Skip to content



Repository files navigation

This is a an implementation of NTS in Python 3.

This code is based on Daniel Franke's hackathon code which implemented parts of the NTS protocol: "Quick and dirty implementation of Network Time Security for the IETF 101 hackathon" which are in the Public domain.

Christer Weinigel made some fixes to the implementation and added a NTSKE server, a NTS/UDP server and a NTS/UDP client.


Debian 10 or Ubuntu 18.04. Debian 9 and Ubuntu 16.04 do not work due to the openssl libraries being too old.

Install the following packages:

apt-get install git gcc binutils cmake libssl-dev python3-cffi

Custom Python

The NTS server and client need a modified version of Python 3 to work. The reason for this is that the NTS protocol uses the key exporter functions of OpenSSL and those are not supported in the stock OpenSSL wrapper in Python 3.

Install some pacages needed to build Python 3:

apt-get install git build-essential cmake pkg-config libssl-dev libffi-dev libz-dev wget

Clone the modified Python 3 repository:

git clone -b export_keying_material-3.7.4

cd cpython LDFLAGS=-Wl,-rpath,$PREFIX/lib ./configure --prefix=/opt/python-nts make -jnproc make install mkdir -p /opt/python-nts/ssl ln -sf /etc/ssl/ca-certificates.crt /opt/python-nts/ssl/cert.pem ln -sf /etc/ssl/certs /opt/python-nts/ssl/certs /opt/python-nts/bin/python3 -m pip install cffi

Checking out

Clone the repository:

git clone --recursive

Testing the Python implementation

I've tested this implementation on Ubuntu 18.04. The scripts require Python 3.6, even though they are written to be compatible with Python 2.7. I haven't figured out why Python 2.7 doesn't work yet.

Warning: don't remove the assert sys.version_info[0] == 3 from the files. It might seem like it's working, but the SSL.Connection will return corrupt data with some NTS servers.

Change directory to the top of the nts-poc-python tree:

cd nts-poc-python ./

To start the NTSKE server, open a terminal and run:


The server uses server.ini for its configuration. The default is for the NTSKE server to listen on TCP port 4446. The master keys are stored in the directory "server_keys". If no master key exists, the NTSKE server will create a new master key.

To start the NTP/UDP server, open a terminal and run:


The server uses the file "server.ini" for its configuration. The default is for the NTSKE server to listen on TCP port 4123.

Run the NTSKE client to talk to the NTSKE server and save the results to the file "client.ini" and not perform certicate verification (-v).

/opt/python-nts/bin/python3 -v localhost 4446

Run the NTS client to talk to the NTS server and get a timestamped packet back.


If you want to talk to a different NTS server than the one specified in client.ini you can specify the NTS server on the command line:

python host port

If you want to rotate the master key, run


This will create a new key in the server_keys directory which will be read by or on the next request.


No releases published


No packages published


  • Python 99.4%
  • Shell 0.6%