Back to Home

Programmable hardware TOTP keys with the ability to synchronize time

We are pleased to announce a new line of programmable hardware TOTP keys from TOKEN2. The main innovation is the ability to synchronize the system clock hardware keys through the NFC API with ...

Programmable hardware TOTP keys with the ability to synchronize time

    We are pleased to announce a new line of programmable hardware TOTP keys from TOKEN2. The main innovation is the ability to synchronize the system clock hardware keys via the NFC API using special applications - at the moment is preparing a release for Android and Windows 10.

    There are no applications for iOS yet: despite the fact that NFC chips are physically present on the latest iPhone models, Apple does not yet provide a public API for their use.


    What is it for?


    Unlike mobile TOTP applications, hardware keys do not have the ability to synchronize time over NTP, over a cellular network or radio signal: the device hardware keys are completely isolated and autonomous, and use a clock on their board as a source of accurate time. In 1933-1934 physicists Scheibe and Adelsberger of the Imperial Physics and Technology Institute in Berlin took up the possibilities of using the piezoelectric effect to measure time. It is this effect that underlies the system clock of the hardware keys. The accuracy of such hours varies from Β± 0.3 to Β± 1.1 s / day, depending on the quality. If this accuracy is sufficient for ordinary wristwatches, in hardware keys, the time difference more than a certain limit may lead to a failure in activation and / or authentication. This limit depends on the specific system (for example, Microsoft Azure MFA allows up to 600 seconds bias to both sides) when it comes to first registering a hardware key. Further, the process of synchronizing the bias during the use of the key for entry is already clearly described inRFC 6238

    RFC 6238 / 6. Resynchronization
    Because of possible clock drifts between a client and a validation
    server, we RECOMMEND that the validator be set with a specific limit
    to the number of time steps a prover can be Β«out of synchΒ» before
    being rejected.

    This limit can be set both forward and backward from the calculated
    time step on receipt of the OTP value. If the time step is
    30 seconds as recommended, and the validator is set to only accept
    two time steps backward, then the maximum elapsed time drift would be
    around 89 seconds, i.e., 29 seconds in the calculated time step and
    60 seconds for two backward time steps.

    This would mean the validator could perform a validation against the
    current time and then two further validations for each backward step
    (for a total of 3 validations). Upon successful validation, the
    validation server can record the detected clock drift for the token
    in terms of the number of time steps. When a new OTP is received
    after this step, the validator can validate the OTP with the current
    timestamp adjusted with the recorded number of time-step clock drifts
    for the token.

    Also, it is important to note that the longer a prover has not sent
    an OTP to a validation system, the longer (potentially) the
    accumulated clock drift between the prover and the verifier. In such
    cases, the automatic resynchronization described above may not work
    if the drift exceeds the allowed threshold. Additional
    authentication measures should be used to safely authenticate the
    prover and explicitly resynchronize the clock drift between the
    prover and the validator.

    That is, if the authentication server complies with all RFC prescriptions, and if the key is used for authentication is not too rare, for example, at least a couple of times a year (the exact number can be calculated using the accuracy of the oscillator and the time offset allowed by the server), then time offsets will be taken into account on the server side and problems should arise. When using keys in such conditions, the time synchronization function is basically not needed.

    However, the time synchronization function can be useful in the following cases:

    • If the server implementation of TOTP does not follow RFC6238 recommendation # 6. One example of such an implementation is DUO :
      TOTP token drift and resynchronization are not supported. It is not necessary to work with the author, but may not have to

    • If a batch of hardware keys was purchased a long time ago, but they had to be activated only after some time - in this case there is simply no synchronization mechanism in many systems.
    • If the hardware key is used to log in less frequently than is needed for synchronization. For example, if a user wants to β€œcopy” the same TOTP profile (more precisely, the secret secret key) to two devices: a) to a mobile application on the phone for everyday use and b) to a programmable hardware key as a backup for a rainy day . Thus, if this rainy day comes in 3-4 years, the hardware token will no longer be used precisely because of the time difference. And the battery on the token, which has not been turned on for a long time, almost does not lose capacity. Consequently, in this case, it is enough just to β€œset” the clock on them in order to return them to the system.

