Keeweb: Support YubiKey in challenge-response mode

Created on 27 Mar 2020  路  62Comments  路  Source: keeweb/keeweb

Is your feature request related to a problem? Please describe.
YubiKey supports challenge-response operations in form of HMAC-SHA1. This implementation has already gained some support in other well-known KeePass forks:

Describe the solution you'd like

  • desktop apps should use any of YubiKey API, such as native API or ykman, whichever is more feasible
  • webapp can support it in two ways:

    • as a one-time mode with a static key, which can be for example scanned as a QR code from the desktop app

    • using a workaround with storing the key on the device, which has to be carefully assessed in terms of security, to make sure the key doesn't end up in iOS backups

Describe alternatives you've considered
There are some alternatives described on this page:

  • Static Password Mode:

    • that's actually not 2FA and I doubt if it gives any additional security, since the password is typed using a keyboard driver

    • it's of course possible to use it in KeeWeb just as is, as well, but that's not what we're looking for here

  • One-Time Password Mode:

    • using the YubiKey in this mode is quite terrible in terms of UX, which is even worse on mobile devices

    • it will break sync and increase the risk of getting locked out, if sync fails

  • WebAuthn / U2F:

    • WebAuthn is neither about encryption, nor hashing. It does exactly what it says, which is authentication with a relying party. In our case we don't want to store secrets on a central server and destroy the decentralized nature of KeePass, even if it would be super easy to implement

  • Resident keys that were recently added to WebAuthn:

    • it looks very promising: completely eliminates phishing, is available for web and native API's, however:

    • there's no support in Safari, which means we won't be able to use it on mobile devices yet

    • unfortunately I don't see other clients willing to support it, which is understandable because the web topic is interesting to us, first of all, however we can write a plugin of course

    • this topic can be addressed later as an additional mode of YubiKey integration

Additional context
Previous issues in KeeWeb about YubiKey support:

  • #517
  • #410
desktop enhancement hardware kdbxweb

All 62 comments

This would be so neat, currently using keepass2android on Android with yubikey in challenge-response mode (which requires the app ykdroid for the nfc-driver) and keepassxc for desktops for secrets I'm paranoid about, but ofc KeeWeb with challenge-response mode would be ideal!

Just a note, it will work only on desktop without hacks; web/mobile version will be probably limited and not very convenient.

@jivarson what makes you paranoid?

@antelle that makes sense, there are at least one app for android with support for challenge-response :-) @ph00lt0 strong word, point being that for important passwords its good knowing that the second 2nd factor cant be copied after setup like a keyfile can

@jivarson good to know about Android, I'll add it to the manual that I'll write about YubiKey support. On iOS, most of KeePass-compatible apps already have support built-in.

the second 2nd factor cant be copied

Unfortunately it can, to some extent. YubiKey integration in KeePass-like apps is in Challenge-Response mode, which means that it's not a true 2FA, so if you have:

  • an old kdbx file
  • its password
  • access to YubiKey, no matter from what app or computer

You will be able to generate and save the response for this file. A more advanced technique can be sniffing USB, and again, as ChResp is not a one-time code, you can save and use it to open old files. However good news is that new files saved again will have a different challenge.

Well it certainly is a second factor. But not a time based second factor if that is what you mean.

Indeed, my reply was to the copying part.

Thanks for putting me straight

Just a note, it will work only on desktop without hacks; web/mobile version will be probably limited and not very convenient.

Has using the WebUSB API been investigated to allow use in browser?

https://github.com/SantiagoTorres/yubikey-webusb

Hello @antelle!
How do you intend to implement this?

I was thinking of doing something similar using Safari App Extensions on macOS. It would break the 100% web design of the project but we would have the benefit of reusing what was already implemented in other native apps. The app extension could be dropped in the future once browsers offer better native support.

In my case, I am more interested in smartphone-base keys (using the secure enclave) over BLE, so I am considering tweaking Krypton to add challenge-response support.

@thefonseca for now I think the web version will not support this feature at all.
Installing an app extension doesn't make a lot of sense, since it will be easier to download a desktop app instead.
If there's a smartphone-based key supporting challenge-response, it would be awesome, but I'm not sure if they exist, I'll try to find something.

Both Keepass2android and keepassium(ios) are supporting the challenge response mode through NFC, so it would be cool if the implementation of Keeweb is compatible with them

It will be compatible, but only the desktop version.

@thefonseca for now I think the web version will not support this feature at all.
Installing an app extension doesn't make a lot of sense, since it will be easier to download a desktop app instead.

Thanks @antelle, this makes sense. "a desktop app" you mentioned includes the KeeWeb electron version too? (I'd like to stick to KeeWeb for now).

Yes, KeeWeb desktop of course.

My use-case is on Chromebook. Sadly I don't think there is any solution for challenge-response mode at the moment (Android apps and Crostini/Linux can't directly access USB devices, either).

The feature is ready to test on desktop, if anyone would like to give it a try, please let me know.

@antelle I have a yubikey and can do some testing.

