

Show HN: YubiKey HMAC-SHA1 support for KeePassX - 2bluesc
https://github.com/keepassx/keepassx/pull/52

======
ef4
Thanks, this looks interesting. I'm not clear on how the master seed gets
regenerated at every save.

Presumably the secret key used to generate the HMAC never leaves the YubiKey?
So when you want to change the seed, you need to ask the YubiKey to sign the
new seed? So saving the database requires pushing the button on the YubiKey
again?

~~~
2bluesc
The secret is generated by a PC using Yubico's tools (see the screenshots in
the PR). If you're truly paranoid you'd do this on an offline computer so that
the secret doesn't some how leak to the Internet. This secret could then be
programmed to other YubiKeys if desired (at least 2 are recommend for backup).

Every time the KeePass2 database is written, a new master seed is
generated[1]. The master seed is stored raw in the header of the KeePass2
database so that it can be read later for decryption.

This pull request is a nutshell submits the master seed as a challenge to the
YubiKey which replies with a deterministic response. We then use the response
to generate the final key. The final key is the true encryption key and the
file is written out. To decrypt[2], we do the same thing, but read the master
seed from the header file. Commit that ties everything in to the final key[3].

[1]
[https://github.com/keepassx/keepassx/blob/master/src/format/...](https://github.com/keepassx/keepassx/blob/master/src/format/KeePass2Writer.cpp#L48)
[2]
[https://github.com/keepassx/keepassx/blob/master/src/format/...](https://github.com/keepassx/keepassx/blob/master/src/format/KeePass2Reader.cpp#L102)
[3]
[https://github.com/kylemanna/keepassx/commit/45d2add8a3037c3...](https://github.com/kylemanna/keepassx/commit/45d2add8a3037c3bd57e37ab320bf9597d567133)

~~~
ef4
Right, that's what I was assuming. Good.

The only part I trying to confirm was that you issue a challenge to the
yubikey at save time, not just at decryption time.

------
2bluesc
Open to criticisms, suggestions and testing :)

~~~
tomkinstinch
Looks nice. Is there functionality for a fallback/backup passcode in case the
YubiKey is lost?

~~~
hathvi
Wouldn't this defeat the YubiKey's purpose? One of the points in the pull
request mentions only supporting a single YubiKey, which I believe is how
you'd most commonly solve this issue (having a backup YubiKey). It's also
possible to store a backup of your KeePass database with a passcode somewhere
safe.

------
gnoway
What are the benefits of this vs. KeeChallenge?

[http://sourceforge.net/projects/keechallenge/](http://sourceforge.net/projects/keechallenge/)

~~~
2bluesc
Wasn't aware of that. Sounds similar, I'll take a look.

The immediate benefit is that KeePassX is that it is cross platform (tested
first hand on Linux and OS X) whereas KeePass itself is Windows only (maybe
mono?).

~~~
gnoway
Yeah, keepass2 works w/ mono. I have it installed on an xubuntu system.
There's an official package (in universe).

keechallenge is also supposed to work w/ mono. That said, at least on my
machine the fonts in keepass2 are rendered too small, making the application
very difficult to use. I spent about an hour trying to figure out how to fix
them and could not, so I have not tried setting up keechallenge there.

