Clock drift

Last updated

Clock drift refers to several related phenomena where a clock does not run at exactly the same rate as a reference clock. That is, after some time the clock "drifts apart" or gradually desynchronizes from the other clock. All clocks are subject to drift, causing eventual divergence unless resynchronized. In particular, the drift of crystal-based clocks used in computers requires some synchronization mechanism for any high-speed communication. Computer clock drift can be utilized to build random number generators. These can however be exploited by timing attacks.

Contents

In non-atomic clocks

Everyday clocks such as wristwatches have finite precision. Eventually they require correction to remain accurate. The rate of drift depends on the clock's quality, sometimes the stability of the power source, the ambient temperature, and other subtle environmental variables. Thus the same clock can have different drift rates at different occasions.

More advanced clocks and old mechanical clocks often have some kind of speed trimmer where one can adjust the speed of the clock and thus correct for clock drift. For instance, in pendulum clocks the clock drift can be manipulated by slightly changing the length of the pendulum.

A quartz oscillator is less subject to drift due to manufacturing variances than the pendulum in a mechanical clock. Hence most everyday quartz clocks do not have an adjustable drift correction.

Atomic clocks

Atomic clocks are very precise and have nearly no clock drift. Even the Earth's rotation rate has more drift and variation in drift than an atomic clock due to tidal acceleration and other effects. The principle behind the atomic clock has enabled scientists to re-define the SI unit second in terms of exactly 9192631770 oscillations of the caesium-133 atom. The precision of these oscillations allows atomic clocks to drift roughly only one second in a hundred million years; as of 2015, the most accurate atomic clock loses one second every 15 billion years. [1] [2] The International Atomic Time (TAI) time standard and its derivatives (such as the Coordinated Universal Time (UTC)) are based on weighted averages of atomic clocks worldwide.

Relativity

As Einstein predicted, relativistic effects can also cause clock drift due to time dilation. This is because there is no fixed universal time, time being relative to the observer. Special relativity describes how two clocks held by observers in different inertial frames (i.e. moving with respect to each other but not accelerating or decelerating) will each appear to either observer to tick at different rates.

In addition to this, general relativity gives us gravitational time dilation. Briefly, a clock in a stronger gravitational field (e.g. closer to a planet) will appear to tick more slowly. People holding these clocks (i.e. those inside and outside the stronger field) would all agree on which clocks appear to be going faster.

It is time itself rather than the function of the clock which is affected. Both effects have been experimentally observed.[ citation needed ]

Time dilation is of practical importance. For instance, the clocks in GPS satellites experience this effect due to the reduced gravity they experience (making their clocks appear to run more quickly than those on Earth) and must therefore incorporate relativistically corrected calculations when reporting locations to users. If general relativity were not accounted for, a navigational fix based on the GPS satellites would be false after only 2 minutes, and errors in global positions would continue to accumulate at a rate of about 10 kilometers each day. [3]

Random number generators

Computer programs often need high quality random numbers, especially for cryptography. [4] There are several similar ways clock drift can be used to build random number generators (RNGs).

One way to build a hardware random number generator is to use two independent clock crystals, one that for instance ticks 100 times per second and one that ticks 1 million times per second. On average the faster crystal will then tick 10,000 times for each time the slower one ticks. But since clock crystals are not precise, the exact number of ticks will vary. That variation can be used to create random bits. For instance, if the number of fast ticks is even, a 0 is chosen, and if the number of ticks is odd, a 1 is chosen. Thus such a 100/1000000 RNG circuit can produce 100 somewhat random bits per second. Typically such a system is biased—it might for instance produce more zeros than ones—and so hundreds of somewhat-random bits are "whitened" to produce a few unbiased bits.

There is also a similar way to build a kind of "software random number generator". This involves comparing the timer tick of the operating system (the tick that usually is 100–1000 times per second) and the speed of the CPU. If the OS timer and the CPU run on two independent clock crystals the situation is ideal and more or less the same as the previous example. But even if they both use the same clock crystal the process/program that does the clock drift measurement is "disturbed" by many more or less unpredictable events in the CPU such as interrupts and other processes and programs that run at the same time. Thus the measurement will still produce fairly good random numbers.

Most hardware random number generators such as the ones described above are fairly slow. Therefore, most programs only use them to create a good seed that they then feed to a pseudorandom number generator or a cryptographically secure pseudorandom number generator to produce many random numbers fast.

Timing attack

In 2006, a side channel attack was published [5] that exploited clock skew based on CPU heating. The attacker causes heavy CPU load on a pseudonymous server (Tor hidden service), causing CPU heating. CPU heating is correlated with clock skew, which can be detected by observing timestamps (under the server's real identity).

See also

Related Research Articles

In cryptography, pseudorandom noise (PRN) is a signal similar to noise which satisfies one or more of the standard tests for statistical randomness. Although it seems to lack any definite pattern, pseudorandom noise consists of a deterministic sequence of pulses that will repeat itself after its period.

A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generated sequence is not truly random, because it is completely determined by an initial value, called the PRNG's seed. Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.

<span class="mw-page-title-main">Stream cipher</span> Type of symmetric key cipher

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a bit and the combining operation is an exclusive-or (XOR).

