
Solo2 Key OATH HOTP unable to register with Secrets from Keepass

Open lsascha opened this issue 3 years ago • 13 comments

Hello. I am trying to secure my keepass database with OATH HOTP.

So in keepass it lets me generate a random 128-Bit Secret Key or a 256-Bit Secret Key. Since the example from the CLI is 128-Bit I went with that, but for some reason I am unable to get the CLI to accept the generated Key.

I am always getting Error: invalid symbol at 4 etc., the number always changing when generating a new Secret Key. Since I haven't found a way to let the CLI generate the Secret, I am a bit lost and the error is not really helpful about what is wrong with the key. I tried to delete and replace the symbols at the mentioned locations but only got to Error: invalid symbol at 0

And no matter what i change the first number/letter to, it stays at location 0.

Any idea or solution how this is supposed to work?

btw. using the example secret like this: solo2-v0.1.1-x86_64-pc-windows-msvc.exe app oath register -c 20 -k hotp -d 8 keepass JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP it works, but I don't want to use a secret everybody knows.

lsascha avatar Feb 26 '22 17:02 lsascha

I think I only implemented standard TOTP on CLI side, might be that.

nickray avatar Mar 07 '22 18:03 nickray

Sorry to ask, but what does that mean exactly? Can I do something differently to get it to work? Does this need to be fixed?

I would also be happy to use Challenge-Response (https://richardbenjaminrush.com/keechallenge/) with my Solo2 Key, but I have no idea how to set this up using the CLI at all.

lsascha avatar Mar 08 '22 10:03 lsascha

The following command sequence works for me on Linux (with dev-builds of firmware + CLI):

% solo2 app oath register -c 20 -k hotp -d 8 keepass JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP
keepass
% solo2 app oath totp keepass
08433023
% solo2 app oath totp keepass
52934625

Regarding challenge-response, we will not implement Yubico's HMAC-SHA1 functionality. The reason is that a) it's proprietary, b) SHA1 is deprecated, and c) FIDO has HMAC-SHA256 functionality built-in via the hmac-secret extension. We don't currently have FIDO functionality implemented in the Solo 2 CLI, but the description for the Solo 1 CLI works: https://github.com/solokeys/solo-python#challenge-response

nickray avatar Mar 08 '22 10:03 nickray

Yes it works, but only with the example secret you used as well. Which puzzles me, because there must be a way to generate a usable secret here. How can I generate one? I will not use the example secret for it obviously.

And the secrets generated by keepass are not accepted.

lsascha avatar Mar 08 '22 10:03 lsascha

You can take any secret you like and base32-encode it.
Linux example:

% export SECRET=$(head -c 32 /dev/urandom|base32 -w0)
% echo $SECRET
MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A====
% solo2 app oath register example ${SECRET}          
example
% solo2 app oath totp example                    
563741

However, note that your counterparty will need this secret too; typically that party gives you the secret, base32-encoded.

What is an example from keypass?

Have you seen https://github.com/google/google-authenticator/wiki/Key-Uri-Format?

nickray avatar Mar 08 '22 11:03 nickray
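The workflow described above, as an added Python example (not solo2-cli code and not from the project): generate a random secret, base32-encode it the way `base32 -w0` does, and show that the key and the counterparty derive the same HOTP/TOTP codes from those bytes. The RFC 4226 and RFC 6238 test secret `12345678901234567890` is used to check the implementation; the function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh random secret, base32-encoded (RFC 4648, uppercase) with the '=' padding removed.

    Same idea as `head -c N /dev/urandom | base32 -w0` in the thread; 16 or 32 bytes
    correspond to the 128-/256-bit options mentioned for KeePass.
    """
    raw = secrets.token_bytes(num_bytes)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def decode_secret(b32: str) -> bytes:
    """Turn a base32 string back into key bytes: uppercase it and restore the padding."""
    s = b32.strip().upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / period)."""
    return hotp(key, unix_time // period, digits)


if __name__ == "__main__":
    secret = generate_secret(20)
    key = decode_secret(secret)
    print("register on the key and paste into the other side:", secret)
    # Both sides compute the same codes from the same key bytes.
    for counter in range(3):
        print(f"HOTP counter={counter}: {hotp(key, counter, digits=8)}")
```

The base32 string is only a transport encoding of the key bytes; whichever side generates it, the other side must receive the identical string, which is why the example secret from the CLI README works on both sides while a secret that exists only in KeePass cannot be checked by the key.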

Oh, so the secret has to be Base32 encoded? Why does it work with the example secret then, which seems to be not base32 encoded?

Still confused. But thanks anyway. Will try it that way.

lsascha avatar Mar 08 '22 14:03 lsascha

It is. You can omit the trailing equal signs.

nickray avatar Mar 08 '22 14:03 nickray

hmmm, sorry I'm adding myself here, but I do have some strange problem:

~/tmp/solov2  ✖1 ❯ solo2 app oath register test MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A
Error: invalid length at 48
~/tmp/solov2  ✖1 ❯ solo2 app oath register test MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A====
test
~/tmp/solov2  ❯ solo2 app oath totp test
Error: p1/p2 parameters not supported on this transport

Any idea what could be wrong?

solo2 app admin version
2:20220822.0
solo2 -V
solo2 0.2.1

MacOS 12.6, M1

theerror avatar Oct 15 '22 20:10 theerror

Hey running into the same issue as @theerror

foosinn avatar Oct 26 '22 21:10 foosinn

Just getting back, to let you know that on Ventura it's working fine as far as I can say.

panelacek$ solo2 app oath totp test
814238

theerror avatar Oct 29 '22 00:10 theerror

I was experiencing the p1/p2 parameters not supported on this transport error as well. This comment mentions that OATH only works over PCSC but the PCSC daemon (pcscd) wasn't running on my machine. After starting the service, I can use the above oath command just fine. Hope that helps someone.

schwukas avatar Jun 25 '23 11:06 schwukas

Thanks for the discussion. I wanted to mention that the issue I ran into was that solo2 is expecting specific casing on the Base32 secret. By using oathtool, you can generate the proper Base32 secret...

oathtool -b --verbose ${lowercase_base32_secret}
oathtool --verbose ${hex_secret}

Either of these should display the Base32 secret, which is compatible with solo2. Sure, there are other ways of capitalizing a string, but this is helpful regardless of what type of secret you've been provided.

daryltucker avatar Aug 29 '23 22:08 daryltucker
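The three rejection causes that surface in this thread (lowercase or non-alphabet symbols, an unpadded length that is not a multiple of 8, and a secret handed over as hex) as an added Python checker, not solo2-cli code. The diagnostics imitate the messages quoted above; how the real CLI computes its offsets is an assumption here. `hex_to_base32` produces what the `oathtool --verbose ${hex_secret}` invocation in the last comment prints as the Base32 secret, and the sample strings are the ones quoted in the thread.

```python
import base64
from typing import Optional

B32_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def check_base32(candidate: str) -> Optional[str]:
    """Strict RFC 4648 base32 check (uppercase only, '=' only as trailing padding).

    Returns None when the string would pass, otherwise a diagnostic in the style of the
    errors quoted in this thread. Assumption: the CLI's exact rules may differ in detail.
    """
    body = candidate.rstrip("=")
    for i, ch in enumerate(body):
        if ch not in B32_ALPHABET:  # lowercase, hex digits 0/1/8/9, spaces, inner '='
            return f"invalid symbol at {i}"
    pad = len(candidate) - len(body)
    if len(candidate) % 8 != 0 or pad not in (0, 1, 3, 4, 6):
        # the incomplete final group starts at the last multiple of 8
        return f"invalid length at {len(body) - len(body) % 8}"
    return None


def normalize_base32(candidate: str) -> str:
    """Uppercase, drop whitespace and stale padding, re-pad to a multiple of 8, prove it decodes."""
    s = "".join(candidate.split()).upper().rstrip("=")
    s += "=" * (-len(s) % 8)
    base64.b32decode(s)  # raises binascii.Error if the content itself is not base32
    return s


def hex_to_base32(hex_secret: str) -> str:
    """Convert a hex-encoded secret to padded RFC 4648 base32 (what oathtool --verbose shows)."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: the strings quoted in the thread plus a lowercase variant.
    for s in ("MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A",
              "jbswy3dpehpk3pxp"):
        print(f"{s}: {check_base32(s) or 'ok'} -> {normalize_base32(s)}")
```

`check_base32` tells you which of the three problems a pasted secret has before you touch the key; `normalize_base32` is the transformation to apply (padding is restored rather than stripped, matching the form that registered successfully on macOS above).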