Cybertrust in e-Learning Environment based on Network Time
Dmitriy Melnikov, Vladislav Petrov, Natalia Miloslavskaya, Anatoliy Durakovskiy
and Tatiana Kondratyeva
National Research Nuclear University MEPhI (Moscow Engineering Physics Institute),
31 Kashirskoye shosse, Moscow, Russia
Keywords: e-Learning, Information Security, Trusted Cyberspace, Trusted e-Learning Environment.
Abstract: The concept of cybertrust as a crucial aspect of cyber security for public electronic interactions and, in
particular, distance learning systems (DLSs), is introduced. This concept is the opposite of such well-known
terms as cyberattacks and/or cyberespionage and it supports cyber security issues by providing legal signifi-
cance of a public electronic document interchange. The possibility of cybertrust assurance in an e-Learning
environment (ELE) is shown using two proposed methods of network time synchronization.
Any computer information system (as an integral
part or a degenerate case of cyberspace), even with
hardware and software protection of its information
resources, remains vulnerable not only to the tradi-
tional cybersecurity threats such as loss of connec-
tions (unavailability – A), interception (breach of
confidentiality – C) and modification (falsification,
integrity violation – I) of information circulating in
the system, but also to its legal value. The complex
nature of the cybersecurity assurance is reflected in
the acronym CIA and suggests that a compromise
provided by users' trust to the system as a whole is
needed for real interrelation between the purpose of
the integrated cybersecurity CIA and critical re-
sources (hardware, software and data). The issue of
universal trust problem resolution becomes one of
the priorities for integrated cybersecurity for all
common systems of public computer information
infrastructures, and, in particular, for distance learn-
ing systems (DLSs) (Pfleeger and Pfleeger, 2003).
Therefore, in our opinion, to highlight this issue as a
separate study subject it is necessary to introduce the
term "cybertrust" as one of the aspects of cybersecu-
rity in e-Learning Environments (ELE).
Thus the paper is organized as follows. Section 2
is devoted to the analysis of the current state of the
trust problem in respect of developing of a general-
ized cybertrust model. Section 3 discusses the main
characteristics of cybertrust assurance in ELE. Sec-
tion 4 shows the practical implementation of the
cybertrust through the usage of network time syn-
chronization that allows to increase the reliability
and quality of the various kinds of legally significant
electronic document interchange. In conclusion main
results of the work are outlined and future research
is specified.
Let us define that any public cyberspace based on
the Internet technologies could be perceived as safe
and its results are recognized as legally significant
iff all its components (such as participants of the
information exchange process, communication
channels and software and hardware) meet the ob-
jectives and requirements of information security
(IS) properties (CIA properties).
The basic analysis of principles and public trust-
ed cyberspace organization assumptions, for exam-
ple, in DLSs based on the evaluation of protection
against IS threats (CIA violation threats), suggests
that IT does not guarantee the required security level
in many cases even by using the traditional infor-
mation protection tools (IPTs) (Petrov at all, 2015).
Thus, the task of cybertrust assurance in ELE con-
tinues to be relevant and requires special phrasing
(Benzel et al, 2005), (Gritzalis and Lopez, 2009),
Melnikov, D., Petrov, V., Miloslavskaya, N., Durakovskiy, A. and Kondratyeva, T.
Cybertrust in e-Learning Environment based on Network Time Synchronization.
In Proceedings of the 8th International Conference on Computer Supported Education (CSEDU 2016) - Volume 2, pages 402-407
ISBN: 978-989-758-179-3
2016 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
(Gasiorowski-Denis, 2015).
In our opinion the expansion of the so-called
“Three trusts” criterion (Petrov at all, 2015), intro-
duced to confirm the required level of ELE’s securi-
ty (proxy) for any public cyberspace, is quite pro-
ductive. A generalized cybertrust model (Figure 1)
should contain three sub-models: 1) for presentation
of the trust interrelations among the objects of cy-
berspace integrally (considered as a whole), 2) for
the hardware and software components to ensure
trust associated with the reference medium, 3) for
the remote user's (participant of the distance interac-
tion process) trusted perception. The first sub-model
for presentation of the trust interrelations among the
objects of cyberspace integrally describes the rela-
tionship between hardware and software objects of
each of the systems participating in the cyberspace.
