I got a rental car recently and was given an android auto security error when I plugged in my phone. The error message suggested adjusting the date and time on the car, and when I did so (it was exactly 2 years, 1 day, and 12 hours ahead) it worked fine. Why did this matter? What does a system clock being off have to do with security? Wouldnt my phone know that it was innacurate since it picked up that it was wrong in the first place?
In: 1
> What does a system clock being off have to do with security?
Two important uses of time in security, there are others:
1. Encryption certificates (like those that are used on the web that trigger the padlock in your browser) are not valid forever, they have a start and end date. If the date is wrong, expired certificates may be seen as valid (and vice-versa).
2. One-time token generators (like OATH, often known as Google Authenticator) rely on clocks to generate a new token every minute or so. If one clock is off by even just five minutes, the generated tokens will be invalid.
> Wouldnt my phone know that it was innacurate since it picked up that it was wrong in the first place?
*Both* your phone and the car think the other is wrong. They have to agree somehow.
SSL certificates are used to encrypt web traffic and a lot of misc data transfers. They are only valid within a certain time frame and therefore the clock time and date is used as part of the validation process.
Changing the system clock is an easy way to fool such a security mechanism so they look for that as part of the validation process
Imagine it’s WW2 and you’re a spy. The people who designed your cipher decided it’s not safe to keep using the same decoder key again and again since it could eventually be broken by the enemy.
So they decide the decode key needs to be only used for a few days then a new one issued. But how to do that without sending you the new key in plain text so it could be intercepted?
One way might be to send you out with a written list of keys with dates next to them (On May 5th, use this key, then on May 7th switch to this one, then on May 9th switch to this one then…. etc). But now you have a written list with all the keys – a list that might be discovered. That’s no good.
So then they create a formula you can memorize, A formula where you plug in the current date and get out a number, then plug that number into your decoder key. Thus your decoder key changes every day, but doesn’t have to be written down. Perhaps it’s something like “Take out a bit of scratch paper and write out the current date as a 6-digit number in DDMMYY format. Now add your special agent number, which is 51 in your case. Now divide all that by 97 and take the remainder. That number is your code for today. After you have it, burn the scratch paper you used to calculate it.”
Well apps like your phone Authenticator app are doing something kinda like that, except more mathematically complicated and chaotic (since a computer will be calculating it it doesn’t have to be easy to write out.) And instead of a coarse “date” they use a more precise down-to-the-second timestamp as the input into the formula. When you ask it do display an authenticator code, it just shows you the code that’s good for the current 30 seconds or so. Soon that code will be obsolete and the app will show a new code. The remote owner of the app, like Google, also knows what code a person with your ID should be displaying right this very second and can compare what you type in to what it should be outputting right now given your ID number and everything.
Thus why your phone needs to have the right time. If your phone keeps calculating the code that would have been correct 1 minute ago, the server over at Google or wherever will never accept that code because it’s expecting the code you’d get from plugging the current time into the formula, not the one you’d get for plugging in “a minute ago” into the formula.
Just look at the number code on your athenticator, and keep refreshing the screen. You will see it doesn’t take long for the number to change, and then change again, etc.
And to complete the explanation, since the server checking that you typed the right code isn’t in the same timezone as you are, the timestamp that’s actually used for the check is one based on UTC (universal time code, basically Greenwich Mean Time, kinda) rather than your local time. That’s also why your phone needs to know what time zone it’s in so that it gets that shift into UTC correct too.
Latest Answers