How does an RSA key fob keep in synchronization with the RSA server if they are two independent clocks?

Status
Not open for further replies.

steppinthrax

So no matter how precisely you try to synchronize clocks, they will eventually get out of sync. For example, if the clock is off by a millionth of a second, after one million RSA keys show up on the key fob it will be off by a whole second.

Where is the synchronization?
 

Mark R

The server will accept codes from the fob within a small range of times (e.g. 1 minute on either side of the time the server expects). When a log-on is successful, the server will perform a type of synchronisation.

When the server gets a code from the fob that isn't exactly right, it keeps a record of how fast or slow the fob is. So, if your fob gives a code that is '1 minute in the future', the server will record that the fob is 1 minute fast, and use that for future comparisons. So, if in 1 month's time, the fob has gained another minute, the server will still accept the code (because it is within 1 minute of expected), and the server will then update its record to show that the fob's clock is 2 minutes ahead.

In fact the RSA servers are more subtle than that. If you log in on day 1 and your fob's clock is bang on, then on day 30 you log in and the fob is 1 minute fast, the server not only records that the fob is 1 minute ahead, but that the fob is gaining at the rate of 1 minute/month. So, if you then go 2 months without logging in, the server will expect the fob to be 3 minutes ahead.
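The acceptance window and drift tracking described in the post above, sketched as an added example (not part of the original thread and not RSA's code). The code generator is a stand-in built on HMAC-SHA256, and `STEP`, `WINDOW`, `MIN_GAP` and the `FobRecord` class are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60        # seconds per displayed code (assumed)
WINDOW = 1       # accept codes up to 1 step either side of the expected one
MIN_GAP = 86400  # only re-estimate the drift rate from logins >= 1 day apart

def code_at(seed: bytes, counter: int) -> str:
    """Stand-in generator: HMAC-SHA256 truncated to 6 digits (not SecurID's algorithm)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class FobRecord:
    """Server-side state for one fob: last observed offset and drift rate."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.offset = 0         # steps the fob was ahead at the last login
        self.rate = 0.0         # steps gained per second of server time
        self.last_login = None  # server time of the last successful login

    def expected_offset(self, now: int) -> float:
        """Extrapolate the fob's offset from the last login using the drift rate."""
        if self.last_login is None:
            return self.offset
        return self.offset + self.rate * (now - self.last_login)

    def verify(self, code: str, now: int) -> bool:
        server_step = now // STEP
        center = server_step + round(self.expected_offset(now))
        # Try the expected step first, then its neighbours inside the window.
        for delta in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            if hmac.compare_digest(code_at(self.seed, center + delta), code):
                observed = center + delta - server_step
                if self.last_login is not None and now - self.last_login >= MIN_GAP:
                    self.rate = (observed - self.offset) / (now - self.last_login)
                self.offset, self.last_login = observed, now
                return True
        return False

if __name__ == "__main__":
    seed, day, t0 = b"constructed-seed", 86400, 1_700_000_000  # constructed sample values
    rec = FobRecord(seed)
    for elapsed_days, fob_ahead in [(0, 0), (30, 1), (90, 3)]:  # timeline from the post
        now = t0 + elapsed_days * day
        print(elapsed_days, rec.verify(code_at(seed, now // STEP + fob_ahead), now))
```

With only the stored offset of 1 step and no rate, the day-90 code (3 steps ahead) would fall outside the window and be rejected. A production verifier would also refuse to accept the same code twice.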
 

bsobel

Originally posted by: Mark R
The server will accept codes from the fob within a small range of times (e.g. 1 minute on either side of the time the server expects). When a log-on is successful, the server will perform a type of synchronisation.

When the server gets a code from the fob that isn't exactly right, it keeps a record of how fast or slow the fob is. So, if your fob gives a code that is '1 minute in the future', the server will record that the fob is 1 minute fast, and use that for future comparisons. So, if in 1 month's time, the fob has gained another minute, the server will still accept the code (because it is within 1 minute of expected), and the server will then update its record to show that the fob's clock is 2 minutes ahead.

In fact the RSA servers are more subtle than that. If you log in on day 1 and your fob's clock is bang on, then on day 30 you log in and the fob is 1 minute fast, the server not only records that the fob is 1 minute ahead, but that the fob is gaining at the rate of 1 minute/month. So, if you then go 2 months without logging in, the server will expect the fob to be 3 minutes ahead.

Yep, and further there are versions of the keys that can sync their clocks (by a physical connection). For those that don't, the fobs have a set lifetime after which they aren't supposed to be used.
 

gsellis

Adding... and based on the time, it expects a range of codes. You can unsync it also by pressing an 'on demand' type FOB's button multiple times without trying to sync. I think both RSA and Verisign use a range of 5. IOW, don't let a 5 year old play with your FOB unless you know where your resync site is ;)
 