1 files changed, 181 insertions, 0 deletions

diff --git a/html/genkeys.htm b/html/genkeys.htm
new file mode 100644
index 000000000000..33e99ef54e48
--- /dev/null
+++ b/html/genkeys.htm
@@ -0,0 +1,181 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
+<html>
+<head>
+<meta name="generator" content="HTML Tidy, see www.w3.org">
+<title>ntp-genkeys - generate public and private keys</title>
+</head>
+<body>
+<h3><tt>ntp-genkeys</tt> - generate public and private keys</h3>
+
+<img align="left" src="pic/alice23.gif" alt="gif"><a href=
+"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Alice's
+Adventures in Wonderland</i>, Lewis Carroll</a> 
+
+<p>Alice holds the key.<br clear="left">
+</p>
+
+<hr>
+<h4>Synopsis</h4>
+
+<tt>ntp-genkeys</tt> 
+
+<h4>Description</h4>
+
+<p>This program generates random keys used by either or both the
+NTPv3/NTPv4 symmetric key or the NTPv4 public key (Autokey)
+cryptographic authentication schemes. By default the program
+generates the <tt>ntp.keys</tt> file containing 16 random symmetric
+keys. In addition, if the <tt>rsaref20</tt> package is configured
+for the software build, the program generates cryptographic values
+used by the Autokey scheme. These values are incorporated as a set
+of three files, <tt>ntpkey</tt> containing the RSA private key,
+<tt>ntpkey_<i>host</i></tt> containing the RSA public key, where
+<tt><i>host</i></tt> is the DNS name of the generating machine, and
+<tt>ntpkey_dh</tt> containing the parameters for the Diffie-Hellman
+key-agreement algorithm. All files and are in printable ASCII
+format. A timestamp in NTP seconds is appended to each. Since the
+algorithms are seeded by the system clock, each run of this program
+produces a different file and file name.</p>
+
+<p>The <tt>ntp.keys</tt> file contains 16 MD5 keys. Each key
+consists of 16 characters randomized over the ASCII 95-character
+printing subset. The file is read by the daemon at the location
+specified by the <tt>keys</tt> configuration file command and made
+visible only to root. An additional key consisting of a easily
+remembered password should be added by hand for use with the <tt>
+ntpq</tt> and <tt>ntpdc</tt> programs. The file must be distributed
+by secure means to other servers and clients sharing the same
+security compartment. While the key identifiers for MD5 and DES
+keys must be in the range 1-65534, inclusive, the <tt>
+ntp-genkeys</tt> program uses only the identifiers from 1 to 16.
+The key identifier for each association is specified as the key
+argument in the <tt>server</tt> or peer configuration file
+command.</p>
+
+<p>The <tt>ntpkey</tt> file contains the RSA private key. It is
+read by the daemon at the location specified by the <tt>
+privatekey</tt> argument of the <tt>crypto</tt> configuration file
+command and made visible only to root. This file is useful only to
+the machine that generated it and never shared with any other
+daemon or application program.</p>
+
+<p>The <tt>ntpkey_<i>host</i></tt> file contains the RSA public
+key, where <tt><i>host</i></tt> is the DNS name of the host that
+generated it. The file is read by the daemon at the location
+specified by the <tt>publickey</tt> argument to the <tt>server</tt>
+or <tt>peer</tt> configuration file command. This file can be
+widely distributed and stored without using secure means, since the
+data are public values.</p>
+
+<p>The <tt>ntp_dh</tt> file contains two Diffie-Hellman parameters:
+the prime modulus and the generator. The file is read by the daemon
+at the location specified by the <tt>dhparams</tt> argument of the
+<tt>crypto</tt> configuration file command. The file can be
+distributed by insecure means to other servers and clients sharing
+the same key agreement compartment, since the data are public
+values.</p>
+
+<p>The file formats begin with two lines, the first containing the
+generating system DNS name and the second the datestamp. Lines
+beginning with <tt>#</tt> are considered comments and ignored by
+the daemon. In the <tt>ntp.keys</tt> file, the next 16 lines
+contain the MD5 keys in order. If necessary, this file can be
+further customized by an ordinary text editor. The format is
+described in the following section. In the <tt>ntpkey</tt> and <tt>
+ntpkey_<i>host</i></tt> files, the next line contains the modulus
+length in bits followed by the key as a PEM encoded string. In the
+<tt>ntpkey_dh</tt> file, the next line contains the prime length in
+bytes followed by the prime as a PEM encoded string, and the next
+and final line contains the generator length in bytes followed by
+the generator as a PEM encoded string.</p>
+
+<p>Note: See the file <tt>./source/rsaref.h</tt> in the <tt>
+rsaref20</tt> package for explanation of return values, if
+necessary.</p>
+
+<h4>Symmetric Key File Format</h4>
+
+In the case of DES, the keys are 56 bits long with, depending on
+type, a parity check on each byte. In the case of MD5, the keys are
+64 bits (8 bytes). <tt>ntpd</tt> reads its keys from a file
+specified using the <tt>-k</tt> command line option or the <tt>
+keys</tt> statement in the configuration file. While key number 0
+is fixed by the NTP standard (as 56 zero bits) and may not be
+changed, one or more of the keys numbered 1 through 15 may be
+arbitrarily set in the keys file. 
