Challenge/Response support #8

Open
Maxhy opened this issue Jan 13, 2022 · 7 comments
Comments

@Maxhy
Member

Maxhy commented Jan 13, 2022

Add support for Challenge/Response (either HMAC-SHA1 or OATH-HOTP) to work with Yubikey in a more secure way.

From @kaczorws on #4 (comment):

As for the Challenge-Response this is the method directly suggested by Yubico themselves (Check HERE) for KeePass encryption.
In fact, there is a KeePass plugin which supports it via USB: KeeChallenge, it's on GitHub right here:
https://github.com/brush701/keechallenge. However, on PC this works only via USB.

Surprisingly though, on Android there is ykDroid (also on GitHub, here: https://github.com/pp3345/ykDroid) which uses Challenge-Response through phone's NFC.

@kaczorws

Hello @Maxhy
Is there maybe any update on Challenge/Response support?

@Maxhy
Member Author

Maxhy commented Apr 2, 2022

It's in the implementation phase in the RFID middleware library first. It will take a while before being properly implemented, but it is still on the plan and I have made some progress (local only for now).
I'm not a big fan of the way it has been implemented in keechallenge tbh. But I guess that's the thing, it wasn't designed for data encryption but for authentication originally...

@kaczorws

kaczorws commented Apr 3, 2022

Thanks for the update @Maxhy, will be checking releases on LibLogicalAccess then 😄

@Maxhy
Member Author

Maxhy commented Apr 3, 2022

Just implemented in LLA with liblogicalaccess/liblogicalaccess@39386ea 😄
OATH is implemented as well, but for now the Challenge-Response card service will use the OTP endpoint (HMAC slots) by default. Now we need a new LLA release (that also takes a while ahah) and then a proper consuming implementation in the KeePassRFID plugin. Not sure yet which approach would be the best for Keepass (the keechallenge one, fixed-password setup on Yubikey, ...).
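To make the HMAC-slot flow discussed in this thread concrete, here is an added example that is not part of KeePassRFID, LibLogicalAccess or KeeChallenge. It simulates an HMAC-SHA1 challenge-response slot in software (a constructed stand-in for the hardware: 20-byte slot secret, challenge of at most 64 bytes) and a constructed key-file scheme around it: a random challenge is stored next to the database master key wrapped under the slot response, a short verification tag lets a wrong key fail cleanly instead of producing garbage, and the challenge is rotated on every successful open so that a single captured response cannot be replayed indefinitely. The function and field names, the SHA-256 derivation and the XOR wrapping are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SLOT_SECRET_LEN = 20   # HMAC-SHA1 slot secret size (20 bytes)
MAX_CHALLENGE_LEN = 64  # largest challenge the slot accepts (assumed fixed-length mode)
MASTER_KEY_LEN = 32     # constructed: size of the database master key we protect


def hmac_sha1_slot(slot_secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for a YubiKey HMAC-SHA1 slot: HMAC-SHA1(secret, challenge)."""
    if len(slot_secret) != SLOT_SECRET_LEN:
        raise ValueError("slot secret must be exactly 20 bytes")
    if not 0 < len(challenge) <= MAX_CHALLENGE_LEN:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def make_device(slot_secret: bytes):
    """Return a callable that behaves like one physical token programmed with slot_secret."""
    return lambda challenge: hmac_sha1_slot(slot_secret, challenge)


def _wrap_key(response: bytes) -> bytes:
    # Assumed derivation: stretch the 20-byte response to a 32-byte wrapping key.
    return hashlib.sha256(b"keyfile-wrap" + response).digest()


def _verify_tag(response: bytes) -> bytes:
    # Assumed: domain-separated tag so a wrong token is detected before unwrapping.
    return hashlib.sha256(b"keyfile-verify" + response).digest()[:16]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_keyfile(device, master_key: bytes) -> dict:
    """Constructed key-file format: {challenge, wrapped_key, verify}."""
    if len(master_key) != MASTER_KEY_LEN:
        raise ValueError("master key must be 32 bytes")
    challenge = secrets.token_bytes(MAX_CHALLENGE_LEN)
    response = device(challenge)
    return {
        "challenge": challenge,
        "wrapped_key": _xor(master_key, _wrap_key(response)),
        "verify": _verify_tag(response),
    }


def open_keyfile(device, keyfile: dict) -> tuple[bytes, dict]:
    """Recover the master key with the presented token and rotate the challenge.

    Returns (master_key, new_keyfile). Raises ValueError when the token's
    response does not match the stored verification tag.
    """
    response = device(keyfile["challenge"])
    if not hmac.compare_digest(_verify_tag(response), keyfile["verify"]):
        raise ValueError("token response does not match this key file")
    master_key = _xor(keyfile["wrapped_key"], _wrap_key(response))
    # Rotation: a fresh challenge means the response just used is never asked for again.
    return master_key, create_keyfile(device, master_key)


if __name__ == "__main__":
    slot_secret = secrets.token_bytes(SLOT_SECRET_LEN)
    usb_token = make_device(slot_secret)   # e.g. token read over USB
    nfc_token = make_device(slot_secret)   # same secret read over NFC: must interoperate
    keyfile = create_keyfile(usb_token, secrets.token_bytes(MASTER_KEY_LEN))
    key_a, keyfile = open_keyfile(usb_token, keyfile)
    key_b, keyfile = open_keyfile(nfc_token, keyfile)
    print("both transports recover the same key:", key_a == key_b)
```

Two points the example makes visible: interoperability between transports (the USB/NFC question raised in this thread) holds as long as both sides compute the same HMAC-SHA1 over the same stored challenge and apply the same derivation, so the key-file format, not the transport, is the compatibility contract; and the rotation step is what separates a "fixed password" style setup (one challenge, one replayable response) from a scheme where each observed response is single-use.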

@kaczorws

kaczorws commented Apr 3, 2022

Whoa, that was fast 😄
According to the official Yubico guide (LINK), the Challenge-Response key should be placed using Applications -> OTP -> Challenge Response in YubiKey Manager. Not sure if these are the HMAC slots you are talking about, but this is what KeeChallenge is using (however, it works only with slot 2).

Also, is it possible to make KeePassRFID interchangeable with normal USB operation of KeeChallenge, like it currently works with ykDroid on Android? (So that KeeChallenge/USB and ykDroid/NFC use exactly the same database without any problems?)

@viktoriasee

viktoriasee commented Jun 24, 2022

This method seems to work for Yubikey only. I think the better solution would be to support FIDO2 hmac-secret, which is a (proposed) standard. There are so many other keys around like Trustkey, Badgeo, Solo, Nitrokey, just to name a few.

@kaczorws

kaczorws commented Jun 30, 2022

@Maxhy
I can see that the latest liblogicalaccess release (https://github.com/islog/liblogicalaccess/releases/tag/2.4.0) contains support for Yubico challenge-response. Any news on KeePassRFID support for this maybe? 😄