    Security analysis
    Как всСгда, Ρ‚Π°ΠΊΠΎΠ³ΠΎ Ρ€ΠΎΠ΄Π° Π½ΠΎΠ²ΡˆΠ΅ΡΡ‚Π²Π° всСгда основаны Π½Π° балансС ΠΊΠΎΠΌΡ„ΠΎΡ€Ρ‚Π°/удобства ΠΈ уровня бСзопасности. НС ΡΠ²Π»ΡΡŽΡ‚ΡΡ ΠΈΡΠΊΠ»ΡŽΡ‡Π΅Π½ΠΈΠ΅ΠΌ ΠΈ ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠΈΡ€ΡƒΠ΅ΠΌΡ‹Π΅ ΠΊΠ»ΡŽΡ‡ΠΈ с Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒΡŽ синхронизации Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ, ΠΎΡ‚ Π°Ρ‚Π°ΠΊ ΠΏΠΎ сСти (Ρ„ΠΈΡˆΠΈΠ½Π³, Ρ‡Π΅Π»ΠΎΠ²Π΅ΠΊ посСрСдинС ΠΈ Ρ‚.Π΄. β€” Π² Π±ΠΎΠ»ΡŒΡˆΠΈΠ½ΡΡ‚Π²Π΅ случаСв наши ΠΊΠ»ΠΈΠ΅Π½Ρ‚Ρ‹ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΡŽΡ‚ TOTP Ρ‚ΠΎΠΊΠ΅Π½Ρ‹ ΠΈΠΌΠ΅Π½Π½ΠΎ для Π·Π°Ρ‰ΠΈΡ‚Ρ‹ ΠΎΡ‚ Ρ‚Π°ΠΊΠΎΠ³ΠΎ Ρ€ΠΎΠ΄Π° Π°Ρ‚Π°ΠΊ) ΠΎΠ½ΠΈ ΠΊΠΎΠ½Π΅Ρ‡Π½ΠΎ защитят Π² ΠΏΠΎΠ»Π½ΠΎΠΉ ΠΌΠ΅Ρ€Π΅, Π½ΠΎ данная Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡ‚ΡŒ ΠΏΡ€Π΅Π΄ΠΏΠΎΠ»Π°Π³Π°Π΅Ρ‚ ΠΌΠ°Π»ΠΎΠ·Π½Π°Ρ‡ΠΈΡ‚Π΅Π»ΡŒΠ½ΡƒΡŽ ΠΈ чисто Ρ‚Π΅ΠΎΡ€Π΅Ρ‚ΠΈΡ‡Π΅ΡΠΊΡƒΡŽ Π²Π΅Ρ€ΠΎΡΡ‚Π½ΠΎΡΡ‚ΡŒ Π°Ρ‚Π°ΠΊΠΈ ΠΏΡƒΡ‚Ρ‘ΠΌ ΠΏΠΎΠ²Ρ‚ΠΎΡ€Π° (replay attack) с условиСм Ρ‡Ρ‚ΠΎ Π·Π»ΠΎΡƒΠΌΡ‹ΡˆΠ»Π΅Π½Π½ΠΈΠΊΠΈ ΠΌΠΎΠ³ΡƒΡ‚:

