Kunzisoft / KeePassDX

Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data in a single file in KeePass format and filling in forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0
4.5k stars 267 forks

Unlock DB by using Challenge-Response authentication #1434

Open serrq opened 1 year ago

serrq commented 1 year ago

Initially I had proposed the one-time TOTP authentication system, but both time-based (TOTP) and counter-based (HOTP) OTP have a problem called synchronization, which, among other things, forces you to connect to the Internet to re-sync in case of problems.

Wandering around the web I found this new authentication scheme called OCRA (One-time Challenge Response Authentication), which corresponds to RFC 6287.

What makes this new method particularly valuable?

Mainly, it keeps security standards high and works without synchronization.

It will need to be equipped with some sort of external calculator (the token generator). If implemented in KeePass, unlocking the database would work more or less like this:

  1. The app (KeePassDX) queries the database, which responds by proposing a challenge (typically 6 numeric digits).

  2. On an already configured external generator, I enter the challenge through the built-in button pad.

  3. The generator "chews" on it and "spits out" another 6 pseudo-random digits.

Those six digits unlock the database. As soon as the session ends you will need to pass a new challenge, and the database will come up with more numbers...

That is all.


Here is a talk about it:

https://www.youtube.com/watch?v=kBOhP7Hlvlg

cbiere commented 1 year ago

How does TOTP force an internet connection? Precise clocks were invented before the internet. The GNSS built into every smartphone works without any mobile or wifi connection, although it can decrease the time to get a fix significantly.

serrq commented 1 year ago

I want to make it clear that I am not an IT expert; I just reported news as I read it on the web.

As for TOTP, from what I have read, it seems that between server and client, while sharing the same Unix time, there may be a time lag of a few thousandths of a second every few days, enough for wrong numbers to be generated.

In this regard, the TOTP scheme defends itself by accepting so-called "time steps", that is, both server and client agree to accept values from each other outside the synchronized time (-3, -2, -1, current time, +1, +2, +3), at the expense of security, however.

This problem is overcome by the challenge-response scheme because it does not need synchronization to work; it would be better to say that it works with implicit synchronization that is provided within every challenge proposed.

ZenMasta commented 1 year ago

> How does TOTP force an internet connection? Precise clocks have been invented before the internet. GNSS builtin into every smartphone works without any mobile or wifi connection, although it can decrease time to get a fix significantly.

https://keepassxc.org/docs/#faq-yubikey-why-hmac-sha1 "Both FIDO-U2F and TOTP require a dynamic component (i.e., a counter or timestamp) for successful authentication. This is perfect for authenticating at an online service, but doesn't work for an offline database which needs to be encrypted with a fixed key. HMAC-SHA1, on the other hand, can be computed ahead of time as it only needs a fixed secret and no dynamic component of any kind. "

I signed up for the beta through the Play Store, as supposedly the beta version supports this YubiKey (challenge-response) mode. But so far I don't see the option, or maybe I haven't been able to download the beta version yet. I'll keep checking.

J-Jamet commented 1 year ago

As @ZenMasta says, the challenge-response can only be used under certain conditions: see https://github.com/Kunzisoft/KeePassDX/issues/8. It is available in beta 3.5.0 using a YubiKey; I think you just didn't join the beta program on the Play Store correctly.