The second sub-model for the hardware and soft-
ware components shows the trusted characteristics
of the interaction between objects and trusted ELE.
The third sub-model for the remote users’ perception
is a set of conditions directly depending not only on
the characteristics of software and hardware but also
on the user that affect the trusted cyberspace.
Figure 1: A generalized cybertrust model.
Additionally, a legal user’s model should be con-
structed. It is assumed that each response directly
affects the overall level of trust in the system. How-
ever, such a model can be regarded as sufficient for
ensuring information exchange’s security only when
it is initially supposed that its participant is not a
potential insider. To ensure cybertrust in ELE identi-
fication and authentication data (i.e. the attributes
that differentiate the participants from the others,
including the usage of removable media of key in-
formation) are supplemented with data related to the
continuous user’s presence verification being in a
certain place. Only the legal users are obliged to be
present at the legally valued electronic document
interchange (LVEDI). This can be guaranteed by the
continuity of the authentication procedures.
Thus, the cybertrust problem solution lies in the
development of generalized integrated requirements
establishing the procedures of legal users’ electronic
interaction and regulated requirements to their au-
tomated working stations (AWSs) as well as to all
members of the LVEDI.
From all the variety of procedures in ELE it is pos-
sible to highlight the most critical for ensuring
cybertrust. So, it is obvious that identification and
authentication, access control and connection protec-
tion are such controls for the LVEDI (Miloslavskaya
et all, 2014). Most of the existing definitions of trust
are applicable to cybertrust. They can be used to
formulate the criterion of the trust building. The
characteristics of trust, which are important for the
formulation of the trust criterion in information
systems, are the following: 1) targeted trust: trust of
oriented relations between the process participants;
2) subjective trust: trust is in fact a personal opinion.
It is a personal and subjective phenomenon based on
various factors or evidence, some of which may
have more value than the others; 3) measurable
trust: the target trust values can be used to assess
different levels of trust that an object can have in
contact with another object. Therefore, such kind of
trust (measurable) provides a framework for trust
modeling and for its evaluation; 4) trust in the dy-
namics: trust usually varies nonmonotonically with
time. It can be updated periodically or canceled. It
should be able to adapt to the changing environmen-
tal conditions in which the first trust decision has
been made; 5) conditionally passed trust: infor-
mation on trust can be transmitted/received via the
interaction network; 6) trust as a composite proper-
ty: trust is a set of different attributes, which should
be considered depending on the environment in
which the trust is determined (Grandison and Slo-
man, 2000).
Therefore, we can say that compositionality (as a
value of a complex expression is a function of its
parts values and the relations between them) it is an
important feature for the trusted electronic interac-
tion creation.
Taking into consideration the outlined above, we
can assume that the creation of a trusted cyberspace
should be based on a combination of factors that
directly affect the level of trust, as it is shown in
Figure 2. It should be noted that all these factors
may be involved in the implementation of the above
mentioned criterion of “Three trusts” only in case of
network time synchronization. Then, in our opinion,
it is reasonable to ensure modular cybersecurity, for
example, in the devices of the LVEDI’s participants
Cybertrust in e-Learning Environment based on Network Time Synchronization
in order to carry out dynamic prevention, detection,
diagnosis, isolation and countermeasures against IS
properties violations.
Figure 2: The combination of cybertrust factors for the
A time synchronization system in a cyber environ-
ment is an obligatory and extremely important sub-
system that affects the functioning of almost every
network component and resource. The accuracy of
the network time (of synchronization) is not only of
great technological importance, but it also becomes
a factor affecting the reliability and quality of cryp-
tographic functions and calculations as well as man-
aging the LVEDI based on the timestamps usage.
However, maintaining high quality network time
synchronization depends on reliability (correctness)
of the operation of the following: 1) software and
hardware time modules available in the operating
system (OS) of each computer, server and network
device. The last one depends on the reliability (cor-
rectness) of OS functioning; and 2) synchronization
subnet (network time infrastructure), which is im-
plemented on the basis of the Network Time Proto-
col (NTP version 4 – NTPv4) (Mills, 2010).
