I'm just wondering how the YubiKey HMAC-SHA1 challenge-response works with
Password Safe? (I've had a look around the forum but previous entries seem to
be about OTP rather than HMAC-SHA1)
I might just be a bit slow, but in the current setup when you are creating the
password database you only have to click the YubiKey button (in software) and
press the YubiKey (physically), presumably going through a challenge-response.
You don't have to type in the 'secret' the YubiKey was set up with and it
should not be possible to read the 'secret' from the YubiKey, so in the future
how does Password Safe know you are using the right YubiKey? Does Password
Safe always send the same challenge and expects the same response each time
(this seems unlikely for security reasons)? Otherwise if Password Safe sends a
random challenge, how does it know what the response should be if it does not
know the 'secret' on the YubiKey? (some sort of Diffie–Hellman–like exchange

At the moment, Password Safe does not use the OTP functionality of the YubiKey. Rather, it sends whatever you type in the password field as the challenge to the YubiKey. The response from the YubiKey (the SHA1 HMAC of your typed password) becomes the actual "password" that is used to lock/unlock the database.
I understand from Rony that an upcoming change will include a random salt in the challenge, but I don't think there are plans to incorporate any of the YubiKey's OTP functionality.
See also: https://sourceforge.net/p/passwordsafe/discussion/134800/thread/f1a2e2da/
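
The mechanism described in the answer above, as an added Python sketch (not Password Safe's code and not part of the original posts): the typed password is the challenge, and the HMAC-SHA1 response is what locks the database, so the application never needs the token's secret. `SimulatedYubiKey`, the UTF-8 encoding of the challenge, and the PBKDF2 verifier record are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class SimulatedYubiKey:
    """Hypothetical stand-in for a YubiKey slot in HMAC-SHA1 challenge-response mode."""

    def __init__(self, secret: bytes):
        self._secret = secret  # stays inside the token; the application never sees it

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def effective_password(typed: str, key: SimulatedYubiKey) -> bytes:
    # The typed password is sent as the challenge; the 20-byte response
    # becomes the actual "password" for the database.
    return key.challenge_response(typed.encode("utf-8"))  # encoding is an assumption


def create_database(typed: str, key: SimulatedYubiKey) -> dict:
    # Assumed record format: a salted verifier of the effective password.
    # Nothing derived from the secret alone is stored.
    salt = os.urandom(16)
    eff = effective_password(typed, key)
    return {"salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", eff, salt, 10_000)}


def unlock(db: dict, typed: str, key: SimulatedYubiKey) -> bool:
    eff = effective_password(typed, key)
    candidate = hashlib.pbkdf2_hmac("sha256", eff, db["salt"], 10_000)
    return hmac.compare_digest(candidate, db["verifier"])


if __name__ == "__main__":
    # Constructed sample secrets and passwords.
    right_key = SimulatedYubiKey(os.urandom(20))
    other_key = SimulatedYubiKey(os.urandom(20))
    db = create_database("correct horse", right_key)
    print("right key, right password:", unlock(db, "correct horse", right_key))
    print("other key, right password:", unlock(db, "correct horse", other_key))
    print("right key, wrong password:", unlock(db, "wrong horse", right_key))
```

The same typed password always yields the same challenge and therefore the same response from a given token, which is why the right YubiKey is recognized without any stored copy of its secret.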