Network Time Security

Network Time Security Open external link (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This allows users to obtain time in an authenticated manner.

​​ Background

The NTS protocol is divided into two phases:

1. NTS Key Exchange: Establishes the necessary key material between the NTP client and the server, using a Transport Layer Security (TLS) handshake Open external link (the same public key infrastructure as the web). Once the keys are exchanged, the TLS channel is closed and the protocol enters the second phase.
2. NTS Extension Fields for NTPv4: Authenticates NTP time synchronization packets using previously established key material. For more information, refer to RFC 8915 Open external link .

​​ Next steps

NTS is gaining support in many NTP implementations, including Chrony Open external link , NTPsec Open external link , and ntpd-rs Open external link . Read the relevant documentation for guidance on setting them up to point to our time service, time.cloudflare.com. Also see Netnod’s documentation Open external link for configuring NTS clients.