Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request for Adding Support for HMAC-SHA1 Challenge-Response Protocol #83

Open
cangkuai opened this issue Apr 27, 2024 · 10 comments
Open

Comments

@cangkuai
Copy link

Issue Description:

Currently, I have encountered some limitations while using the canokeys hardware key. I have found that many tools I need to use, such as the keepassxc password manager, require support for the HMAC-SHA1 Challenge-Response protocol. However, it seems that the current canokeys hardware key does not support this protocol, which prevents me from using these tools effectively.

Request:

I would like to request the addition of support for the HMAC-SHA1 Challenge-Response protocol in the canokeys hardware key. This enhancement would enable me to seamlessly use the tools I require and would improve the compatibility of the canokeys hardware key.

Additional Information:

I have encountered this issue in practical usage, and I believe that this improvement would be beneficial not only for me but also for other users. I hope to receive your prompt response and support on this matter.

@cangkuai
Copy link
Author

English is not my native language, so please excuse any mistakes in this report.

@dangfan
Copy link
Member

dangfan commented Apr 29, 2024

Thanks for the message. We understand HMAC-SHA1 Challenge-Response protocol is used in some popular apps. Unfortunately, we could not identify a documentation that clearly describe this protocol. It would be greatly appreciated if you could provide such a protocol description.

@cangkuai
Copy link
Author

While I'm not certain if this is accurate, the documentation for YubiKey(https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html) seems to point to https://datatracker.ietf.org/doc/html/rfc2104 for an explanation of the HMAC-SHA1 challenge-response protocol.

@cangkuai
Copy link
Author

The link in the KeePassxc source code directs to the same YubiKey documentation.

void YubiKeyEditWidget::initComponent()
{
    // These need to be set in total for each credential type for translation purposes
    m_ui->groupBox->setTitle(tr("Challenge-Response"));
    m_ui->addButton->setText(tr("Add Challenge-Response"));
    m_ui->changeButton->setText(tr("Change Challenge-Response"));
    m_ui->removeButton->setText(tr("Remove Challenge-Response"));
    m_ui->changeOrRemoveLabel->setText(tr("Challenge-Response set, click to change or remove"));

    m_ui->componentDescription->setText(
        tr("<p>If you own a <a href=\"https://www.yubico.com/\">YubiKey</a> or "
           "<a href=\"https://onlykey.io\">OnlyKey</a>, you can use it for additional security.</p>"
           "<p>The key requires one of its slots to be programmed as "
           "<a href=\"https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html\">"
           "HMAC-SHA1 Challenge-Response</a>.</p>"));
}

@cangkuai
Copy link
Author

Although I believe this protocol is insecure due to the use of the vulnerable SHA1 hash algorithm, there are still numerous software systems relying on it. Therefore, maintaining compatibility with this protocol is essential.

@dangfan
Copy link
Member

dangfan commented Apr 29, 2024

While I'm not certain if this is accurate, the documentation for YubiKey(https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html) seems to point to https://datatracker.ietf.org/doc/html/rfc2104 for an explanation of the HMAC-SHA1 challenge-response protocol.

Unfortunately,this does not describe how the protocol works.

@cangkuai
Copy link
Author

OnlyKey is an open-source hardware key that supports this protocol. After reviewing its source code, I suspect that the implementation code can be found at https://github.com/trustcrypto/libraries/blob/master/onlykey/okcrypto.cpp#L687.

@dangfan
Copy link
Member

dangfan commented May 21, 2024

Thanks for providing the OnlyKey source code link. However, after carefully reviewing the code, it appears that while it does indeed implement the HMAC-SHA1 Challenge-Response protocol functionality, it does not clearly describe the complete process of the protocol. From my understanding, the protocol involves multiple phases, with each phase potentially involving specific commands and responses. Unfortunately, there does not seem to be any documentation that comprehensively outlines all the details and phases of this protocol. Based on this code alone, it is difficult to accurately grasp all the nuances and implementation specifics of the protocol. Therefore, having access to a more comprehensive and accurate protocol specification document would be helpful for us to better understand and implement this feature.

@tlaurion
Copy link

@dangfan comments on canokeys/canokey-qemu#7 (comment)?

@tlaurion
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants