keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Support RSA SecurID in TOTP #2441

Open philipsd6 opened 6 years ago

philipsd6 commented 6 years ago

Expected Behavior

Setup TOTP allows using Steam and Default RFC 6238 token settings, and I would like to be able to use my RSA SecurID as well. The modern RSA SecurID algorithm is not very different from TOTP.

Current Behavior

Configuring TOTP with the settings of my RSA SecurID "works" (i.e. doesn't cause an error) but it produces invalid tokens.

Possible Solution

Integrate the stoken code into KeePassXC. The only GUI change necessary would be adding a radio button for RSA SecurID like the Steam one, and a text input for an optional PIN.

Steps to Reproduce (for bugs)

Here's what I'm doing:

  1. I've imported the .sdtid file I got from our security manager into stoken and verified that it provides the same tokens as the RSA Windows app.
  2. I ran stoken show --seed and set up TOTP using:
    • Decrypted seed (as the Key)
    • Seconds per tokencode (as the Time step)
    • Tokencode digits (as the Code size)
  3. Select Show TOTP from the context menu, and see that the tokens it generates do not match the ones produced by the RSA app or stoken

Context

We use RSA SecurID for external VPN and internal 2FA for accessing secure networks. Currently, I can have KeepassXC autotype my personal authentication for the first layer, and then have my static pin prefix autotyped, but then I have to get the output of stoken and paste it, and then do another autotype for the final authentication layer.

Making this seamless would require autotyping the current TOTP token, which I'm not sure is possible either. But it should be!

Debug Info

KeePassXC - Version 2.3.4 Revision: 6fe821c

Libraries:

Operating system: Solus 3.9999
CPU architecture: x86_64
Kernel: linux 4.18.16-96.current

Enabled extensions:

droidmonkey commented 6 years ago

Make sure the seed you input into the TOTP setup dialog is Base32 encoded

philipsd6 commented 6 years ago

The output of stoken show --seed shows Encrypted seed and Decrypted seed as strings of 16 double hex chars, for example:

Decrypted seed          : d8 d0 30 66 30 73 00 fd 4e d6 7b d6 24 b7 7b 2d
Encrypted seed          : 89 95 40 c3 3e 47 bc 16 79 84 00 4e 79 34 55 67

Is that Base32 or not?

droidmonkey commented 6 years ago

Use this tool with the decrypted seed: https://www.translatorscafe.com/unit-converter/en-us/numbers/4-35/hexadecimal-base-32/

philipsd6 commented 6 years ago

Well, I already got a clue and did that myself in python2 like this:

In [21]: from base64 import b32encode
# ** these are not my real bytes of course! **
In [22]: byte_array = 'd8 d0 30 66 30 73 00 fd 4e d6 7b d6 24 b7 7b 2d'.split()
In [23]: byte_string = ''.join(byte_array)
In [24]: unhexed = byte_string.decode('hex')
In [25]: key = b32encode(unhexed)
In [26]: key
Out[26]: '3DIDAZRQOMAP2TWWPPLCJN33FU======'

But using the resulting base32 key in Setup TOTP has the same results -- it produces tokens, but they don't match what I get from stoken

droidmonkey commented 6 years ago

Yah I am not sure about this one. TOTP uses SHA1 hash of the seconds since epoch divided by the step size. RSA uses AES128 of some combination of the date/time.
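An added example (not code from this issue, from KeePassXC or from stoken) that redoes the hex-to-Base32 step from the comments in Python 3 and then computes an RFC 6238 token from the result, with the step and digit count the TOTP dialog takes. It assumes the `Decrypted seed : d8 d0 ...` line format shown in the `stoken show --seed` output above and uses the constructed (non-real) seed bytes from that comment. Running a SecurID seed through this is exactly what the dialog does, which is why the output cannot match stoken: RFC 6238 is HMAC-SHA1 over a time counter, while SecurID is a different, AES-based scheme.

```python
import hashlib
import hmac
import struct
from base64 import b32decode, b32encode


def stoken_seed_to_base32(line: str) -> str:
    """Turn a 'Decrypted seed : d8 d0 ...' line from `stoken show --seed`
    into the Base32 string the KeePassXC TOTP setup dialog expects."""
    _, _, hex_part = line.partition(":")
    raw = bytes.fromhex("".join(hex_part.split()))
    if len(raw) != 16:  # SecurID seeds are 128 bits
        raise ValueError(f"expected a 16-byte seed, got {len(raw)} bytes")
    return b32encode(raw).decode("ascii")


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP (RFC 4226) with the counter = floor(time / step).
    HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    key = b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample line, same bytes as the comment above (not a real seed).
    line = "Decrypted seed          : d8 d0 30 66 30 73 00 fd 4e d6 7b d6 24 b7 7b 2d"
    key = stoken_seed_to_base32(line)
    print("Base32 key for the TOTP dialog:", key)
    # 60-second step and 8 digits are typical of what `stoken show --seed`
    # reports as "Seconds per tokencode" and "Tokencode digits".
    print("RFC 6238 code at t=1234567890:", totp(key, 1234567890, step=60, digits=8))
```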

droidmonkey commented 6 years ago

This would be a good use case for #1016

asbachb commented 3 years ago

I wonder if there's a workaround for now? I'm struggling with that SecurID/2FA authentication as well, which is super annoying.

caltuntas commented 3 years ago

+1 for this feature

mcrocker commented 2 years ago

+1 for this feature

u9-5 commented 1 year ago

+1 for this feature, though... see the top comment here; at least one person thinks it would be difficult: https://www.reddit.com/r/KeePass/comments/p7m6t7/implement_proprietary_2faotp_systems_into_keepass/