Yubikey: Challenge-Response (KeePassXC mode)

[markchalloner]

iOS doesn't support Yubikey Challenge-Response for 2FA on Keepass files.

A workaround to be able to open Yubikey protected databases can be found in: https://github.com/keepassxreboot/keepassxc/issues/1734 which shows how to create a pre-computed key file:

CHALLENGE_RESPONSE_KEY=
DATABASE_FILE=/tmp/passwords.kdbx
KEY_FILE=/tmp/passwords.key
xxd -p -c 33 -s 0xc5 -l 32 "$DATABASE_FILE" | xxd -r -p | openssl dgst -sha1 -hmac "$(echo -n "$CHALLENGE_RESPONSE_KEY" | xxd -r -p)" | cut -c 10- | xxd -r -p > "$KEY_FILE"

Unfortunately each time the database is changed this key file needs to be regenerated and imported into iOS.

It might be useful to add an Advanced Unlock option that takes the Challenge-Response secret and password and computes the key on the fly, avoiding the need for manual steps.

[CueHD]

There are different ways that KeePass implementations incorporate Yubikey Challenge-Response. The implementation used by KeepassXC and Keepass2Android for KDBX4 does not change the challenge nor response every time the database is saved.

See keepassxreboot/keepassxc#1060 for an explanation.

[mrclschstr]

It does change. See https://github.com/keepassxreboot/keepassxc/issues/1734#issuecomment-484194343

[mmcguill]

Hi, I'd like to add Yubikey support eventually, so thanks for opening the issue. I'm not super familiar with your use case here...

Could you describe in a little more detail the steps you follow with your device and KeePassXC to Unlock your database?

I will probably need to purchase a Yubikey to get started on this process. Any recommendations for use on iOS?

[markchalloner]

Hi Mark,

Thanks for coming back to me so quick.

Could you describe in a little more detail the steps you follow with your device and KeePassXC to Unlock your database?

The steps required to login to a Yubikey Challenge-Response protected Keepass file with KeepassXC are:

• provision a Yubikey slot with an HMAC-SHA1 Challenge-Response secret (backed up off key),
• connect Yubikey to a desktop PC via USB
• configure the KDBX4 database to use the HMAC-SHA1 secret on the Yubikey
• on opening the database in KeepassXC tick the Challenge Response field in the Enter master key screen.

The current steps required to login to a Yubikey Challenge-Response protected Keepass file with Strongbox are:

• generate a key file from the KDBX4 database master seed and HMAC-SHA1 Challenge-Response (see script above - this needs to be done each time the database changes)
• transfer the key to iOS,
• open database with Strongbox Advanced Unlock option Password & Key File... and select the imported key file.

The steps I envision would be:

• save the HMAC-SHA1 Challenge-Response secret in secure storage on iOS (simple: a local password protected only Strongbox database, complex: iOS local Keychain?)
• retrieve the secret (simple: manually input via Strongbox Advanced Unlock option Password & Challenge-Response secret, complex: automatically via pin mechanism?)
• Strongbox generates the master key from password and secret with the same algorithm implemented in KeepassXC
• open database

I will probably need to purchase a Yubikey to get started on this process. Any recommendations for use on iOS?

Unfortunately iOS support for Yubikey is currently limited to read-only modes: Yubikey's proprietary OTP, Static password and OATH-HOTP.

Because apps are unable to write via NFC/USB/Lightning the Challenge-Response wouldn't work. It looks Yubico are bringing out an iOS device supporting at least U2F which implies the ability to send data to the key. Unfortunately however Challenge-Response does not seem to be mentioned either in the press release, blog or the signup for the developer preview.

With the physical hardware out of the picture, the only other option is to use the actual secret for now (either off or on-device) as in the current steps documented above.

Cheers

[mmcguill]

Ok, thanks for the detailed response, very helpful.

[Mukrosz]

This feature would be amazing. I see Lastpass is doing a similar/if not the same approach as mentioned above.

[mmcguill]

Hi @markchalloner how do you see inputting Yubikey secret? Should it be a hex byte space separated string like:

96 84 43 35 60 2b 5f 00 42 78 07 c6 26 f1 ae 25 af 10 f0 2a

Any examples would be great. I'll try to investigate this soon...

[markchalloner]

Hi @mmcguill,

Thanks! It looks like (when generating):

• the HMAC-SHA1 output by the older Yubikey Personalization Tool is space separated as in your example: 96 84 43 35 60 2b 5f 00 42 78 07 c6 26 f1 ae 25 af 10 f0 2a, but
• the HMAC-SHA1 output by the newer Yubikey Manager is non-separated: 96844335602b5f00427807c626f1ae25af10f02a,

It's not inconceivable that the secret be backed up in either format (weirdly I have the non-separated format even though I generated it using the Personalization Tool).

