[time-nuts] Time security musing - attacking the clock itself

Jim Lux jimlux at earthlink.net
Tue Dec 4 04:12:47 UTC 2012

On 12/3/12 6:34 PM, Hal Murray wrote:
> lists at lazygranch.com said:
>> I have one of those key fobs. Does the code somehow inform the power the be
>> about the drift in the built in clock? Or is the time element of the code so
>> sloppy that the drift is acceptable?
> The magic number changes every second or so.

Every 30 seconds or every minute.. I've seen both.  My fob is once a 
minute, the iPhone "soft fob" is 30 seconds.

  You only have to scan a few
> seconds either side of the correct time to find a valid match.  Every time
> the server gets a match it can update its memory of the fob time to reduce
> its searching in the future.

Exactly, the maximum time difference is a settable parameter.

> You could measure/compute the drift too.  I don't know if that's worth the
> effort.  It would probably change with temperature so seasonal or lifestyle
> changes could throw the prediction way off.

I don't think they do that.. I think it's a "reset when validated"...

> [I have no inside knowledge.  I could be totally wrong, but that seems
> reasonable to me.  They may have a better approach.]

It's all described on the RSA website..

Hmm..  I suspect I could time my fob once a day, and see how many 
seconds a day it drifts.. without a timed camera it would be hard to get 
tighter than 1 second resolution..

the iPhone one almost certainly uses the internal clock in the phone.

More information about the time-nuts mailing list