+
+<p>The key file uses the same comment conventions as the
+configuration file. Key entries use a fixed format of the form</p>
+
+<p><i><tt>keyno type key</tt></i></p>
+
+<p>where <i><tt>keyno</tt></i> is a positive integer, <i><tt>
+type</tt></i> is a single character which defines the key format,
+and <i><tt>key</tt></i> is the key itself.</p>
+
+<p>The key may be given in one of three different formats,
+controlled by the <i><tt>type</tt></i> character. The three key
+types, and corresponding formats, are listed following.</p>
+
+<dl>
+<dt><tt>S</tt></dt>
+
+<dd>The key is a 64-bit hexadecimal number in the format specified
+in the DES specification; that is, the high order seven bits of
+each octet are used to form the 56-bit key while the low order bit
+of each octet is given a value such that odd parity is maintained
+for the octet. Leading zeroes must be specified (i.e., the key must
+be exactly 16 hex digits long) and odd parity must be maintained.
+Hence a zero key, in standard format, would be given as <tt>
+0101010101010101</tt>.</dd>
+
+<dt><tt>N</tt></dt>
+
+<dd>The key is a 64-bit hexadecimal number in the format specified
+in the NTP standard. This is the same as the DES format, except the
+bits in each octet have been rotated one bit right so that the
+parity bit is now the high order bit of the octet. Leading zeroes
+must be specified and odd parity must be maintained. A zero key in
+NTP format would be specified as <tt>8080808080808080</tt>.</dd>
+
+<dt><tt>A</tt></dt>
+
+<dd>The key is a 1-to-8 character ASCII string. A key is formed
+from this by using the low order 7 bits of each ASCII character in
+the string, with zeroes added on the right when necessary to form a
+full width 56-bit key, in the same way that encryption keys are
+formed from Unix passwords.</dd>
+
+<dt><tt>M</tt></dt>
+
+<dd>The key is a 1-to-8 character ASCII string, using the MD5
+authentication scheme. Note that both the keys and the
+authentication schemes (DES or MD5) must be identical between a set
+of peers sharing the same key number.</dd>
+</dl>
+
+<p>Note that the keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt>
+programs are checked against passwords requested by the programs
+and entered by hand, so it is generally appropriate to specify
+these keys in ASCII format.</p>
+
+<h4>Files</h4>
+
+The RSA Laboratories package <tt>rsaref20</tt> of cryptographic
+routines is necessary in order to build and use this program. 
+
+<h4>Bugs</h4>
+
+It can take quite a while to generate the RSA public/private key
+pair and Diffie-Hellman parameters, from a few seconds on a modern
+workstation to several minutes on older machines. 
+
+<hr>
+<a href="index.htm"><img align="left" src="pic/home.gif" alt=
+"gif"></a> 
+
+<address><a href="mailto:mills@udel.edu">David L. Mills
+&lt;mills@udel.edu&gt;</a></address>
+</body>
+</html>
+