Timestamp issue with Amazon EC2

I was playing yesterday with Eucalyptus Public Cloud, which is an Open Source project, that gives free access to some of the resources of their cloud where you can get a taste of Amazon’s EC2 tools. Having configured the environment of my system, I tried to retrieve the list of the available zones on which I could deploy some of Eucalyptus’ virtual machines. However, the first few tries returned a timestamp problem:

$ ec2-describe-availability-zones
Server: An error was discovered processing the  header.
(WSSecurityEngine: Invalid timestamp The security semantics of message have expired)

So it looked like there was an issue between the timing of my system against that of the server. I decided to synchronise my system with an NTP server. There was indeed something more than five minutes difference between my system’s manual time and that of the NTP server:

Manual time:

$ date
Tue 12 May 2009 18:52:22 BST

NTP sync:

$ date
Tue 12 May 2009 18:57:37 BST

One more try to fetch the list:

$ ec2-describe-availability-zones
AVAILABILITYZONE	epc	mayhem9.cs.ucsb.edu

It worked this time. As mentioned here, “each message sent by the client contains a time-stamp. The server refuses messages sent more than five minutes ago. This is to prevent replay attacks (where an attacker gets hold of a valid message and then sends it again later)”.
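The server-side check described above, as an added example (not code from the original post, Eucalyptus or Amazon): a five-minute freshness window plus a cache of message ids, fed the two clock readings from the post. The message ids, the 30-second tolerance for fast clocks, and treating the two `date` readings as the same instant are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)       # window quoted in the post
FUTURE_SKEW = timedelta(seconds=30)  # assumed tolerance for clients running fast


class ReplayGuard:
    """Freshness check plus a cache of message ids seen inside the window."""

    def __init__(self, max_age=MAX_AGE, future_skew=FUTURE_SKEW):
        self.max_age = max_age
        self.future_skew = future_skew
        self.seen = {}  # hypothetical message id -> created time, kept while fresh

    def check(self, msg_id, created, now):
        """Return (accepted, reason) for a message stamped `created` arriving at `now`."""
        age = now - created
        if age > self.max_age:
            return False, f"expired: {int(age.total_seconds())}s old"
        if -age > self.future_skew:
            return False, f"created {int(-age.total_seconds())}s in the future"
        # Forget ids that aged out; the timestamp check already rejects those.
        self.seen = {m: t for m, t in self.seen.items() if now - t <= self.max_age}
        if msg_id in self.seen:
            return False, "replayed inside the window"
        self.seen[msg_id] = created
        return True, "ok"


def bst(h, m, s):
    """Constructed sample time: 12 May 2009 in BST (UTC+1)."""
    return datetime(2009, 5, 12, h, m, s, tzinfo=timezone(timedelta(hours=1)))


def demo():
    guard = ReplayGuard()
    server_now = bst(18, 57, 37)  # the NTP reading, taken as the server's clock
    return [
        guard.check("req-1", bst(18, 52, 22), server_now),  # client clock 5m15s slow
        guard.check("req-2", bst(18, 57, 37), server_now),  # after NTP sync
        guard.check("req-2", bst(18, 57, 37), server_now + timedelta(minutes=1)),
        guard.check("req-2", bst(18, 57, 37), server_now + timedelta(minutes=6)),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The first result shows why a slow client clock is indistinguishable from a stale message to the server; the third shows that a copy resent inside the five minutes is only caught by the id cache, not by the timestamp.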

