[time-nuts] Time security musing - attacking the clock itself
Jim Lux
jimlux at earthlink.net
Tue Dec 4 04:12:47 UTC 2012
On 12/3/12 6:34 PM, Hal Murray wrote:
>
> lists at lazygranch.com said:
>> I have one of those key fobs. Does the code somehow inform the powers that be
>> about the drift in the built in clock? Or is the time element of the code so
>> sloppy that the drift is acceptable?
>
> The magic number changes every second or so.

Every 30 seconds or every minute.. I've seen both. My fob is once a
minute, the iPhone "soft fob" is 30 seconds.

> You only have to scan a few
> seconds either side of the correct time to find a valid match. Every time
> the server gets a match it can update its memory of the fob time to reduce
> its searching in the future.

Exactly, the maximum time difference is a settable parameter.

>
> You could measure/compute the drift too. I don't know if that's worth the
> effort. It would probably change with temperature so seasonal or lifestyle
> changes could throw the prediction way off.

I don't think they do that.. I think it's a "reset when validated"...

>
> [I have no inside knowledge. I could be totally wrong, but that seems
> reasonable to me. They may have a better approach.]

It's all described on the RSA website..

Hmm.. I suspect I could time my fob once a day, and see how many
seconds a day it drifts.. without a timed camera it would be hard to get
tighter than 1 second resolution..

The iPhone one almost certainly uses the internal clock in the phone.
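
The server-side search discussed in this message (scan a settable window either side of the expected time, then remember the fob's offset once a code validates), as an added example that is not part of the original post and is not RSA's algorithm. It substitutes the public HOTP truncation from RFC 4226 for the token's code generator; `TokenRecord`, `STEP`, `MAX_SKEW`, the sample key and the replay guard are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code (the hardware fob in the thread: once a minute)
MAX_SKEW = 2   # the settable limit: steps searched either side of the estimate

def code_at(secret: bytes, counter: int) -> str:
    """Stand-in generator: RFC 4226 HOTP truncation, not RSA's algorithm."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[pos:pos + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**6:06d}"

class TokenRecord:
    """Hypothetical per-fob server state."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset = 0          # remembered fob clock error, in steps
        self.last_counter = -1   # newest step accepted (assumed replay guard)

    def validate(self, submitted: str, server_time: float) -> bool:
        estimate = int(server_time // STEP) + self.offset
        # Try the estimate first, then widen: 0, -1, +1, -2, +2
        for delta in sorted(range(-MAX_SKEW, MAX_SKEW + 1), key=abs):
            counter = estimate + delta
            if counter <= self.last_counter:
                continue         # never accept a step at or before the last one
            if hmac.compare_digest(code_at(self.secret, counter), submitted):
                self.offset += delta         # "reset when validated"
                self.last_counter = counter
                return True
        return False

if __name__ == "__main__":
    fob = TokenRecord(b"constructed-demo-secret")     # constructed sample key
    now = 600_000.0                                   # constructed server clock
    fast = code_at(fob.secret, int(now // STEP) + 2)  # fob runs two steps fast
    print(fob.validate(fast, now), fob.offset)
    print(fob.validate(fast, now))                    # same code replayed
```

Because the offset is re-centred on every successful login, a fob that drifts slowly stays inside the window as long as it is used regularly; one that sits unused until its drift exceeds `MAX_SKEW` steps is rejected.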