Heh heh heh. You said "Dongle".

[andrewducker]

I have one of those security keys that display a series of numbers that changes every n seconds. I use it whenever I log into work. The work server knows what numbers are on the key at any point, and can thus verify that the key is in my possession, adding to the security.

My question is this - how long will the key and the server stay in synch for? Without anything to resynch them, surely there'll be at least a second in slippage each month?

Comments

[andrewducker]

Although I could imagine that it would allow you to use the number before or after, and if you kept using one that was slightly out of synch the server would just assume you'd slipped in that direction...

[poisonduk.livejournal.com]

I use mine several times a day and it does indeed let you use the previous number - it's synced across so many different systems it couldn't be time sensitive to that degree!

[major-clanger.livejournal.com]

I once had a similar system for a remote login and so did some investigating. It turns out that there is a window of acceptable logins; in other words, if the keyfob is currently generating key k(n), then the authorisation server will accept keys from say k(n-2) to k(n+2). With the key changing maybe every 30s or so, this can allow a couple of minutes' worth of slippage, which is well beyond what even a fairly simple internal clock should experience over a year or so.

[the-magician.livejournal.com]

Also that once the keyfob knows you're at k(n+2) it can adjust an offset kept on the server so that (n+2) is now your central value and your window has moved along a couple of entries so next time it will be from k(n) to k(n+4) or whatever.

And if you're a fair way out and haven't been on for months, then either it will ask for a couple of numbers in succession to find where in the pattern you've got to, or you will have to phone the help desk who will do the same thing manually (ok, it turns out that 112911 and 407997 are k(n+20) and k(n+21) so we'll just shift the internal offset on the server to +20 so you're back in sync.

[sbisson.livejournal.com]

As the_magician noted, the system is self-synchronising over time. However the actual limit is the seed used, and in practice there's only enough randomness in the system for around three years.

[poisonduk.livejournal.com]

Which is why the key fobs have an expiry date and a new one is issued when it reaches it! I assume our company reissue them every 2 or 3 years as mine currently expires in less than 6 months and I'm sure I've only had this one about a year to a year and a half.

[dalglir.livejournal.com]

bump

[princealbert.livejournal.com]

of course this is presuming that the keyfobs primary use is providing secure handshaking.

Its def large enough for:
GPS
camera and 3G transmitter
explosives
etc etc

[poisonduk.livejournal.com]

Mine has a mini cam inside so they can watch that I am really working from home!

[princealbert.livejournal.com]

a) You're never working in your PJs again.
b) Nah, cant be a camera, you'd been sacked a lonnnng time ago.
c) timelapse!

[dpolicar]

I used one of these for about three years without the need for explicit resynchronization (though as others have mentioned, it could be self-synchronizing). It didn't actually fail after that, we changed systems. The new one I've used for about a year and a half now.

[drdoug.livejournal.com]

I used to have one of these, but stupidly failed to do even the most basic experimentation. For all I know I could've typed anything in to the box and it'd have worked. Or it just generated numbers with a secret check digit, or the server would accept any of the numbers generated by the key, or whatever.

Our new improved VPN architecture uses a 5x8 key grid thingummy, which doesn't verify much at all except that the entity attempting login has some data connection to the card originally issued. Which is probably close enough to two-factor authentication for the purposes, mind.