RFC: Add YubiKey HMAC-SHA1 Challenge-Response #52
Conversation
kylemanna
changed the title
|
Nice addition! One of the things that is disappointing about some services is that they only allow one key to be registered with the application, which means that you're screwed if you lose that key. It'd be nice to be able to associate a back up key as well. Does this PR provide support for multiple keys? Cheers! |
|
@OJ You can't use multiple encryption keys. Instead you can generate and save the 20 byte HMAC secret prior to programming the YubiKey. You could then program an infinite number of other YubiKeys with the same secret. See the screenshot in the PR showing the Yubico GUI tool, note the key field. Alternatively, the HMAC-SHA1 process could probably be done manually if the secret was saved. That is to say that if you saved the secret, you could hack together some KeePassX code to unlock your database without the physical hardware. This would only be done in an emergency. |
|
@kylemanna Thanks for the response mate. Back when I got my key I wasn't able to do this (but that was a while ago) and so I had to go with the "add multiple keys" approach. Things appear to be a bit different now. Thanks for the education. Cheers! |
FWIW, I think the "emergency process" should be defined here. I'd be really nervous about losing my key and losing access to the database (but I guess this is the same with the file.key on a USB stick?). Edit: missed this
Is there something that I can print out on a piece of paper and put in a safe somewhere? Something like the 2FA recovery codes GitHub provides. |
|
Someone on HN mentioned http://sourceforge.net/projects/keechallenge/ for KeePass2. Is there a way this could be compatible? |
|
@voltagex A recovery mode could be added, but that's outside the scope of this PR. I'd rather people just purchase and use 2 YubiKeys, that way the HMAC secret is (most likely) secure rather then potentially sitting in a plain text file somewhere... forgotten. If there is more interest, there isn't any reason a recovery mode couldn't be added where the HMAC secret could be input. You can easily print out the YubiKey's HMAC secret, see the screenshots in my pull request of the Yubico Personalization tool, it has my test HMAC secret cleary visible. As for KeeChallenge, it's different in the actual implementation according to the README:
KeeChallenge is using the HMAC-SHA1 feature in the same general manner, but storing an extra xml file and using the HMAC secret (ironically stored encrypted in the XML file) to unlock the KeePass DB. The KeePass plugin API may not have access to the master seed or it didn't occur to the author. I personally prefer my implementation as I don't want to have an extra xml file to lose/corrupt. Additionally, I derive the final key by hashing the HMAC response + password + key file. His authentication scheme appears to be just the YubiKey encrypting it's own internal secret which is then used to unlock the KeePass database. A potential attack against KeeChallenge might be to grab the HMAC secret from memory after it's decrypted from the XML file and then circumvent all security by using recovery mode. With my implementation, the HMAC secret is in memory only once when writing the configuration to the YubiKey(s) (which for the paranoid, can be done offline). At least that's how it appears with the initial review of the code. On a side note, KeeChallenge appears to handle the GUI operation (particularly blocking mode) better then mine currently does. |
|
@kylemanna I really appreciate your contribution! Great work. Thank you. If there are concerns to loose the key it is always recommended to have two Yubikeys and store the backup secret offline or on paper. Buying two of them shouldn't be a problem compared to the value you have probably stored in Keepassx. Moreover, Yubikeys are physically well build and even function under water if USB slots would :) Yubikey security: http://www.yubico.com/2014/04/improvements-physical-yubikey-attacks/ Btw. Yubico recently published YubiX, an open source authentication solution: http://www.yubico.com/develop/open-source-software/yubix/ |
|
A good point on using KeeChallenge is that it has now a counterpart on an Android-client (Keepass2Android). Using it and Keepass (mono-version on linux...) it is possible to use an HMAC-SHA1 based DB unlock (off-line) using my yubi neo key. |
|
@kylemanna: Thank you for your good work! I noticed that database locking does not work as expected - it only checks the password (and/or keyfile) but not the yubi key (I can even remove it unnoticed by keepassx). But perhaps the most serious flaw I found is a database corruption, which is triggered when opening a challenge-response secured database, removing the yubikey and then trying to save the database. The save was not delayed as before with no error and apparently led to database corruption (was reproducable for me)! Could you please adress the corruption problem? |
|