Compromise of at least one of these components
(time modules, OS and synchronization subnet or its
segments) may lead to the discrediting of entire
application systems and services, and as a result to
the loss of cybertrust.
4.1 Creating Timestamps in Software
and Hardware
There is a clock in any computing system (CS),
which is used for time and synchronization frequen-
cy generation. The flowchart of system time genera-
tion for timestamps is shown in Figure 3.
Figure 3: Cross-functioning flowchart of the system time
In the current CSs the system time is based on
the clock pulse generator and two seconds counters
(basic and back up). In other words, the date (day,
month and year) and time (hours, minutes and sec-
onds) are described by a certain number of seconds
(as a power of number 2). The accuracy of the cur-
rent time is determined by a fractional part, which
describes the fraction of a second (Mills, 2010). The
main time counter operates continuously, stopping
only at correcting the current time value, taking into
account the necessary amount of time spent on ad-
justments. The backup counter repeats the time val-
ue, shown by the main counter, and it is used to read
the current time for the system and application pro-
cesses as well as to generate a correction value by
NTPv4 (at regular intervals).
In some OSs the fractional seconds of the backup
counter is used as a random number generator. In
reality the reading of the current time value is a
random event, so the fractional part of a second can
be seen as a random binary number.
4.2 Cyberespionage Model for CS’s
Timestamps Modification
One of the requirements (conditions) to ensure a
high level of cybersecurity is reliability (warranty)
of CSs’ functioning, ensuring, in turn, the operation
of IPTs. As it was mentioned above, any procedure
directly providing the implementation of the security
mechanisms or access to security services should be
trustful. At present many OSs do not meet this re-
quirement and are untrusted (not reliable). It is very
difficult to verify the correct functioning of a certain
system and application processes.
We consider the following possible cyberattack
model for the current time generation system on the
CS (Figure 4).
CSEDU 2016 - 8th International Conference on Computer Supported Education
Figure 4: Model of cyberattacks using the IST insertion to
modify the current time value.
At the basis of this attack is the introduction of
an inset software tool (IST) in a non-trusted OS to
modify the current time value. IST functioning con-
tent is to change the pre-known algorithm for the
fractional part (of a second) of the system time. For
example, the algorithm of a fractional part forming
may be based on a specific procedure for the conver-
sion of the whole of the current time value. That is,
the fractional part of the current time (Ct) will di-
rectly depend on (is a function of) the integer part of
the Ct. The timestamp formed in this way will con-
sist of the real (true) integer part of Ct and of the
modified fractional part (not random and pseudo-
An intruder inserting an IST in an untrusted OS
knows the algorithm for converting the integer part
of Ct into its fractional part. Consequently, s/he does
not have to know the geographical location of a
compromised CS. It is enough to know the time
zone for it. From the viewpoint of the IST detection,
it will be extremely difficult to identify a modifica-
tion of the fractional part of the current time for the
following reasons.
1. It is very difficult to distinguish random frac-
tional part of the current time values from the pseu-
dorandom by any external signs, taking into account
that the fractional part is composed of milliseconds,
microseconds or even nanoseconds, for example,
while using the fractional part as the basis for the
random numbers generation.
2. Even if one collects a certain statistics of the
generated current timestamps, it is unlikely to reveal
the algorithm for converting the integer part of Ct
into its fractional part, providing that the perpetrator
used a cryptographically complex function in his/her
3. If more than one timestamp is demanded for
one second, then it is possible to add some relevant
complication coefficients in the IST that will make
the difference between the timestamp’s fractional
parts in the modification of the same integer of sec-
onds. The number of these coefficients depends on
the execution speed of the compromised CS.
4. In this cyberattack model, the IST operation
does not affect the other components of the CS as
well as the procedures implemented by NTPv4-
module software. In other words, properly integrated
IST will not allow to detect itself via any system or
application process.
In implementing the cyberattack model consid-
ered (based on IST insertion) the following activity
of the intruder may result in very "severe" conse-
quences. The main purpose of modifying the system
time is a compromise of the secret (private) key of
the cyberattack target based on the knowledge of
timestamp and the interception of his/her digital
signature (DS) in the Public Key Infrastructure
(PKI) (Cooper, 2008). In terms of IS compromising
the IST insertion provides almost unlimited unau-
thorized access to the protected information.
