canokey-core
Request for Adding Support for HMAC-SHA1 Challenge-Response Protocol
Issue Description:
Currently, I have encountered some limitations while using the canokeys hardware key. I have found that many tools I need to use, such as the keepassxc password manager, require support for the HMAC-SHA1 Challenge-Response protocol. However, it seems that the current canokeys hardware key does not support this protocol, which prevents me from using these tools effectively.
Request:
I would like to request the addition of support for the HMAC-SHA1 Challenge-Response protocol in the canokeys hardware key. This enhancement would enable me to seamlessly use the tools I require and would improve the compatibility of the canokeys hardware key.
Additional Information:
I have encountered this issue in practical usage, and I believe that this improvement would be beneficial not only for me but also for other users. I hope to receive your prompt response and support on this matter.
English is not my native language, so please excuse any mistakes in this report.
Thanks for the message. We understand that the HMAC-SHA1 Challenge-Response protocol is used in some popular apps. Unfortunately, we could not identify any documentation that clearly describes this protocol. It would be greatly appreciated if you could provide such a protocol description.
While I'm not certain if this is accurate, the documentation for YubiKey (https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html) seems to point to https://datatracker.ietf.org/doc/html/rfc2104 for an explanation of the HMAC-SHA1 challenge-response protocol.
The link in the KeePassXC source code directs to the same YubiKey documentation.
    void YubiKeyEditWidget::initComponent()
    {
        // These need to be set in total for each credential type for translation purposes
        m_ui->groupBox->setTitle(tr("Challenge-Response"));
        m_ui->addButton->setText(tr("Add Challenge-Response"));
        m_ui->changeButton->setText(tr("Change Challenge-Response"));
        m_ui->removeButton->setText(tr("Remove Challenge-Response"));
        m_ui->changeOrRemoveLabel->setText(tr("Challenge-Response set, click to change or remove"));
        m_ui->componentDescription->setText(
            tr("<p>If you own a <a href=\"https://www.yubico.com/\">YubiKey</a> or "
               "<a href=\"https://onlykey.io\">OnlyKey</a>, you can use it for additional security.</p>"
               "<p>The key requires one of its slots to be programmed as "
               "<a href=\"https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html\">"
               "HMAC-SHA1 Challenge-Response</a>.</p>"));
    }
Although I believe this protocol is insecure due to the use of the vulnerable SHA1 hash algorithm, there are still numerous software systems relying on it. Therefore, maintaining compatibility with this protocol is essential.
> While I'm not certain if this is accurate, the documentation for YubiKey (https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html) seems to point to https://datatracker.ietf.org/doc/html/rfc2104 for an explanation of the HMAC-SHA1 challenge-response protocol.

Unfortunately, this does not describe how the protocol works.
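For reference, the part that RFC 2104 does specify is the MAC computation alone: given a shared secret and a challenge, the response is HMAC-SHA1(secret, challenge). The following is an added example, not code from canokey-core, KeePassXC or OnlyKey; it builds HMAC-SHA1 from the RFC 2104 definition and checks it against the published RFC 2202 test vectors. The helper names and the idea of a host that also holds the secret are assumptions, and nothing here covers the device commands or framing that the thread is asking about.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 input block size in bytes ("B" in RFC 2104)

def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """RFC 2104: H((K ^ opad) || H((K ^ ipad) || text)) with H = SHA-1."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()   # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()

def device_respond(secret: bytes, challenge: bytes) -> bytes:
    """Hypothetical token side: the secret stays on the device, only the MAC leaves."""
    return hmac_sha1(secret, challenge)

def host_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Hypothetical host side (assumes the host holds the secret); constant-time compare."""
    return hmac.compare_digest(hmac_sha1(secret, challenge), response)

# HMAC-SHA1 test cases 1 and 2 from RFC 2202: (key, data, expected digest)
RFC2202_VECTORS = [
    (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?", "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]

def self_test() -> bool:
    """True when the hand-built HMAC matches every RFC 2202 vector."""
    return all(hmac_sha1(k, d).hex() == want for k, d, want in RFC2202_VECTORS)

if __name__ == "__main__":
    secret = bytes(range(20))           # constructed 20-byte sample secret
    challenge = b"constructed-challenge"  # constructed sample challenge
    response = device_respond(secret, challenge)
    print("vectors ok:", self_test())
    print("response  :", response.hex())
    print("verified  :", host_verify(secret, challenge, response))
    print("tampered  :", host_verify(secret, challenge + b"!", response))
```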
OnlyKey is an open-source hardware key that supports this protocol. After reviewing its source code, I suspect that the implementation code can be found at https://github.com/trustcrypto/libraries/blob/master/onlykey/okcrypto.cpp#L687.
Thanks for providing the OnlyKey source code link. However, after carefully reviewing the code, it appears that while it does indeed implement the HMAC-SHA1 Challenge-Response protocol functionality, it does not clearly describe the complete process of the protocol. From my understanding, the protocol involves multiple phases, with each phase potentially involving specific commands and responses. Unfortunately, there does not seem to be any documentation that comprehensively outlines all the details and phases of this protocol. Based on this code alone, it is difficult to accurately grasp all the nuances and implementation specifics of the protocol. Therefore, having access to a more comprehensive and accurate protocol specification document would be helpful for us to better understand and implement this feature.
@dangfan comments on https://github.com/canokeys/canokey-qemu/issues/7#issuecomment-2168259229?