solokeys / solo2-cli

Solo 2 library and CLI in Rust
https://docs.rs/solo2
Apache License 2.0

Solo2 Key OATH HOTP unable to register with Secrets from Keepass #53

Open lsascha opened 2 years ago

lsascha commented 2 years ago

Hello. I am trying to secure my KeePass database with OATH HOTP.

So in KeePass it lets me generate a random 128-Bit Secret Key or a 256-Bit Secret Key. Since the example from the CLI is 128-Bit I went with that, but for some reason I am unable to get the CLI to accept the generated Key.

I am always getting "Error: invalid symbol at 4" etc., the number always changing when generating a new Secret Key. Since I haven't found a way to let the CLI generate the Secret, I am a bit lost, and the error is not really helpful about what is wrong with the key. I tried to delete and replace the symbols at the mentioned locations but only got to "Error: invalid symbol at 0".

And no matter what I change the first number/letter to, it stays at location 0.

Any idea or solution how this is supposed to work?

By the way, using the example secret like this: solo2-v0.1.1-x86_64-pc-windows-msvc.exe app oath register -c 20 -k hotp -d 8 keepass JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP it works, but I don't want to use a secret everybody knows.

nickray commented 2 years ago

I think I only implemented standard TOTP on CLI side, might be that.

lsascha commented 2 years ago

Sorry to ask, but what does that mean exactly? Can I do something differently to get it to work? Does this need to be fixed?

I would also be happy to use Challenge-Response (https://richardbenjaminrush.com/keechallenge/) with my Solo2 Key, but I have no idea how to set this up using the CLI at all.

nickray commented 2 years ago

The following command sequence works for me on Linux (with dev-builds of firmware + CLI):

% solo2 app oath register -c 20 -k hotp -d 8 keepass JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP
keepass
% solo2 app oath totp keepass
08433023
% solo2 app oath totp keepass
52934625

Regarding challenge-response, we will not implement Yubico's HMAC-SHA1 functionality. The reason is that a) it's proprietary, b) SHA1 is deprecated, and c) FIDO has HMAC-SHA256 functionality built-in via the hmac-secret extension. We don't currently have FIDO functionality implemented in the Solo 2 CLI, but the description for the Solo 1 CLI works: https://github.com/solokeys/solo-python#challenge-response

lsascha commented 2 years ago

Yes, it works, but only with the example secret you used as well. Which puzzles me, because there must be a way to generate a usable secret here. How can I generate one? I will not use the example secret for it, obviously.

And the secrets generated by KeePass are not accepted.

nickray commented 2 years ago

You can take any secret you like and base32-encode it.
Linux example:

% export SECRET=$(head -c 32 /dev/urandom|base32 -w0)
% echo $SECRET
MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A====
% solo2 app oath register example ${SECRET}
example
% solo2 app oath totp example
563741

However, note that your counterparty will need this secret too; typically that party gives you the secret, base32-encoded.

What is an example from KeePass?

Have you seen https://github.com/google/google-authenticator/wiki/Key-Uri-Format?

lsascha commented 2 years ago

Oh, so the secret has to be Base32 encoded? Why does it work with the example secret then, which seems to be not Base32 encoded?

Still confused. But thanks anyway. Will try it that way.

nickray commented 2 years ago

It is. You can omit the trailing equal signs.

theerror commented 1 year ago

Hmmm, sorry I'm adding myself here, but I do have a strange problem:

~/tmp/solov2  ✖1 ❯ solo2 app oath register test MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A
Error: invalid length at 48
~/tmp/solov2  ✖1 ❯ solo2 app oath register test MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A====
test
~/tmp/solov2  ❯ solo2 app oath totp test
Error: p1/p2 parameters not supported on this transport

Any idea what could be wrong?

solo2 app admin version
2:20220822.0
solo2 -V
solo2 0.2.1

MacOS 12.6, M1

foosinn commented 1 year ago

Hey running into the same issue as @theerror

theerror commented 1 year ago

Just getting back to let you know that on Ventura it's working fine, as far as I can say.

panelacek$ solo2 app oath totp test
814238

schwukas commented 1 year ago

I was experiencing the "p1/p2 parameters not supported on this transport" error as well. This comment mentions that OATH only works over PCSC, but the PCSC daemon (pcscd) wasn't running on my machine. After starting the service, I can use the above oath command just fine. Hope that helps someone.

daryltucker commented 10 months ago

Thanks for the discussion. I wanted to mention that the issue I ran into was that solo2 is expecting specific casing on the Base32 secret. By using oathtool, you can generate the proper Base32 secret...

oathtool -b --verbose ${lowercase_base32_secret}
oathtool --verbose ${hex_secret}

Either of these should display the Base32 secret, which is compatible with solo2. Sure, there are other ways of capitalizing a string, but this is helpful regardless of what type of secret you've been provided.
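The three failure modes in this thread (non-base32 characters, missing "=" padding, lowercase letters) and nickray's "take any secret and base32-encode it" advice, pulled together as an added Python example that is not part of the solo2 project. The diagnose_base32 check is a simplified stand-in for the CLI's own parser, not its actual code; the HOTP function follows RFC 4226 so you can predict what a key registered with -k hotp -c 20 -d 8 should return.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 4648 base32 alphabet: what the solo2 CLI and oathtool expect for OATH secrets.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def diagnose_base32(secret: str):
    """Simplified version of the two CLI errors seen in this thread: position of the
    first character outside the uppercase base32 alphabet, or a length that is not
    a multiple of 8 (missing '=' padding). None means the secret looks acceptable."""
    for i, ch in enumerate(secret):
        if ch not in BASE32_ALPHABET and ch != "=":
            return f"invalid symbol at {i}"
    if len(secret) % 8:
        return f"invalid length {len(secret)} (pad with '=' to a multiple of 8)"
    return None


def normalize_base32(secret: str) -> str:
    """Uppercase a base32 secret and restore '=' padding, so it passes diagnose_base32."""
    s = secret.strip().replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def base32_from_hex(hex_secret: str) -> str:
    """Convert a hex secret (as a counterparty or oathtool might give it) to padded base32."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii")


def new_random_secret(bits: int = 128) -> str:
    """Fresh random secret of 128 or 256 bits (the sizes KeePass offers), base32-encoded."""
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode("ascii")


def hotp(base32_secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1, so you can check what the key should return
    for a given counter (e.g. -c 20 -d 8 as registered in this thread)."""
    key = base64.b32decode(normalize_base32(base32_secret))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

The example key JBSWY3DPEHPK3PXP is plain base32 of the bytes "Hello!" followed by de ad be ef, which is why it registers unchanged while a hex or lowercase KeePass key is rejected at its first offending character.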