<span class="mw-page-title-main">Hardware random number generator</span> Cryptographic device

In computing, a hardware random number generator (HRNG), true random number generator (TRNG), non-deterministic random bit generator (NRBG), or physical random number generator is a device that generates random numbers from a physical process capable of producing entropy, unlike the pseudorandom number generator that utilizes a deterministic algorithm and non-physical nondeterministic random bit generators that do not include hardware dedicated to generation of entropy.

A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely known as a cryptographic random number generator (CRNG).

Time dilation is the difference in elapsed time as measured by two clocks, either due to a relative velocity between them, or a difference in gravitational potential between their locations. When unspecified, "time dilation" usually refers to the effect due to velocity.

<span class="mw-page-title-main">/dev/random</span> Pseudorandom number generator file in Unix-like operating systems

In Unix-like operating systems, /dev/random and /dev/urandom are special files that serve as cryptographically secure pseudorandom number generators (CSPRNGs). They allow access to a CSPRNG that is seeded with entropy from environmental noise, collected from device drivers and other sources. /dev/random typically blocks if there was less entropy available than requested; more recently it usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently. The /dev/urandom device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. Not all operating systems implement the same methods for /dev/random and /dev/urandom.

The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protocols often require frequent generation of random quantities. Cryptographic attacks that subvert or exploit weaknesses in this process are known as random number generator attacks.

Fortuna is a cryptographically secure pseudorandom number generator (CS-PRNG) devised by Bruce Schneier and Niels Ferguson and published in 2003. It is named after Fortuna, the Roman goddess of chance. FreeBSD uses Fortuna for /dev/random and /dev/urandom is symbolically linked to it since FreeBSD 11. Apple OSes have switched to Fortuna since 2020 Q1.

In theoretical computer science and cryptography, a pseudorandom generator (PRG) for a class of statistical tests is a deterministic procedure that maps a random seed to a longer pseudorandom string such that no statistical test in the class can distinguish between the output of the generator and the uniform distribution. The random seed itself is typically a short binary string drawn from the uniform distribution.

A random seed is a number used to initialize a pseudorandom number generator.

<span class="mw-page-title-main">Random number generation</span> Producing a sequence that cannot be predicted better than by random chance

Random number generation is a process by which, often by means of a random number generator (RNG), a sequence of numbers or symbols that cannot be reasonably predicted better than by random chance is generated. This means that the particular outcome sequence will contain some patterns detectable in hindsight but impossible to foresee. True random number generators can be hardware random-number generators (HRNGs), wherein each generation is a function of the current value of a physical environment's attribute that is constantly changing in a manner that is practically impossible to model. This would be in contrast to so-called "random number generations" done by pseudorandom number generators (PRNGs), which generate numbers that only look random but are in fact pre-determined—these generations can be reproduced simply by knowing the state of the PRNG.

CryptGenRandom is a deprecated cryptographically secure pseudorandom number generator function that is included in Microsoft CryptoAPI. In Win32 programs, Microsoft recommends its use anywhere random number generation is needed. A 2007 paper from Hebrew University suggested security problems in the Windows 2000 implementation of CryptGenRandom. Microsoft later acknowledged that the same problems exist in Windows XP, but not in Vista. Microsoft released a fix for the bug with Windows XP Service Pack 3 in mid-2008.

GBDE, standing for GEOM Based Disk Encryption, is a block device-layer disk encryption system written for FreeBSD, initially introduced in version 5.0. It is based on the GEOM disk framework. GBDE was designed and implemented by Poul-Henning Kamp and Network Associates Inc..

In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.

<span class="mw-page-title-main">Error analysis for the Global Positioning System</span> Detail of the global positioning system

The error analysis for the Global Positioning System is important for understanding how GPS works, and for knowing what magnitude of error should be expected. The GPS makes corrections for receiver clock errors and other effects but there are still residual errors which are not corrected. GPS receiver position is computed based on data received from the satellites. Errors depend on geometric dilution of precision and the sources listed in the table below.

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.

A counter-based random number generation is a kind of pseudorandom number generator that uses only an integer counter as its internal state. They are generally used for generating pseudorandom numbers for large parallel computations.

xoroshiro128+ is a pseudorandom number generator intended as a successor to xorshift+. Instead of perpetuating Marsaglia's tradition of xorshift as a basic operation, xoroshiro128+ uses a shift/rotate-based linear transformation designed by Sebastiano Vigna in collaboration with David Blackman. The result is a significant improvement in speed and statistical quality.

References

  1. Vincent, James (22 April 2015). "The most accurate clock ever built only loses one second every 15 billion years". The Verge. Retrieved 17 September 2016.
  2. Gibney, Elizabeth (4 June 2015). "Hyper-precise atomic clocks face off to redefine time". Nature. 522 (7554): 16–17. Bibcode:2015Natur.522...16G. doi: 10.1038/522016a . PMID   26040875.
  3. Pogge, Richard W.; "Real-World Relativity: The GPS Navigation System" Accessed 30 June 2012.
  4. Aumasson, Jean-Philippe (2017). Serious Cryptography. No Starch Press. p. 24. ISBN   9781593278267.
  5. Steven J. Murdoch. Hot or Not: Revealing Hidden Services by their Clock Skew, ACM CCS 2006. (pdf)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.