The cyberattack essence after the IST insertion is
the following.
1. The compromised computer holder’s DS in-
2. The timestamp regeneration in DS. The
amount of timestamps options depends on the se-
lected analysis interval for time and the number of
complication coefficients. The total number of op-
tions will not exceed 3000.
3. Further the "plaintext selection" cryptanalytic
attack is implemented. The falsified timestamp ap-
pears as a "chosen plaintext" in this attack.
4. The secret (private) key of the cyberattack tar-
get can be compromised as a result of decryption (in
the event the IST was inserted in his computer).
5. If the cyberattack target exchanges infor-
mation with the owner of the compromised comput-
er, then it is possible to compromise the key of the
cyberattack target by using his/her uncovered secret
(private) key.
6. In the future, the secret keys of all users carry-
ing out a protected information exchange with the
owner of the compromised computer can be revealed
A more detailed analysis shows that the number
of compromised CSs could compromise the entire
PKI. Naturally, the compromise will not happen in a
moment. It will be a number of targeted and serial
successive events as the steps of one cyberattack.
But the final result is obvious.
A similar situation may arise with the Kerberos
protocol (Kohl and Neuman, 2005), (McNamara,
Cybertrust in e-Learning Environment based on Network Time Synchronization
2003), which is vulnerable to attacks on the systems
of network synchronization and time stamping. The
one-time password systems are also "powerless"
against cyberattacks based on modifying a CS’s
system time (Haller, 1998).
4.3 Principles of Network Time
Reliability Insuring
We worked out the following principles of network
time reliability insuring.
The first and fundamental principle of reliable
and correct functioning of the network time system
(NTS) for modern networks and systems is to
achieve the given guarantees of such operation
(Mills, 2010). This principle implies the presence of
a trusted operating environment that provides ser-
vices to ensure cybersecurity as well as other soft-
ware components (modules) supporting NTS opera-
tion and provision of the required services.
The second principle is the creation of an internal
and independent time source that must operate in
stand-alone mode. This principle implies that the
time source should receive the original signal gener-
ated by a system process of a trusted OS. The output
internal clock’s signal can be such a signal. Other-
wise, the signal coming via a USB-interface may be
such a signal.
The third principle means that the whole conver-
sion of the input signal must be carried out only by
the time source. Any interference in the work of the
time source is not acceptable, since any exposure
could affect its reliability.
The fourth principle can be formulated as fol-
lows. If necessary (in case of the abnormal events),
any adjustment of the time source should be carried
out at the user's (client) demand and only in manual
mode via the GUI displayed on the computer screen.
This principle implies the transfer of a specialized
request for certified and protected timestamp from a
trusted time source, determined by the appropriate
security policy. The implementation of this principle
depends on the conditions of the NTS’s usage and
the corporate (specialized) applied cyberspace. In
other words, if such a system is able to provide the
timestamp transmission in protected mode (provid-
ing its confidentiality and/or integrity), then the
client can give a command to automatically update
the time. The need to deliver the timestamp in the
protected mode can be caused by certain statements
of the security policy, aimed at protecting the
LVEDI and this entire system against the insiders.
The fifth principle says that the launch of the
time source should be carried out only at the com-
mand of the NTS’s client and only once at the be-
ginning of its work. This principle implies the auto-
matic transfer of a specialized request for certified
and protected timestamp from a trusted time source,
determined by the appropriate security policy. Oth-
erwise, the initial (current) time value should be
entered by the user. The implementation of this
principle depends on the conditions of NTS’s usage
and the corporate (specialized) applied cyberspace.
In other words, if such a system is able to provide
the timestamp transmission in protected mode (en-
suring its confidentiality and/or integrity), then the
NTS can give a command to get an initial timestamp
during initialization of its work. The need to deliver
the timestamp in protected mode can be caused by
certain statements of the security policy, aimed at
protecting the LVEDI and this entire system against
the insiders.
The sixth principle is the two-module construc-
tion of the time source, including a main time coun-
ter and a back-up counter, wherein the main counter
should operate from the start to the end of the ses-
sion without any interruptions or stops.
The strict implementation of the given principles
will prevent any intentional and accidental actions to
modify and/or falsify the timestamps.
