One-time authentication tokens produce a series of unpredictable one-time passcodes that serve as a second authentication factor when users authenticate to remote servers. Passcodes are typically generated on a regular time basis, i.e., in specified time intervals often called epochs. For instance, the widely used RSA SecurID® user authentication token, commercially available from RSA Security Inc. of Bedford, Mass., U.S.A., produces a new passcode every minute. Passcodes are unpredictable because they are produced pseudorandomly from a secret state that is stored on the token and is also shared with the server.
Tokens can be implemented in hardware or in software. For software tokens, an application is responsible for securely storing the secret state and for producing "on demand" the specific series of passcodes that starts from the point in time at which the application is launched. Software tokens therefore always take as input the current time of the device on which the application runs. For instance, a token application on a mobile phone takes as input the current time of the phone.
The dependence on the current device time, however, may create usability and/or security problems for the application, owing in general to time synchronization issues between the token device and the authentication server. Indeed, normal token operation already requires some slack (loose synchronization) between the token and the server, to account for, e.g., time zone differences and minor deviations between the token and server clocks.
If the user is able to manipulate the device time, however, the token's key-update application will compute a key that is wrong for the current actual time. When the altered device time is later than the current actual time (referred to as a forward clock attack), the user or attacker is able to obtain a key that will only become valid at that later time. In addition, the internal state of a forward-secure key-update tree becomes locked to the future device time: forward security means that the states for earlier epochs are erased as the tree advances, so they cannot be recomputed. Accordingly, if the user or attacker later corrects the device time back to the actual time, the forward-secure key generation module remains blocked at the future time, and the system that relies on the forward-secure keys may stay unusable for a certain amount of time (e.g., until the time corresponding to the forward clock attack point is actually reached). In general, the key generation module of the device will then be out of synchronization with the corresponding server (which makes use of the produced keys), because the server, which is expected to keep track of the actual time accurately, will receive a passcode keyed with a state that corresponds to a future, forwarded point in time rather than to the current actual time.
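The lock-out described above, and the server's slack window from the preceding paragraph, are easiest to see in a small simulation. The following is an added illustration written for this page, not code from RSA or from the referenced patent application: the "forward-secure" generator is a toy SHA-256 hash chain (one state per epoch, older states discarded), the 60-second epoch and the two-epoch slack window are assumed values, and the shared secret and the "actual" time are constructed sample inputs.

```python
import hashlib
import hmac

EPOCH_SECONDS = 60   # one passcode per minute, as in the text
SLACK_EPOCHS = 2     # assumed: server tolerates +/- 2 epochs of clock drift


def next_state(state: bytes) -> bytes:
    """One step of the hash chain. SHA-256 is one-way, so earlier states cannot be recovered."""
    return hashlib.sha256(state).digest()


def passcode_from_state(state: bytes) -> str:
    """Six-digit passcode derived from a state via HMAC, so the passcode does not reveal the state."""
    tag = hmac.new(state, b"passcode", hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 10**6:06d}"


class SoftwareToken:
    """Token side: keeps only the current state and epoch. It can move forward in time, never back."""

    def __init__(self, seed: bytes):
        self.state = seed
        self.epoch = 0

    def passcode(self, device_time: int):
        target = device_time // EPOCH_SECONDS
        if target < self.epoch:
            return None          # locked: the states for earlier epochs were erased
        while self.epoch < target:
            self.state = next_state(self.state)
            self.epoch += 1
        return passcode_from_state(self.state)


class Server:
    """Server side: trusted clock, same seed, searches a small window of epochs around 'now'."""

    def __init__(self, seed: bytes):
        self.chain = [seed]      # chain[i] is the state for epoch i (server may keep history)

    def state_for(self, epoch: int) -> bytes:
        while len(self.chain) <= epoch:
            self.chain.append(next_state(self.chain[-1]))
        return self.chain[epoch]

    def verify(self, code: str, actual_time: int):
        """Returns (accepted, epoch offset). Offset is the token's drift relative to the server clock."""
        now = actual_time // EPOCH_SECONDS
        for offset in range(-SLACK_EPOCHS, SLACK_EPOCHS + 1):
            epoch = now + offset
            if epoch < 0:
                continue
            if hmac.compare_digest(passcode_from_state(self.state_for(epoch)), code):
                return True, offset
        return False, None


def forward_clock_attack_demo() -> dict:
    """Walks through normal operation, a forward clock attack, and the resulting lock-out."""
    seed = b"constructed-shared-secret-for-illustration"   # constructed sample secret
    token, server = SoftwareToken(seed), Server(seed)
    actual = 1_000_000                                     # constructed 'true' time in seconds

    results = {}
    # Normal operation: device clock matches the server clock.
    results["in_sync"] = server.verify(token.passcode(actual), actual)
    # Minor drift (device one minute ahead) is absorbed by the slack window.
    results["minor_drift"] = server.verify(token.passcode(actual + 60), actual)
    # Forward clock attack: device clock set 10 minutes ahead, token advances 10 epochs.
    future_code = token.passcode(actual + 600)
    results["forwarded_now"] = server.verify(future_code, actual)        # outside the window
    # Clock corrected back to the actual time: token is locked, earlier states are gone.
    results["locked_after_correction"] = token.passcode(actual)
    # Once real time catches up with the attack point, the pre-computed code is valid.
    results["forwarded_later"] = server.verify(future_code, actual + 600)
    return results


if __name__ == "__main__":
    for name, value in forward_clock_attack_demo().items():
        print(f"{name}: {value}")
```

Two things worth noting from the run: the server rejects the forwarded passcode only because it falls outside the slack window, so widening that window to "fix" the lock-out would instead extend the attacker's reach; and the server's accepted offset is the natural place to observe a suspicious drift, which the token itself cannot report once it has already advanced.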
U.S. patent application Ser. No. 13/728,271, filed Dec. 27, 2012, entitled "Forward Secure Pseudorandom Number Generation Resilient to Forward Clock Attacks," now U.S. Pat. No. 9,083,515, incorporated by reference herein, discloses forward-secure pseudorandom number generators (FS-PRNGs) that are also resilient to such forward clock attacks. These FS-PRNGs translate a detected time-synchronization problem into a change of the range of the pseudorandom numbers produced by the generator, and thus also into an increase of the server's search space. Nonetheless, a need remains for improved techniques for token-side detection of such forward clock attacks, as well as for new techniques for server-side detection and prevention of such attacks that do not affect the search space of the server. A further need exists for techniques for communicating a detected forward clock attack to the server without affecting the underlying FS-PRNG being used, while ensuring that such forward clock attack prevention is enforced.