My workplace uses these things to generate one-time passwords which only work within a short time period. I have always been curious about how the clock synchronisation between the authentication server and the token might work. I'm not sure whether there is any communication between the token and the outside world at all, but I would doubt it because they are small, light, and they must make these things to be as cheap as possible for lowest unit cost. So, maybe there isn't any synchronization at all? But then, wouldn't the clocks gradually drift apart, especially if the battery was running down, eventually resulting in a bricked token?
2 Answers
12
There generally isn't any synchronisation at all.
The specific RSA unit changes once per minute but allows the next 2 or 3 pass codes to be accepted by the server as well - so as long as the token is within a few minutes of correct time it will work.
A quartz clock should lose less than a minute/year and the battery (or system upgrades) normally limit the life of these things to 3 years anyway.

Martin Beckett
- Yes, there isn't any automatic synchronization. When mine lost sync with our server, I had to phone the IT department to "manually" sync it again. – twistor59 Dec 08 '11 at 09:33
- My quartz wristwatch is fast by about 0.65 s/month, so I guess achieving an accuracy of 5 s/month should be really easy. – Edgar Bonet Dec 08 '11 at 15:34
8
The authentication server keeps track of the clock drift in each token and adjusts its expected code calculations based on that. See http://www.rsa.com/products/securid/sb/AS51_SB_0607-lowres.pdf; search for "clock drift".
- Sounds like you could mess up the server's idea of your token's clock drift by waiting a while before entering your code, or entering one you generated a few minutes ago. I don't think that's exploitable, though. – Keith Thompson Dec 09 '12 at 00:02
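As an added illustration of both answers (the acceptance window from the first, the per-token drift tracking from the second), here is a small server-side validator; it is example code, not RSA's algorithm or anything from this thread. The code derivation uses HMAC-SHA1 truncation as a stand-in, and the one-minute step and two-step window are assumed values.

```python
import hmac
import hashlib
import struct

STEP = 60     # one code per minute, as described in the first answer
WINDOW = 2    # accept codes up to 2 steps early or late (assumed value)

def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive the code for a time-step counter.
    HMAC-SHA1 truncation is used here as a stand-in (assumption);
    the token's real algorithm is not described on this page."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

class TokenRecord:
    """Server-side state for one token: its secret and the clock drift
    (in whole steps) the server has learned so far."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0

def verify(record: TokenRecord, code: str, now: int) -> bool:
    """Check `code` against now +/- WINDOW steps, centred on the drift the
    server already knows. On a match, fold the offset into the stored drift
    so a slowly drifting token keeps working without any message back to it."""
    base = now // STEP + record.drift
    for delta in range(-WINDOW, WINDOW + 1):
        expected = token_code(record.secret, base + delta)
        if hmac.compare_digest(expected, code):
            record.drift += delta
            return True
    return False
```

Note that `verify` learns drift only from codes that actually match, so a token further off than the window (from the last learned position) is rejected rather than re-synced, which is the "phone IT" case in the comments above.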