABM +˜τBAN + τBAM +˜τBB + wBA where δ > 0. Thus, for M to succeed in the case where τ k ≥ 0, we must have that τ l < 0. As a result Following the assumptions in (12) and (13), the residual delays ABM BAM are negligible in comparison to L: P k [(Success) ∩ (τABM ≥ 0)] < negl(n) k |τ˜ABN | ≪ L (20) Thus, from (25) |τ˜l | ≪ L (21) BAN P[Success] < negl(n) This assumption is reasonable since otherwise the system Qualitatively, the proof presented here argues that for the could not confidently meet the accuracy requirements even in adversary to succeed, it needs to either advance the sync signal the absence of an adversary. Also, if τ¯BB is a short time interval (τAB < 0), or advance the response signal (τBA < 0). With and the measurement noise σ is benign, it is reasonable to M M ǫ the use of a secure MAC (or digital signature) and the hardness assume that of superluminal propagation, the adversary can only succeed |τ˜BB| ≪ L (22) with a negligible probability. Note that M can advance the signal by (a) forging a valid mes- VI. SECURE CONSTRUCTIONS sage/tag pair, or (b) propagating the signal faster-than-light. The assumptions of secure MAC and hardness of superluminal This section specializes the necessary and sufficient con- propagation enforce that ditions for secure clock synchronization to IEEE 1588 PTP. In addition, it presents an alternative to PTP for wireless P k P P [τABM < 0] < [Valid]+ [Superluminal] synchronization—a compliant synchronization system with ≈ negl(n) GNSS-like signals. In order to stay undetected, the adversary must ensure A. 
Secure IEEE 1588 PTP L − δ ≥ |zkl − τ¯kl | RTT RTT The necessary and sufficient conditions for secure synchro- k k l l l = |τ˜ABN + τABM +˜τBAN + τBAM +˜τBB + wBA| (23) nization, as adapted to IEEE 1588 PTP, are as follows: At the same time, in order to compromise time transfer, from 1) Stations A and B must use an authenticated encryption (9), M must ensure scheme to prevent M from generating valid message/tag pairs. k k k L ≤ |τ˜ABN + τABM + wAB| 2) The difference between the path delays between A and B k k k ≤ |τ˜ABN + wAB| + |τABM | and the shortest possible path delays must be negligible k k k as compared to L. For wireless PTP [31], [32], this ⇒ |τAB |≥ L − |τ˜AB + wAB| (24) M N implies communicating over the LOS channel as L → 0. The probability of success for M is evaluated as For traditional wireline PTP, A and B must attempt to k communicate over the (nearly) shortest possible path. P[Success]= P[(Success) ∩ (τAB < 0)]+ M 3) The path delay, which is usually estimated from the RTT P Success τ k [( ) ∩ ( ABM ≥ 0)] measurements, must be accurately known a priori for P k P k = [(Success)|(τABM < 0)] [τABM < 0]+ secure synchronization. The RTT measurements must be k verified against the expected RTT. This implies that the P[(Success) ∩ (τAB ≥ 0)] M A k k layover time τ¯BB must also be known to . ≤ P[τAB < 0]+ P[(Success) ∩ (τAB ≥ 0)] M M Note that in the usual PTP formulation, the path delay is < negl n P Success τ k (25) ( )+ [( ) ∩ ( ABM ≥ 0)] measured and used by the time seeker B. To this end, in the usual formulation A sends the transmit time of the sync message and the receipt time of the delay req message (in PTP parlance). Similar conventions may be accommodated in the system model presented in this paper, wherein A sends the Ak l kl values of tA , zA, and τ¯RTT to B, and the following calculations may be performed and used at B. However, this would only be a cosmetic change and does not affect the arguments in this paper. 
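The delay model of eq. (16) and A's threshold test from Section IV-A3 and Definition V.1 can be exercised numerically. The following is an added example and not code from the paper: it builds the delay terms of one sync/response exchange, computes B's offset error and A's RTT residual, and evaluates the constructed cases that the necessity proofs describe (a delay-only adversary, an adversary with a shorter path who advances the sync and delays the response, and a benign exchange under an RTT prior that is off by more than L). All delay values, the alert limit and $\delta$ are constructed, in microseconds.

```python
"""Delay-term model of the two-way exchange and A's RTT consistency test.

Added example, not code from the paper: evaluates the test
|z_RTT - tau_bar_RTT| > L - delta on the delay model of eq. (16) for the
cases discussed in the necessity proofs. Values are constructed (microseconds).
"""
from dataclasses import dataclass


@dataclass
class Exchange:
    """Delay terms of one sync/response exchange (true values)."""
    tau_ab_n: float          # natural A -> B delay
    tau_ba_n: float          # natural B -> A delay
    tau_bb: float            # B's actual layover time
    tau_ab_m: float = 0.0    # adversarial term on A -> B (< 0 means advanced)
    tau_ba_m: float = 0.0    # adversarial term on B -> A
    w_ab: float = 0.0        # time-of-arrival noise at B
    w_ba: float = 0.0        # time-of-arrival noise at A


def measured_rtt(x):
    """z_RTT of eq. (16): both one-way delays, the layover, and A's noise."""
    return x.tau_ab_n + x.tau_ab_m + x.tau_ba_n + x.tau_ba_m + x.tau_bb + x.w_ba


def offset_error_at_b(x, tau_bar_ab):
    """Error in B's clock-offset estimate when B assumes the prior one-way
    delay tau_bar_ab: any difference between the true A -> B delay and the
    prior lands in the offset, plus B's measurement noise."""
    return (x.tau_ab_n + x.tau_ab_m) - tau_bar_ab + x.w_ab


def evaluate(x, prior, L, delta):
    """Return (compromised, alarm). Synchronization is compromised when B's
    offset error reaches L; A raises an alarm when the measured RTT departs
    from the modeled RTT (prior one-way delays plus layover, eq. 7) by more
    than L - delta."""
    tau_bar_ab, tau_bar_ba, tau_bar_bb = prior
    tau_bar_rtt = tau_bar_ab + tau_bar_bb + tau_bar_ba
    compromised = abs(offset_error_at_b(x, tau_bar_ab)) >= L
    alarm = abs(measured_rtt(x) - tau_bar_rtt) > L - delta
    return compromised, alarm


def scenarios(L=10.0, delta=2.0):
    """Constructed cases mirroring Section IV-A. The accurate prior equals
    the channel truth (50, 50, 10) us; the sloppy prior assumes a B -> A
    delay 20 us too small, so the RTT prior is off by more than L."""
    accurate = (50.0, 50.0, 10.0)
    sloppy = (50.0, 30.0, 10.0)
    cases = {
        # no adversary, accurate prior
        "benign": (Exchange(50, 50, 10), accurate),
        # M delays the sync by L + 2 us and cannot advance anything
        "delay_only": (Exchange(50, 50, 10, tau_ab_m=L + 2), accurate),
        # M advances the sync over a shorter path and delays the response by
        # the same amount, leaving the RTT unchanged (condition 2 violated)
        "advance_and_delay": (
            Exchange(50, 50, 10, tau_ab_m=-(L + 2), tau_ba_m=L + 2), accurate),
        # no adversary, but A's RTT prior is off by more than L (condition 3)
        "benign_sloppy_prior": (Exchange(50, 50, 10), sloppy),
    }
    return {name: evaluate(x, prior, L, delta) for name, (x, prior) in cases.items()}


if __name__ == "__main__":
    for name, (compromised, alarm) in scenarios().items():
        print(f"{name:22s} compromised={compromised!s:5s} alarm={alarm}")
```

The two non-detectable outcomes are the ones the proofs predict: with an accurate prior a pure delay is caught, but an advance on a shorter path cancelled by a delayed response leaves the RTT at its expected value, and with a prior that is off by more than L even a benign exchange trips the test, so A cannot attribute an RTT excursion to the adversary.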
The first security condition has already been proposed in the IEEE 1588-2008 standard. The second condition, however, has not been considered in any of the earlier works in the literature. Following the depiction of sync and response signal exchange in Fig. 2 and the attack strategy outlined in Section IV-A2, Fig. 3 illustrates an example attack against a PTP implementation that does not satisfy the second necessary condition. Notice that the existence of a shorter time path enables M to advance the sync signal relative to the authentic message from A. Subsequently, M is able to undo the effect of the advance on the RTT by delaying the response signal from B to A. Station A does not measure any abnormality in the RTT, and thus cannot raise an alarm. Meanwhile, synchronization has been compromised at B.

Fig. 3. Illustration of an example attack against a PTP implementation that violates the second necessary condition.

The third condition is similar to the proposal in [11] of measuring the path delays during initialization and monitoring the delays during normal operation. However, [11] requires that B respond to A with zero delay during initialization to enable measurement of the reference delays. This condition is sufficient, but not necessary for secure synchronization. The system is in fact secure even if B is allowed a fixed layover time. Fig. 4 illustrates an example attack against a PTP implementation in violation of the third necessary condition. Note that the uncertainty of the a priori estimate of the RTT ($\bar\sigma_{RTT}$) is larger than the alert limit, violating the third necessary condition which requires that the expected RTT be known to within the alert limit (and with much higher accuracy for provable sufficiency). Even though the measured RTT in this case is inconsistent with the expected RTT, it cannot be definitively flagged as an attack since benign variations in the RTT may also have led to the observed RTT.

Fig. 4. Illustration of an example attack against a PTP implementation that violates the third necessary condition.

Interestingly, at first sight, the third security condition in this paper does not resemble the proposed defense in [18] that enforces an upper bound on the synchronization error accumulated between sync messages and recommends that B send its timestamps to A periodically for verification. As explained next, this condition is in fact equivalent to the condition of known and measurable RTT, when adapted according to the system model considered in [18]. Note that the requirement of a zero delay in [11], or a short layover time in this paper, enables A to measure the RTT since the transmit time of the lth feature in $s_B$, that is $t^{Bl}_B$, can be approximately traced back to A's clock to within the alert limit as $t^{Ak}_A + \bar\tau^k_{AB} + \bar\tau_{BB}$. Enforcing the synchronization error to within L and transmitting B's timestamp to A achieves the same objective for the defense in [18], since the transmit time from B can be traced back to A's clock with the assumed approximate synchronization. Therefore, the proposed countermeasures in [11] and [18] are two different incarnations of the third security condition proposed in this paper. Of course, the failure of both [11] and [18] to address the second necessary condition makes their proposed defenses vulnerable to an adversary that can communicate along a shorter time path between A and B.

B. Alternative Compliant System

This section describes an alternative wireless clock synchronization protocol that satisfies the set of necessary and sufficient conditions presented in Section IV. The proposed protocol involves bi-directional exchange of GNSS-like pseudo-random codes for continuous clock synchronization, in contrast to discrete packet-based synchronization techniques such as NTP and PTP. It is offered here to illustrate the general applicability of the proposed necessary and sufficient conditions to a range of underlying protocols. Such a protocol can potentially be applied in two-way satellite time transfer and terrestrial wireless clock synchronization systems for continuous clock synchronization, in contrast to the packet-based discrete synchronization in NTP/PTP.

The time master A and the time seeker B communicate wirelessly over the LOS channel between the nodes. To simplify the analysis, it is assumed that A and B securely share long sequences of pseudo-random bits prior to synchronization. These sequences of bits will later enable generation of unpredictable signals. The pseudo-random sequence for A has the form

$$b_A = \{b^k_A\}_{k=0}^{N}, \quad b^k_A \in \{0, 1\}$$

The pseudo-random code $C_A(t_A)$ for A is then generated as

$$C_A(t_A) = 2 b^k_A - 1 \quad \text{for } t_A \in [t^{Ak}_A, t^{Ak+1}_A),\ k \in \{0, 1, 2, \dots\}$$

where $t^{Ak}_A$ denotes the time according to A at which the start of the kth bit in A's signal is transmitted. The pseudo-random nature of $b_A$ ensures that $C_A(t_A)$ has good cross-correlation properties, which enables an accurate measurement of the time-of-arrival of A's signal at B, that is, $\sigma_\epsilon \ll L$. Station A modulates a carrier with the code $C_A$ and transmits a signal $s_A(t_A)$ whose complex baseband representation is given as

$$s_A(t_A) = C_A(t_A)\exp\left(j\theta_A(t_A)\right)$$

This signal is received at B as

$$r_B(t_A, \tau_{AB}) = s_A(t_A - \tau_{AB}) + w_{AB}(t_A) = C_A(t_A - \tau_{AB})\exp\left(j\theta_A(t_A - \tau_{AB})\right) + w_{AB}(t_A)$$

where all symbols have their usual meanings as detailed in Section III. Station B captures a window $R^k_B$ of $r_B$ and correlates it with a local replica of $C_A$. The result of the correlation enables B to detect the start of the kth bit of $C_A$ in the window, and provides a measurement

$$z^k_B = t^{Ak}_B + w^k_{AB}$$

of the time-of-arrival of the kth bit at B. Furthermore, the relationship between the start of the kth bit and $t^{Ak}_A$ enables B to infer the latter.

If a prior estimate $\bar\tau^k_{AB}$ of $\tau^k_{AB}$ is available, then B estimates the clock offset $\Delta t^k_{AB}$ as in (4).

Similar to the pseudo-random sequence and code construction for A, B generates its unpredictable code $C_B(t_B)$. A and B agree on a one-to-one mapping between $C_A$ and $C_B$ such that B responds with the lth bit of $C_B$ on reception of the start of the kth bit of $C_A$. Furthermore, A and B agree that the start of the lth bit of $C_B$ will have a code-phase offset of $\bar\tau_{BB}$ with respect to the start of the kth bit of $C_A$. Station B transmits the response signal as

$$s_B(t_B) = C_B(t_B)\exp\left(j\theta_B(t_B)\right)$$

such that

$$t^{Bl}_B = z^k_B + \bar\tau_{BB}$$

according to the time at B. In true time, the epoch $t^{Bl}_B$ corresponds to

$$t^{Bl}_B \rightleftharpoons t^{Ak}_A + \tau^k_{AB} + w^k_{AB} + \tau_{BB}$$

Station A receives the response as

$$r_A = s_B(t_B - \tau_{BA}) + w_{BA}(t_A)$$

and captures a window of the signal $R^l_A$. A correlates $R^l_A$ with a local replica of $C_B$ to detect the start of the lth bit of $C_B$. This enables A to measure the time-of-arrival

$$z^l_A = t^{Bl}_A + w^l_{BA}$$

Moreover, the detection of the lth bit indicates that it was transmitted in response to the receipt of the start of the kth bit of $C_A$. Since A knows the start time of the kth bit as $t^{Ak}_A$, it measures the RTT as described in (6).

Note that the exchange of one-time pad sequences enables the proposed system to satisfy the first security condition. Wireless LOS communication satisfies the second security condition, and the knowledge of the code-phase layover offset enables A to make an accurate prior estimate of the RTT within the alert limit, thereby satisfying the third security condition. Thus, the proposed system complies with all three necessary and sufficient conditions for secure clock synchronization.

VII. SYSTEM SIMULATION

This section presents a simulation study of a secure clock synchronization model operating over a simplistic channel model. Unlike the abstract treatment of delays in the security derivations presented earlier, the simulation is carried out with models of delays experienced by the synchronization messages over a real channel. This study also expounds the interplay between slave clock stability, security requirements, attack models, and attack detection thresholds that must be determined in a practical synchronization system. The channel and attack models developed in this simulation are not comprehensive. Rather, relatively simple models are considered to clearly demonstrate the underlying principles. More sophisticated channel and attack models can similarly be analyzed by following the outline of this simulation.

A. Channel Model

The simulated system resembles a traditional local area network, and is schematically depicted in Fig. 5. As before, A and B are the time master and seeker stations, respectively. The messages between these stations pass through a series of N routers. Each router is under network traffic loading generated by the nodes labeled T. The routers perform simple packet forwarding, i.e., no cryptographic operations or complex payload modifications are performed. Each router transmits the queued packets at a service rate of 1 Gbps. Each network packet is assumed to have a size of 1542 bytes. The MITM adversary M maliciously inserts itself along the communication path between A and B.

Fig. 5. Schematic diagram of the network topology considered in this section.

The sync and response packets from A and B experience processing and queueing delay at each router, and propagation/link delay between routers. Queueing delay is the duration for which the packet is buffered in the router before it can be transmitted. Processing delay is the time taken by the router to process the packet header, for example, to determine the packet's destination. Since the routers in this simulation perform simple packet forwarding, the processing delay is negligible as compared to the queueing delay [33]. The propagation/link delay is also insignificant for local networks because the propagation speed is a comparable fraction of the speed of light. Thus, only the queueing delay significantly contributes to the overall channel delay variations.

Let the network idle probability for a particular router, denoted by $\rho$, be defined as the probability of the router queue being empty at a randomly chosen time instant. Since the synchronization packets are delay-sensitive, the routers in this simulation implement non-preemptive priority scheduling for synchronization packets when the queue is not empty. This means that on arrival of a sync or response packet, the router is allowed to complete the transmission of the data packet currently being serviced, if any, but is required to service the delay-sensitive packet before the other network data in the queue. Since the time period between consecutive sync-response pairs is quite large as compared to the RTT for a given pair, it is assumed that a router never has more than one delay-sensitive packet in its queue. Under such scheduling, the delay experienced by the timing messages is best modeled as follows: with probability $\rho$, the total router delay is zero, and with probability $(1 - \rho)$ the total router delay is uniformly distributed between zero and the maximum time to service a packet of length 1542 bytes ($1542 \times 8 \times 2^{-30} \approx 11.49$ microseconds for a Gigabit router).

Given the above channel specifications and values for N and $\rho$, it is possible to perform a Monte Carlo simulation to obtain the anticipated RTT $\bar\tau_{RTT}$, which is taken to be the empirical mean of the RTT measurements in the simulation, and the associated standard deviation $\bar\sigma_{RTT}$. As shown in Fig. 6, in case of a single sync-response pair measurement, the RTT has an empirical mean of 80.34 microseconds and an empirical standard deviation of 17.09 microseconds with N = 10 and $\rho$ = 0.3. Observe that even for a relatively small N, the empirical distribution approaches the Gaussian shape, but has a slightly heavier tail on the higher end of the delay. The distribution for the mean of batches of 10 observations has a smaller empirical standard deviation of 5.41 microseconds.

Fig. 6. Empirical distribution of the RTT of sync-response pairs through a network of N = 10 routers with network idle probability of $\rho$ = 0.3. The light-shaded histogram shows the empirical distribution of the RTT of a single sync-response pair. The dark-shaded histogram shows the corresponding distribution for the mean of batches of 10 observations of the RTT.

B. System and Security Requirements

The clock at the time seeker B drifts with respect to the true time clock at A unless corrected by a sync message from A. As before, let L denote the alert limit for the system. Let T denote a time duration over which a perfectly synchronized clock at B at the beginning of the duration, absent an adversary, drifts more than $L_N$ for some $L_N < L$ with a probability smaller than an acceptably small bound $P_\epsilon$.

In the system under simulation, the clock offset for B is estimated and corrected for every T. By definition of T, it holds that if the clocks at A and B are perfectly synchronized after every T seconds, then the natural drift envelope of B's clock does not exceed L with an unacceptably high probability. Define

$$L_M \triangleq L - L_N$$

Observe that if an adversary is able to introduce a synchronization error larger than $L_M$, then the system is compromised since the natural drift of the clock at B could potentially lead to a clock offset greater than L before the next synchronization interval, with a probability greater than $P_\epsilon$. Thus, A must flag any adversarial delay greater than $L - L_N$ with probability higher than a desired detection probability, denoted by $P_D$. It is worth noting that this practical complication of the magnitude of $L_N$ was abstracted in the sufficiency proof, where the threshold was set to $L - \delta$ for $\delta > 0$.

In general, A makes multiple measurements of the RTT between A and B over the time period T. As shown in Fig. 6, the mean of multiple observations over T has a distribution with a smaller standard deviation as compared to that of a single observation. In the simulated system, if no attack is detected, A updates $\bar\tau^k_{AB}$ every T seconds based on the empirical mean of the RTT measurements made over that period. Note that even though $\bar\tau^k_{AB}$ is updated based on the measurements, no updates are applied to $\bar\tau_{RTT}$ and $\bar\sigma_{RTT}$, which are predetermined by simulation or measurements under a secure calibration campaign.

The empirical mean of the measured RTT is taken as the test statistic to detect an attack. For the attack model detailed next, it can be shown that this test statistic becomes optimal for large values of N [34].

C. Attack Model

The synchronization system considered in this simulation complies with the necessary security conditions presented in this paper. Consequently, the adversary M is unable to advance the sync or response messages, and can only increase the RTT measured by A relative to the authentic RTT. This simulation considers a simple adversary model that introduces a fixed delay in the measured RTT. In order to conceal its presence while compromising synchronization with appreciable probability, M introduces a delay of $L_M + \xi$ seconds for some small $\xi > 0$.

Let $H_0$ denote the null hypothesis (no attack), and $H_1$ denote the alternative hypothesis. Under $H_0$, the measured RTT at A is drawn from the distribution that was used to calibrate/simulate the channel delay distribution, while under $H_1$, the measured RTT is drawn from a distribution that is shifted from the calibration distribution by $L_M + \xi$. This is visually depicted in Fig. 7. Given a detection threshold $\lambda$, the dark-shaded region in Fig. 7 denotes the probability of false alarm, $P_F$, while the light-shaded region denotes the probability of missed detection $(1 - P_D)$. In observing Fig. 7, it might be argued, and holds true, that a reasonable attacker may introduce noise in the introduced delay to inflate the width of the distribution under $H_1$ and thereby decrease the probability of detection of an attack. However, in that case, the empirical mean test statistic is no longer optimal. Instead, A would incorporate the observed variance of the RTT in its test statistic in addition to the empirical mean. In short, the attack model in this simulation is not comprehensive, as explained previously. For a more sophisticated treatment of sensor deception and protection techniques, the reader may refer to [35].

Fig. 8. Distribution of the test statistic under $H_0$ and $H_1$ for 80 RTT measurements per decision epoch. (N = 10, $\rho$ = 0.3, $L_M + \xi$ = 10 µs, $P_D$ = 0.999)
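The correlation-based time-of-arrival measurement at the heart of the GNSS-like protocol of Section VI-B can be shown at the signal level. The following is an added example, not code from the paper or its authors: A and B each emit a $\pm1$ pseudo-random code, each receiver locates the start of the agreed bit ($k$ for B, $l$ for A) by sliding a local replica across a captured window and taking the correlation peak, B starts its lth bit $\bar\tau_{BB}$ after the detected start of A's kth bit, and A forms the RTT from $t^{Ak}_A$ and the detected $z^l_A$. Time is in integer sample units in A's true-time frame; the bit sequences come from a seeded PRNG as a constructed stand-in for the securely pre-shared sequences, and the delays, code lengths and noise level are constructed.

```python
"""Code-correlation time-of-arrival measurement for the GNSS-like two-way
protocol of Section VI-B.

Added example, not code from the paper. Bit sequences come from a seeded PRNG
as a constructed stand-in for the securely pre-shared sequences; all delays
are constructed and expressed in integer sample units.
"""
import random

SAMPLES_PER_BIT = 4   # constructed: samples per code bit
REPLICA_BITS = 48     # constructed: bits correlated per measurement


def make_bits(seed, n):
    """Stand-in for the pre-shared sequence b = {b^k}, b^k in {0, 1}."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def code_samples(bits, first_bit, n_bits):
    """C(t) = 2 b^k - 1, held for SAMPLES_PER_BIT samples per bit."""
    out = []
    for k in range(first_bit, first_bit + n_bits):
        out.extend([2 * bits[k] - 1] * SAMPLES_PER_BIT)
    return out


def transmit(bits, first_bit, n_bits, arrival, window_len, noise_sigma, rng):
    """LOS channel: the code segment starting at `first_bit` arrives at sample
    `arrival` of the receiver's window, corrupted by white Gaussian noise."""
    rx = [rng.gauss(0.0, noise_sigma) for _ in range(window_len)]
    for i, chip in enumerate(code_samples(bits, first_bit, n_bits)):
        if 0 <= arrival + i < window_len:
            rx[arrival + i] += chip
    return rx


def correlate_toa(rx, bits, bit_index):
    """Slide a replica of REPLICA_BITS bits starting at `bit_index` across the
    window; the correlation peak marks the detected start of that bit."""
    rep = code_samples(bits, bit_index, REPLICA_BITS)
    best, best_val = 0, float("-inf")
    for s in range(len(rx) - len(rep) + 1):
        v = sum(rx[s + i] * rep[i] for i in range(len(rep)))
        if v > best_val:
            best, best_val = s, v
    return best


def two_way_exchange(tau_ab, tau_ba, tau_bb, k, l, seed=1, noise_sigma=0.5):
    """One sync/response exchange. Returns (z_B^k, z_A^l, RTT) in samples.
    B's clock offset is left out because it cancels in the RTT, which is the
    quantity A checks. Constructed lengths require k <= 48 and 8 <= l <= 200."""
    rng = random.Random(seed)
    bits_a = make_bits(seed + 1, 256)
    bits_b = make_bits(seed + 2, 256)
    # A: bit 0 of C_A leaves at sample 0, so t_A^{Ak} = k * SAMPLES_PER_BIT.
    n_a = 96
    t_ak = k * SAMPLES_PER_BIT
    rx_b = transmit(bits_a, 0, n_a, tau_ab, tau_ab + n_a * SAMPLES_PER_BIT + 8,
                    noise_sigma, rng)
    z_b_k = correlate_toa(rx_b, bits_a, k)             # TOA of bit k at B
    # B: bit l of C_B starts tau_bb after z_B^k (the agreed code-phase
    # layover); the segment sent begins `lead` bits earlier so bit l is interior.
    lead = 8
    leave = z_b_k + tau_bb - lead * SAMPLES_PER_BIT
    n_b = REPLICA_BITS + 2 * lead
    rx_a = transmit(bits_b, l - lead, n_b, leave + tau_ba,
                    leave + tau_ba + n_b * SAMPLES_PER_BIT + 8, noise_sigma, rng)
    z_a_l = correlate_toa(rx_a, bits_b, l)             # TOA of bit l at A
    return z_b_k, z_a_l, z_a_l - t_ak                  # RTT as in eq. (6)


if __name__ == "__main__":
    L, DELTA = 6, 1                                    # constructed, in samples
    prior_rtt = 30 + 20 + 25                           # tau_bar_AB + tau_bar_BB + tau_bar_BA
    for tau_ab in (30, 30 + L + 2):                    # second run: sync path delayed
        _, _, rtt = two_way_exchange(tau_ab, 25, 20, k=40, l=64)
        print(f"tau_AB={tau_ab}: RTT={rtt}, alarm={abs(rtt - prior_rtt) > L - DELTA}")
```

Because the codes are random $\pm1$ sequences, the correlation peak at the true alignment stands far above the sidelobes at every other offset, which is the property the text relies on for $\sigma_\epsilon \ll L$; with the prearranged layover known to A, the detected RTT equals $\tau_{AB} + \tau_{BB} + \tau_{BA}$ exactly in this sample-aligned model, and any delay added on either path shows up one-for-one in A's residual.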

10-5 Probability of False Alarm 100 101 102 103 Number of Observations over T

Fig. 9. Probability of false alarm as a function of number of observations per decision epoch. (N = 10, ρ = 0.3, LM + ξ = 10µs, PD = 0.999)

Fig. 7. Representation of the distributions under $H_0$ and $H_1$ along with the detection threshold and the associated $P_F$ and $P_D$.

D. Simulation

The system and attack described above have been simulated with N = 10 and $\rho$ = 0.3 for all routers. The adversarial delay $L_M + \xi$ is set to 10 microseconds, and the required probability of detection $P_D$ is set to 0.999. The number of RTT observations made in time T is varied between 1 and 200. Given the number of observations, and a required $P_D$, the system is simulated under $H_1$ for $10^6$ detection epochs and the maximum possible detection threshold $\lambda$ that satisfies the detection probability is obtained. Subsequently, the system is simulated under $H_0$ and the number of test statistics exceeding the threshold $\lambda$ is recorded. The frequency of such epochs is reported as the probability of false alarm $P_F$.

Fig. 8 shows the above procedure for 80 RTT measurements made per test statistic. In this case, $\lambda$ is obtained to be 84.53 microseconds and the corresponding $P_F$ is 1.59%. Fig. 9 shows a log-log plot of $P_F$ as a function of the number of observations made per test statistic. When the number of observations is greater than 160, no false alarms were observed with $10^6$ trials. For the given channel delay variation statistics, the probability of false alarm is very high for a small number of observations per decision epoch since the threshold $\lambda$ that must be set to detect an attack with the required $P_D$ is large in comparison to the minimal delay that the adversary must introduce to compromise synchronization ($L_M$). For a more stable channel, such as a wireless or PTP-aware channel, fewer measurements per decision epoch would suffice.

E. Practical Implications

Section V-A makes fairly remarkable assumptions about the synchronization system to show provably secure time transfer. For instance, it requires that errors in the a priori estimate of the RTT of the timing messages be negligible compared to the alert limit. Nonetheless, as shown in this section, for a given channel with bounded delay variations and a given slave clock, some level of security guarantee can be made for a synchronization system that satisfies the necessary and sufficient conditions presented herein. For concreteness, consider a system that requires an alert limit of L = 100 microseconds and a slave clock that drifts no more than $L_N$ = 50 microseconds over a period of T = 1 second with acceptably high probability $(1 - P_\epsilon)$. Then, for N = 10 and $\rho$ = 0.3, if A makes 10 RTT measurements over 1 second, the empirical mean test statistic is distributed as the dark-shaded distribution in Fig. 6 with a standard deviation of ≈ 5.4 microseconds. For $L_M = L - L_N$ = 50 microseconds, a threshold of ≈ $\bar\tau_{RTT}$ + 30 microseconds will yield a missed detection rate of approximately 1 in 15000, and a false alarm rate of approximately 3.5 in 1 million. With a more stable slave clock or more measurements per second, these probabilities can be made more favorable.

Another important concern that has not been addressed in the simulation is that of the incorporation of cryptographic constructs in the synchronization protocol. The encryption and decryption algorithms are often complex and take non-negligible processing time to execute. However, note that at A, the sync message is timestamped after the encryption process, and thus the time taken for encryption is inconsequential. At B, it is important to concede that the decryption of the sync message and the encryption of the response message cannot be assumed to happen instantaneously. This has been accounted for by allowing the layover time $\bar\tau_{BB}$ for the cryptographic processes to execute. Once again, the receipt timestamp of the response message at A is applied before the decryption process, and hence the decryption time at A is inconsequential. Thus, compliance with the first security condition must not pose significant practical challenges.

VIII. CONCLUSIONS

A fundamental theory of secure clock synchronization was developed for a generic system model. The problem of secure clock synchronization was formalized with explicit assumptions, models, and definitions. It was shown that all possible one-way clock synchronization protocols are vulnerable to replay attacks. A set of necessary conditions for secure two-way clock synchronization was proposed and proved. Compliance with these necessary conditions with strict upper bounds was shown to be sufficient for secure clock synchronization, which is a significant result for provable security in critical infrastructure. The general applicability of the set of security conditions was demonstrated by specializing these conditions to design a secure PTP protocol and an alternative secure two-way clock synchronization protocol with GNSS-like signals. Results from a simulation with models of channel delays were presented to expound the interplay between slave clock stability, security requirements, attack models, and attack detection thresholds.

ACKNOWLEDGMENTS

This project has been supported by the National Science Foundation under Grant No. 1454474 (CAREER), by the Data-supported Transportation Operations and Planning Center (DSTOP), a Tier 1 USDOT University Transportation Center, and by the U.S. Department of Energy under the TASQC program led by Oak Ridge National Laboratory.

REFERENCES

[1] A. Phadke, B. Pickett, M. Adamiak, M. Begovic, G. Benmouyal, R. Burnett Jr, T. Cease, J. Goossens, D. Hansen, M. Kezunovic et al., "Synchronized sampling and phasor measurements for relaying and control," IEEE Transactions on Power Delivery, vol. 9, no. 1, pp. 442–452, 1994.
[2] J. G. McNeff, "The global positioning system," IEEE Transactions on Microwave Theory and Techniques, vol. 50, no. 3, pp. 645–652, 2002.
[3] J. J. Angel, "When finance meets physics: The impact of the speed of light on financial markets and their regulation," Financial Review, vol. 2, no. 49, pp. 271–281, 2014.
[4] J. C. Corbett, J. Dean, M. Epstein, A. Fikes, C. Frost, J. J. Furman, S. Ghemawat, A. Gubarev, C. Heiser, P. Hochschild et al., "Spanner: Google's globally distributed database," ACM Transactions on Computer Systems (TOCS), vol. 31, no. 3, p. 8, 2013.
[5] L. D. Shapiro, "Time synchronization from Loran-C," IEEE Spectrum, vol. 8, no. 5, pp. 46–55, 1968.
[6] A. Bauch, P. Hetzel, and D. Piester, "Time and frequency dissemination with DCF77: From 1959 to 2009 and beyond," PTB-Mitteilungen, vol. 119, no. 3, pp. 3–26, 2009.
[7] D. W. Allan and M. A. Weiss, Accurate time and frequency transfer during common-view of a GPS satellite. Electronic Industries Association, 1980.
[8] M. L. Psiaki and T. E. Humphreys, "GNSS spoofing and detection," Proceedings of the IEEE, vol. 104, no. 6, pp. 1258–1270, 2016.
[9] K. D. Wesson, J. N. Gross, T. E. Humphreys, and B. L. Evans, "GNSS signal authentication via power and distortion monitoring," IEEE Transactions on Aerospace and Electronic Systems, 2018, to be published; preprint available at https://arxiv.org/abs/1702.06554.
[10] D. Chou, L. Heng, and G. Gao, "Robust GPS-based timing for phasor measurement units: A position-information-aided approach," in Proceedings of the ION GNSS+ Meeting, 2014.
[11] M. Ullmann and M. Vögeler, "Delay attacks — Implication on NTP and PTP time synchronization," in Precision Clock Synchronization for Measurement, Control and Communication, 2009. ISPCS 2009. International Symposium on. IEEE, 2009, pp. 1–6.
[12] T. Mizrahi, "A game theoretic analysis of delay attacks against time synchronization protocols," in Precision Clock Synchronization for Measurement Control and Communication (ISPCS), 2012 International IEEE Symposium on. IEEE, 2012, pp. 1–6.
[13] B. Moussa, M. Debbabi, and C. Assi, "A detection and mitigation model for PTP delay attack in an IEC 61850 substation," IEEE Transactions on Smart Grid, 2016.
[14] Q. Yang, D. An, and W. Yu, "On time desynchronization attack against IEEE 1588 protocol in power grid systems," in Energytech, 2013 IEEE. IEEE, 2013, pp. 1–5.
[15] J.-C. Tournier and O. Goerlitz, "Strategies to secure the IEEE 1588 protocol in digital substation automation," in Critical Infrastructures, 2009. CRIS 2009. Fourth International Conference on. IEEE, 2009, pp. 1–8.
[16] S. Bhamidipati, Y. Ng, and G. X. Gao, "Multi-receiver GPS-based direct time estimation for PMUs," in Proceedings of the 29th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2016), Portland, OR, 2016.
[17] Y. Ng and G. X. Gao, "Robust GPS-based direct time estimation for PMUs," in Position, Location and Navigation Symposium (PLANS), 2016 IEEE/ION. IEEE, 2016, pp. 472–476.
[18] R. Annessi, J. Fabini, and T. Zseby, "SecureTime: Secure multicast time synchronization," arXiv preprint arXiv:1705.10669, 2017.
[19] L. Narula and T. E. Humphreys, "Requirements for secure wireless time transfer," in Proceedings of the IEEE/ION PLANS Meeting, Savannah, GA, 2016.
[20] R. C. Merkle, "Secure communications over insecure channels," Communications of the ACM, vol. 21, no. 4, pp. 294–299, 1978.
[21] C. H. Bennett and G. Brassard, "Quantum cryptography: Public key distribution and coin tossing," 1984.
[22] A. K. Ekert, "Quantum cryptography based on Bell's theorem," Physical Review Letters, vol. 67, no. 6, p. 661, 1991.
[23] P. Misra and P. Enge, Global Positioning System: Signals, Measurements, and Performance, revised second ed. Lincoln, Massachusetts: Ganga-Jumana Press, 2012.
[24] K. D. Wesson, M. P. Rothlisberger, and T. E. Humphreys, "A proposed navigation message authentication implementation for civil GPS anti-spoofing," in Proceedings of the ION GNSS Meeting. Portland, Oregon: Institute of Navigation, 2011.
[25] D. M. Akos, "Who's afraid of the spoofer? GPS/GNSS spoofing detection via automatic gain control (AGC)," Navigation, Journal of the Institute of Navigation, vol. 59, no. 4, pp. 281–290, 2012.
[26] T. E. Humphreys, Springer Handbook of Global Navigation Satellite Systems. Springer, 2017, ch. Interference, pp. 469–504.
[27] M. Meurer, A. Konovaltsev, M. Cuntz, and C. Hättich, "Robust joint multi-antenna spoofing detection and attitude estimation using direction assisted multiple hypotheses RAIM," in Proceedings of the 25th Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2012). ION, 2012.
[28] D. Borio, "PANOVA tests and their application to GNSS spoofing detection," IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 1, pp. 381–394, Jan. 2013.
[29] M. Bellare and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm," Advances in Cryptology–ASIACRYPT 2000, pp. 531–545, 2000.
[30] S. Goldwasser, S. Micali, and R. L. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks," SIAM Journal on Computing, vol. 17, no. 2, pp. 281–308, 1988.
[31] A. Mahmood, G. Gaderer, H. Trsek, S. Schwalowsky, and N. Kerö, "Towards high accuracy in IEEE 802.11 based clock synchronization using PTP," in Precision Clock Synchronization for Measurement Control and Communication (ISPCS), 2011 International IEEE Symposium on. IEEE, 2011, pp. 13–18.
[32] T. Cooklev, J. C. Eidson, and A. Pakdaman, "An implementation of IEEE 1588 over IEEE 802.11b for synchronization of wireless local area network nodes," IEEE Transactions on Instrumentation and Measurement, vol. 56, no. 5, pp. 1632–1639, Oct. 2007.
[33] R. Ramaswamy, N. Weng, and T. Wolf, "Characterizing network processing delay," in Global Telecommunications Conference, 2004. GLOBECOM'04. IEEE, vol. 3. IEEE, 2004, pp.
1629–1634. [34] H. L. Van Trees, Detection, estimation, and modulation theory, part I: detection, estimation, and linear modulation theory. John Wiley & Sons, 2004. [35] J. Bhatti and T. Humphreys, “Hostile control of ships via false GPS sig- nals: Demonstration and detection,” Navigation, Journal of the Institute of Navigation, vol. 64, no. 1, 2017.

Lakshay Narula received the B.Tech. degree in electronics engineering from IIT-BHU, India, in 2014, and the M.S. degree in electrical and computer engineering from The University of Texas at Austin, Austin, TX, USA, in 2016. He is currently a Ph.D. student with the Department of Electrical and Computer Engineering at The University of Texas at Austin, and a Graduate Research Assistant at the UT Radionavigation Lab. His research interests include GNSS signal processing, secure perception in autonomous systems, and detection and estimation. Lakshay has previously been a visiting student at the PLAN Group at University of Calgary, Calgary, AB, Canada, and a systems engineer at Accord Software & Systems, Bangalore, India. He was a recipient of the 2017 Qualcomm Innovation Fellowship.

Todd E. Humphreys received the B.S. and M.S. degrees in electrical and computer engineering from Utah State University, Logan, UT, USA, in 2000 and 2003, respectively, and the Ph.D. degree in aerospace engineering from Cornell University, Ithaca, NY, USA, in 2008. He is an Associate Professor with the Department of Aerospace Engineering and Engineering Mechanics, The University of Texas (UT) at Austin, Austin, TX, USA, and Director of the UT Radionavigation Laboratory. He specializes in the application of optimal detection and estimation techniques to problems in satellite navigation, autonomous systems, and signal processing. His recent focus has been on secure perception for autonomous systems, including navigation, timing, and collision avoidance, and on centimeter-accurate location for the mass market. Dr. Humphreys received the University of Texas Regents' Outstanding Teaching Award in 2012, the National Science Foundation CAREER Award in 2015, and the Institute of Navigation Thurlow Award in 2015.