
Challenge/Response support

Open Maxhy opened this issue 3 years ago • 7 comments

Add support for Challenge/Response (either HMAC-SHA1 or OATH-HOTP) to work with Yubikey on a more secure way.

From @kaczorws on https://github.com/islog/keepassrfid/issues/4#issuecomment-1011558093:

As for the Challenge-Response this is the method directly suggested by Yubico themselves (Check HERE) for KeePass encryption. In fact, there is a KeePass plugin which supports it via USB: KeeChallenge, it's on GitHub right here: https://github.com/brush701/keechallenge. However, on PC this works only via USB.

Surprisingly though, on Android there is ykDroid (also on GitHub, here: https://github.com/pp3345/ykDroid) which uses Challenge-Response through phone's NFC.

Maxhy avatar Jan 13 '22 08:01 Maxhy

Hello @Maxhy Is there maybe any update on Challenge/Response support?

kaczorws avatar Mar 28 '22 21:03 kaczorws

It's in the implementation phase in the RFID middleware library first. Will take a while before being properly implemented but it is still on the plan and I have done some progress (local only for now). I'm not a big fan of the way it has been implemented on keechallenge tbh. But I guess that's the thing, it wasn't designed for data encryption but for authentication originally...

Maxhy avatar Apr 02 '22 17:04 Maxhy

Thanks for the update @Maxhy, will be checking releases on LibLogicalAccess then 😄

kaczorws avatar Apr 03 '22 20:04 kaczorws

Just implemented on LLA with https://github.com/islog/liblogicalaccess/commit/39386eac85ec88ec5229098fbfa2fddd0a528fd4 😄 OATH is implemented as well but for now the Challenge-Response card service will use the OTP endpoint (HMAC slots) by default. Now we need a new LLA release (that also takes a while ahah) and then proper consuming implementation on KeePassRFID plugin. Not sure yet which approach would be the best for Keepass (keechallenge one, fixed-password setup on Yubikey, ...).

Maxhy avatar Apr 03 '22 21:04 Maxhy

Whoa, that was fast 😄 According to official Yubico guide (LINK) the Challenge-Response key should be placed using Applications -> OTP -> Challenge Response in YubiKey Manager. Not sure if these are the HMAC slots you are talking about but this is what KeeChallenge is using (However, it works only with slot 2).

[image: yubikey]

Also, is it possible to make KeePassRFID interchangeable with normal USB operation of KeeChallenge? Like it currently works with ykDroid on Android? (so KeeChallenge/USB and ykDroid/NFC are using exactly same database without any problems?)

kaczorws avatar Apr 03 '22 23:04 kaczorws
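To make the mechanics behind this request and the interoperability question above concrete, here is an added software model (not code from KeePassRFID, LibLogicalAccess, KeeChallenge or ykDroid) of an HMAC-SHA1 challenge-response slot and of the FIDO2 hmac-secret extension mentioned later in the thread. The token, the `derive_database_key` hashing step and all secrets are constructed for illustration; a real plugin must pin down its own derivation scheme and keep it identical on every transport.

```python
import hashlib
import hmac
import secrets


class ModelToken:
    """Software model of a hardware token's HMAC-SHA1 challenge-response slot.

    The slot holds a 20-byte secret. The host sends a challenge of at most
    64 bytes and the token returns the 20-byte HMAC-SHA1 of it. This is plain
    RFC 2104 HMAC-SHA1, so the model can be checked against RFC 2202 vectors.
    The transport (USB vs NFC) does not enter the computation at all; it is
    kept only as a label. (Real hardware's 64-byte buffer padding rules for
    variable-length challenges are not modelled.)
    """

    def __init__(self, slot_secret: bytes, transport: str):
        if len(slot_secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret is 20 bytes")
        self._slot_secret = slot_secret
        self.transport = transport  # "usb" or "nfc", informational only

    def challenge_response(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._slot_secret, challenge, hashlib.sha1).digest()


def fido2_hmac_secret_response(cred_random: bytes, salt: bytes) -> bytes:
    """Model of the CTAP2 hmac-secret extension: the authenticator returns
    HMAC-SHA-256(CredRandom, salt) for a 32-byte salt. Same principle as the
    HMAC-SHA1 slot, but a vendor-neutral primitive."""
    if len(salt) != 32:
        raise ValueError("hmac-secret salt is 32 bytes")
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def new_challenge() -> bytes:
    """A plugin generates one random challenge at setup and stores it next to
    the database. The challenge is not secret; only the slot secret is."""
    return secrets.token_bytes(64)


def derive_database_key(token: ModelToken, stored_challenge: bytes) -> bytes:
    """Turn the token's 20-byte response into 32 bytes of key material.
    SHA-256 of the raw response is a hypothetical choice for this example."""
    response = token.challenge_response(stored_challenge)
    return hashlib.sha256(response).digest()


def interoperable(token_a: ModelToken, token_b: ModelToken, stored_challenge: bytes) -> bool:
    """True when both tokens unlock the same database: they must have been
    programmed with the same slot secret. Transport is irrelevant."""
    return derive_database_key(token_a, stored_challenge) == derive_database_key(token_b, stored_challenge)


# Constructed demo secrets; fixed values like these are for illustration only.
DEMO_SECRET = bytes.fromhex("0b" * 20)        # RFC 2202 test case 1 key
OTHER_SECRET = bytes.fromhex("0c" * 20)
RFC2202_CHALLENGE = b"Hi There"               # RFC 2202 test case 1 data

if __name__ == "__main__":
    challenge = new_challenge()
    usb = ModelToken(DEMO_SECRET, "usb")      # e.g. a desktop plugin over USB
    nfc = ModelToken(DEMO_SECRET, "nfc")      # e.g. a phone reading the same token over NFC
    other = ModelToken(OTHER_SECRET, "usb")   # a different token, different secret
    print("RFC 2202 vector:", usb.challenge_response(RFC2202_CHALLENGE).hex())
    print("same secret, USB vs NFC:", interoperable(usb, nfc, challenge))
    print("different secret:", interoperable(usb, other, challenge))
```

The interoperability answer falls out of the model: any two clients that store the same challenge and talk to a token programmed with the same slot secret derive the same key, whatever the transport. What can break compatibility is not USB versus NFC but a different challenge, a different slot, or a different way of turning the response into key material, which is why a plugin's derivation scheme is the thing to standardize.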

This method seems to work for Yubikey only. I think the better solution would be to support FIDO2 hmac-secret which is a (proposed) standard. There are so many other keys around like Trustkey, Badgeo, Solo, Nitrokey just to name a few.

viktoriasee avatar Jun 24 '22 06:06 viktoriasee

@Maxhy I can see that latest liblogicalaccess release (https://github.com/islog/liblogicalaccess/releases/tag/2.4.0) contains support for Yubico challenge-response. Any news on KeePassRFID support for this maybe? 😄

kaczorws avatar Jun 30 '22 22:06 kaczorws