@fabian-z Thanks for the feedback, glad to hear some people have given it a test drive! The current patch set lacks user feedback (ie the pop-up) and doesn't actively monitor for YubiKey insertions/removals to keep the initial pull request simple. These are things that could definitely be enhanced. As for the database locking, I never used that feature so I'll have to look in to it. The YubiKey removal and corruption issue is a big oversight on my part, I'll have to fix that for sure. |
|
@kylemanna Sure, those nice 'lil user friendly popups are not needed until now - I just wanted to give you my full test feedback. If database save corruption issue is fixed, this pull request can imho be considered pretty stable. Locking support would be optimal, but I actually don't use locking too. Current behaviour is different from what the user may expect, so it could get a security issue in larger environments. Glad to know you are working on it - I am already eager to give this a shot in long-term use :) If you have any problems reproducing, let me know. |
|
Will be testing this out ASAP. |
|
Hi, thank You for Your work, I am waiting for Yubikey support as I feel increasing uncomfortable having all my sensible information stored in KeePassX with only a password. I offer You also test support for it on Linux (Debian Wheezy). |
|
KeePassX provides the possibility to use a key file stored on a Op Zo aug 17 2014, om 19:00 schreef wodry: Hi, thank You for Your work, I am waiting for Yubikey I offer You also test support for it on Linux (Debian — References |
|
Yes, just realized that, too. But I do not really like it. One needs to have an extra usb stick, one has to connect it every time (and I use KeepassX nearly every day) and then disconnect it again at once (because when it is mounted, the attacker can steal the file and then the security is gone). And if the attacker just watches for usb mount and then copies the file, there is no advantage. |
|
@digineut yeah, what's the state of the keyfile at rest? Readable or offline? It affords the opportunity for the user to get lazy and leave the keyfile exposed in a data backup or stolen from the flash drive as @wodry mentioned. YubiKey would force good security practice. I'm going to fix the issues @fabian-z pointed out, but want to see if anyone else has opinions / input? Life has consumed too much of my free time so hopefully we can get this cleaned-up and merged? :) Most importantly I'd like input from @debfx to see what his thoughts are on this feature. It certainly breaks compatibility with the original KeePass and may constitute a fork if that's unacceptable. @debfx Any thoughts on merging this after I fix the YubiKey removal issues described above? |
|
@kylemanna |
|
Awesome work ! Note : it's not very annoying since you only have to do it once at startup, but if there could be a config option to automaticly check the "challenge response" box if the key is plugged in... Many thanks again, keep up the good work ;) |
|
@fabian-z Want to give it a shake down now? |
|
@constint thanks! The problem with error handling is that currently KeePassX doesn't handle write errors as well as I'd like when dealing with external hardware that can do 100s of wacky things. Write it up on my repo fork so it's not forgotten. I've seen another annoying bug due to this, but it escapes me. For the config issue, write-up on my repo fork and I'll look at adding it. Should be simple. I want to keep this initial pull / merge request as simple as possible. |
|
@kylemanna Only issue left was already outlined by @constint. When the YubiKey is not plugged in while closing the database and one decides to save the changes, the error message will appear but closing the database will proceed afterwards, losing the previous changes since the last save. I wrote this up on your fork as kylemanna#4. Thanks for these awesome fixes! |
|
What's the status of Yubikey support ? I tried Password Safe Linux-Beta 0.94, which has Yubikey support working, but I could not use it successfully stable, sometimes it works, sometimes not... So I uninstalled it... |
|
I would consider it stable since I am using it daily for about 2 months You can simply compile keepassx with YubiKey support from @kylemanna : If you want latest keepassx master patches, you can always fork your own |
|
@kylemana, or knowledegable others. There is a HTML5 implementation of RFC4226 (like Google Auth) on github and I'd like to use this with Keepassx since it does not require I give out my phone number. See here, To quote, "A simple application which generates TOTP tokens when multi-factor authentication is used with your Google account. It implements RFC4226 (HMAC-based OTP) and has been tested to work with Google Authenticator, Dropbox, Dreamhost and Amazon." |
|
This fork/pull request will currently not work with anything else than a Am 28.11.2014 um 13:59 schrieb Topher Khaew:
|
|
@fabian-z |
|
