#1556 YubiKey Configuration Dialog: Generate & Set Yubikey Prevents Future Access To Existing Password Safe Database

Next release
accepted
None
Medium
2022-09-30
2022-03-28
Zian
No

If you secure your database with a primary and backup YubiKey, then after the primary breaks and you try to revoke the dead YubiKey, Password Safe will not warn you before you lock yourself out.

Steps to Reproduce

Caution: You will not be able to read the contents of the database that you use to reproduce this ticket.

Setup:

  1. Get 2 YubiKeys.
  2. Make a new Password Safe database.
  3. Follow the instructions in mk:@MSITStore:C:\Program%20Files\Password%20Safe\pwsafe.chm::/html/manage_menu.html to customize the YubiKey and create a backup YubiKey.
  4. Follow the instructions at mk:@MSITStore:C:\Program%20Files\Password%20Safe\pwsafe.chm::/html/change_combo.html to secure the database from step 2 with the primary YubiKey.
  5. Quit Password Safe.
  6. Remove all YubiKeys from the computer.

Disaster:

  1. Throw the primary YubiKey into a public trash can and wait for the trash can's contents to become irretrievable.
  2. Log in to the database using the backup YubiKey.
  3. Walk through the steps under "To customize your YubiKey" (mk:@MSITStore:C:\Program%20Files\Password%20Safe\pwsafe.chm::/html/manage_menu.html) to keep the previous YubiKey from unlocking the current database.
  4. Try to change the safe combination to the new YubiKey secret key by going through the steps at mk:@MSITStore:C:\Program%20Files\Password%20Safe\pwsafe.chm::/html/change_combo.html. You will be unable to do so.
  5. Exit Password Safe.

Expected Result

Plugging the backup YubiKey into the computer and entering a password + touching the Yubico logo should unlock the database.

Actual Result

The database remains locked.

Comments

I can't think of a scenario where you would want to permanently lose access to your Password Safe database with no warning.

Since the YubiKey key-setting dialog is only accessible after unlocking a database, the program has enough information to figure out if the YubiKey secret key being overwritten is in use by the current database. If the current database uses the current YubiKey, then the program should not allow the user to continue. Instead, the program could tell the user to read Removing YubiKey Authentication at mk:@MSITStore:C:\Program%20Files\Password%20Safe\pwsafe.chm::/html/change_combo.html or go straight to that dialog. The user should also see a reminder that setting the new secret key will destroy access to any other databases or applications that use slot 2's existing value.

If the current database does not use the current YubiKey secret key in slot 2 and slot 2 is not empty, then the program should make the user acknowledge the potential risk of losing access to any other Password Safe databases and any other applications that rely on the existing secret key in slot 2. If I recall correctly, the program already has a good dialog that requires users to type an acknowledgement before a dangerous operation is performed.

I know this change will make it harder to set a new secret key on a YubiKey if the user is only playing around and has not linked the YubiKey to anything.

System Details

  • Microsoft Windows 10 21H2
  • Password Safe version 3.54.01
  • YubiKey 4 firmware version 4.3.3

Discussion

  • Zian

    Zian - 2022-03-28

    By the way, after encountering the bug, I managed to avoid losing my entire database by using a paper backup of the old secret key. Don't know if printing the secret key should be encouraged.

     
  • Rony Shapiro

    Rony Shapiro - 2022-04-02

    Thanks for the excellent write up of the scenario. If only all bug reports were so well written...

    To the point: The keys stored in the Yubikey slots are unreadable by design, so there's no way to detect if a slot is empty or not. The value you see in the Yubikey Configuration dialog is read from the database, and is kept solely for creating a backup.

    So the correct procedure for recovering from a lost Yubikey device would be:

    1. Remove Yubikey protection from all of your Yubikey-protected databases using your backup device and Manage->Change Safe Combination...
    2. Generate and set a new Yubikey secret key on your backup device using Manage->Yubikey...
    3. Set all your databases to be protected with Yubikey and the new secret via Manage->Change Safe Combination...
    4. Securely delete all old backup files (.ibak), as these are still protected with the old Yubikey secret.

    I think that documenting this in the help file is the best I can do, given the limitation described above. What do you think?

     
  • Rony Shapiro

    Rony Shapiro - 2022-04-02
    • status: open --> accepted
    • assigned_to: Rony Shapiro
     
  • Zian

    Zian - 2022-04-04

    > The keys stored in the Yubikey slots are unreadable by design, so there's no way to detect if a slot is empty or not.

    You and I understand why that must be so but someone busy panicking about having lost their literal key(s) & Internet identity probably won't be as understanding.

    Would it be possible to make the user trigger their current YubiKey after the "Set" button is pressed? I assume that once the program receives the response, the program will know if it's talking to a YubiKey that's linked to the current database.

    Perhaps the dialog that appears after Set is pressed could look something like this:

    Title bar: Password Safe
    Dialog Body:
    You will lose access to everything that Slot 2 in the YubiKey is used for. This may include Password Safe databases, e-mail accounts, and doors.

    After you have verified that nothing relies on Slot 2 of the current YubiKey or that Slot 2 is empty, trigger the YubiKey by touching it or by pressing "green YubiKey button goes here".

    Buttons:
    Button to launch YubiKey's documentation site about the YubiKey manager to see if Slot 2 is occupied
    Button to launch the help page for the dialog -- Default Button

    After the button is pressed, if the key is not linked to the current database, then write the new value. Otherwise, show:
    Title: Password Safe
    Dialog Body:
    The current Password Safe database still requires the current YubiKey to unlock it. Remove the current YubiKey from the database before setting a new value.
    Buttons:
    Button to launch the help page for the dialog -- Default Button
    Cancel

    Generate Button

    I had to read the documentation again to realize that Generate doesn't save the new secret key to the Password Safe database. At the risk of ignoring a constraint that I'm unaware of, could "Set Yubikey" be changed to "Save to YubiKey and Change Safe Combination" to reuse the phrase from the Manage menu?

    Maybe this sort of wordy and dangerous button would look better if it were on a new line below Show and Generate.

     

    Last edit: Zian 2022-04-04
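
The touch-then-decide check proposed in the comment above, as an added sketch that is not Password Safe code. It assumes the slot works in HMAC-SHA1 challenge-response mode with the safe combination as the challenge; `SimulatedYubiKey`, `SimulatedDatabase` and `set_new_secret` are hypothetical names, and the SHA-256 verifier stands in for the real database key check.

```python
import hashlib
import hmac


class SimulatedYubiKey:
    """Stand-in for a slot: the secret can be written and used, never read back."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

    def program(self, new_secret: bytes) -> None:
        self._secret = new_secret  # the previous secret is unrecoverable


class SimulatedDatabase:
    """Holds only a verifier of the unlock value (hypothetical format)."""

    def __init__(self, unlock_value: bytes):
        self._verifier = hashlib.sha256(unlock_value).digest()

    def unlocks_with(self, candidate: bytes) -> bool:
        digest = hashlib.sha256(candidate).digest()
        return hmac.compare_digest(self._verifier, digest)


def set_new_secret(db, key, combination: bytes, new_secret: bytes) -> str:
    """Ask the inserted key for a response before overwriting its slot."""
    response = key.respond(combination)  # the user touches the key here
    if db.unlocks_with(response):
        # The open database still depends on this slot: do not overwrite.
        return "refused: remove YubiKey protection from this database first"
    key.program(new_secret)
    return "written"


def demo():
    combination = b"constructed safe combination"  # constructed sample input
    old, new = bytes(range(20)), bytes(range(20, 40))  # constructed secrets
    linked = SimulatedYubiKey(old)
    db = SimulatedDatabase(linked.respond(combination))
    guarded = set_new_secret(db, linked, combination, new)
    still_opens = db.unlocks_with(linked.respond(combination))
    linked.program(new)  # the unguarded "Set" described in this ticket
    locked_out = not db.unlocks_with(linked.respond(combination))
    return guarded, still_opens, locked_out


if __name__ == "__main__":
    print(demo())
```
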
  • Juan Martinez

    Juan Martinez - 2022-09-30

    I just had the same thing happen to me. I have generated a yubikey, which I copied temporarily to a text file, but I did not see the instructions (or they were not clear enough) that you had to change the safe combination before closing the database! And the previous backups were from seconds before, so all backups are locked! I was able to recover an old backup from 2020, but clearly not ideal. I am losing access to many of my recent passwords, which I can get by requesting to change, but this is incredibly annoying. Is there a way to access my latest db with the key I had saved?

     

    Last edit: Juan Martinez 2022-09-30
