2

I have read the question on HOTP implementation in KeePass HERE. This question is however on the other newer plugin KeeChallenge.

According to the documentation, the a secret is encrypted and can only be decrypted using the TOTP. However if it is done so, isn't the weak link now the encrypted xml file (plus there is a recovery key backdoor) rather than the encryption algorithm of KeePass? As far as I can tell, things that KeePass does to keep itself safe from brute attacks (e.g. encrypt multiple times) is compromised by the use of this plugin. Am I right or did I miss something?

Community
  • 1
R J
  • 123
  • 6

1 Answers1

5

KeeChallenge is based on the predictable result of HMAC-SHA1 with a known key. The key in the XML file is encrypted using the result of performing HMAC-SHA1 on the challenge also stored in the XML file. To decrypt the key, the challenge is passed to the Yubikey which performs HMAC-SHA1 to generate the same value that was used to encrypt the key data last time. Once the key is decrypted, a new challenge is generated and the expected response (generated using the decrypted key) is used to reencrypt the key.

The source is pretty easy to follow.

mdonoughe
  • 276
  • 3
  • 3
  • what about the recovery key backdoor? – R J Nov 27 '14 at 03:38
  • The recovery key is just the same key stored in the Yubikey and encrypted in the XML file. You should write it down and keep it somewhere safe offline. – mdonoughe Nov 27 '14 at 13:52
  • So is this key that is encrypted in the xml file protected by the same protections within keepass e.g. we can set the number of iterations of encryption – R J Nov 28 '14 at 01:41
  • 1
    No, it looks like just a single AES, but I don't think iterations is all that important here. An attacker would need to guess the 160 bit secret, or the 160 bit HMAC-SHA1 result. Random binary data isn't vulnerable to dictionary attacks, and 160 bits is going to take a long time to guess even without any extra barriers. If you wanted to make guessing more expensive you would need to do something like hash the secret many times. As it is right now, if somebody wanted to guess the secret they would need to perform up to 2^160 SHA256 hashes. – mdonoughe Nov 28 '14 at 02:25
  • Maybe a follow up question on this matter; since KeePass is using composite keys: even IF there would be a problem with KeeChallenge an attacker still would require the password (in *addition* to the key returned by KeeChallange) to open the KeePass database, correct? – omni Jun 13 '17 at 20:43
  • @masi yes that is correct. you can use up to three authentication methods concurrently. Password, Windows Account Authentication (which is not based off the user but the actual created account instance, meaning making a new user with identical credentials is not enough), and finally a keyfile, which with plugins, can be converted to HMAC-SHA1 Cllng-Resp, HOTP, or others. – Nalaurien Jun 21 '17 at 07:14