@gynet which operating system are you using?

@antelle I have win10 & Macos

Good, here's a version for macOS and Windows x64. The macOS version will most likely work, I haven't tested it on Windows yet. Please don't forget to backup your file!
Three's also a wiki page about using YubiKey with KeeWeb: https://github.com/keeweb/keeweb/wiki/YubiKey

Cool, will try it later today @antelle

It also has config encryption, after which the previous version won't be able to read configs, so better to try it as a portable installation: https://github.com/keeweb/keeweb/wiki/Configuration#portable

Here are some results so far:

MacOS:

  1. The keeweb-portable.json does not work for me, and after I launch the app, and it's still use the old profile.
  2. After I plugging my 'Yubikey NEO', the Yubikey icon shows up on the panel, but after I clicking on it, it shows "No Yubikey found", also the 'refresh the list' does not show anything either.
    I tried 'ykman list', it did list my Yubikey.

Windows 10

  1. For the first time, keeweb-portable.json seems not got loaded, and it was still using the old profile I previous used, but it generated a new profile folder after second launch.
  2. change response worked as expected with a test db.

Some Feedback:

  1. the dependency tree of 'ykman' is pretty heavy, and I spent quite long time to get it and its dependencies installed on my Mac and Windows. As I remember, the keepassxc does not depend on ykman, it there any alternative way for Keeweb interact with Yubikey without ykman? It's also would impact UX and the portability if it has dependency on ykman.

Thanks!

  1. keeweb-portable.json: could you please paste the absolute path to the file and KeeWeb? Sometimes it may be not loaded, depending on where it is.
  2. Is KeeWeb is added to "Input Monitoring" in system security & privacy settings? YubiKey is implemented as a keyboard, so we need this permission to interact with it.
  3. ykman is required only for one-time codes (OATH), OTP should work without ykman installed. When did you see the ykman prompt? The big YubiKey button on the start screen is OATH, the small one below the password field should work without it.

I've added a warning about "Input Monitoring" to the app, now it will show the explanation when there's a yubikey but it can't be used.

@antelle Do you mean the Challenge-response does not require ykman?
I did not see any prompt, I just installed it anyway as I read wiki too fast :)

MacOS updates

  • After I adding the app into "Input Monitoring", all the Yubikey slots are showing up now.
  • The portable json with abs path does not work either, also tried with granting full disk access. The path I am using is a folder under user desktop

Test Ran

  • Test case 1: [x] Passed | Create a DB by Keeweb with Yubikey + key file.
  • Test case 2: [x] Passed | Create a DB by Keeweb with Yubikey + key file, decrypt it by KeepassXC.

    Issues

  • Sometimes, the Keeweb does not show up the Yukikey slot list anymore after I opened another app using Yubikey, e.g., KeepassXC. (could not repro anymore now)
  • One more feedback: Current, the slot list does not the slot functionality, it would be better like to show the slot functionality as the KeepassXC

Screen Shot 2020-06-01 at 10 52 31 PM

I also tested with Keepass2droid. The database created by Keeweb failed on decryption by Keepass2droid + NFC. It shows "Invalid composite key". However, the database created by KeepassXC does not have this issue.

Do you mean the Challenge-response does not require ykman?

Exactly, my first intention was to implement everything with ykman, so it was said in the wiki, however I quickly realized that there are too many limitations. Updated the wiki, thanks!

After I adding the app into "Input Monitoring", all the Yubikey slots are showing up now.

馃憤

show the slot functionality as the KeepassXC

Makes sense, KeePassXC actually does a test challenge for that, I'll add it as well.

The database created by Keeweb failed on decryption by Keepass2droid + NFC.

Can it be opened with KeePassXC? Could you please upload your database if it's a test one?

Here is the testing db file created by KeeWeb. It can be decrypted by both Keeweb and KeepassXC using MacOS, but it can not be decrypted by Keepass2droid.
ybk_test_createdByKeeweb.kdbx.zip

The portable json with abs path does not work either

What I meant, is please tell me the absolute path to KeeWeb and the json config

  • App path: /Users/gynet/Desktop
  • The json content is below
{
    "userDataDir": "/Users/gynet/Desktop/mydir"
}

And where's the json config located?

app path: /Users/gynet/Desktop/KeeWeb.app
json path:
/Users/gynet/Desktop/keeweb-portable.json

Cool, I'll check why it doesn't work.
Thanks for the file! I'll look into this file a bit later today. Could you please tell me:

  • the password
  • result of
ykman otp calculate 2 d8a30cffaae97a52134550a3c852ef2a6b19203b96fea4154de5ededd3861f3c2020202020202020202020202020202020202020202020202020202020202020

(replace "2" with "1" if you're using slot 1)


...and the password please
Another question, if you re-save the file, can it be opened with other apps?

@antelle password is 'test'. Re-saved the file with Keeweb, it was able to reopen by KeepassXC

Also, another UX feedback, I saw iTerm do send notification about requesting security permission, would it be better the Keeweb also initialize the same permission request

What about Keepass2droid where it could not be decrypted before?
I'll check how it's done, not sure how to request those.