    1. ΠŸΠΎΠ»ΡƒΡ‡ΠΈΡ‚ΡŒ ΠΏΠ΅Ρ€Π²Ρ‹ΠΉ Ρ„Π°ΠΊΡ‚ΠΎΡ€ (ΠΏΠ°Ρ€ΠΎΠ»ΡŒ).
    2. Π˜ΠΌΠ΅Ρ‚ΡŒ физичСский доступ ΠΊ Π°ΠΏΠΏΠ°Ρ€Π°Ρ‚Π½ΠΎΠΌΡƒ ΠΊΠ»ΡŽΡ‡Ρƒ Π±Π΅Π· Π²Π΅Π΄ΠΎΠΌΠ° Π²Π»Π°Π΄Π΅Π»ΡŒΡ†Π° Π½Π° протяТСнии достаточно Π΄ΠΎΠ»Π³ΠΎΠ³ΠΎ Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ (см этап 3.).
    3. Π‘ ΠΏΠΎΠΌΠΎΡ‰ΡŒΡŽ прилоТСния, Ρ‡Π΅Ρ€Π΅Π· NFC пСрСвСсти врСмя Π½Π° ΠΊΠ»ΡŽΡ‡Π΅ Π²ΠΏΠ΅Ρ€Π΅Π΄ Π½Π° ΠΎΠΏΡ€Π΅Π΄Π΅Π»Π΅Π½Π½ΡƒΡŽ Π΄Π°Ρ‚Ρƒ, ΠΈ Π·Π°ΠΏΠΈΡΠ°Ρ‚ΡŒ достаточноС количСство сгСнСрированных ΠΊΠΎΠ΄ΠΎΠ². Π‘ΠΊΡ€ΠΈΠΏΡ‚ΠΎΠΌ это Ρ€Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Ρ‚ΡŒ Π½Π΅ получится, Ρ‚Π°ΠΊ ΠΊΠ°ΠΊ для Π³Π΅Π½Π΅Ρ€Π°Ρ†ΠΈΠΈ ΠΊΠΎΠ΄ΠΎΠ² Π½ΡƒΠΆΠ½ΠΎ Π½Π°ΠΆΠ°Ρ‚ΡŒ Π½Π° Ρ„ΠΈΠ·ΠΈΡ‡Π΅ΡΠΊΡƒΡŽ ΠΊΠ½ΠΎΠΏΠΊΡƒ, Π° Ρ‚Π΅ΠΊΡƒΡ‰ΠΈΠΉ ΠΊΠΎΠ΄ Ρ‚ΠΎΠ»ΡŒΠΊΠΎ ΠΏΠΎΠ΄ΡΠΌΠΎΡ‚Ρ€Π΅Ρ‚ΡŒ Π½Π° экранС (ΠΏΠΎ NFC ΠΎΠ½ Π½Π΅ пСрСдаСтся).
    4. Π’Π΅Ρ€Π½ΡƒΡ‚ΡŒ врСмя ΠΎΠ±Ρ€Π°Ρ‚Π½ΠΎ (Ρ‡Ρ‚ΠΎΠ±Ρ‹ Π²Π»Π°Π΄Π΅Π»Π΅Ρ† Π½ΠΈ ΠΎ Ρ‡Π΅ΠΌ Π½Π΅ догадался).
    5. И, Π½Π°ΠΊΠΎΠ½Π΅Ρ†, Π²Ρ‹ΠΏΠΎΠ»Π½ΠΈΡ‚ΡŒ Π²Ρ…ΠΎΠ΄ Π² систСму ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΡ ΠΏΠ°Ρ€ΠΎΠ»ΡŒ (этап 1) ΠΈ ΠΎΠ΄ΠΈΠ½ ΠΈΠ· ΠΊΠΎΠ΄ΠΎΠ² ΠΏΠΎΠ»ΡƒΡ‡Π΅Π½Π½Ρ‹Ρ… Π½Π° этапС 3.

