Questions tagged [time]

For security issues relating to the system time of a host, or relating to real-world clocks more generally. Please use the tags [timestamp] or [performance] for questions on those topics.

Examples of correct usage include protocols that are sensitive to the server and client having synchronized system clocks, or protocols that must be completed within a certain amount of time.

37 questions
61 votes, 9 answers

How important is local time for security?

I recently wanted to see what happens when I change my local time to something obviously wrong. I tried the year 2218, so 200 years in the future. The result: I couldn't access any website anymore (I didn't try too many, though). I got this…
Martin Thoma
  • 3,902
  • 6
  • 30
  • 42
39 votes, 3 answers

Why should memcmp not be used to compare security critical data?

From man 3 memcmp: Do not use memcmp() to compare security critical data, such as cryptographic secrets, because the required CPU time depends on the number of equal bytes. Instead, a function that performs comparisons in constant…
gaazkam
  • 5,607
  • 11
  • 24
  • 37
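An added illustration, not part of the question or its answers: the early-exit behaviour that man 3 memcmp warns about, modelled in Python so the leak is visible as a byte count, beside a branch-free comparison in the style of CRYPTO_memcmp()/timingsafe_memcmp() and the stdlib call production code should actually use. The secret and guesses are constructed sample values.

```python
import hmac


def memcmp_style(a, b):
    """Early-exit comparison, the behaviour man 3 memcmp warns about.

    Returns (equal, bytes_examined). The loop stops at the first mismatch,
    so the work done (and hence the CPU time) reveals how many leading
    bytes of the guess matched the secret. Shown only for contrast.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a, b):
    """Branch-free comparison in the style of CRYPTO_memcmp()/timingsafe_memcmp().

    Every byte pair is XORed and OR-ed into an accumulator; the result is
    only inspected once the whole buffer has been walked, so the amount of
    work does not depend on where (or whether) the inputs differ.
    A CPython loop is not guaranteed constant-time by the interpreter;
    real code should call hmac.compare_digest, which is implemented in C.
    """
    if len(a) != len(b):
        # The length is still leaked here. When the length itself is
        # sensitive, compare fixed-length values (a MAC or hash of each side).
        return False, 0
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0, len(a)


def verify_mac(expected, received):
    """What production code should call: the stdlib's constant-time comparison."""
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample secret and guesses (not real data).
    secret = b"correct-horse-battery"
    for guess in (b"xorrect-horse-battery", b"corrext-horse-battery", secret):
        print(guess, memcmp_style(secret, guess), constant_time_equal(secret, guess))
```

With the early-exit comparator, a wrong first byte is rejected after 1 byte and a wrong sixth byte after 6, so an attacker who can time the check recovers the secret one byte at a time; the branch-free version examines all 21 bytes in every case.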
38 votes, 8 answers

Why does my digital bank need my phone date and hour to be correct?

I'm not from Information Security or any IT related area. But I want to know if there is any security reason for my digital bank to demand my phone to be on "Automatic Date & Time"? For example, if I'm abroad, I cannot transfer some money to a…
RA828
  • 493
  • 4
  • 7
32 votes, 12 answers

Could I recover the content of file from its checksum/hash?

Let's say I have a video file that is split into multiple parts. Each piece is 2 Megabytes. I also have a list of the *insert hash name here* for each piece and also for the full file. Now assume that I have misplaced/lost/fubar one of these…
beppe9000
  • 555
  • 1
  • 4
  • 10
12 votes, 1 answer

What is the purpose of JSON Web Token (JWS)'s issued at "iat" field?

RFC 7519 specifies an optional "iat" field, indicating when a token was issued. The RFC provides a terse commentary: This claim can be used to determine the age of the JWT. What is the purpose of the "iat" field? For example, why would one want to…
jtpereyda
  • 1,430
  • 2
  • 16
  • 26
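An added example, not from the question or its answer, of what a verifier can do with "iat" that it cannot do with "exp" alone: a minimal HS256 JWT is minted and then checked with a verifier-side maximum age, a rejection of tokens whose iat lies in the future (clock skew beyond the leeway, or a forged timestamp), and a cut-off for tokens issued before a credential reset. The key, claims and timestamps are constructed test values; the leeway and max-age numbers are illustrative policy choices, not values the RFC prescribes.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, key, now, ttl):
    """Mint an HS256 JWT carrying both iat (issued-at) and exp (expiry)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now, max_age, leeway=60, revoked_before=0):
    """Verify signature and time claims; return the claims or raise ValueError.

    exp is the issuer's ceiling on validity. iat lets the *verifier* apply
    its own, stricter policy:
      - reject tokens older than max_age (a sensitive endpoint may want a
        token minted in the last few minutes even if exp says it is good
        for a day);
      - reject tokens whose iat lies in the future by more than `leeway`,
        which means clock skew or a forged timestamp;
      - reject tokens issued before `revoked_before`, e.g. the moment the
        user's password was changed, without keeping a per-token denylist.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat and exp are required by this verifier")
    if iat > now + leeway:
        raise ValueError("iat is in the future (clock skew or forgery)")
    if now > exp + leeway:
        raise ValueError("token expired")
    if now - iat > max_age:
        raise ValueError("token older than this verifier allows")
    if iat < revoked_before:
        raise ValueError("token issued before credential reset")
    return claims


if __name__ == "__main__":
    key = b"constructed-test-key"          # constructed, not a real secret
    token = issue_jwt({"sub": "alice"}, key, now=1_700_000_000, ttl=3600)
    print(verify_jwt(token, key, now=1_700_000_100, max_age=600))
```

Note the order of checks: the signature is verified before any claim is read, so an attacker cannot steer the time-claim logic with an unsigned payload, and the leeway is applied symmetrically to iat and exp so that the same clock-skew tolerance governs both directions.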
7 votes, 2 answers

How many known time/result combinations does it take to guess a HOTP/TOTP secret?

I thought about "recovering", "determining", "guessing", "calculating" or "reproducing" the HOTP/TOTP secrets when only the outcome (6-digit code + time) is known. In case we can view the live creation of HOTP/TOTP codes without knowing the actual…
Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
7 votes, 1 answer

PHP Session Vulnerability

I'm trying to solve a challenge on a CTF, with PHP sessions. The goal is to make check.php echo $_PASSWORD. I do not have access to the files themselves, and therefore I cannot edit them. My proposed solution is: We want the session to be locked…
Roee H
  • 139
  • 1
  • 5
6 votes, 1 answer

Mitigate Time Spoofing Attack

Say Alice receives synchronized time from Tina the timekeeper. Say Ted spoofs a GPS signal, fooling Tina about the current time. Tina sends this fake time to Alice. What can Alice do to avoid being too seriously fooled? Are there implementations…
jtpereyda
  • 1,430
  • 2
  • 16
  • 26
5 votes, 1 answer

Brute Forcing LUKS Full Disk Encryption - Time?

Let's say we have encrypted our drive with AES 256 XTS and the following Hash: SHA1 with ~500k Iterations and a 20+ password SHA512 with ~250k Iterations and the same 20+ password. Let's think of the best hardware and the fastest hardware out there.…
user284148
  • 303
  • 5
  • 8
5 votes, 1 answer

Securely detecting and correcting time drift for TOTP

RFC 6238 recommends the server to implement some form of resynchronization algorithm to account for time drift of the device used to generate the OTP. However, the RFC provides very little information on how to actually implement such a…
5 votes, 1 answer

How can wrong time synchronization be exploited?

It happened to me a few times that I installed a Windows PC after the CMOS battery has been replaced and all sorts of things stopped working or threw security warnings, only to realize that I just need to set the clock, or click on the sync…
5 votes, 1 answer

What use does a TPM have for accurate timekeeping?

I stumbled across this image and something immediately stood out to me. This is a photograph of a discrete TPM card. That silver cylinder on the left is a crystal oscillator, used to tell time with very high precision. At first I thought it must be…
forest
  • 64,616
  • 20
  • 206
  • 257
5 votes, 1 answer

Overall Security of Network Time Protocol

I am doing some research in order to get an understanding of the security of the Network Time Protocol. In particular, my goal was/is to understand how the protocol is secured and what the issues are. So far, I understood that there are basically 2…
Mark
  • 159
  • 1
4 votes, 2 answers

Does x509 have an "issued at" timestamp? Can you tell when an x509 certificate was issued?

The JWT Spec (RFC 7519) has an issued at field ("iat"). Does x509 have any analogous value? I see a Validity field, but nothing else time related.
jtpereyda
  • 1,430
  • 2
  • 16
  • 26
4 votes, 1 answer

Can I disable access to JS APIs in the browser such as highres timers?

In the wake of recent news of CPU bugs like Meltdown and Spectre which rely on precise(-ish) measurements of elapsed time, I find myself in the mood for disabling things like window.performance.now() in my browser (apart from other mitigations,…
kralyk
  • 161
  • 3