KeePassDX
Support yubikey challenge response
Would be nice if the app would support challenge response via the yubichallenge app
This is not a priority because I have to solve bugs and put more basic features but why not in the future.
For reference, KeePassXC implements this on the desktop, and if you want code for Android, OpenKeychain supports YubiKey (in a different use case, for PGP keys, but well… it's something).
Keepass2android has a working implementation with calling the yubichallenge app
Hmm… don't know whether depending on another app is so good. At least it would be nice to not only support this one vendor, but well… future plans anyway. But thanks FYI.
If there is an implementation like in openkeychain even better, sure
This feature would be great, and please make it compatible with the KeePassXC implementation.
Might as well use ykdroid instead of the yubichallenge app, as Keepass2Android has done for a while now. Just to update on my first post.
Is this still a planned feature?
Yes, I'm just going to release the final 2.5 version before starting big jobs like this issue. I must also look at the other existing physical keys (open source) and study the functioning of KeePassXC.
Is there any forecast of which version could finally have YubiKey support?
I have not yet looked at the technical operation of the YubiKey for lack of time, because of new bugs and more important features to implement, but if a technician is motivated to make a pull request, it would be very nice.
I bought a Yubikey4 and an Onlykey to be able to test, I still have to study how the challenge response works with these keys and think about the architecture.
Hi there! I'm buying KeePassDX Pro now to show my support for this issue! I was using passwdsafe which implements it via NFC.
Thanks for your work.
I would like to do the same, but I am using F-Droid (no Pro available). Any update on YubiKey support (like KeePassXC desktop)? I would also like to make a donation for this new feature :1st_place_medal:.
All my BAT to you @J-Jamet ;) ... you should add this to your Cryptocurrency donation section.
Bought KeePassDX Pro and would love to see this feature.
I use F-Droid so I can't buy Pro, but I just donated €10 as a thank you and to support this feature! I have to use different software until this feature makes it into KeePassDX. :(
Thanks for your support, the feature is planned ~for version 3.3.0~ (priority bug fixes). I am aware that many users want this feature, I just need to do things in order because otherwise there will be bugs in the app. I prefer to do things properly by studying the technical functioning correctly and don't add any security holes. https://github.com/Kunzisoft/KeePassDX/projects/43 So for the moment I'm concentrating on version 3.0.0 which restructures the application for a better code architecture (so also indirectly prepares this feature). I would also like to be able to use my keys with KeePassDX, it just takes time and working with specific hardware is different than working with only the software side.
Understood. I'll be waiting patiently. :)
For me it's the same; I just don't use the app now, since I need to sync my database and I do not sync it without a challenge-response. I'm really looking forward to this implementation. I will also wait patiently.
Got myself the Pro version now and am in happy anticipation of the YubiKey feature. (100 euros: 1 YubiKey, 1 spare YubiKey and KeePassDX Pro.) Money well invested. :blush:
Edit: I hope I got that right and the NFC feature will work.
As I said in my previous comment, things are done in order to have as few bugs as possible. Of course, the integration of physical keys is still planned. The project section allows you to see all the work to be done and planned for future versions. Thanks for your patience.
I bought the Pro version. But now I started using a YubiKey and switched to Keepass2Android, because I can't unlock my DB. I see that it is planned, but I can't just wait.
I hacked together a working prototype. "Working" means: I can open a database with my Yubikey via NFC in combination with the ykdroid app (needs to be installed first). The database was created with KeePassXC on Ubuntu.
@J-Jamet: If you like, I can clean the code, do more tests and create a pull request, but I would need to know, which direction to take: Is it okay to depend on the ykdroid app? Or maybe you want to simply integrate the code (it has the same license, so shouldn't be a problem in that respect).
@uduerholz Awesome! No problem for the ykdroid dependency, that looks very good. It's also an open source app so it will be easier for maintenance.
I just stumbled upon a small usability problem. The current implementation creates a new random transform seed (part of the database header) each time the database is saved. When the master key is derived, the algorithm sends this transform seed as challenge to the Yubikey and uses the response. In effect this means that each time the database is saved, the app needs access to the Yubikey. Via USB this is not a problem, but via NFC it could be annoying.
I see the following solutions:
- When the database is protected with a Yubikey, never modify the transform seed (makes it a bit less secure).
- Require of the user to present the Yubikey each time the database is saved.
- When the Yubikey is used the first time, create some random seeds in advance and send them to the Yubikey. Store the responses and use them later when the database is saved. (Does not work with the current ykdroid implementation though.)
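The derivation this comment describes, and the trade-off between its solutions 2 and 3, as an added example; this is not code from KeePassDX, KeePassXC or ykdroid. It models the YubiKey's HMAC-SHA1 slot in software with a constructed slot secret (a real key only ever returns the response), omits the key-file component, and assumes the KeePassXC layout in which the SHA-256 of the password and the raw 20-byte response to the header seed are concatenated and hashed with SHA-256 to form the composite key. Each save draws a fresh seed, so the key must be challenged again; pre-computing responses for future seeds removes that requirement at the cost of storing key material.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for the 20-byte HMAC-SHA1 secret programmed into a YubiKey slot.
# A real YubiKey never exposes this; only the response leaves the device.
_SLOT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def yubikey_challenge_response(challenge: bytes) -> bytes:
    """Software model of the YubiKey HMAC-SHA1 slot.
    Assumption: variable-length input mode, so a 32-byte seed is used unpadded."""
    if not 1 <= len(challenge) <= 64:
        raise ValueError("YubiKey HMAC-SHA1 challenges are 1..64 bytes")
    return hmac.new(_SLOT_SECRET, challenge, hashlib.sha1).digest()  # 20 bytes


def composite_key(password: bytes, response: Optional[bytes]) -> bytes:
    """Composite key in the assumed KeePassXC layout: SHA-256 over the hashed
    password followed by the raw challenge-response output (key file omitted)."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(password).digest())
    if response is not None:
        h.update(response)
    return h.digest()


def unlock(password: bytes, seed: bytes) -> bytes:
    """Opening the database: the seed read from the header is the challenge,
    so the YubiKey has to be present."""
    return composite_key(password, yubikey_challenge_response(seed))


def save_with_key_present(password: bytes) -> Tuple[bytes, bytes]:
    """Solution 2: every save writes a fresh random seed into the header,
    so the key is challenged again before the new composite key can be derived."""
    seed = os.urandom(32)
    return seed, composite_key(password, yubikey_challenge_response(seed))


def precompute_responses(n: int) -> List[Tuple[bytes, bytes]]:
    """Solution 3, step 1: while the key is present, challenge it with n
    seeds that later saves will use."""
    return [(seed, yubikey_challenge_response(seed))
            for seed in (os.urandom(32) for _ in range(n))]


def save_with_cached_response(password: bytes,
                              cache: List[Tuple[bytes, bytes]]) -> Tuple[bytes, bytes]:
    """Solution 3, step 2: a save consumes one (seed, response) pair and needs
    no key. Each cached response is a key component for the database written
    with that seed, so the cache must be protected like a key file."""
    if not cache:
        raise RuntimeError("response cache exhausted; present the YubiKey to refill it")
    seed, response = cache.pop()
    return seed, composite_key(password, response)
```

A seed pre-computed this way yields exactly the composite key that a later `unlock` with the physical key derives from the same header, which is what keeps the cached-save path compatible with a KeePassXC opening the file afterwards; a response recorded for an old seed is useless for a new header, which is why the plain scheme needs the key on every save.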
I imagine that you want to implement the Challenge Response of KeePassXC (And not the KeeChallenge plugin of KeePass2 which is very good because it requires another XML file to load and is a rather old technique.).
Solution 2 is the most relevant. KeePassXC does require the key to be present for each save in the database, so users will not be lost. I don't have the workflow in mind for NFC, does it require a lot of steps?
It would be nice to be able to easily select the credentials to unlock the database. I will think about a correct UI, because I would like to implement other algorithms in the future (hmac-sha1 kpxc, hmac-sha1 kp2, oath hotp, hmac-secret fido2).
Yes, one main requirement is to be compatible with KeePassXC. When you have a suggestion for the UI, please post it here.
For the UI, I was thinking of simply adding a field with a switch button below the key file field. If compatible drivers or applications are detected (so with an intent test), the field becomes visible; otherwise it is hidden. (Maybe displayed all the time at first, so as not to lose new users, as it is an advanced feature, but maybe the best is to hide the key-file and challenge-response fields in a section to be expanded.)
It would be composed of a dropdown list to select the type of challenge protocol used. (At first, can just be a label if there is only the hmac-sha1 kpxc).
For the recovery mode, a small icon to the right of the field. When clicked, would display an edit text field below the challenge-response field.
If the recovery mode text field is [hidden] or [displayed and its content is empty], we go through ykdroid; otherwise we check the number of characters required (we display an error if necessary), and we enter the recovery key directly if the size is right.
What do you think about it?
Sounds good. What do you mean by "recovery mode"?