Tried use Keepass2droid to open the db modified by Keeweb, it still shows "Invalid composite key"

what happens if you re-save the file in KeePassXC, can it be opened there?

just tried, re-save the file in KeePassXC, the Keepass2droid still could not open it. Keeweb works fine with the file modified by KeePassXC

About the portable config: I just tried running KeeWeb from Desktop with these paths:
~/Desktop/KeeWeb.app
~/Desktop/keeweb-portable.json

{ "userDataDir": "kw-data" }

It displayed a question about accessing files in the desktop folder and worked well.

I implemented testing YubiKey slots, however I discovered that:

  • it adds a significant delay (about .8 .. 1.5 s)
  • sometimes it times out at all
  • actually it behaves in the same way in KeePassXC if you refresh it several times

So, if we compare having a stable API vs displaying "touch (non)required" and hiding non-working slots, I would say, let's show less information but with better quality.

Just checked, if KeeWeb is launched for the first time, it shows this question when trying to access YubiKeys:
Screen Shot 2020-06-02 at 15 11 57

I looked into keepass2android, looks like their implementation is compatible with KeePass/KeeChallenge, especially this part, as well as the docs explain. This means you won't be able to use files written by KeeWeb or KeePassXC, as it's also mentioned in the KeePassXC FAQ. I've added a compatibility table to the wiki page as well.
However Strongbox and KeePassium for iOS are compatible.

It seems like Keepass2android supports two mode: 'KeePass's Challenge reponse' and KeePassXC's challenge reponse".

I've tried the database created by KeepassXC, and it works fine on keepass2android.
I also saw Keepass2android Android UI do have two optios, "challenge reponse" and " challenge reponse for KeepassXC"

This was an closed issue on keepass2android's github

Here is also the issue regarding Keepass2android's implementation to be compatiable with KeepassXC .

Interesting, and still, both KeePassXC and KeeWeb write the db in a non-compatible format. I wonder what's the difference there. I guess, I need to somehow run keepass2android to understand what it is 馃

Status update: I didn't manage to install the necessary tooling on macOS, and looks like the project can't be built on mac, or at least there's no official guide how to do that, so tomorrow I'll try to read the code to understand why this can happen, however I won't be able to test it.

Meanwhile, what happens if you change the file format to KDBX4 in KeeWeb, does it become compatible?

@antelle

  • I uninstalled the existing Keeweb and cleaned all the settings in the Security & Privacy, then "Keystroke receiving" pop up window will up. Is that expected?
  • The portable json is still not working for me, and there is no questions or either any pop-up windows showing on my Mac for request any permission
  • After changing to kdbx4 + argon2, the database created by Keeweb is working for all the three pass managers(Keepass2droid, KeeWeb, KeePassXC) now 馃帀

@antelle for the keepass2droid issue I think it's by design, just found their release note mentioned that kdbx4 is required, but it would be better to document on the "compatibility table" as well.

Keystroke receiving

Yes, YubiKey registers itself as a keyboard and this permission is required to interact with it. Not the best solution, I would say, but that's how it is now.

portable json

Could you please try this build? I've added more logs there, if you launch it from terminal, it should print what's going on around portable configs.

kdbx4

Awesome so it was KDBX3 compatibility, then it's solved, thank you! I've changed the default file format of files created by KeeWeb to KDBX4 and added a note to the wiki page.

@antelle
I tried this build, but I don't see anything related

Command I used:

open -a KeeWeb.app --args --devtools

image

The logs should be in Terminal, you need to start it not with open, but as an executable: KeeWeb.app/Contents/MacOS/KeeWeb

Hi @antelle ,
If I launch the build from a terminal, things look good now. It starts using the new profile I defined in the json file. However, when it requests permission using the popup window, it shows the app requesting is iTerm.app instead of the Keeweb, I had to manually add the path of the app. I am guessing the MacOS treat the requesting app as iTerm, so it became working, so I think that may be related to the issue we saw.

I guess for some reason, the MacOS will still treat the new version of Keeweb.app as the previous one installed? I wonder is there any identifier that needs to be updated to indicate the app version? Because I previously had an issue with Keeweb upgrading scenario, and the auto-type stopped work, and I had to manually clean up the existing "Security & Privacy" settings regarding KeeWeb in macOS, then it would work

Is portable: true
Portable config path: /Users/gynet/Desktop/keeweb-portable.json
Portable config path exists
Portable user data dir: /Users/gynet/Desktop/mydir

I did reset, and everything works now

tccutil reset All

I think it checks by bundle id, and I really hope that also certificate, but maybe not, I鈥檒l check. So you don鈥檛 need to update it for the new version.
It will show terminal in this case yes, otherwise it would be easy to bypass.
Ok cool that it works now!

Uploaded a new build here: https://github.com/keeweb/keeweb-ci-sandbox
This is probably what will be there in the release, at least for me everything seems to be working.

Was this page helpful?
0 / 5 - 0 ratings