brush701 / keechallenge

A plugin for KeePass2 to add Yubikey challenge-response capability.
GNU General Public License v3.0

Why does this need to know the private key for challenge-response? #28

Open Morthawt opened 7 years ago

Morthawt commented 7 years ago

Why on earth does it need this? If you send the Yubikey data, you get a result. I have a different variant of Keepass and it has a built-in Yubikey c/r feature. It does not require the private key.

In my imagination, I imagine the user enters a password, the program salt-hashes it and passes that to the Yubikey and gets the response and adds that to the salted hash, then salt-hashes all of that and uses that for the encryption key. No secret key of the Yubikey needed. But yours asks for the secret and makes me feel uneasy using it. Can this be explained so that I understand it, or can it be changed to not require the private key? The private key is not always accessible after the fact when you are already using your Yubikey all over the place. Nothing else I have used needs to know the key.
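The derivation sketched above, as an added example that is not code from KeeChallenge or any other KeePass plugin: the host only ever calls the device's challenge-response function, so the HMAC-SHA1 secret stays inside the (simulated, constructed) `SimulatedYubiKeyHmacSlot` and is never read by `derive_key`. The class and function names are assumptions for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable


class SimulatedYubiKeyHmacSlot:
    """Constructed stand-in for a YubiKey HMAC-SHA1 challenge-response slot.

    The 20-byte secret is programmed once and never exported; the host code
    below only sees responses, which is the point of the scheme in the issue.
    """

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("YubiKey HMAC-SHA1 slots use a 20-byte secret")
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # A YubiKey HMAC-SHA1 slot accepts a challenge of up to 64 bytes and
        # returns the 20-byte HMAC-SHA1 over it.
        if not 0 < len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_key(password: str, salt: bytes, respond: Callable[[bytes], bytes]) -> bytes:
    """Salted hash of the password -> challenge -> device response -> final key.

    `respond` is the only contact with the device; no HMAC secret is needed.
    A production version would replace the first SHA-256 with a slow KDF.
    """
    challenge = hashlib.sha256(salt + password.encode("utf-8")).digest()  # 32 bytes
    response = respond(challenge)
    return hashlib.sha256(salt + challenge + response).digest()


def main() -> None:
    # Constructed demo values: a fresh device secret and a non-secret salt that
    # would be stored next to the database.
    device = SimulatedYubiKeyHmacSlot(secrets.token_bytes(20))
    salt = os.urandom(16)
    key = derive_key("correct horse battery", salt, device.challenge_response)
    same = derive_key("correct horse battery", salt, device.challenge_response)
    assert key == same  # deterministic: same password, salt and device
    print(key.hex())


if __name__ == "__main__":
    main()
```

Note that because the challenge is a fixed function of password and salt, the device's response is the same static value on every unlock; a design that rotates the challenge has to store the current challenge somewhere the host can read it.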

rvp-nl commented 7 years ago

Read here: https://sourceforge.net/p/keepass/discussion/329220/thread/1a490c90/ and other threads about keechallenge safety/security.

Author disappeared, current maintainer does not answer questions.

awnz commented 7 years ago

> I have a different variant of Keepass and it has a built-in Yubikey c/r feature

@Morthawt which variant is this? Given the concerns expressed here, I'd be interested in knowing what alternatives are available.

Morthawt commented 7 years ago

https://keepassxc.org/

whinis commented 6 years ago

@Morthawt I am just starting into keepass plugins because I rather like the added benefit of my yubikey. That being said, if I had to guess why it's not performed as you ask, it is likely because the plugin does not get passed the password or hash of the password even at any point. From what I can tell from the code at https://github.com/dlech/KeePass2.x/blob/VS2017/KeePass/Util/KeyUtil.cs the password is calculated entirely separately and never gets passed to any plugin.

In order to do what you ask the plugin would need to ask for another password since it doesn't get access to the user supplied master password. I am going to attempt to take over this project and am open to suggestions. I have currently forked the code, gotten it almost working in plgx format, and added slot auto-detect over at https://github.com/whinis/keechallenge