lusich - 2013-12-17


I have a question about the security of Yubikey + Password Safe. I have been reading on this forum and the yubico forum and I am trying to understand how the challenge response process works in Password Safe.

  1. When Yubikey sends the hash-based message authentication code (HMAC) back to Password Safe, is this code always the same? Or is there some randomness in the process (such as a counter or a random number)?

  2. If the HMAC is always the same, and Yubikey is basically a USB keyboard, isn't the HMAC vulnerable to keyloggers?

If you do have a keylogger on your PC and if the above is true, it is safe to assume that your master password has been compromised, too.

  3. Thus, could an attacker access your database by now having both the master password and a copy of the HMAC? Or does the Yubikey have to be actually physically present when the HMAC is sent to Password Safe?

In other words, can an attacker access a locked database without having the physical object of Yubikey in his hand?
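Added illustration (not part of the post, and not Password Safe's or Yubico's code): a small model of the property the questions above turn on. A YubiKey HMAC-SHA1 slot computes HMAC-SHA1 over a challenge of up to 64 bytes with a 20-byte secret that never leaves the device, so the response is deterministic for a given challenge. The two "schemes" below are hypothetical constructions, not a description of how Password Safe builds its challenge: scheme A derives the challenge only from the master password, scheme B mixes in a fresh nonce each unlock. The secret and password values are constructed for the demo.

```python
import hmac
import hashlib
import os

# Constructed 20-byte secret standing in for the HMAC-SHA1 key programmed into a
# YubiKey slot (hypothetical value; a real key never leaves the device).
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f001122334")


def device_response(secret: bytes, challenge: bytes) -> bytes:
    """Model of the token side: HMAC-SHA1 over the challenge, 20-byte result."""
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def fixed_challenge_scheme(secret: bytes, master_password: str):
    """Scheme A (hypothetical): challenge derived only from the master password,
    so it is identical on every unlock."""
    challenge = hashlib.sha256(master_password.encode()).digest()  # 32 bytes, fixed
    return challenge, device_response(secret, challenge)


def nonce_challenge_scheme(secret: bytes, master_password: str, nonce: bytes):
    """Scheme B (hypothetical): a fresh nonce is mixed into the challenge,
    so the response changes on every unlock."""
    challenge = hashlib.sha256(master_password.encode() + nonce).digest()
    return challenge, device_response(secret, challenge)


def replay_succeeds(captured_response: bytes, expected_response: bytes) -> bool:
    """Would a response captured earlier (e.g. by a keylogger) be accepted now?"""
    return hmac.compare_digest(captured_response, expected_response)


def demo():
    pw = "correct horse battery staple"  # constructed sample master password
    # Scheme A: same challenge each unlock -> same response; a captured copy replays.
    _, r1 = fixed_challenge_scheme(DEVICE_SECRET, pw)
    _, r2 = fixed_challenge_scheme(DEVICE_SECRET, pw)
    fixed_replayable = replay_succeeds(r1, r2)
    # Scheme B: different nonce each unlock -> different response; captured copy fails.
    n1, n2 = os.urandom(16), os.urandom(16)
    _, s1 = nonce_challenge_scheme(DEVICE_SECRET, pw, n1)
    _, s2 = nonce_challenge_scheme(DEVICE_SECRET, pw, n2)
    nonce_replayable = replay_succeeds(s1, s2)
    return fixed_replayable, nonce_replayable


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the model: HMAC itself adds no randomness, so whether a captured response can be reused later depends entirely on whether the challenge is fixed or varies per session. A varying challenge (scheme B) only helps if the verifying side can still check or recompute the response without the token, which is a design constraint a password manager that uses the response as key material has to solve; which scheme a given product uses is something to confirm in that product's documentation rather than assume.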