
How to use HMAC-SHA1 Challenge Response with NK3 #281

Closed
orolhawion opened this issue Jun 5, 2023 · 13 comments
Labels
app:fido app:secrets support Something needs additional explanation

Comments

orolhawion commented Jun 5, 2023

Hi,

I just updated my NK3 to 1.5.0 and could not find any instructions on how to use HMAC-SHA1 Challenge Response? I thought the secrets app was the app to use for it, but I could not find anything in the docs. How do you guys do it?

I use nitropy 0.4.37.

@szszszsz szszszsz added support Something needs additional explanation app:secrets app:fido labels Jun 5, 2023
szszszsz (Member) commented Jun 5, 2023

Hi!

This new feature is aimed at supporting KeepassXC and other compatible applications, so no CLI was added to pynitrokey for it. To set it up, a new pynitrokey release is needed, which should be published this week. The specific code is here:

Setup for HMAC slot 2 will look like this:

$ nitropy nk3 secrets add-challenge-response 2 $(echo 1234567890123456789 | base32)

Do you have any specific use case for this Yubikey protocol? Just a reminder that it is already possible to use HMAC challenge response through FIDO2, though I think this might be broken in the current nitropy 0.4.37:

$ nitropy fido2 challenge-response --help

@orolhawion (Author)

I basically use it to unlock KeepassXC and to not type a password when I use sudo.

I didn't know about challenge-response through FIDO2, thanks for the hint.

scholzri commented Jun 5, 2023

Hi,
I compiled keepassxc with keepassxreboot/keepassxc#9397 and pynitrokey with Nitrokey/pynitrokey#393
Then, I added a secret to the second HMAC slot with nitropy nk3 secrets add-challenge-response 2 $(echo 20-byte-secret | base32)
I can list it with nitropy nk3 secrets list but cannot get it to be detected in keepassxc.

Am I missing something here?
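
As an added example, not code from this issue thread, from pynitrokey or from KeepassXC: the Python below shows what the two setup commands above (`... add-challenge-response 2 $(echo ... | base32)`) actually hand to the device, and computes the response an HMAC-SHA1 slot is expected to return so a freshly provisioned slot can be checked against a known-good reference. The 20-byte secret length comes from this thread; that the slot response is plain HMAC-SHA1 over the raw challenge bytes, with no device-side padding convention, is an assumption of this example. Note the `echo` detail: `echo` appends a newline, so the 19 printable characters in the first command become exactly 20 bytes, while `printf '%s'` would not.

```python
import base64
import hashlib
import hmac

# Length of a Yubikey-style HMAC-SHA1 slot secret, as stated in this thread.
SECRET_LEN = 20


def secret_from_echo(text: str) -> bytes:
    """Bytes that `echo TEXT | base32` encodes: TEXT plus the trailing newline echo adds."""
    return (text + "\n").encode("ascii")


def secret_from_printf(text: str) -> bytes:
    """Bytes that `printf '%s' TEXT | base32` encodes: TEXT only, no newline."""
    return text.encode("ascii")


def encode_secret_base32(secret: bytes) -> str:
    """Base32-encode a raw secret as nitropy expects it on the command line."""
    if len(secret) != SECRET_LEN:
        raise ValueError(f"secret must be {SECRET_LEN} bytes, got {len(secret)}")
    # 20 bytes = 160 bits = 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(secret).decode("ascii")


def decode_secret_base32(encoded: str) -> bytes:
    """Inverse of encode_secret_base32, useful to confirm what was provisioned."""
    return base64.b32decode(encoded)


def hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """Reference response: HMAC-SHA1(secret, challenge), always 20 bytes.

    Assumption of this example: no padding is applied to the challenge.
    """
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison of a device response against the reference."""
    return hmac.compare_digest(hmac_sha1_response(secret, challenge), response)


if __name__ == "__main__":
    # Constructed sample values; the secret text is the one from the thread.
    secret = secret_from_echo("1234567890123456789")
    print("secret bytes:", len(secret))
    print("base32 argument:", encode_secret_base32(secret))
    challenge = b"constructed 64-byte-or-shorter challenge"
    print("expected response:", hmac_sha1_response(secret, challenge).hex())
```

To check a slot, send the same challenge through the client you use (KeepassXC or a small script over pcscd) and compare the returned bytes with `verify_response`; a mismatch almost always means the secret was encoded differently from what you intended (newline, wrong length) rather than a device fault.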

szszszsz (Member) commented Jun 5, 2023

Hi @AdmerStroh,

  1. Make sure you are building KeepassXC with Yubikey support (the WITH_XC_YUBIKEY switch). This covers all devices implementing this protocol. You can use ccmake to configure the build in a TUI.
  2. The communication happens over pcscd; check that it is not blocked by another application. Perhaps try to restart the pcscd service.
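
The pcscd check from point 2, as an added diagnostic that is not part of this thread, of pynitrokey or of KeepassXC: it reports whether the pcscd socket exists and, where systemd is available, what state the `pcscd.service` and `pcscd.socket` units are in. The socket paths are the default pcscd locations and are an assumption of this example.

```python
import os
import shutil
import subprocess

# Default Unix sockets pcscd listens on (assumed; the second covers older layouts).
PCSCD_SOCKET_PATHS = ("/run/pcscd/pcscd.comm", "/var/run/pcscd/pcscd.comm")


def find_pcscd_socket(paths=PCSCD_SOCKET_PATHS):
    """Return the first existing pcscd socket path, or None if pcscd is not listening."""
    for path in paths:
        if os.path.exists(path):
            return path
    return None


def systemd_unit_state(unit):
    """State string from `systemctl is-active` (active, inactive, ...), or None without systemd."""
    if shutil.which("systemctl") is None:
        return None
    result = subprocess.run(["systemctl", "is-active", unit],
                            capture_output=True, text=True)
    return result.stdout.strip() or None


def diagnose_pcscd():
    """Collect the facts to check before blaming KeepassXC or the key itself."""
    socket_path = find_pcscd_socket()
    report = {
        "socket_path": socket_path,
        "reachable": socket_path is not None,
        "pcscd.service": systemd_unit_state("pcscd.service"),
        "pcscd.socket": systemd_unit_state("pcscd.socket"),
    }
    if report["reachable"]:
        report["advice"] = ("pcscd socket present; if the key is still not detected, "
                            "check whether another application holds the reader")
    else:
        report["advice"] = ("pcscd is not running; start it (e.g. systemctl start pcscd) "
                            "and enable it so it comes up at boot")
    return report


if __name__ == "__main__":
    for key, value in diagnose_pcscd().items():
        print(f"{key}: {value}")
```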

scholzri commented Jun 5, 2023

Hey @szszszsz,
for me, pcscd was not started at boot. Starting it manually fixed my problem and the Nitrokey 3 gets detected in keepassxc.

Thank you for that hint in the right direction! :)

szszszsz (Member) commented Jun 5, 2023

Thank you for testing!

szszszsz (Member) commented Jun 6, 2023

For completeness, I have added to my original reply a link to the low-level tests in case anyone would like to use the response in their custom solutions. The solution is generic enough to support virtually infinite Yubikey-like HMAC slots.
However, the recommended way is to use FIDO2's HMAC challenge-response, as it is a more standardized and flexible tool.

Closing as done. Transforming this into actionable task.

@orolhawion (Author)

I would just like to confirm that challenge response through fido2 is broken in nitropy 0.4.37 as assumed by @szszszsz in an earlier post.

@orolhawion (Author)

With nitropy 0.4.38 I can use the secrets app to create an HMAC-SHA1 challenge response credential. Why is the secret limited to 20 bytes? I use a secret with 40 bytes with my yubikeys and would like to do so with NK3.

The FIDO2 way is still broken.

@szszszsz (Member)

Just for the final note, the KeepassXC support for Nitrokey 3 was just released.

@orolhawion I've registered your request for longer secrets at Nitrokey/trussed-secrets-app#89

@bhmarscheck

The release notes for 1.6.0 state that it "Remove challenge response authentication method". Does this mean I can't use my nk3 for unlocking my KeepassXC if I update my firmware?

@robin-nitrokey (Member)

No, these are two different things:

  • The challenge-response authentication that is “removed” in 1.6.0 was used for authentication towards the device, i.e. unlocking data that is protected with a PIN. It used a challenge-response mechanism instead of sending the user PIN to the device. Actually, this feature was already disabled in previous releases; this release just completely removes the code that was used for it. So the changelog is somewhat misleading here. I will remove the line.
  • The HMAC challenge-response used for KeepassXC is a special credential type and is not affected by this change.

@bhmarscheck

Thank you for clearing that up and responding so fast. I almost had a heart attack reading that line when I was about to do a firmware upgrade.

5 participants