leosac / keepassrfid

KeePass RFID/NFC Plugin for Smart Card
GNU General Public License v3.0
46 stars 9 forks

Challenge/Response support #8

Open Maxhy opened 2 years ago

Maxhy commented 2 years ago

Add support for Challenge/Response (either HMAC-SHA1 or OATH-HOTP) to work with Yubikey in a more secure way.

From @kaczorws on https://github.com/islog/keepassrfid/issues/4#issuecomment-1011558093:

As for the Challenge-Response this is the method directly suggested by Yubico themselves (Check HERE) for KeePass encryption. In fact, there is a KeePass plugin which supports it via USB: KeeChallenge, it's on GitHub right here: https://github.com/brush701/keechallenge. However, on PC this works only via USB.

Surprisingly though, on Android there is ykDroid (also on GitHub, here: https://github.com/pp3345/ykDroid) which uses Challenge-Response through phone's NFC.
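A model of the HMAC-SHA1 challenge-response flow requested above, added here as an example; it is not code from KeePassRFID, LibLogicalAccess or KeeChallenge. A simulated slot stands in for the YubiKey, and the host side rotates the stored challenge on every save so the response an eavesdropper could capture over NFC is only good for the database version it was captured with. All class and function names are assumptions; the 20-byte secret, 64-byte challenge and 20-byte response sizes are taken from the HMAC-SHA1 slot in fixed-length mode and are assumed here.

```python
import hashlib
import hmac
import os

# Assumed parameters of the YubiKey HMAC-SHA1 slot in fixed-length mode.
SECRET_LEN = 20      # HMAC key programmed into the slot
CHALLENGE_LEN = 64   # fixed-length challenge sent over USB/NFC
RESPONSE_LEN = 20    # SHA-1 output returned by the slot


class SimulatedHmacSlot:
    """Stand-in for the token: the secret never leaves this object,
    mirroring the hardware where only the response is readable."""

    def __init__(self, secret: bytes):
        if len(secret) != SECRET_LEN:
            raise ValueError("slot secret must be %d bytes" % SECRET_LEN)
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if len(challenge) != CHALLENGE_LEN:
            raise ValueError("fixed-length mode expects a %d-byte challenge" % CHALLENGE_LEN)
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_key(response: bytes, master_password: bytes) -> bytes:
    """Host-side key material: token response mixed with the password."""
    return hashlib.sha256(response + master_password).digest()


def protect(slot: SimulatedHmacSlot, master_password: bytes):
    """Run on every save. A fresh random challenge is stored next to the
    database; the previous response is useless against the new version."""
    challenge = os.urandom(CHALLENGE_LEN)
    key = derive_key(slot.respond(challenge), master_password)
    # Verifier lets the opener tell a wrong token/password from a corrupt file.
    verifier = hashlib.sha256(key).digest()
    return challenge, verifier, key


def unlock(slot: SimulatedHmacSlot, master_password: bytes,
           challenge: bytes, verifier: bytes) -> bytes:
    """Run on open: replay the stored challenge to the token, rebuild the key,
    and check it against the stored verifier in constant time."""
    key = derive_key(slot.respond(challenge), master_password)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), verifier):
        raise ValueError("wrong token or master password")
    return key
```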

kaczorws commented 2 years ago

Hello @Maxhy, is there maybe any update on Challenge/Response support?

Maxhy commented 2 years ago

It's in the implementation phase in the RFID middleware library first. It will take a while before being properly implemented, but it is still on the plan and I have made some progress (local only for now). I'm not a big fan of the way it has been implemented in keechallenge tbh. But I guess that's the thing, it wasn't designed for data encryption but for authentication originally...

kaczorws commented 2 years ago

Thanks for the update @Maxhy, will be checking releases on LibLogicalAccess then 😄

Maxhy commented 2 years ago

Just implemented in LLA with https://github.com/islog/liblogicalaccess/commit/39386eac85ec88ec5229098fbfa2fddd0a528fd4 😄 OATH is implemented as well, but for now the Challenge-Response card service will use the OTP endpoint (HMAC slots) by default. Now we need a new LLA release (that also takes a while ahah) and then a proper consuming implementation in the KeePassRFID plugin. Not sure yet which approach would be the best for Keepass (keechallenge one, fixed-password setup on Yubikey, ...).

kaczorws commented 2 years ago

Whoa, that was fast 😄 According to the official Yubico guide (LINK) the Challenge-Response key should be placed using Applications -> OTP -> Challenge Response in YubiKey Manager. Not sure if these are the HMAC slots you are talking about, but this is what KeeChallenge is using (however, it works only with slot 2).

[image: yubikey]

Also, is it possible to make KeePassRFID interchangeable with the normal USB operation of KeeChallenge, like it currently works with ykDroid on Android? (So KeeChallenge/USB and ykDroid/NFC use exactly the same database without any problems?)

viktoriasee commented 2 years ago

This method seems to work for Yubikey only. I think the better solution would be to support FIDO2 hmac-secret, which is a (proposed) standard. There are so many other keys around, like Trustkey, Badgeo, Solo, Nitrokey, just to name a few.

kaczorws commented 2 years ago

@Maxhy I can see that the latest liblogicalaccess release (https://github.com/islog/liblogicalaccess/releases/tag/2.4.0) contains support for Yubico challenge-response. Any news on KeePassRFID support for this maybe? 😄