Secure ID (3-way authentication, SAM, HSM) support

[tps800]

Would be interesting if this worked cross platforms!

[viktoriasee]

This is an excellent idea. But in order to make it successful it needs compatibility with other applets.

• writing the key to the RFID chip should not overwrite keys and applications that are already stored there
• there should be the possibility to write several keys to the same chip. I.e. for the personal password database and for the company password database.
• Ideally it should work both with Legic Advant and Mifare Desfire
• There should be the possibility to protect the chip with a PIN in order to make it two factor.

[viktoriasee]

Well, instead of creating a new system one should better stick to a standard which would be FIDO2 as of today.

There have been some attempts: https://dspace.cvut.cz/bitstream/handle/10467/88264/F8-BP-2020-Kolarik-Martin-thesis.pdf https://github.com/brush701/keechallenge

There are Mifare Desfire compatible FIDO2 cards around today made by Neowave. (are there others?)

[Maxhy]

Thanks for the feedback @viktoriasee

* writing the key to the RFID chip should not overwrite keys and applications that are already stored there

Agreed.

* there should be the possibility to write several keys to the same chip. I.e. for the personal password database and for the company password database.

Agreed.

* Ideally it should work both with Legic Advant and Mifare Desfire

Legic Advant is a closed ecosystem (even if the protocol is now more standardized since a decade now) which requires proper "secrets" to be initialized on the reader firmware (only manufactured by Legic and some 'gold' partners then) or from a remote host application somewhere in the cloud. At least that's how it was a few years ago, feel free to update me if it changed.

* There should be the possibility to protect the chip with a PIN in order to make it two factor.

That do not necessary make sense if the PIN is checked application side only IMOO. It would only make sense in case the PIN is checked by the chip but modern chip are more using mutual authentication key which has stronger security. What could be possible is to diversify the authentication key from a PIN and a master key ; but that would be a dedicated feature (out of this ticket scope :wink:).

For Challenge-Response (not FIDO here), see WIP on #8.

[viktoriasee]

Starting from version 2.7.0 KeepassXC now supports Yubikeys via HMAC-SHA1. They also explain in their documentation why FIDO-U2F cannot work for unlocking a database. But it is Yubikey-only afaik.

[irrweg]

The Plugin OtpKeyProv does Support OATH-HOTP as Key Provider. Sure it is not really "time-based" but with 4-5 codes instead of minimum 3 like I did, should be safer.

[Martin-Forster]

Im interested in having a secure RFID functionality , however the title states sam/hsm which is not even discussed here. However i prefer desfire / advant anyway. for Desfire we would need parameters like Appid, and initial key to store the keepass master key, and to generate a unique read key. to be able to retrieve it. There is the picc master key option, but in an enterprise environement the user will not have access to it, but the enterprise can prepare a app for this usage. Desfire EV2/EV3 chips are in use, but they run mostly in EV1 emulation mode. This unique key could then be stored on the pc protected by dpapi for example. There can up up 13 keys be genereted like that. For advant, we would need a dedicated protection, because with advant you enable the legic chip to interact with the "Segment" so everyone with access to the reader can read the content. ( note key management for legic is completely based on physical master cards protected by ownership only.)