Comments (12)
d-e-s-o
commented on May 30, 2024
1
...
Please not that the comment continues after the three dots, even if Github thinks that’s a signature. Also, as I cannot edit comments submitted by mail, I want to make clear that nitrokey-app only sets the time once a device is connected, not with every OTP generation.
Thanks for the explanation @robinkrahl ! No more questions at this point, your honor.
In conclusion, I think my previous suggestion is still valid. But we could use the
*_softfunction per default. If it fails, the user has to pass--ignore-timeto continue anyway or--reset-timefor a “hard” reset.
Sounds good to me!
Internal clock synchronization should be required only once per device's power cycle. It should keep the time then for further TOTP work. I do not know, how much its clock drifts with time, but never seen any issues during normal usage. Devices have no battery, hence the clock is reset on each boot.
Thanks for the clarification @szszszsz !
from nitrocli.
d-e-s-o
commented on May 30, 2024
Sounds good! In retrospect I would really have liked to cut a release earlier. We are cramming a lot of features into this one, for no real reason. In my opinion it would have been much better to ship, say the pws and volume command introduction and that's it. The rest would come as smaller incremental updates. That would have allowed us to focus on testing (I expect it to be much harder to roll out proper testing now and to think about the corner cases that we would have more easily thought of during feature development) and less features would have meant an easier time getting the documentation up to date (although admittedly that is not a big deal).
But we have what we have (and lack of testing hardware certainly was a factor), so no pulling back now. So yes, given that this sounds like an impediment to the functioning of already merged functionality we should add support for clock synchronization. Will that require an additional dependency (if we decide go with reading the host time)?
from nitrocli.
robinkrahl
commented on May 30, 2024
To be honest, I just forgot about this issue because it was six months
since I implemented the OTP support in `nitrokey`. After thinking about
the issue some more, I think it would be best to add a `--time` option
to the `otp get` command. Then we could always set the time before
generating the OTP – either to the system time or to the given timestamp
if `--time` is set.
Will that require an additional dependency (if we decide go with
reading the host time)?
No. We can use `std::time::SystemTime`. All in all, this is only a
minor change. I just wanted to file an issue so that we do not forget
about it.
from nitrocli.
d-e-s-o
commented on May 30, 2024
To be honest, I just forgot about this issue because it was six months since I implemented the OTP support in
nitrokey. After thinking about the issue some more, I think it would be best to add a--timeoption to theotp getcommand. Then we could always set the time before generating the OTP – either to the system time or to the given timestamp if--timeis set.
Sure, no worries. My remarks were more of a general nature than specific to this issue (so perhaps that wasn't the best place to articulate them). So the interface you propose is:
nitrocli otp get --timewould automatically sync the time to the host time, if it is out of sync.nitrocli otp getwould warn if out-of-sync.
Is that right? I think I may have to understand OTP a little more. What would be considered out-of-sync? Is that time window dependent?
Will that require an additional dependency (if we decide go with reading the host time)?
No. We can usestd::time::SystemTime.
Ah, perfect!
All in all, this is only a minor change. I just wanted to file an issue so that we do not forget about it.
Absolutely.
from nitrocli.
robinkrahl
commented on May 30, 2024
My proposal is:
- `nitrocli otp get` always sets the Nitrokey time to the system time
- `nitrocli otp get --time <ts>` sets the Nitrokey time to <ts>
Basically, HOTP generates an OTP by hashing a counter and the secret.
TOTP uses time mod time_window as the counter, where time is the current
time in seconds and time_window is variable but typically 30s.
So the authentication fails if T_N != T_A (mod time_window), where T_A
is the time when the application validates the OTP and T_N is the time
when the Nitrokey generates the OTP (according to the respective system
clock). Most applications also accept the next or previous OTP (i. e. a
deviation of one time_window). This means that a deviation of a few
seconds is fine, a deviation of up to 60 seconds might cause occasional
errors, and more than one minute deviation will fail all auhentication
attempts.
Possible problems with this solution are:
- We have one more command to send to the device (set time). But on the
other hand, we should always check the time, so it does not make any
difference.
- The system clock might be out of sync. But I think this should be a
rather rare exception.
- The application clock might be out of sync. But there’s nothing we
can do about that anyway.
There could be a case where a user only deals with a single application
that is known to have a wrong time and therefore wants the Nitrokey to
run with that time without nitrocli resetting the clock. But I consider
that highly unlikely. We could still add a `--no-system-time` option to
deal with this problem should it ever occur.
Alternative approaches are.
- Provide a `nitrocli otp sync` command and warn in `otp get` if the
time is out of sync.
- Only set the time if the user sets the `--system-time` options.
from nitrocli.
d-e-s-o
commented on May 30, 2024
Many thanks for the explanation!