When using:

• Keepass2Android's Challenge Response secret (recovery mode) can take the HMAC-SHA1 as both space separated and non-separated hex formats (though note this is for KeeChallenge's recovery rather than KeePassX's).
• openssl can only take the HMAC-SHA1 as a non-separated string: openssl dgst -sha1 -mac hmac -macopt hexkey:96844335602b5f00427807c626f1ae25af10f02a.

As an aside as I understand the CCHmac method takes an ascii encoded c string so I might be wary of treating the input as anything other than a string anyway to avoid accidentally converting it to the values represented in hex (though I'm not familiar with Objective C so wildly guessing here).

Hope that helps!

[mmcguill]

Alright yeah, I think it should be no issue supporting both formats... Cheers

[ssa3512]

It would be great to see support for this with Yubikey 5 NFC. I've been using Keepass2Android with "Password + Challenge-Response for Keepass XC" mode for some time. Considering moving to iOS but the lack of any applications that support Keepass + Yubikey NFC challenge-response is frustrating.

[mmcguill]

@ssa3512 Sure, understood. The issue is really do with hardware. There's no 2 ways comms capable Yubikey for iOS at the moment, which means challenge response is impossible right now. This issue itself is actually a way to workaround this by supplying the Yubikey secret to Strongbox and having it execute the challenge response (HMAC-SHA1) itself and use that generated response to open the database, which is no doubt a handy feature and something I hope to get done soon.

[SilverBut]

Unfortunately iOS support for Yubikey is currently limited to read-only modes: Yubikey's proprietary OTP, Static password and OATH-HOTP.

Update: iOS 13 would allow write to empty NFC tags. Wondering if this would be helpful if we want to add NFC capabilities for Strongbox.

[mmcguill]

Just an update. In theory Yubikey's new 5Ci should allow this Challenge/Response. I've been in touch and hopefully will get enrolled into their developer program. @SilverBut re the iOS 13 NFC, I don't know, but I'll ask Yubikey about this.

[mmcguill]

Update: Confirmed with Yubikey that iOS 13 NFC support should work too... Just a matter of allocating dev time to this, and a stable iOS 13 build.

[mmcguill]

This feature is now ready for you to test, it would be great to have some feedback. There are a couple of steps to get this working

1) You'll need your Yubikey master secret in Hex form as above (can be spaced couplets or just a long string)

2) You'll need version 1.36.0 from the app store (you might need to uninstall and re install from the app store to get this release)

3) You need to switch this feature on by going to Preferences > Advanced and turning on 'Show Yubikey Workaround' (Screenshot below)

4) You'll see a field where you can enter this secret when you tap on your database.

5) This should open your Yubiekey protected database, in read-only mode for the moment.

[markchalloner]

Hi Mark,

Great, thanks for the feature and the clear steps. The basic functionality works well!

I tested:

1. Opening a copy of my normal Keepass XC file from a remote with my Yubikey Challenge Response secret with and without the Read-only toggle enabled: PASS

   • The file opened successfully, under Read-only mode in both cases
   • Note: I was unable to easily retrieve the Challenge Response from another local Strongbox database as the clipboard is wiped on database close (with and without clipboard timeout enabled).

2. Setting and reopening the database with a convenience pin: FAIL

   • The pin appeared to be set correctly.
   • The database could not be opened with the message:

     Could not open database
     The Convenience Password or Key File were incorrect for this database.
     Convenience Unlock Disabled.

3. Setting and reopening the database with Touch ID: FAIL

   • The database could not be opened with the message:

     Could not open database
     The Convenience Password or Key File were incorrect for this database.
     Convenience Unlock Disabled.

4. Opening the same database via Autofill: PASS

   • The file opened successfully and the correct entries were shown.

5. Opening the same database via Autofill with convenience pin set: FAIL

   • A convenience PIN was not requested even though it had been set, the login page was shown instead.
   • The file opened successfully and the correct entries were shown.

6. Opening the same database via Autofill with Touch ID set: FAIL

   • Touch ID was not requested even though it had been set, the login page was shown instead.
   • The file opened successfully and the correct entries were shown.

Cheers

[mmcguill]

Thanks for the feedback @markchalloner... Yes, should have mentioned Convenience Unlock not supported either.

This is basically the most minimal release possible, I want to make sure the opening/unlocking works well. The next feature could/should be

1) Write Mode 2) Convenience Unlock

Convenience Unlock is probably straightforward enough. Write mode will take more work.

Any extra feedback from anyone else using this method welcome!

[markchalloner]

@mmcguill

If the Challenge Response field was type password could it be autocompleted from another database?

