[18685] in cryptography@c2.net mail archive


Re: SecurID and garage door openers

daemon@ATHENA.MIT.EDU (Greg Rose)
Tue Oct 18 13:18:42 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 18 Oct 2005 09:24:17 -0700
To: "Travis H." <solinym@gmail.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: cryptography@metzdowd.com, ggr@qualcomm.com
In-Reply-To: <d4f1333a0510180125v2b2ad2d5h759e037979794c54@mail.gmail.com>

At 03:25 2005-10-18 -0500, Travis H. wrote:
>Speaking of two-factor authentication, can anyone explain how servers
>validate the code from a SecurID token in the presence of clockskew?
>Does it look backwards and forwards in time a few minutes?

Yes, at registration time the server checks that the clock skew is 
reasonable (IIRC, within 100 minutes either way). From then on it 
knows and remembers the approximate clock skew.


>Similarly, how do those garage door openers with "rolling codes" work,
>given that the user may have pressed the button many times
>accidentally while out of range of the receiver?

Ahh, one of the dirty little secrets. If the base receives two 
sequential outputs from a registered token, even if they are a long 
way away from the currently expected output, it will resynchronize to 
that. The replay protection just means that the attacker needs to 
record two sequential accesses, not a single one. When all is working 
as expected, this means the attacker must target you and hang around 
for a day, or do a lunchtime attack on your zapper.

Greg. 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
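
The resynchronization rule described in the message above, modelled as a receiver (an added example, not part of the original post and not any vendor's algorithm). The truncated-HMAC code generator, the window sizes, the key and the counter values are all assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 16          # assumed look-ahead accepted without resync
RESYNC_SPAN = 4096   # assumed distance searched for a resync pair

def code(key: bytes, counter: int) -> str:
    # Stand-in code generator (truncated HMAC), not any vendor's algorithm.
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0      # next counter value expected
        self.pending = None   # counter of a far-ahead code awaiting its successor

    def _find(self, rx: str, start: int, span: int):
        for c in range(start, start + span):
            if hmac.compare_digest(code(self.key, c), rx):
                return c
        return None

    def receive(self, rx: str) -> bool:
        c = self._find(rx, self.counter, WINDOW)
        if c is None and self.pending is not None:
            # Second of two sequential far-ahead codes: resynchronize.
            if hmac.compare_digest(code(self.key, self.pending + 1), rx):
                c = self.pending + 1
        if c is not None:
            self.counter, self.pending = c + 1, None
            return True
        # Far ahead (or unknown): remember where it was, but do not open.
        self.pending = self._find(rx, self.counter + WINDOW, RESYNC_SPAN)
        return False

def demo() -> list:
    key = b"constructed-demo-key"
    rx = Receiver(key)
    # Constructed sequence: a normal press, its replay, a far-ahead pair,
    # a replay of a used code, then a sequential pair the receiver never saw.
    sent = [0, 0, 501, 502, 501, 1000, 1001]
    return [rx.receive(code(key, n)) for n in sent]

if __name__ == "__main__":
    print(demo())
```

Single replays are rejected, but any sequential pair ahead of the receiver's counter is accepted on its second code, which is the weakness the message points out.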