There are two more things that I am confused about, I guess.
- From your description it appears that the Nitrokey (or any TOTP capable device) really needs to have a way to keep time. But the device has no battery (from what I know), so it cannot do anything of that sort if it is unplugged. Is that why you would want to set the time by default? Because it is very likely out of sync?
- Are there other services that use the time? If OTP is the sole user I think unconditionally syncing it is fine.
Possible problems with this solution are:
- We have one more command to send to the device (set time). But on the other hand, we should always check the time, so it does not make any difference.
We would also need to retrieve the currently set time window, wouldn't we? (though that may come along with the time; not that this is a problem, I just want to understand)
from nitrocli.
robinkrahl
commented on May 30, 2024
1) From your description it appears that the Nitrokey (or any TOTP
capable device) really needs to have a way to keep time. But the
device has no battery (from what I know), so it cannot do anything of
that sort if it is unplugged. Is that why you would want to set the
time by default? Because it is very likely out of sync?
As far as I know, the Nitrokey devices do not have a RTC and do not keep
time. So some kind of synchronization is always necessary (see below
for the nitrokey-app implementation).
2) Are there other services that use the time? If OTP is the sole user
I think unconditionally syncing it is fine.
Yes, as far as I know. The corresponding libnitrokey function is called
`NK_totp_set_time`, and its comment says: “Set time on the device (for
TOTP requests)”. Also, I don’t know of any other application that could
use the time.
We would also need to retrieve the currently set time window, wouldn't we?
No, only the slot name is readable. The other information, including
the time window, are not exposed by the firmware. We would have to use
heuristics.
…---
I had a look at the nitrokey-app implementation, and I found some lost
memories. In fact, there are two commands to set the time: get_time
(sic!) and set_time. Please see Nitrokey/libnitrokey#114 [0] for
details. I could not use `get_time` in the `nitrokey` crate due to the
bugged C API, and I have not yet implemented the new
`NK_totp_set_time_soft` as I did not think it would be needed in the
beginning.
nitrokey-app always tries to update the time using
get_time/set_time_soft. If this fails, it warns the user and offers to
perform a “hard” set_time call. See nitrokey-app/mainwindow.cpp:381 [1]
for the implementation details.
[0] Nitrokey/libnitrokey#114
[1] https://github.com/Nitrokey/nitrokey-app/blob/6b6cd2fe31dd3bb2910c13acb480e8f15b33fac9/src/ui/mainwindow.cpp#L381
from nitrocli.
robinkrahl
commented on May 30, 2024
Please not that the comment continues after the three dots, even if Github thinks that’s a signature. Also, as I cannot edit comments submitted by mail, I want to make clear that nitrokey-app only sets the time once a device is connected, not with every OTP generation.
In conclusion, I think my previous suggestion is still valid. But we could use the *_soft function per default. If it fails, the user has to pass --ignore-time to continue anyway or --reset-time for a “hard” reset.
from nitrocli.
szszszsz
commented on May 30, 2024
Hi! Just wanted to add two words.
Internal clock synchronization should be required only once per device's power cycle. It should keep the time then for further TOTP work. I do not know, how much its clock drifts with time, but never seen any issues during normal usage. Devices have no battery, hence the clock is reset on each boot.
from nitrocli.
d-e-s-o
commented on May 30, 2024
Do you mind taking this issue, @robinkrahl ? I guess you already may have started work on it
from nitrocli.
robinkrahl
commented on May 30, 2024
I haven’t started working on it yet, but I can take care of it.
Shouldn’t be a big change.
from nitrocli.
d-e-s-o
commented on May 30, 2024
Merged. Thanks for bringing up this issue and resolving it @robinkrahl !
from nitrocli.
Related Issues (20)
- Compare strings instead of byte slices in tests HOT 2
- Access PWS slots by name HOT 8
- Improve otp subcommand HOT 1
- Validate PWS and OTP string length HOT 5
- Document scdaemon reset workaround in readme
- Publishing nitrocli-ext HOT 5
- Publishing the core extensions HOT 10
- Improve installation instructions HOT 6
- Split up commands module HOT 1
- Show retry count (< 3) in pinentry HOT 1
- "Wrong password, please reenter" after device reconnection HOT 22
- "Unexpected response: OK" if empty password is entred via pinentry HOT 1
- Add log messages to nitrocli HOT 12
- Add option to otp-cache to create custom aliases HOT 4
- pinentry-tty does not work HOT 13
- Change tests to not create python scripts during builds HOT 2
- Migrate to clap 3.0.0 HOT 2
- Move CI checks to Makefile HOT 4
- nitrocli (for NK2 Pro) not responsive while NK3 plugged in HOT 4
- Document extensions in readme HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nitrocli.