@tkhaew It's not implemented in traditional sense of an OTP mechanism. Traditional OTP mechanisms are used for authentication. This implementation derives an encryption key from a HMAC-SHA1 mechanism integrated in Yubikey. It functions completely offline and is used to derive the key. HAMC-SHA1 response is significantly more secure then any user memorable password. HMAC-SHA1 + user password creates a 2 factor encryption key and eliminates dictionary attacks. Malware would not be able to steal the HMAC-SHA1 response unless a) it caught the generation operation in flight (i.e. save KeePassX DB) or b) the Yubikey was plugged in and malware was able to access it (i.e. no hw button press required). And the encryption key (via seed and challenge-response) changes every time, so if malware caught the derived encryption key only once, and the user saved the file again, the old key would no longer work. In a password only mechanism, the password caught once would be usable in the future. |
|
+1 Thanks! |
|
+1 on this, any updates? |
2.0.2 release
|
+1, I'd love to have this feature implemented. |
|
Hello, I am in the process of evaluating different methods of securing my KeepAss password store. My main concerns:
If I understand correctly verification of OTP is done on both sides (client and server) Please help me to understand where secret key is stored? After some reading I have found OtpKeyProv is somehow related to key file feature If the secret key is not present withing the KP database, then how HMAC(Key,Count) is calculated by the plugin? But if the secret key is present in the database or in another place on the computer then it is not secure at all and the only another secure method is challenge-response with asymmetric keys? |
|
Im using KeePassX 0.4.3 for Ubuntu Linux. I cannot find the challenge response settting for the master key, as per your first uploaded image. |
|
@Canalytic, this pull request wasn't merged. Afaik you have to use his fork for this feature. |
|
@Canalytic, also, this repo is for KeePassX 2.0. KeePassX 0.4 is the (rather) older previous version. |
|
Hi, I manage to compile this fork on Mac OS X (El Capitan) I'm unable to open my keepass db using my Yubiley. However, if I create a new DB with KeePassX with the challenge response it works. I know my kdbx is good because I use it with Keepass2droid and Keepass on Windows. Any idea on why it's not working and how I can fix it? One thing I noticed, when I created my kdbx with keepass it also created a .xml file. When I created it with KeePassX it didn't. I really want to be able to use my kdbx on my mac. Thanks. |
|
Is there still no comment from the maintainers on this? What needs to happen to get this merged and released? |
|
@denibertovic : Look when was the last commit of @debfx (the maintainer, I suppose), 25 May. I think he's really busy. Also, a lot of others PR hasn't been merged yet... I don't know if he accepts PR by the way. |
|
News? |
|
You could try to create this pull request over at https://github.com/keepassxreboot/keepassx |
|
Willing to support this feature with cash as well. Please update. |
| int rowCount(const QModelIndex& parent = QModelIndex()) const override; | ||
| QVariant data(const QModelIndex& index, int role = Qt::DisplayRole) const override; | ||
| void setIcons(const QHash<Uuid, QImage>& icons, const QList<Uuid>& iconsOrder); | ||
| virtual int rowCount(const QModelIndex& parent = QModelIndex()) const Q_DECL_OVERRIDE; |
There was a problem hiding this comment.
Why the virtual keyword and the Q_DECL_OVERRIDE instead of C override ?
There was a problem hiding this comment.
Great question, I don't recall. Likely two minor bugs. I think you're the first person to review the code. Ever. :)
Added issues link to Readme
|
I requested a review about your code from YubiKey support team. They say
Please, contact Aaron of the support team for troubleshooting the case further. It would be nice to get some reviews about the condition of the ticket. |
|
@sami10007 this feature has been merged in KeePassXC (the community fork of KeePassX) here: keepassxreboot/keepassxc#127, we talked with @a-dma in the PR and we will be happy to discuss further |
|
Thanks @TheZ3ro and others on the KeePassXC team for giving this a new home. Closing issue. |
Overview
This pull request adds support for YubiKey, a USB authentication device commonly used for 2FA. Support is added by configuring a YubiKey slot to operate in HMAC-SHA1 challenge-response mode. The mechanism works by submitting the database master seed as a challenge to the YubiKey which replies with a HMAC-SHA1 cryptographic hash. The resultant hash is then hashed with the other keys (password, keyfile) to generate the final key used to encrypt the database.
I have uploaded a few screenshots to imgur.
Details
libyubikeyandykpers-1libraries are necessary for support. These libraries are detected at compile time to enable support and necessary at run-time.cmake -DCMAKE_DISABLE_FIND_PACKAGE_YubiKey=TRUEQuick Start Guide
Install necessary libraries to appease KeePassX's CMake configuration step
Install yubikey-personalization-gui and configure slot 2 for HMAC-SHA1 challenge-response. Be sure to write the configuration. Optionally it can be programmed via the command line.
Start up KeePassX with the YubiKey inserted and the challenge-response form of the DatabaseOpenWidget ChangeMasterKeyWidget should enable themselves asynchronously listing the inserted YubiKey. Review screenshots on imgur for the configuration tool.
Upstream / Reference