4.4 Reflection of Cyberattacks against
the NTS
The methods proposed (Figures 5 a, b) are actually
based on the principles of cyberattacks against the
NTS (synchronization) reflection (Melnikov and
Jones, 2004). In the first method of reflection of
cyberattacks against the NTS the start time is set
automatically, while in the second method this time
is set manually. The essence of both methods is that
the usage of an internal independent time source
allows to exclude any possibility of timestamps
unauthorized modification and/or tampering. This in
turn will considerably (more than twice) complicate
the task of cryptanalysis based on plaintext selec-
tion, being resolved by a potential intruder (Cooper,
2008), (Kohl and Neuman, 2005).
Thus, from our point of view, the expansion of the
“Three trusts” criterion to any public cyberspace
together with the usage of an independent source of
network time synchronization will allow to imple-
ment the standardized cybertrust assurance require-
ments (being of legal significance) for ELE. It can
CSEDU 2016 - 8th International Conference on Computer Supported Education
also become the basis of appropriate legislation,
regulations or standards.
Figure 5a: The first method of reflection of cyberattacks
against the NTS with the automatic start time setting.
Figure 5b: The second method of reflection of cyberat-
tacks against the NTS with the manual start time setting.
This research has been performed with the financial
support of the Ministry of education and science of
the Russian Federation in the framework of the pro-
ject «Creation of the engineering and technical solu-
tions for high-tech production of innovative software
and hardware information protection tools on the
basis of perspective high-speed interfaces of infor-
mation interconnection», jointly with the LLC
«OKB SAPR» (the contract N 02.G25.31.0050).
Benzel, T.V., Irvine, C.E., Levin, T.E., Bhaskara, G.,
Nguyen, T.D., Clark, P.C., 2005. Design principles for
security. Technical Report NPS-CS-05-010.
0.pdf (access date 05.12.2015).
Cooper, D., 2008. Internet X.509 Public Key Infrastruc-
ture Certificate and Certificate Revocation List (CRL)
Profile. RFC-5280, May 2008.
Gasiorowski-Denis, E., 2015. Trust and confidence in
cloud privacy.
refid=Ref1921 (access date 27.11.2015).
Grandison, T., Sloman, M., 2000. A survey of trust in
internet applications. IEEE Communications Surveys
and Tutorials, 3(4), pp. 2–16.
Gritzalis, D., Lopez, J., 2009. In Law We Trust? Trusted
Computing and Legal Responsibility for Internet Secu-
rity. Emerging Challenges for Security, Privacy and
Trust. 24th IFIP TC 11 International Information Se-
curity Conference, SEC 2009, Pafos, Cyprus, May 18–
20, 2009. Proceedings. 2009. Pp. 399-409.
Haller, N., ed. 1998. A One-Time Password System. RFC-
2289, February 1998.
Kohl, J., Neuman, C., 2005. The Kerberos Network Au-
thentication Service (V5). RFC-4120 (RFC-4537), July
McNamara, J., 2003. Secrets of Computer Espionage:
Tactics and Countermeasures. New York: John Wiley
& Sons, Inc.
Melnikov, D., Jones, A., 2004. “Masquerade” Attacks and
a Process for Their Detection. In Proceedings of the
3rd European Conference on Information Warfare
and Security. Royal Holloway University of London,
UK. 28-29 June 2004. p. 269.
Mills, D., 2010. Network Time Protocol Version 4: Proto-
col and Algorithms Specification. RFC-5905, June
Miloslavskaya, N., Petrov, V., Tolstoy, A., 2014. Security
Aspects for E-Learning Portals. In Proceedings of the
6th International Conference on Computer Supported
Education (CSEDU 2014). Spain, Barcelona. pp. 427–
Petrov, V., Miloslavskaya, N., Gorbatov, V., Durakovskiy,
A., 2015. Problem of Trust in E-Learning Environ-
ment. In Proceedings of the 7th International Confer-
ence on Computer Supported Education (CSEDU
2015). Portugal, Lisbon. pp. 424-429.
Pfleeger, C.P., Pfleeger, S.L., 2003. Security in Compu-
ting. Upper Saddle River, Prentice Hall, NewJersey.
Cybertrust in e-Learning Environment based on Network Time Synchronization