Closed gynet closed 1 year ago
Strongbox should rotate/change the challenge on each save. Could you triple check what you're doing (verify that you have loaded the latest database) before I spend time checking on this. Also, if you could describe your test scenario, repro steps, database format (KDBX3 vs KDBX4) etc. Cheers.
I did verify a couple of times the issue can be reproduced at StrongBox; however, no such issue if I did the update at KeeWeb with different laptops.
1. Have a database with YubiKey Challenge-response enabled and put it synced over Google Drive.
2. Open the database in both StrongBox and KeeWeb.
3. Set KeeWeb to remember Challenge-response while the app is open.
4. Make a change on StrongBox, for example, adding a note "test" in one entry. Save the change and commit, and save.
5. Open KeeWeb, and sync the database; there is no Challenge-response prompt, and the change is directly synced to KeeWeb. Verify the target entry has "test" added in the note field. The latest database gets synced and decrypted without a new Challenge-response code at KeeWeb.
I think this is concerning because if the challenge-response does not get changed per save, then it loses the security advantage of using the feature.
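The following script is an added illustration of the behaviour described in this report, written for this page; it is not Strongbox or KeeWeb code. It models a YubiKey HMAC-SHA1 slot with a constructed secret, a simplified KeePass-style composite key (the real KDF is omitted), and a database whose header carries the challenge, the common KDBX4 design in which the header seed is the HMAC challenge. Saving without drawing a fresh challenge leaves a previously cached response able to open the new file; saving with a fresh challenge does not.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed 20-byte HMAC-SHA1 secret standing in for the one programmed into
# the YubiKey slot. A real key never reveals it; the host only sees responses.
YUBIKEY_SECRET = bytes.fromhex("6b8ed5f9f4a5e5d1e1dbf48a4d3c8a33ac6fbf12")


@dataclass
class Database:
    """Minimal stand-in for a KDBX file: the challenge stored in the outer
    header and a check value derived from the key used at the last save."""
    challenge: bytes   # seed written to the header; the HMAC input for the key
    key_check: bytes   # SHA-256 of the composite key, in place of the real header HMAC


def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA1 challenge-response as a YubiKey slot computes it."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def composite_key(password: bytes, response: bytes) -> bytes:
    """Simplified composite key (assumption): hash of the hashed password
    concatenated with the hashed response. Real KDBX4 then runs Argon2/AES-KDF."""
    return hashlib.sha256(
        hashlib.sha256(password).digest() + hashlib.sha256(response).digest()
    ).digest()


def save(db: Database, password: bytes, secret: bytes, rotate_challenge: bool) -> Database:
    """Write the database. A correct serializer draws a fresh challenge on every
    save; the buggy behaviour in the thread reuses the old one."""
    challenge = os.urandom(32) if rotate_challenge else db.challenge
    key = composite_key(password, yubikey_response(secret, challenge))
    return Database(challenge, hashlib.sha256(key).digest())


def opens_with(db: Database, password: bytes, response: bytes) -> bool:
    """True if this password plus this (possibly cached) response unlocks db."""
    key = composite_key(password, response)
    return hmac.compare_digest(hashlib.sha256(key).digest(), db.key_check)


def cached_response_still_opens_after_save(rotate_challenge: bool) -> bool:
    """Replays the repro steps: a second client caches the response for the
    current challenge, the first client saves, and we ask whether the cached
    response still opens the saved file."""
    password = b"correct horse battery staple"  # constructed test password
    db = save(Database(b"", b""), password, YUBIKEY_SECRET, rotate_challenge=True)
    # Second client remembers the response while open (KeeWeb in the thread).
    cached = yubikey_response(YUBIKEY_SECRET, db.challenge)
    assert opens_with(db, password, cached)
    # First client edits and saves; rotation is the behaviour under test.
    db = save(db, password, YUBIKEY_SECRET, rotate_challenge)
    return opens_with(db, password, cached)


if __name__ == "__main__":
    print("challenge reused  -> old response opens file:", cached_response_still_opens_after_save(False))
    print("challenge rotated -> old response opens file:", cached_response_still_opens_after_save(True))
```

With the challenge reused, the function returns True, which is exactly the symptom in step 5: the second client never needs to touch the key again. With rotation it returns False, and the second client must obtain a new response before it can read the saved file.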
That would be a bug if that is the case, so we'll need to investigate. Will come back to you shortly, thanks for the extra info.
Hi @gynet - You were right on this, this is a bug with the KDBX4 serializer, so thanks for raising. We'll have a fix out in the next release, hopefully in the next week, which will rotate the challenge on each save as it should have. Will keep open until then, or if you like you can test a Testflight build if you prefer to verify sooner.
Hi @gynet - This should be fixed for you now with 1.58.1+ - Could you please verify and close if all ok? Thanks!
@strongbox-mark I just verified, it works now, thanks!
Awesome, thank you and great catch.
What is the seed of the challenge-response implementation of Strongbox? As I tested, if I update the database using StrongBox, I can still use the old response + master pass to decrypt the latest database (using KeeWeb); this is not expected; KeeWeb's implementation regenerates the response codes after each save.
Is there any doc about the KeeChallenge implementation? Can StrongBox provide a way to rotate the challenge-response code?