Two cool features of the YubiKey are its small size (it fits entirely inside your USB port) and its touch feature: it won't do anything unless you touch it, proving someone is physically present.
It has very basic integration with KeePass - it can enter OTPs for you, which is cool, but we can do better. In particular, I'd like to have the YubiKey decrypt KeePass-managed passwords. This would be compatible with all sites, not just ones expecting an OTP password.
By the way, KeePass has unnecessarily weak dictionary attack resistance. 6,000 rounds of AES is out of date:
http://keepass.info/help/base/security.html#secdictprotect
Check out Scrypt, and the Password Hashing Competition for more ideas about secure password hashing algorithms. A 1 millisecond Scrypt hash provides orders of magnitude greater protection than 6,000 AES rounds, and that protection goes as the square of the runtime (which is what differentiates it from linear AES rounds).
Bill
What do you have in mind? I believe the YubiKey can be configured to output up to a 38-character static password, and it identifies itself to the OS as a keyboard. These two capabilities should allow it to enter a Master Password directly into the KeePass database Master Key dialog. No modification to KeePass would be needed unless you have something else in mind.
Note: I believe the KeePass developer prefers to implement standards-based solutions (e.g. HOTP) rather than product-specific solutions (e.g. Yubico OTP).
The default 6000 key transformation rounds setting is database specific. It was probably chosen to capture much of the benefit of increasing the work factor required to calculate an encryption key from a given Master Key guess, while minimally impacting database opening performance. While this setting is low for modern laptops and desktops, there may still be slow processors in use (phones?). The user can easily increase this database setting if it is appropriate.
Last edit: wellread1 2015-04-28
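The two points above (Bill's claim that scrypt's protection grows with the square of its runtime, and wellread1's note that the linear key transformation rounds setting is a per-database work factor the user can raise) can be made concrete with a small script. This is an added example, not code from the thread or from KeePass: the "linear" KDF below is a stand-in that repeats an HMAC-SHA256 round instead of KeePass's AES-based transformation (only the shape, one fixed-cost transform repeated N times, is the same), scrypt comes from Python's `hashlib`, and the calibration routine, seeds and passwords are constructed for illustration.

```python
"""Key-stretching work factor: linear rounds vs. scrypt.

Added example, not code from the thread or from KeePass. linear_kdf is a
stand-in for KeePass's AES-based key transformation that uses HMAC-SHA256
rounds; scrypt is Python's hashlib.scrypt (OpenSSL-backed)."""
import hashlib
import hmac
import time


def linear_kdf(master_key: bytes, seed: bytes, rounds: int) -> bytes:
    """Repeat one keyed transform `rounds` times, then hash the result.

    Cost grows linearly with `rounds` and memory use is constant, so an
    attacker with many parallel cores pays the same per-guess cost as the
    defender, just spread across more hardware.
    """
    k = hashlib.sha256(master_key).digest()
    for _ in range(rounds):
        k = hmac.new(seed, k, hashlib.sha256).digest()
    return hashlib.sha256(k).digest()


def scrypt_memory_bytes(n: int, r: int = 8) -> int:
    """Size of scrypt's ROMix working set: 128 * r * n bytes."""
    return 128 * r * n


def scrypt_kdf(master_key: bytes, salt: bytes, n: int, r: int = 8, p: int = 1) -> bytes:
    """Derive a 32-byte key with scrypt. `n` must be a power of two greater than 1."""
    # hashlib.scrypt enforces a memory cap (OpenSSL's default is 32 MiB), so
    # raise maxmem to fit the 128*r*n-byte working set plus some slack.
    maxmem = scrypt_memory_bytes(n, r) * 2 + (1 << 20)
    return hashlib.scrypt(master_key, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def attacker_cost_ratio(n_old: int, n_new: int) -> float:
    """Area-time cost ratio for an attacker when scrypt's n changes.

    scrypt's running time and its memory footprint both scale with n, so the
    product an attacker must pay for (memory x time per guess) scales with
    n**2: doubling n quadruples the attacker's cost while only doubling the
    defender's wait. A linear KDF doubles both sides equally.
    """
    return (n_new / n_old) ** 2


def calibrate_rounds(target_seconds: float, sample_rounds: int = 2000) -> int:
    """Pick a `rounds` value for linear_kdf costing about `target_seconds` on
    this machine by timing a sample and extrapolating linearly (the same idea
    as letting the user raise the per-database rounds setting)."""
    key, seed = b"constructed-master-key", b"\x00" * 32  # constructed test input
    start = time.perf_counter()
    linear_kdf(key, seed, sample_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(sample_rounds * target_seconds / elapsed))


if __name__ == "__main__":
    seed = b"\x11" * 32  # constructed transform seed / salt
    pw = b"correct horse battery staple"  # constructed master password
    print("linear 6000 rounds  :", linear_kdf(pw, seed, 6000).hex())
    print("scrypt n=2**14      :", scrypt_kdf(pw, seed, 2 ** 14).hex())
    print("scrypt working set  :", scrypt_memory_bytes(2 ** 14) // 2 ** 20, "MiB")
    print("cost ratio 2^14->2^15:", attacker_cost_ratio(2 ** 14, 2 ** 15))
    print("rounds for ~1 s here:", calibrate_rounds(1.0))
```

The practical takeaway is the asymmetry: raising the linear rounds setting from 6000 to 60000 costs the user and a brute-forcing attacker the same factor of ten, whereas raising scrypt's n by ten costs the attacker a factor of a hundred in memory-time product.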
See also the developer's comments regarding future plans to implement new hashing and authenticated encryption methods in KeePass.
Last edit: wellread1 2015-04-28
The OTPKeyProv plugin allows you to open a KeePass database with HOTPs generated by a YubiKey.
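To show what "opening a database with HOTPs" involves on the verifying side, here is an added example of RFC 4226 HOTP generation plus a counter-resynchronising check. It is not code from the thread, from OTPKeyProv or from Yubico: the look-ahead window and the requirement for several consecutive codes are constructed policy values chosen to illustrate the problem (a hardware token's counter advances on every press, including presses the verifier never saw, and a local verifier cannot throttle guesses the way a server can), not OTPKeyProv's actual settings. The secret is the RFC 4226 test-vector secret.

```python
"""HOTP (RFC 4226) generation and counter-resynchronising verification.

Added example, not code from the thread, OTPKeyProv or Yubico. Window size
and number of required codes are constructed policy values."""
import hashlib
import hmac
import struct
from typing import Optional, Sequence


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit value, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp_sequence(secret: bytes, stored_counter: int, codes: Sequence[str],
                         look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Accept `codes` only if they are consecutive HOTP values starting at a
    counter within [stored_counter, stored_counter + look_ahead].

    Returns the counter to store next (one past the last accepted code), or
    None on failure. Requiring several consecutive codes means a single
    guessed 6-digit value is useless, which matters when the verifier holds
    the secret locally and an attacker can retry without rate limiting.
    """
    if not codes:
        return None
    for start in range(stored_counter, stored_counter + look_ahead + 1):
        expected = [hotp(secret, start + i, digits) for i in range(len(codes))]
        # compare_digest keeps the comparison time independent of where the
        # first mismatching digit is.
        if all(hmac.compare_digest(e, c) for e, c in zip(expected, codes)):
            return start + len(codes)
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    print([hotp(secret, c) for c in range(3)])  # ['755224', '287082', '359152']
    # The token was pressed twice without the verifier seeing it (counters 2
    # and 3), then three codes are presented for counters 4, 5 and 6. The
    # look-ahead window absorbs the gap and the stored counter moves to 7.
    presented = [hotp(secret, c) for c in (4, 5, 6)]
    print(verify_hotp_sequence(secret, stored_counter=2, codes=presented))  # 7
    # Codes out of order, or a token far beyond the window, are rejected.
    print(verify_hotp_sequence(secret, 2, [hotp(secret, c) for c in (4, 6, 5)]))  # None
```

Because the stored counter only ever moves forward, a code that was accepted once cannot be replayed, which is the property that makes a counter-based OTP usable as a key-provider input at all.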