    Π”Π°Π½Π½Ρ‹ΠΉ риск, ΠΊΠ°ΠΊ Π²ΠΈΠ΄ΠΈΠΌ, ΠΌΠΎΠΆΠ΅Ρ‚ Π²ΠΎΠ·Π½ΠΈΠΊΠ½ΡƒΡ‚ΡŒ лишь ΠΏΡ€ΠΈ условии физичСского доступа ΠΊ устройству, Π½Π°ΠΏΡ€ΠΈΠΌΠ΅Ρ€, Π°Ρ‚Π°ΠΊΡƒ смоТСт ΠΎΡΡƒΡ‰Π΅ΡΡ‚Π²ΠΈΡ‚ΡŒ ΠΊΠΎΠ»Π»Π΅Π³Π° сидящий рядом ΠΈ ΠΏΠΎ ΠΊΠ°ΠΊΠΎΠΉ-Ρ‚ΠΎ ΠΏΡ€ΠΈΡ‡ΠΈΠ½Π΅ Π΅Ρ‰Π΅ ΠΈ Π·Π½Π°ΡŽΡ‰ΠΈΠΉ ΠΏΠ°Ρ€ΠΎΠ»ΡŒ. Но ΠΏΡ€ΠΈ Ρ‚Π°ΠΊΠΈΡ… условиях использованиС классичСских TOTP Ρ‚ΠΎΠΊΠ΅Π½ΠΎΠ² ΠΏΡ€ΠΈΠ²Π΅Π΄Π΅Ρ‚ ΠΊ Ρ‚Π°ΠΊΠΎΠΌΡƒ ΠΆΠ΅ риску. К слову ΡΠΊΠ°Π·Π°Ρ‚ΡŒ, риск ΠΊΠΎΠΌΠΏΡ€ΠΎΠΌΠ΅Ρ‚Π°Ρ†ΠΈΠΈ Ρ‚ΠΎΠΊΠ΅Π½ΠΎΠ² с Ρ„ΡƒΠ½ΠΊΡ†ΠΈΠ΅ΠΉ синхронизации Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ сравним с риском fido u2f дСвайсов β€” Ссли Π·Π»ΠΎΡƒΠΌΡ‹ΡˆΠ»Π΅Π½Π½ΠΈΠΊ Π²Ρ€Π΅ΠΌΠ΅Π½Π½ΠΎ ΠΈ Π½Π΅Π·Π°ΠΌΠ΅Ρ‚Π½ΠΎ ΠΏΠΎΠ»ΡƒΡ‡ΠΈΠ» доступ ΠΊ u2f ΠΊΠ»ΡŽΡ‡Ρƒ обладая ΠΏΡ€ΠΈ этом ΠΏΠ°Ρ€ΠΎΠ»Π΅ΠΌ, ΠΎΠ½ ΠΌΠΎΠΆΠ΅Ρ‚ Π²ΠΎΠΉΡ‚ΠΈ Π² систСму с этим ΠΊΠ»ΡŽΡ‡ΠΎΠΌ, ΠΈ Π΄ΠΎΠ±Π°Π²ΠΈΡ‚ΡŒ Π΄Ρ€ΡƒΠ³ΠΎΠΉ (свой) ΠΊΠ»ΡŽΡ‡ ΠΈ Π·Π°Ρ‚Π΅ΠΌ Ρ‚Π°ΠΊ ΠΆΠ΅ Π½Π΅Π·Π°ΠΌΠ΅Ρ‚Π½ΠΎ Π²Π΅Ρ€Π½ΡƒΡ‚ΡŒ ΠΈΡ…ΠΎΠ΄Π½Ρ‹ΠΉ ΠΊΠ»ΡŽΡ‡ Π²Π»Π°Π΄Π΅Π»ΡŒΡ†Ρƒ- ΠΏΠΎ спСцификации Ρƒ ΠΎΠ΄Π½ΠΎΠ³ΠΎ Π°ΠΊΠ°ΡƒΠ½Ρ‚Π° ΠΌΠΎΠΆΠ΅Ρ‚ Π±Ρ‹Ρ‚ΡŒ Π±ΠΎΠ»Π΅Π΅ ΠΎΠ΄Π½ΠΎΠ³ΠΎ u2f ΠΊΠ»ΡŽΡ‡Π°, ΠΈ любой ΠΌΠΎΠΆΠ½ΠΎ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ для ΠΏΠ°Ρ€Π°Π»Π»Π΅Π»ΡŒΠ½ΠΎΠ³ΠΎ Π²Ρ…ΠΎΠ΄Π°. Π’Π°ΠΊΠΎΠΌΡƒ ΠΆΠ΅ риску ΠΏΠΎΠ΄Π²Π΅Ρ€ΠΆΠ΅Π½Ρ‹ ΠΈ Ρ„Π°ΠΊΡ‚ΠΎΡ€Ρ‹ ΠΏΠΎΠ΄ΠΎΠ±Π½Ρ‹Π΅ Perfect paper passwords.
    Как Π²ΠΈΠ΄ΠΈΡ‚Π΅, Π°Ρ‚Π°ΠΊΠ° довольно слоТная ΠΈ маловСроятна, ΠΈ Π² Ρ†Π΅Π»ΠΎΠΌ ΡƒΡ€ΠΎΠ²Π΅Π½ΡŒ риска использования Ρ‚Π°ΠΊΠΈΡ… Ρ‚ΠΎΠΊΠ΅Π½ΠΎΠ² ΠΌΠΎΠΆΠ½ΠΎ ΡΡ€Π°Π²Π½ΠΈΡ‚ΡŒ с использованиСм прилоТСния Ρ‚ΠΈΠΏΠ° Google Authenticator Π½Π° смартфонС Π±Π΅Π· ΠΏΠΈΠ½-ΠΊΠΎΠ΄Π°, Π½Π΅ ΠΈΠΌΠ΅ΡŽΡ‰ΠΈΠΌ доступа Π² ΡΠ΅Ρ‚ΡŒ ΠΈ ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ ΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»ΡŒ всСгда носит с собой.
