TERENA Networking Conference 2010

Applications of Time-Stamp Service

Vladimír Smotlacha, Milan Sova (CESNET)

This poster presents the use of the time-stamp authority (TSA) at CESNET. We designed and built the TSA with a focus on providing accurate and trustworthy time information and on resistance to service compromise.

The Time-Stamp Protocol (TSP), specified in RFC 3161, is based on a request message sent by a client and a signed response message returned by the server. The request contains arbitrary information (e.g. a one-way hash of a file), which is returned in the signed response; in this way the information is bound to the time stamp.

The TSA clock must be synchronized, using a trustworthy method, to a time system that ensures traceability to UTC. We implemented two hardware modifications to keep the system clock accurate: an adapter for processing the incoming 1 pps signal from a GPS receiver or an atomic clock, and an ovenized oscillator replacing the crystal on the computer main board. Long-term measurement proved that we synchronize the clock of our TSA with an uncertainty of less than 2 microseconds. We set the resolution of issued time stamps to 1 microsecond. Calibration of the TSA service showed that the mean delay between a time-stamp request and the provided time information is 0.8 milliseconds, with a standard deviation of 0.16 milliseconds.

Our TSA uses a hardware security module (HSM). The time-stamp response signing key is generated inside the HSM as a non-exportable object. The key is activated by an operator on every system start, and only one process is able to use the key.

We also developed a tamper-evident utility that assures the integrity and time accuracy of syslog messages. It reads syslog records delivered by a syslog daemon and writes them to an output file.

Our TSA servers provide time stamps for all members of CESNET, i.e. Czech public universities and the Academy of Sciences. Upon request, the service can also be used free of charge by other organizations. Every user can build their own application based on time stamps.

The TSA service is part of the CESNET PKI infrastructure and uses keys issued by the CESNET Certification Authority. The parameters of the provided service (e.g. accuracy of time information, service availability, security) are comparable to or distinctly better than those of many commercially provided TSA services.
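To make the request side of the RFC 3161 exchange concrete, here is an added example (not code from the poster or from CESNET's TSA) that builds a DER-encoded TimeStampReq carrying the SHA-256 hash of a file and parses it back, so a client can confirm that the imprint a TSA will sign is really the hash of its own data. The sample data is constructed; SHA-256 is an assumption, since the abstract only says "one-way hash".

```python
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")  # id-sha256, 2.16.840.1.101.3.4.2.1


def der_len(n):
    """DER definite length: short form below 0x80, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def build_request(data, nonce):
    """TimeStampReq: version 1, messageImprint over SHA-256(data), nonce, certReq TRUE."""
    alg_id = tlv(0x30, tlv(0x06, SHA256_OID) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    imprint = tlv(0x30, alg_id + tlv(0x04, hashlib.sha256(data).digest()))
    return tlv(0x30, der_int(1) + imprint + der_int(nonce) + tlv(0x01, b"\xff"))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def parse_request(der):
    """Decode the fields a TSA inspects before signing; nonce and certReq are optional."""
    _, body, _ = read_tlv(der, 0)
    _, ver, pos = read_tlv(body, 0)
    _, imprint, pos = read_tlv(body, pos)
    nonce, cert_req = None, False
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x02:
            nonce = int.from_bytes(val, "big")
        elif tag == 0x01:
            cert_req = val == b"\xff"
    _, alg_id, p = read_tlv(imprint, 0)
    _, digest, _ = read_tlv(imprint, p)
    return {"version": int.from_bytes(ver, "big"), "hash_oid": read_tlv(alg_id, 0)[1],
            "hashed_message": digest, "nonce": nonce, "cert_req": cert_req}


def imprint_matches(der, data):
    """Client-side check: the imprint in the request is the SHA-256 of our data."""
    req = parse_request(der)
    return req["hash_oid"] == SHA256_OID and req["hashed_message"] == hashlib.sha256(data).digest()
```

The same imprint check, applied to the messageImprint inside the signed TSTInfo of the response, is what binds the file to the time stamp the TSA returns.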