[mmcguill]

@markchalloner Yes, that would work, I'll see about adding that in the next release. I wonder if anyone else in this issue has tried this open method out yet?

[ssa3512]

I started testing this today and everything seems to be working well. Great job 👍 Looking forward to convenience unlock.

[mmcguill]

Thanks for the update @ssa3512 - Convenience Unlock coming soon...

[mmcguill]

Convenience Unlock should work for you with 1.37.0 - Let me know if it works ok!

[ssa3512]

Validated convenience unlock with 1.37.0.

PIN unlock works, Face ID works and the two together works. Just to confirm, is the expected behavior when Face ID and a PIN are enabled is that BOTH are required? Based on the setting of "Allow Face ID" I was expecting it to be either/or but it is requiring both.

Additionally, when using Face ID, there doesn't seem to be any sort of fallback to using the master key/password to unlock whereas PIN unlock has the "Manual" button that allows you to use those. Is this by design?

[mmcguill]

Great news, thanks for the update.

Re: Using Both, yes that's by design, it's (bio AND pin) not (bio OR pin). There was some discussion about this back when I introduced pins and we decided this was probably what most people wanted.

Re: The device PIN fallback on App Lock, that is actually an oversight, I'll get that in place for the next release.

[markchalloner]

Both pin and touch id works well for me.

You're probably on top of it already but the secret field is still a text field so won't trigger the iOS password autofill option.

Cheers

[mmcguill]

Yes, thought I'd got it in the last release, but must have slipped past me... Coming soon

[abalakov]

Hi,

I have problems logging into the database and get the message: "Incorrect Creditials".

I am running Windows with Keepass 2 V2.42.1 with KeeChallenge 1.5.0.0. Yubikey Personalzation Tool 3.1.25.

I have programmed my Yubikey 5 NFC for Change-Response HMAC-SHA1 with fixed 64 byte input. I have duplicated my database with "save as". Then changed the master key with "show expert options"; "Key file / provider is "Yubikey challenge-response". I enter the 64bit key and everything works. I can close and open the database as long as the Yubikey is in my USB slot.

When I try to open the new Keepass Database in Strongbox - using "Yubikey Workaround" and entering my 64bit key I run into the error message above. I have tried with and without password (according to how I changed the master key).

Any idea?

[mmcguill]

Hi @abalakov - I'm afraid KeeChallenge does things differently than how KeePassXC and KeePass2Android does things.

It seems to me that KeePassXC's method of managing Yubikey Challenge Response is the right way and so Strongbox only supports that method.

Hope that helps, though probably isn't ideally what you wanted to hear.

[mrclschstr]

This might help: https://github.com/Yubico/yubikey-personalization-gui/issues/86

[abalakov]

I did some more testing with KeeChallenge under Windows: trying a Yubikey Neo instead of 5 NFC. Generating the key with Yubikey Manager instead of Yubikey Personalization Tool. Using Variable length instead of fixed 64 bit length. None of this is getting it to work. Seems that KeeChallenge is indeed doing things differently than KeepassXC...

I also installed KeepassXC on Windows and get the same error as with Strongbox...

Seems there is no way in getting it to work other than working with KeepassXC.

[mmcguill]

Hi @abalakov - Yeah, as mentioned, there are (at least) 2 systems for using Yubikey with a KeePass database.

The KeePassXC one seems to be the best one which is why Strongbox supports that one.

The KeeChallenge system is not supported by Strongbox.

[abalakov]

Hi @mmcguill ,

I got it. There is an explicit FAQ section on this:

https://keepassxc.org/docs/#faq-yubikey-incompatible

I switched to KeepassXC (but am fighting with browser integration. "Kee" seems to be superior as first impression).

Will IOS13 make it work with the Yubikey itself? Will it work with any NFC version or just the new Yubikey 5Ci (Lightning connector)?

Anyway. Many thanks for making this feature available.

[mmcguill]

I got it. There is an explicit FAQ section on this:

https://keepassxc.org/docs/#faq-yubikey-incompatible

Ah yes, I should have posted that FAQ, it's excellent.

I'm afraid even with iOS13 (which should make two way comms possible with Yubikey) or even with the upcoming release of the Lightning connector - you will still have to pick 1 method to use your Yubikey with KeePass.

The issue isn't really with Yubikey itself, but the "method" used to fuse this 2nd factor into the Composite Key used to encrypt your database.

I'd recommend the KeePassXC method (IMO, it's technically better and a more authentic form of 2FA).

[abalakov]

I'm afraid even with iOS13 (which should make two way comms possible with Yubikey) or even with the upcoming release of the Lightning connector - you will still have to pick 1 method to use your Yubikey with KeePass.

