Challenge/Response correct configuration

[kaczorws]

Hello @Maxhy

Thank you for implementing Challenge/Response into the plugin. However, could you provide more information on correct configuration of it?

1. What is the correct "Force Card Type" setting - I tried leaving it empty and also tried few random ones (don't know which corresponds to YubiKey) but each time I get "Challenge/Response is unsupported by this chip" error.
2. Does it work with existing OTP Challenge/Response Secret Key (stored on a YubiKey) and if so, which setting ("Get a new challenge each time" or "Fixed challenge") could make use of that?

Thanks :)

[Maxhy]

Sure you're welcome @kaczorws. Thanks for pushing it ahah.

Force Card Type may or may not be required depending of your Yubikey model and configuration (it is automatically resolved according to the ATR). To be sure, safer to force it. At the end of the dropdown list you should now have "YubiKey" as a new card type to be selected.
Yes it should work with existing OTP Challenge/Response. In fact the difference between "Get a new challenge each time" and "Fixed challenge" is related to your Yubikey configuration.

With Fixed Challenge, you request a challenge from the Yubikey at configuration time (using Query link) and then always provide the same challenge to the Yubikey to receive always the same response.
With Get a new challenge each time a new challenge is requested at each use to the Yubikey, before we ask immediately for the response. Obviously the OTP slot needs to be configured to a static password then.

As I said on the original feature request thread, I don't believe this solution to be the best as it kills the idea behind Challenge/Response by having static data at one or the other side. It's nothing more than a password but stored on a NFC device (Yubikey here) and transmitted in plain as the protocol being used has not been designed for such purpose. It is what the other Keepass related solution are doing as well with Yubikey according to the analyze done on #8 and still better than nothing. Good enough if it is only part of the secret 😉.

[kaczorws]

Hello @Maxhy

Thank you for your response. I can now see that I was missing 'Yubikey' option in the 'Force Card Type' because I was using outdated liblogicalaccess-swig binaries. After downloading the latest ones, the option is now there.

So in order for everything to work I need both liblogicalaccess-swig binaries (also included in the PATH variable so plugin can see it) as well as the actual plugin itself (both plgx and dll files) in the KeePass plugins dir? It is working for me now, so I guess that's the way :)

As for the plugin, I still can't open my existing database although I can see that KeePass is reading something from the YubiKey but unfortunately it's returning info about invalid master key. This is happening for both 'Fixed' and 'Get new challenge' options. I though that this may be related to the slot number on the Yubikey (I'm using slot 2), but copying the Challenge-Response key to both slots still ends in the same result.

Do you have any idea what I may be doing wrong? KeeChallenge as well as ykDroid are at the same time working normally with this key.

Thanks :)

[Maxhy]

Just to be sure, is the feature working as expected with a fresh new database and your issue only about encryption key compatibility with KeeChallenge/ykDroid?

[kaczorws]

Unfortunately, I am unable to create a new database using "RFID/NFC Key Provider" - When I set everything as on the screenshot below and click OK, the reader flashes but nothing else happens. The window does not close and just stays there. "Help" and "Cancel" work normally, just "OK" does not let through. Some logic is working because when the key is not on the reader, "OK" returns "No card inserted".

The plugin settings are as below: