# KeeChallenge for YubiKey, and why you should avoid it

Tagged: yubikey

KeeChallenge is a plugin that adds YubiKey support to KeePass 2.

YubiKey adds another layer of protection to your database: in order to decrypt the file, the owner has to present their physical YubiKey.

KeeChallenge encrypts the database with the secret HMAC key (S). This key is stored in the YubiKey and is used for generating responses.

Additionally, KeeChallenge encrypts S with a pre-calculated challenge-response pair, and stores the encrypted secret and the challenge in an auxiliary XML file. Unlocking the database then works as follows:

1. KeeChallenge loads the challenge C from the XML file and sends it to the YubiKey.
2. The YubiKey transforms the challenge (using the secret S stored in the key) and returns a response R.
3. The response R is used for decrypting the secret S_enc stored in the XML file.
4. The decrypted secret S is used for decrypting the database. Importantly, this is the same secret as the one stored in the YubiKey.
5. KeeChallenge regenerates the XML file (generates a new random challenge C', calculates the new response R', encrypts S using R', and stores the updated C' and S_enc to the XML file).

For more detail, please check the full workflow diagram.

There are several security issues with KeeChallenge's approach:

- The secret key never changes, it only gets re-encrypted. From KeePass' point of view, KeeChallenge is no different than a static key file that provides the same bytes every time.
- As a result of the above, KeeChallenge is wide open to replay attack: any of the previous XML files can be used to decrypt the database. That is, there is no point in randomizing the challenge and re-encrypting the secret - it is security theater.
- The secret should never leave the YubiKey - this is the whole point of a write-only hardware key. KeeChallenge violates this principle by bringing the secret to the computer.
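To make the workflow and the replay property above concrete, here is an added Python model; it is not KeeChallenge's own code. The `YubiKeySlot` class, the dict standing in for the XML file, the challenge length and the XOR stream cipher that protects S under R are all assumptions made for the model; what it shows is that the challenge rotates on every unlock while the key KeePass consumes never changes, and that the very first XML record still recovers S after many rotations.

```python
import hashlib
import hmac
import os

class YubiKeySlot:
    """Model of a YubiKey HMAC-SHA1 challenge-response slot (hypothetical helper)."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # S: programmed once, meant never to leave the key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def _xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher KeeChallenge uses (assumption): XOR with a SHA-256 counter stream."""
    n = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_record(key: YubiKeySlot, secret: bytes) -> dict:
    """The auxiliary XML file as a dict: fresh random challenge C, and S encrypted under response R."""
    challenge = os.urandom(63)  # constructed random challenge
    return {"challenge": challenge, "secret_enc": _xor_crypt(key.respond(challenge), secret)}

def unlock(key: YubiKeySlot, record: dict) -> tuple[bytes, dict]:
    """Steps 1-5: send C to the key, get R, decrypt S_enc with R, then regenerate the record."""
    secret = _xor_crypt(key.respond(record["challenge"]), record["secret_enc"])
    return secret, make_record(key, secret)

def database_key(secret: bytes) -> bytes:
    """What KeePass actually consumes: a function of S alone."""
    return hashlib.sha256(secret).digest()

def replay_demo(rounds: int = 5) -> dict:
    """Run several unlock/regenerate cycles, then replay the very first record."""
    secret = os.urandom(20)  # constructed HMAC-SHA1 secret programmed into the key
    key = YubiKeySlot(secret)
    first = make_record(key, secret)
    record, challenges, db_keys = first, set(), set()
    for _ in range(rounds):
        challenges.add(record["challenge"])
        s, record = unlock(key, record)
        db_keys.add(database_key(s))
    stale_secret, _ = unlock(key, first)  # an old XML snapshot, long since "rotated"
    return {"distinct_challenges": len(challenges), "distinct_database_keys": len(db_keys),
            "stale_record_recovers_secret": stale_secret == secret}
```

Every unlock produces a new challenge, yet `distinct_database_keys` stays at 1 and the stale record still yields S, which is exactly the static-key-file behaviour described above.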