{"id":37979041,"url":"https://github.com/mchackorg/gonts","last_synced_at":"2026-01-16T18:32:54.446Z","repository":{"id":57639592,"uuid":"161299134","full_name":"mchackorg/gonts","owner":"mchackorg","description":"Network Time Security in Go","archived":false,"fork":false,"pushed_at":"2019-11-02T16:26:24.000Z","size":68,"stargazers_count":5,"open_issues_count":6,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-08-14T17:55:36.975Z","etag":null,"topics":["go","network","ntp","nts","protocol","security"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mchackorg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-12-11T08:06:37.000Z","updated_at":"2025-03-30T00:45:14.000Z","dependencies_parsed_at":"2022-08-27T19:51:52.706Z","dependency_job_id":null,"html_url":"https://github.com/mchackorg/gonts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mchackorg/gonts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchackorg%2Fgonts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchackorg%2Fgonts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchackorg%2Fgonts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchackorg%2Fgonts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mchackorg","download_url":"https://codeload.github.com/mchackorg/gonts/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/mchackorg%2Fgonts/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28480931,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","network","ntp","nts","protocol","security"],"created_at":"2026-01-16T18:32:54.351Z","updated_at":"2026-01-16T18:32:54.426Z","avatar_url":"https://github.com/mchackorg.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Network Time Security in Go\n\n**NOTE WELL!** \n\nThis project has been broken into several other projects and\ndevelopment continues there:\n\n- [ntske](https://gitlab.com/hacklunch/ntske) NTS-KE Go package.\n- [ntskeserver](https://gitlab.com/hacklunch/ntskeserver) NTS-KE server.\n- [ntsclient](https://gitlab.com/hacklunch/ntsclient): A simple NTS client.\n- [ntp](https://gitlab.com/hacklunch/ntp): An NTP and NTS client\n  package.\n\n**NOTE WELL!**\n\n## Introduction\n\nNetwork Time Security (NTS) is a development of the venerable Network\nTime Protocol (NTP). 
NTS defines a separate Network Time Security Key\nEstablishment (NTS-KE) protocol and [uses extension\nfields](https://tools.ietf.org/html/rfc7822) in NTPv4.\n\nThis is an attempt to implement NTS-KE and SNTP with NTS extension\nfields according to the [Dansarie\nspecification](https://datatracker.ietf.org/doc/draft-dansarie-nts/?include_text=1)\nin Go.\n\nThe NTS-KE is implemented as its own package for use in both NTS-KE\nclients and servers. An example client and server are provided. The\nclient is also an SNTP client.\n\nWe also provide the beginning of an NTP server. It doesn't yet\nsupport any NTS extensions and is mostly cobbled together from\ninternal structures in [Brett Vickers' NTP\nlibrary](https://github.com/beevik/ntp/), but it's a start.\n\n## Commands\n\nThese commands are under `cmd/`:\n\n- ntsclient - An NTP client with NTS support.\n- ntskeserver - A key exchange server for NTS.\n- ntpserver - A silly excuse for an NTP server.\n\nIf you just want to run them, you can do a\n\n```\n% go get github.com/mchackorg/gonts/cmd/...\n```\n\nand they should end up in your `$GOPATH/bin/` directory.\n\n## Building\n\nFor development purposes there is a simple `Makefile`. `make` should\nbuild everything.\n\n## Background\n\nThe current project was started in two days during the [102 IETF\nHackathon](https://trac.ietf.org/trac/ietf/meeting/wiki/102hackathon).\nMichael \"MC\" Cardell Widerkrantz, Daniel \"quite\" Lublin, omni and\nraccoon gathered as remote participants in the hackathon in central\nMalmö with lots of Club-Mate. Lots of specification reading, some\nfalse starts and kludgy code were the results.\n\nMC wrote [a blog post](https://hack.org/mc/blog/nts.html) about the\nhackathon that you might want to read.\n\n## NTS Architecture\n\n1. The NTS-KE client initiates traffic. It initiates an application\n   layer TLS session to the NTS-KE server and sends a selection of\n   AEAD algorithms.\n\n2. The NTS-KE server lists its selection of AEAD algorithms. 
If the\n   client and server have overlapping algorithms, they continue to\n   export keying material from the TLS session. Now they both have a\n   pair of keys for use in each direction in NTP.\n\n   The server also creates, encrypts, and sends initial cookies for\n   later use. These cookies are opaque to the client.\n\n3. The NTS-KE client might also be an NTP client. It can now ask for\n   the time using the cookie it got from NTS-KE and the C2S key\n   for encrypted fields.\n\n4. The NTP server gets the NTP request, unpacks the cookie and can now\n   reply to the NTP client with the current time, encrypted with the\n   S2C key that was in the cookie (see below).\n\n   Since all the information it needs is contained in the cookie, it\n   doesn't need to keep any state about the client.\n\nThere are several keys involved here:\n\n1. A private key for the server's X.509 certificate.\n\n2. A session key used in the TLS session.\n\n3. A negotiated pair of keys for later NTP C2S and S2C communication.\n\n4. A server-side key used to encrypt cookies.\n\n## About cookies\n\nCookies are generated by the server, then encrypted with a server-only\nmaster secret. The NTS-KE and NTP servers should somehow share the\nsecret used for cookie encryption.\n\nThe cookies contain:\n\nin encrypted form:\n\n - the negotiated AEAD algorithm,\n - the S2C key,\n - the C2S key.\n\nin plaintext:\n\n - identifier of the server-side secret used to encrypt this cookie.\n\nNote that for this to work, the cookies *should not* be encrypted with the C2S\nkey when sent over NTP!\n\nThe NTP client both sends a cookie and asks for a new cookie with\nevery request. It will use the new cookie on the next request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchackorg%2Fgonts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmchackorg%2Fgonts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchackorg%2Fgonts/lists"}