Yubikey with Password Safe, questions about protection..

  • SourceBoot

    SourceBoot - 2013-05-09

    I'm trying to figure out how the Yubikey implementation actually works, ie. is it actually part of the encryption process of the database or just a "GUI lock" of sorts. In other words, if someone were in possession of the database, would he need to bruteforce both "safe combination" and challenge-response of the Yubikey to open it?

    I found this thread (https://sourceforge.net/p/passwordsafe/discussion/134800/thread/f1280957/) that discusses this, but it seems to be talking about older version of Password Safe.

  • SourceBoot

    SourceBoot - 2013-05-10

    Another thing that boggles my simple unencrypted mind is how the secret that is used to create the Yubikey challenge-response configuration is never given to Password Safe. How can Password Safe figure out the correct response without the secret and why couldn't an adversary do the same then? From Yubicos site:

    "YubiKey creates a “Response” based on a provided “Challenge” and a shared secret".

  • Eric Dutko

    Eric Dutko - 2013-06-22

    When you enter a password into Password Safe and click the YubiKey button, Password Safe sends your password to the YubiKey. The YubiKey calculates a hash-based message authentication code (HMAC).

    There are some subtle distinctions between a regular hash and an HMAC, but if you aren't familiar with either, think of the process as one-way encryption of your password. This isn't technically encryption, since there's no way to "decrypt" the HMAC, but it does produce a unique value that depends on both your password and your secret.

    Password Safe uses the HMAC that it gets back from the YubiKey as the password for the database, so this is not simply UI-level security. If you want to prove this to yourself, try opening a YubiKey-protected safe in a non-YubiKey version of Password Safe or a similar app like pwSafe for iOS.

  • Rony Shapiro

    Rony Shapiro - 2013-06-22

    Eric's description is correct. Thanks for the write-up Eric!

  • SourceBoot

    SourceBoot - 2013-07-03

    Thank you. Also found your other post about Yubikey implementation - will keep an eye for that update :)


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks