keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Add support for Mifare DESfire smartcards #7889

Closed viktoriasee closed 2 years ago

viktoriasee commented 2 years ago

I would like to use a blank Mifare DESfire smartcard to unlock my database. The current solution is bound to Yubikey since it requires the Yubikey Personalization Tool, which only works with Yubikeys. This is not elegant. Smartcard authentication would enable me to use one device for different purposes (door access, FIDO2, tickets). It would also allow for more convenient form factors such as cards or finger rings or even implants.

It is unclear to me whether this is a documentation issue or if we just need a non-branded personalization tool for HMAC-SHA1, or a combination of both.

droidmonkey commented 2 years ago

I assume this card supports PKCS#11, in which case it is covered by another issue requesting that. If not, we aren't going to support any more proprietary protocols.

viktoriasee commented 2 years ago

I guess this is a reference to #255

This was not necessarily a request to support additional protocols. It was more a question whether one could use the HMAC-SHA1 for other keys than the proprietary Yubikey. Compared to PKCS#11 the HMAC approach has the advantage that it is anonymous. So if you lose the key it is stored to where it belongs on PKCS but not on HMAC.

droidmonkey commented 2 years ago

PKCS#11 is anonymous as well, you just ask the card to sign a challenge and use the hash of the response as the key, which is essentially what we do with HMAC. Either way, the smart card you referenced is entirely proprietary with zero documentation on their website, going to go with a no, it's not possible.

StarGate01 commented 2 years ago

@viktoriasee

a non-branded personalization tool for HMAC-SHA1

You might be able to use https://github.com/arekinath/yktool with slight modifications (changing the AID), more info at https://github.com/StarGate01/vk-ykhmac .

KeePassXC currently implements the Yubikey-style APDU exchange for HMAC-SHA1, using the yubikey libraries for the USB interface, or the system PC/SC libraries for accessing a wireless NFC reader. The protocol has an open-source JavaCard implementation (see the link above), which behaves exactly the same as the Yubikey applet.

I don't know what your card is able to do, but if its protocol adheres to the existing implementation, adding support for new cards is as easy as adding its HMAC-SHA1 applet AID to https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfacePCSC.h#L76= , and optionally a description for its ATR to https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfacePCSC.h#L83= .
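The two mechanisms discussed in this thread, selecting a card's applet by AID and then running an HMAC-SHA1 challenge-response whose response is hashed into a key, can be sketched as an added example. This is illustrative code written for this page, not KeePassXC's or the vk-ykhmac applet's code. The SELECT APDU follows ISO 7816-4, but the AIDs are constructed placeholders, the challenge command is reduced to a method call rather than the real Yubikey APDU framing, and hashing the 20-byte response with SHA-256 stands in for however KeePassXC actually folds the response into its composite key.

```python
import hashlib
import hmac

# ISO 7816-4 status words (real values)
SW_OK = bytes.fromhex("9000")              # command succeeded
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")  # no applet with that AID
SW_NOT_ALLOWED = bytes.fromhex("6985")     # conditions of use not satisfied


def select_apdu(aid: bytes) -> bytes:
    """Build an ISO 7816-4 SELECT-by-DF-name APDU: CLA=00 INS=A4 P1=04 P2=00 Lc AID."""
    if not 1 <= len(aid) <= 16:
        raise ValueError("AID must be 1..16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid


class SimulatedHmacCard:
    """Stand-in for a Yubikey-style HMAC-SHA1 applet (constructed; not real card firmware).

    The card never releases its 20-byte secret; it only answers challenges with
    HMAC-SHA1(secret, challenge), so the secret cannot be recovered from responses.
    """

    def __init__(self, aid: bytes, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 applet secret is 20 bytes")
        self.aid = aid
        self._secret = secret
        self._selected = False

    def transmit(self, apdu: bytes) -> bytes:
        """Handle a SELECT APDU; returns the status word only (no response data)."""
        if apdu[:4] == bytes([0x00, 0xA4, 0x04, 0x00]):
            lc = apdu[4]
            self._selected = apdu[5:5 + lc] == self.aid
            return SW_OK if self._selected else SW_FILE_NOT_FOUND
        return SW_NOT_ALLOWED  # simplified: only SELECT is framed as an APDU here

    def hmac_challenge(self, challenge: bytes) -> bytes:
        """Simplified challenge command (framing omitted): 1..64-byte challenge -> 20-byte response."""
        if not self._selected:
            raise RuntimeError("applet not selected")
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


# Host-side table of supported applets; the AIDs are constructed placeholders.
KNOWN_AIDS = [
    ("example-hmac-applet-a", bytes.fromhex("A000000000EE0001")),
    ("example-hmac-applet-b", bytes.fromhex("A000000000EE0002")),
]


def find_supported_card(card: SimulatedHmacCard, known_aids=KNOWN_AIDS):
    """Probe each known AID with SELECT; return the first name the card accepts, else None."""
    for name, aid in known_aids:
        if card.transmit(select_apdu(aid)) == SW_OK:
            return name
    return None


def derive_key_component(card: SimulatedHmacCard, challenge: bytes) -> bytes:
    """Illustrative: hash the card's response so the key never equals the raw HMAC output."""
    response = card.hmac_challenge(challenge)
    if len(response) != 20:
        raise ValueError("unexpected response length")
    return hashlib.sha256(response).digest()


if __name__ == "__main__":
    secret = bytes.fromhex("0b" * 20)  # RFC 2202 test-vector key, constructed sample
    card = SimulatedHmacCard(KNOWN_AIDS[1][1], secret)
    print("applet:", find_supported_card(card))
    print("key component:", derive_key_component(card, b"Hi There").hex())
```

Two cards holding the same secret but exposing it under different AIDs yield the same key component, which is why the thread treats "add the applet's AID to the table" as sufficient for a protocol-compatible card; a card with an unknown AID is simply never selected and never receives a challenge.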