Kunzisoft / KeePassDX

Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data in a single file in KeePass format and filling in forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Adding challenge-response auth (without the necessity of a yubikey) #1858

Closed serrq closed 6 days ago

serrq commented 6 days ago

As described in

https://en.m.wikipedia.org/wiki/Challenge%E2%80%93response_authentication

«Alice must respond with the one string of characters which "fits" the challenge Bob issued.»

«Alice comes along seeking entry. Bob issues a challenge, perhaps "52w72y". Alice must respond with the one string of characters which "fits" the challenge Bob issued. The "fit" is determined by an algorithm agreed upon by Bob and Alice. (The correct response might be as simple as "63x83z", with the algorithm changing each character of the challenge using a Caesar cipher.»

J-Jamet commented 6 days ago

Good news: "The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password." It has already been implemented.

serrq commented 6 days ago

Of course I talked about a second layer. Not of username and password (L1).

Also evident that you didn't read...

with the algorithm changing each character of the challenge using a Caesar cipher.

J-Jamet commented 5 days ago

No animosity here. You open an overly generic issue and then tell me I haven't read the wiki page (which isn't true, by the way). So if you want me to implement the Caesar algorithm, you're going to be disappointed.

The concept of Challenge-Response encompasses many concepts and protocols, and each of these protocols has advantages, disadvantages and constraints. The KeePass symmetric key derivation authentication system is basically a challenge-response system and is at the heart of the application.

You're pointing to a technical documentation without understanding the current app constraints, and you're not suggesting any implementation ideas. So I just put on a smile. I also have a moral education, that has nothing to do with it, which is why I'm explaining it to you with this message.

RFC 6287 is indeed very interesting, but what's the real point of your issue, except your understanding? (Spoiler, I already know Alice and Bob)

If you don't want to use the Yubikey, which simply guarantees the physical presence of the user, don't use it and use a key file or/and a password. If you want another encryption algorithm, you can choose it in the database parameters.