[time-nuts] Time security musing - attacking the clock itself

Jim Lux jimlux at earthlink.net
Tue Dec 4 13:57:48 UTC 2012

On 12/3/12 9:59 PM, gary wrote:
> I was a bit concerned about clicking the fob for no good reason. I
> assume each click is a different number. I only use it for ebay and
> paypal. [Incidentally, they jacked the price from $5 to $30.]

The RSA fob doesn't have a button.  It just displays a 6 digit number 
that changes once a minute or so.  The number is generated by a pseudo 
random number generator which is seeded in a way that is tied to the 
serial number.  The compromise last year at RSA involved someone getting 
access to the serial number-seed list.  (This is obviously not a "public 
key" system).

> Now a phone has accurate network time, so they could get really tricky
> with the time as part of the code.
> I was meditating a bit on the power grid synchronization. If all the
> sites but one are in sync, then the generator whose sync is being hacked
> will have a hard time trying to feed the grid while being out of phase.
> This should be detectable electronically in the generator interface. If
> the timing is moved slowly, the "conflict" would build slowly as well.

The problem is: how would you distinguish this from normal load 
dispatch for the generator?  That's how you set the power flow: you 
adjust the phase of your generator to slightly leading the grid, and 
power flows from generator to grid.

> In the dark ages, I TA'd an electronics class set up for non electrical
> engineers. I considered it kind of brutal since they tried to cover just
> about everything in one class. Well it included what we used to call
> "motors and rotors". [I suspect this isn't even taught anymore.] One of
> the lab experiments was to sync a generator to the mains. Now the
> generator was driven by a motor from the mains, so this wasn't
> particularly difficult. You would put a meter between your generator and
> the mains and drag on the shaft a bit until the phase error was zero,
> then turn the switch to connect them.

> Things were going OK but then I heard a nasty sound and the lights
> flickered a bit. It turns out some curious students wanted to see what
> happened if the generator and mains were out of phase. Well, the mains
> wins.

Yes.. there are stories of *big* drive shafts shearing or enormous 
turbomachinery ripping off the floor bolts.

> It is apparently hard to move the grid.

The interconnection problem is complicated by the fact that there are 
long transmission lines in the system which have all the usual 
transmission line issues like reflections, etc.   Your simple lab 
exercise would be substantially more complicated if there were a 1000 km 
long transmission line between the "grid" and "generator".

What you have in the real system is dozens of coupled oscillators, all 
with their own "stiffness" coupled by a complex network of transmission 
lines with propagation delays and mismatch.

> On 12/3/2012 8:12 PM, Jim Lux wrote:
>> On 12/3/12 6:34 PM, Hal Murray wrote:
>>> lists at lazygranch.com said:
>>>> I have one of those key fobs. Does the code somehow inform the powers
>>>> that be about the drift in the built in clock? Or is the time element
>>>> of the code so sloppy that the drift is acceptable?
>>> The magic number changes every second or so.
>> Every 30 seconds or every minute.. I've seen both.  My fob is once a
>> minute, the iPhone "soft fob" is 30 seconds.
>>> You only have to scan a few seconds either side of the correct time
>>> to find a valid match.  Every time the server gets a match it can
>>> update its memory of the fob time to reduce its searching in the
>>> future.
>> Exactly, the maximum time difference is a settable parameter.
>>> You could measure/compute the drift too.  I don't know if that's
>>> worth the effort.  It would probably change with temperature so
>>> seasonal or lifestyle changes could throw the prediction way off.
>> I don't think they do that.. I think it's a "reset when validated"...
>>> [I have no inside knowledge.  I could be totally wrong, but that seems
>>> reasonable to me.  They may have a better approach.]
>> It's all described on the RSA website..
>> Hmm..  I suspect I could time my fob once a day, and see how many
>> seconds a day it drifts.. without a timed camera it would be hard to get
>> tighter than 1 second resolution..
>> the iPhone one almost certainly uses the internal clock in the phone.
>> _______________________________________________
>> time-nuts mailing list -- time-nuts at febo.com
>> To unsubscribe, go to
>> https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
>> and follow the instructions there.

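The server-side matching discussed in the thread (search a settable window around the expected time, then "reset when validated"), as an added example that is not from any poster or from RSA. It assumes an RFC 6238-style HMAC-SHA1 code as a stand-in for the fob's generator, which the thread does not specify; FobRecord, code_at, the 60 second step and the replay guard are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code; the thread mentions both 60 s and 30 s tokens
DIGITS = 6

def code_at(seed: bytes, counter: int) -> str:
    """RFC 4226 value for one time-step counter (stand-in generator, an assumption)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10**DIGITS:0{DIGITS}d}"

class FobRecord:
    """Hypothetical per-token server state: seed, learned clock offset, replay guard."""

    def __init__(self, seed: bytes, max_steps: int = 2):
        self.seed = seed
        self.max_steps = max_steps  # the settable maximum time difference, in steps
        self.offset = 0             # fob clock minus server clock, in steps
        self.last_used = -1         # highest counter already accepted

    def verify(self, submitted: str, server_time: int) -> bool:
        centre = server_time // STEP + self.offset
        # Search outward from the expected step: 0, -1, +1, -2, +2, ...
        for delta in sorted(range(-self.max_steps, self.max_steps + 1), key=abs):
            counter = centre + delta
            if counter <= self.last_used:
                continue            # refuse old or already used codes (added guard)
            if hmac.compare_digest(code_at(self.seed, counter), submitted):
                self.offset += delta     # "reset when validated"
                self.last_used = counter
                return True
        return False
```

Because the offset is re-learned on every successful login, slow drift is absorbed a step at a time, while a token that has drifted past the window since its last use is rejected until it is resynchronised some other way.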