    Для ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠ², всС ΠΆΠ΅ ΡΡ‡ΠΈΡ‚Π°ΡŽΡ‰ΠΈΡ… Π΄Π°ΠΆΠ΅ этот риск достаточно большим наши Ρ€Π΅ΠΊΠΎΠΌΠ΅Π½Π΄Π°Ρ†ΠΈΠΈ ΠΏΠΎ этому ΠΏΠΎΠ²ΠΎΠ΄Ρƒ Ρ‚Π°ΠΊΠΈΠ΅:
    1. ΠžΠ³Ρ€Π°Π½ΠΈΡ‡ΠΈΠ²Π°Ρ‚ΡŒ физичСский доступ ΠΊ Ρ‚Π°ΠΊΠΎΠ³ΠΎ Ρ‚ΠΈΠΏΠ° ΠΊΠ»ΡŽΡ‡Π°ΠΌ ΠΏΡ€ΠΈΠ±Π»ΠΈΠ·ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎ Ρ‚Π°ΠΊ ΠΆΠ΅ ΠΊΠ°ΠΊ ΠΈ ΠΊ банковским ΠΊΠ°Ρ€Ρ‚Π°ΠΌ (ΠΊ слову ΡΠΊΠ°Π·Π°Ρ‚ΡŒ, наши ΠΊΠ»ΡŽΡ‡ΠΈ ΠΈΠΌΠ΅Π½Π½ΠΎ Π² Ρ„ΠΎΡ€ΠΌΠ°Ρ‚Π΅ банковских ΠΊΠ°Ρ€Ρ‚).
    2. Π˜ΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠΈΡ€ΡƒΠ΅ΠΌΡ‹Π΅ ΠΊΠ»ΡŽΡ‡ΠΈ Π±Π΅Π· Ρ„ΡƒΠ½ΠΊΡ†ΠΈΠΈ синхронизации Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ (miniOTP-1)
    3. Π˜ΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠΈΡ€ΡƒΠ΅ΠΌΡ‹Π΅ ΠΊΠ»ΡŽΡ‡ΠΈ c Ρ„ΡƒΠ½ΠΊΡ†ΠΈΠ΅ΠΉ синхронизации Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ, совмСщСнной с ΡƒΠ΄Π°Π»Π΅Π½ΠΈΠ΅ΠΌ сСкрСтного ΠΊΠ»ΡŽΡ‡Π°. Π’ΠΎ Π΅ΡΡ‚ΡŒ, ΠΏΡ€ΠΈ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠΈ Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ Ρ‚ΠΎΠΊΠ΅Π½Π°, seed Π±ΡƒΠ΄Π΅Ρ‚ ΠΎΠ±Π½ΡƒΠ»Π΅Π½ ΠΈ Π½Π°Π΄ΠΎ Π±ΡƒΠ΄Π΅Ρ‚ Π·Π°Π½ΠΎΡΠΈΡ‚ΡŒ Π΅Π³ΠΎ Π·Π°Π½ΠΎΠ²ΠΎ (miniOTP-3, ΠΎ Π΄Π°Ρ‚Π΅ Ρ€Π΅Π»ΠΈΠ·Π° ΠΌΠΎΠ΄Π΅Π»ΠΈ Π±ΡƒΠ΄Π΅Ρ‚ обьявлСно Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎ)


    Where can one buy?
    ΠŸΡ€Π΅Π΄Π·Π°ΠΊΠ°Π· ΠΎΡ‚ΠΊΡ€Ρ‹Ρ‚ Π½Π° нашСм сайтС. Π˜ΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠΉΡ‚Π΅ ΠΏΡ€ΠΎΠΌΠΎΠΊΠΎΠ΄ HABR2019 для скидки 10% (количСство ΠΊΡƒΠΏΠΎΠ½ΠΎΠ² ΠΎΠ³Ρ€Π°Π½ΠΈΡ‡Π΅Π½ΠΎ). Доставка ΠΎΠ±Ρ‹Ρ‡Π½ΠΎΠΉ ΠΏΠΎΡ‡Ρ‚ΠΎΠΉ (SwissPost ΠΈΠ»ΠΈ La Poste France). Π‘ доставкой Π² страны БНГ ΠΏΡ€ΠΎΠ±Π»Π΅ΠΌ Π΄ΠΎ сих ΠΏΠΎΡ€ Π½Π΅ Π²ΠΎΠ·Π½ΠΈΠΊΠ°Π»ΠΎ.

    Read Next