0

I'd like to check the time/date inside an obfuscated python script.

datetime is not reliable as it's easily possible to change the computer clock time.

Using ntplib with a ntp server like europe.pool.ntp.org is not secure either because the user could change the DNS or something like that.

Is there a reliable and secure way to get current date in python ? Using certificates or something like that ? I could gather and parse data from unixtimestamp and verify SSL certificates, but I'm pretty sure that's not the cleanest way of doing this.

RobinFrcd
  • 4,439
  • 4
  • 25
  • 49
  • Possible duplicate of [Validate SSL certificates with Python](https://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python) – Frieder Jul 29 '19 at 13:08

1 Answers1

1

It's possible to verify authenticity and integrity of the NTP packets via a shared (symmetric) key. You'd have to ship the key (or retrieve it on the fly from a service under your control) and then use it with one or more NTP servers that support the key. Multiple servers and multiple keys are possible. For example, NIST runs a service that supports this feature.

While packet auth might be enough to mitigate a simple attack vector, the NTP threat model is quite extensive. The hostile actor might not be the client (device) owner...but the date/time you will receive may still be incorrect. Even in the proposed auth solution, the key would have to reside somewhere on the client and a determined attacker could exfiltrate it, even from memory. The mitigation techniques and whether some of the issues cited in the threat model are relevant to you will depend on your definition of "reliable and secure" in your specific use case.

Longer-term solution is NTS, it's adding TLS-/AEAD-based security to NTP.

Community
  • 1
  • 1
identigral
  • 3,920
  • 16
  • 31