NTS — Network Time Security

Authenticated NTP over TLS (RFC 8915). For servers, logging infrastructure, and compliance-level audit trails.


NTS replaces public NTP with a cryptographically signed time signal — every packet bound to a session key negotiated in a verified TLS handshake. A packet that has been tampered with, delayed, or substituted in transit is rejected by the client. The slow-slew attack that can silently drag a bank's clock by 30–60 seconds has no mechanism to operate.

How it works
Deployment

NTS integrates without infrastructure changes for most institutions. Adding the CNX root CA anchor and updating the chrony or ntpd configuration to point to the CNX NTS endpoint is the complete deployment. Existing internal NTP distribution hierarchies continue to operate — the authenticated upstream reference hardens the gateway without requiring updates to distributed end-user systems.

Service levels
Accuracy<10 ms to UTC (1-minute average)
Availability99.99% monthly
Temporal integrity99.999% monthly
Incident response30-minute acknowledgement, 24/7/365 NOC
Atomic holdover<1 µs/day drift during total GNSS or fibre outage

The atomic holdover is the key distinction from cloud-based NTS providers. Foreign NTS services depend on continuous internet connectivity. CNX Precision Time maintains autonomous microsecond-accurate stability from in-country Rubidium oscillators for over a year without any external signal.