Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

Implementation of YubiKey Challenge-Response?

Steven McG
2012-08-23
2013-07-06
  • Steven McG
    Steven McG
    2012-08-23

    Hi,

    I'm just wondering how the YubiKey HMAC-SHA1 challenge-response works with
    Password Safe? (I've had a look around the forum but previous entries seem to
    be about OTP rather than HMAC-SHA1)

    I might just be a bit slow, but in the current setup when you are creating the
    password database you only have to click the YubiKey button (in software) and
    press the Yubikey (physically) presumably going through a challenge-response.
    You don't have to type in the 'secret' the YubiKey was setup with and it
    should not be possible to read the 'secret' from the YubiKey, so in the future
    how does Password Safe know you are using the right YubiKey? Does Password
    Safe always send the same challenge and expects the same response each time
    (this seems unlikely for security reasons)? Otherwise if Password Safe sends a
    random challenge, how does it know what the response should be if it does not
    know the 'secret' on the YubiKey? (some sort of Diffie–Hellman–like exchange
    perhaps?)

    Many thanks,

    Steven

     
  • Eric Dutko
    Eric Dutko
    2013-07-06

    At the moment, Password Safe does not use the OTP functionality of the YubiKey. Rather, it sends whatever you type in the password field as the challenge to the YubiKey. The response from the YubiKey (the SHA1 HMAC of your typed password) becomes the actual "password" that is used to lock/unlock the database.

    I understand from Rony that an upcoming change will include a random salt in the challenge, but I don't think there are plans to incorporate any of the YubiKey's OTP functionality.

    See also: https://sourceforge.net/p/passwordsafe/discussion/134800/thread/f1a2e2da/