Can time-travellers use TOTP codes?
Imagine, just for a moment, you and your friends decide to travel in time. In order to make sure you can authenticate your communications with each other, you set up a shared Time-based One Time Password (TOTP).
The TOTP algorithm uses a Hash-based Message Authentication Code (HMAC). The hash is calculated from a shared key and a time-based component.
The key is a short string of characters. The time-based component is calculated as the number of seconds between the Unix Epoch and now. When is the Unix Epoch? 00:00:00 UTC on Thursday, 1 January 1970 [0]. It has been roughly 1.7 billion seconds since then. 64-bit computer systems can count up for another 290 billion years [1]. So chrononauts journeying to the future should be fine.
But what about people travelling backwards? You and your friends want to go and see The Beatles perform in 1966. That's before 1970. So the time-based component will be a negative number.
I've tried a bunch of different TOTP generators and fed them a variety of negative numbers. They all crashed.
So, no. TOTP doesn't work for anyone travelling backwards in the 4th dimension. Pity.
Is there a serious point to this? Well, sort of.
Negative time is an unexpected input and leads to unusual behaviours. Could a crash in HMAC generation lead to an exploit?
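To see where that crash actually comes from, here is an added worked example (my code, not the post's). RFC 4226 packs the counter into an 8-byte unsigned big-endian field before it goes into HMAC-SHA1, and RFC 6238 derives that counter as floor(seconds / 30). A negative timestamp therefore produces a counter that cannot be encoded at all, and Python's struct module raises before any hashing happens. The key is the RFC 6238 test key; the 1966 timestamp is a constructed value, roughly autumn 1966. A second function shows the defensive version: validate the counter range up front and fail with a clear error instead of an exception deep inside the HMAC code.

```python
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 test key (ASCII "12345678901234567890"), used by the test vectors.
RFC_TEST_KEY = b"12345678901234567890"

# Constructed timestamp: about 100 million seconds before the epoch, i.e. late 1966.
BEATLES_1966_UNIX_SECONDS = -100_000_000


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    # ">Q" is an unsigned 64-bit field. A negative counter cannot be encoded,
    # so struct.pack raises struct.error here; that is the "crash" in the post.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_seconds: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as usually written: counter T = floor((now - T0) / step), T0 = epoch."""
    # Floor division of a negative number of seconds yields a negative counter.
    return hotp(key, unix_seconds // step, digits)


def totp_checked(key: bytes, unix_seconds: int, step: int = 30, digits: int = 6) -> str:
    """Same algorithm, but the counter is validated before it reaches the HMAC layer.

    A clock set before 1970 (or absurdly far ahead) is rejected with a ValueError that
    names the problem, rather than surfacing as a low-level packing exception.
    """
    counter = unix_seconds // step
    if not 0 <= counter < 2 ** 64:
        raise ValueError(
            f"TOTP counter {counter} is outside the unsigned 64-bit range "
            "(is the system clock set before the Unix epoch?)"
        )
    return hotp(key, counter, digits)


def naive_totp_crashes(key: bytes, unix_seconds: int) -> bool:
    """Reproduce the post's observation: True if the plain implementation raises for this time."""
    try:
        totp(key, unix_seconds)
    except struct.error:
        return True
    return False


if __name__ == "__main__":
    print("1970-01-01 00:00:59 UTC ->", totp(RFC_TEST_KEY, 59))
    print("1966 crashes naive TOTP? ", naive_totp_crashes(RFC_TEST_KEY, BEATLES_1966_UNIX_SECONDS))
    try:
        totp_checked(RFC_TEST_KEY, BEATLES_1966_UNIX_SECONDS)
    except ValueError as exc:
        print("checked version says:", exc)
```

The first two calls reproduce the RFC test vectors (counter 0 gives 755224, and 59 seconds after the epoch gives 287082), so the implementation is the standard one and not a toy. The point for a defender is the shape of the failure: the negative counter is an encoding error in the counter field, not a weakness in HMAC, and an implementation that checks its inputs turns an unexplained crash into a diagnosable clock problem.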
Standards get used in all sorts of places - including retrospectively. Should standards writers specifically account for inputs which occur in the past?
How should computers deal with "preposterous" times?
What other common security tools fail if they're subjected to time-travel?
Which Beatles concert would you go to in 1966?
[0] As an aside, in 1970, the UK was on BST - British Standard Time rather than GMT / UTC.
[1] Or, if you're stuck using 32-bit time, until the year 2038.
Jokes aside - cool post, thanks!