Skip to content

Network Time Security

Network Time Security (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This allows users to obtain time in an authenticated manner.

Background

The NTS protocol is divided into two phases:

  1. NTS Key Exchange: Establishes the necessary key material between the NTP client and the server, using a Transport Layer Security (TLS) handshake (the same public key infrastructure as the web). Once the keys are exchanged, the TLS channel is closed and the protocol enters the second phase.
  2. NTS Extension Fields for NTPv4: Authenticates NTP time synchronization packets using previously established key material. For more information, refer to RFC 8915.

Next steps

NTS is gaining support in many NTP implementations, including Chrony, NTPsec, and ntpd-rs. Read the relevant documentation for guidance on setting them up to point to our time service, time.cloudflare.com. Also see Netnod's documentation for configuring NTS clients.