Challenge/Response support

Question

Challenge/Response support

Opened this issue 3 years ago · 7 comments

Add support for Challenge/Response (either HMAC-SHA1 or OATH-HOTP) to work with Yubikey on a more secure way.

As for the Challenge-Response this is the method directly suggested by Yubico themselves (Check HERE) for KeePass encryption.
In fact, there is a KeePass plugin which supports it via USB: KeeChallenge, it's on GitHub right here:
https://github.com/brush701/keechallenge. However, on PC this works only via USB.

Surprisingly though, on Android there is ykDroid (also on GitHub, here: https://github.com/pp3345/ykDroid) which uses Challenge-Response through phone's NFC.

Answer 1 · 2022-03-28T21:29:46.000Z

Hello @Maxhy
Is there maybe any update on Challenge/Response support?

Answer 2 · 2022-04-02T17:13:18.000Z

It's on implementation phase into the RFID middleware library first. Will take a while before being properly implemented but it is still on the plan and I have done some progress (local only for now).
I'm not a big fan of the way it has been implemented on keechallenge tbh. But I guess that's the thing, it wasn't designed for data encryption but for authentication originally...

Answer 3 · 2022-04-03T20:51:13.000Z

Tthanks for the update @Maxhy, will be checking releases on LibLogicalAccess then 😄

Answer 4 · 2022-04-03T21:18:00.000Z

Just implemented on LLA with liblogicalaccess/liblogicalaccess@39386ea 😄
OATH is implemented as well but for now the Challenge-Response card service will use the OTP endpoint (HMAC slots) by default. Now we need a new LLA release (that also takes a while ahah) and then proper consuming implementation on KeePassRFID plugin. Not sure yet which approach would be the best for Keepass (keechallenge one, fixed-password setup on Yubikey, ...).

Answer 5 · 2022-04-03T23:28:42.000Z

Whoa, that was fast 😄
According to official Yubico guide (LINK) the Challenge-Response key should be placed using Applications -> OTP -> Challenge Response in YubiKey Manager. Not sure if these are the HMAC slots you are talking about but this is what KeeChallenge is using (However, it works only with slot 2).

Also, is it possible to make KeePassRFID interchangeable with normal USB operation of KeeChallenge? Like it currently works with ykDroid on Android? (so KeeChallenge/USB and ykDroid/NFC are using exactly same database without any problems?)

Answer 6 · 2022-06-24T06:46:37.000Z

This method seems to work for Yubikey only. I think the better solution would be to support FIDO2 hmac-secret which is a (proposed) standard. There are so many other keys around like Trustkey Badgeo Solo Nitrokey just to name a few.

Answer 7 · 2022-06-30T22:37:06.000Z

@Maxhy
I can see that latest liblogicalaccess release (https://github.com/islog/liblogicalaccess/releases/tag/2.4.0) contains support for Yubico challenge-response. Any news on KeePassRFID support for this maybe? 😄