Sorry, this was a misunderstanding. I have switched over to KeepassXC. My understanding is that one still has to use the "Yubikey Workaround" and enter the key manually but not read the code from Yubikey itself. I wonder when I can use the Yubikey instead of the workaround method.

[mmcguill]

Yes, ok, understood now. At the moment this isn't technically possible due to hardware. But there is hope on the horizon with Yubikey Lightning and iOS 13. At that point I hope to add full Yubikey support but it's a few months off yet...

[ssa3512]

@mmcguill It looks like the yubikey lightning is released now and some features of it are supported now in other apps (via the lightning connection not NFC yet).

Were you able to get your hands on a yubikey lightning and do you think this method of challenge auth will be supported?

[mmcguill]

Yes plan to add but I don’t have a key yet!

[xatage]

Thanks for the feedback @markchalloner... Yes, should have mentioned Convenience Unlock not supported either.

This is basically the most minimal release possible, I want to make sure the opening/unlocking works well. The next feature could/should be

1. Write Mode
2. Convenience Unlock

Convenience Unlock is probably straightforward enough. Write mode will take more work.

Any extra feedback from anyone else using this method welcome!

Any news about the Write Mode (without a Yubikey, only using the workaround method)?

[mmcguill]

I think I'm going to wait and try to do this with the actual Yubikey rather than this workaround. Hopefully I'll have the device soon!

[xatage]

If possible, I'd really love to see the opportunity to use those by KeePassXC with Yubikey protected databases in full write mode.

[jtpsky]

After some trial and error I got it working... Turned out I had to reprogram my yubikey for variable input length when programming the HMAC-SHA key...

Now for the big question: I am trying to find a setup that works cross-platform, ie. Linux, Android and ios. Based on the thread above I can get KeepassXC and Strongbox to play nicely together using the yubikey with KeepassXC. Now the challenge seems to be that Keepass2Android seems to only support the KeeChallenge way....

Is it possible to find a solution on Android that will also work when using a yubikey in the way that is compatible with KeepassXC/Strongbox?

[jtpsky]

Let me answer my own question above: Keepass2Android has a specific authentication method called "Password + Challenge-Response for KeepassXC".

So finally got it working across PC/Android/ios. Now just hoping to soon have support for the Yubico 5ci lightning adapter in Strongbox..

[mmcguill]

Yes... coming soon! :)

[mmcguill]

Just an update, I've been playing with an NFC Yubikey (still waiting on delivery of the 5Ci) and have had some success using the SDK...

However, at the moment adding support for Challenge Response isn't super well supported by Yubico...

See here where I've asked for a rough ETA for SDK support

[antnythr]

Hi, I've recently set up a test database that I created with KeePassXC with a Yubikey 2FA.

I enabled the "Show Yubikey Secret Workaround Field" in Strongbox and manually entering the password and Yubikey secret unlocks the database successfully.

I enabled TouchID to unlock the database. I assumed this stored the password and Yubikey secret in my Keychain, but when I look at my keychain on MacOS, I can't find the entry.

Where are the database login credentials stored?

[mmcguill]

Hi @antnythr

They're stored in the Keychain:

https://github.com/strongbox-password-safe/Strongbox/blob/5069a81c58c28fdaa8980e2be1ba7954e4753ed5/StrongBox/SafeMetaData.m#L455

but as far as I'm aware you won't be able to view these on MacOS, they're not uploaded to iCloud or anything like that.

[Mukrosz]

So in the layman's terms, I have to preprogram the Yubikey and then type that secret into Strongbox. The stupid question is ... I still need to have Yubikey in proximity to my iphone (Yubikey 5 NFC) in order to unlock database, correct?

[mmcguill]

Hi @Mukrosz

• You don't necessarily have to preprogram your Yubikey if you already know the secret.
• Once you have the secret, you do NOT need to have the Yubikey in proximity to the iPhone (Strongbox basically simulates what the Yubikey would generate from the secret)... This is quite handy in case of a lost Yubikey, or in this case where we can't interact with the Yubikey device from iOS until we get a usable API

Hope that helps!

[Mukrosz]

Thank you @mmcguill . So this is an additional master key then. I hope the usable API becomes available soon for it to be the ideal case of: unlock with what I know + what i have, versus what I know + the other thing that I know.

Thanks for all your hard work! I'd really love to use Strongbox but my database has a keyfile as an additional 2FA which I don't trust to reside on the same device where I type my master password. Enter Yubikey :)

[Frichetten]

I'm sorry to resurrect this thread if my understanding is wrong. But the Yubico Authenticator on IOS can now read NFC from Yubikey 5's (and I presume NEOs as well). Does this imply that strongbox could implement the new IOS NFC APIs to encrypt and decrypt password databases? Using a similar methodology to how KeePassXC does this?