Implementation of YubiKey Challenge-Response?

Steven McG
  • Steven McG

    Steven McG - 2012-08-23


    I'm just wondering how the YubiKey HMAC-SHA1 challenge-response works with
    Password Safe? (I've had a look around the forum but previous entries seem to
    be about OTP rather than HMAC-SHA1)

    I might just be a bit slow, but in the current setup when you are creating the
    password database you only have to click the YubiKey button (in software) and
    press the Yubikey (physically) presumably going through a challenge-response.
    You don't have to type in the 'secret' the YubiKey was setup with and it
    should not be possible to read the 'secret' from the YubiKey, so in the future
    how does Password Safe know you are using the right YubiKey? Does Password
    Safe always send the same challenge and expects the same response each time
    (this seems unlikely for security reasons)? Otherwise if Password Safe sends a
    random challenge, how does it know what the response should be if it does not
    know the 'secret' on the YubiKey? (some sort of Diffie–Hellman–like exchange

    Many thanks,


  • Eric Dutko

    Eric Dutko - 2013-07-06

    At the moment, Password Safe does not use the OTP functionality of the YubiKey. Rather, it sends whatever you type in the password field as the challenge to the YubiKey. The response from the YubiKey (the SHA1 HMAC of your typed password) becomes the actual "password" that is used to lock/unlock the database.

    I understand from Rony that an upcoming change will include a random salt in the challenge, but I don't think there are plans to incorporate any of the YubiKey's OTP functionality.

    See also:


Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks