Add support for hmac-secret FIDO2 extension #3560
Comments
|
I would love that, I have a Solo that supports HMAC-SHA1 and I would love to be able to use it to unlock KeePassXC. If you need a tester at some point just ping me here, I would be more than happy to help. |
|
Do you think about adding this in terms of a second factor or "passwordless"? |
|
With Trezor both use cases are possible, because the device contains touchscreen where you can enter your PIN (which is the second factor, the other one is having the device). But I think starting with 2factor might be a good start. |
|
It would be really cool to have this. Currently Trezor cannot be used with KeePassXC, which is unfortunate, as it is the most secure 2FA hardware key on the market, simply because it was originally designed for storing huge amounts of Bitcoin. In practice this comes down to super reliable backups and secure PIN with exponential escape and keypad scrambling. |
|
Just like OnlyKey, Trezor is more than welcome to use the new Yubikey API that allow us to specify a vendor hardware id. @prusnak please let me know if you need more information on this. |
|
@droidmonkey Yes, please give me more info on this - point me to the new Yubikey API. Is this using libfido2? |
|
No it's hmac-sha1. Take a look at Yubikey.cpp init function |
|
@droidmonkey I know about this, of course, but this is not relevant to this issue. The old hmac-sha1 method by Yubikey is obsoleted by FIDO2 hmac-secret extension and that's what new tokens will use. This issue is about implementing this via libfido2. Trezor will not use the obsolete and proprietary Yubikey API. |
|
Ah I see, I was confused by the conversation above a little. We do not have plans (yet) to implement libfido2. |
|
I am interessed in FIDO U2F / FIDO2 support for the Nitrokey FIDO2 and would add $150 as a bounty if it would be implemented. I would love to use it as a second factor if possible. It would be nice be able to add multiple keys to one database for backup reasons. |
|
What do I need to do to make the bounty added to the topic of this like on the other issues with bounty? |
|
Here is a implementation for LUKS using libfido: https://github.com/mjec/fido2-hmac-secret/blob/fd19bf40a94f177818bce5d2c50cc5eb57136478/src/authenticator.c#L315 that could be build upon |
|
I actually managed to do a very dirty quick POC : d63e737 . It seems only diligence work if someone wants to grab that bounty ;) To get it to work you first need to create a resident hmac token with the hostname 'keepassxc.org' I doubt that I fully understood how the whole thing is supposed to work though ;) |
|
Just one more comment: I guess it makes sense to support multiple drivers by passing not only the slot, but also the driver to the challenge function and add an intermediate proxy class. Currently only one device with multiple slots is supported by design (getSerial, getVendor), that IMHO could be fixed in any case. Currently credential management is only supported by Yubikey, so on my Solo Key I also cannot search any slots but only define the assertion to hopefully match. I haven't quite got if you need the resident key. I am happy now with the challenge that I got something mysteriously working. As this is a security product, I would ask someone with much better C++ / QT skills take on the task though :) |
|
Actually on my solo key now the credman extension is working (FIDO_2_1_PRE) . So listing the rk (slots) would be possible. However this might require a PIN, which would probably break the UX a bit. |
even normally when you enter the PIN on the computer instead of the fido device you have 2 factors, although it's not perfect security-wise
resident credentials only? if yes then sad. couldnt keepass just keep the credentialID in the db file but not encrypted so it can be used to poll a "normal" credential?
you can iirc poll RKs for a specific RP without having the credential management. like I have had a few devices which dont have credential management but when getting asked to log in they just listed all RKs nicely. (it did require PIN though as browsers as far as I am aware always force PIN for RK stuff) |
don't rks make sense in the case of HMAC? Why is is this sad? You do not need a credentialID if its not resident don't you? I can try if it generates a HMAC also from the builtin key. It might however be a security risk, because some other "service" might just do the same and then your secret is exposed. IMHO this breaks security a bit.
Yes you can simply do try and error with assertions, so that is polling. So you suggest to simply have also 2 "slots" and poll them like for yubikey. Or poll the maximum (in my case) of 50 ? |
isnt hmac same as with normal credential based on the keys it generates instead of the master secret? would be pretty bonkers if not. also big problem is that
also considering the fact that there is a "salt" as the CTAP2 spec calls it needed, which obviously would be random on database creation, it would be the same as with file based secrets that there certainly is a small chance you can just hit the same, but probably negligible
no random try and error involved, the user just enters PIN and gets a list and selects the one needed. |
This is (ab-)using the HMAC as symmetric key so things are a bit more difficult I guess. "Normal" credential work in an asymmetric way so there is no risk in replaying. I don't have much time to experiment at the moment. I tested the interface with the commandline libfido2 tools, so if you can also easily try the workflow there without programming.
Can you explain the screenshot and may make a reference to the FIDO2 CTAP spec? A command line version would also help! |
|
sure. in chrome and Windows 10 implementations (which are the most widespread webauthn implementations I have seen so far) when multiple RKs exist for any RP (relying party, generally meaning domain of a website in webauthn contexts) after entering the pin is spawns a selection of the Resident Keys for that RP. linking to CTAP2.0 for obvious reasons here: step 9 and 10 say:
basically you can use this and obviously no matter whether an RK is used or not, if you keep the credentialID around, you dont have to do any ambiguity steps |
|
I am a big fan of fido stuff and I am more using it in context of webauthn and just gained experience by also testing quite a few fido devices both U2F and Fido2, I have played around with U2F for about 4 years already. probably cant help with programming though as I have borderline no experience in desktop programming, I mostly do webstuff in PHP, CSS and HTML, although I could give a look over the code and hack though a bit the part about how this stuff works just now was not something I knew prior to the last response, I just gave the spec a quick read at the places where I would think they would have to be, lol. |
|
the biggest piece of fun though will be multi-OS support as W10 >= 1903 does Fido stuff from the OS side, but all others do not do this so keepass needs to run all the fido requests by itself on all other OSes and needs to either |
This sounds more like an oversight than intended behavior. Do you have more information about this? Will Microsoft ever backport the functionality to Windows 10 API? |
althugh the timing of the change makes it seem more like it's already included in the base version of w11, 21h2, at worst being enabled by a minor update. with recent version of w11 I assume you mean 22h2, as w11 only has had 2 versions yet. any chance you (or anyone for that matter) tried w10-22h2? |
|
I will reproduce the relevant exchange with fido-dev@microsoft.com :
|
|
I see, you know what version of w10 you used at the time? also maybe one could check insider if the Webauthn API Version was upped there already. (I have no idea how to check) |
|
I used Windows 10 22H2 (19045.2604) and Windows 11 22H2 (22621.525) respectively. |
|
Ledger recently published a new application for their main hardware device, making them compatible with FIDO2 protocol and supporting HMAC extension. |
|
@My1 I saw some discussion above regarding HMAC extension and the questionned need of using RK for credentials supporting HMAC. |
neat
sadly only for new models only tho (I hope they bring it for the S too as that was the primary reason I got them, years worth of promises)
cant agree more. |
|
Hi, from the above I understand that there is some issue with implementation for Windows. As a Linux user I would kill for an option to have this at least on Linux (and Mac?). 💰 I am offering +$300 to the bounty 💰, redeemable upon release of the build that allows me to use my Trezor as a hardware key-stick using FIDO2 on Linux. Bounty will be payed in Bitcoin over Lightning (or in any shitcoin that is supported by https://fixedfloat.com/ or some other reputable swap service).
(My email to claim the bounty: * Bounty of course applies for general implementation that works everywhere as well. |
|
@anton-isidore I hope you have a trezor T, as the T1 currently only supports U2F, and using the same functions the trezor Passowrd manager uses would be way too specific. Edit: although, I dunno of the Trezor T has hmac-secret on its fido2. |
Yes, Trezor Model T supports FIDO2 hmac-secret extension |
|
Is anyone else interested in taking on the bounty above? I'm taking a shot at it. I don't have a Trezor, but I have a Yubikey 4C and an older Yubikey "Security Key NFC", both support FIDO2, and both have the hmac-secret extension. With the latest version of libfido2 supporting Window's WebAuthN (Windows Hello) API, and the latest version of Windows supporting the hmac-secret extension, it seems like the roadblocks are behind us. I have mocked up a working proof of concept in python using the fido2 python module from yubikey, and now I am working on building that functionality into KeepassXC. My limitations being that I only have the two Yubikey devices to test with, I don't have a Trezor, and I only work on Linux, I can't test on Windows or MacOS. In terms of implementation, there are a couple of points of concern. Firstly, KeepassXC uses the Botan library for all of it cryptographic functionality. Libfido2 uses OpenSSL for crypto. By integrating libfido2 into KeepassXC, this will pull an OpenSSL dependency into KeepassXC. That may or may not be received well. Secondly, in order to do this integration correctly, Fido2 will need to be added in a way that complements the existing Yubikey support, and doesn't replace it. That would necessitate a large refactoring of that part of the codebase, that seems out of scope for the bounty. Perhaps it can happen in two parts. First add the Fido2 integration, and secondly refactor the code. |
|
@ashleysommer Hi, I trully appreciate that you are picking up the bounty. I am happy to see the movement. Regarding the concerns in the implementation, it must be done in a way that will be merged and integrated into standard release, so it will be supported and maintained for all future versions. (I am however not technical enough in this topic to provide any specific opinion on the technicalities, that you have mentioned.) |
Unfortunately a Yubikey is not optimal for testing since we already have a solution for Yubikeys. What we need is a solution for all those who cannot rely on Yubikey. A better test device would be a Neowave Badgeo since this is dual interface wireless and wired. |
There are many different types of Yubikeys and same have features that others don't. For example, my cheaper Yubikey "Fido Security Key NFC" does not include the "Challenge-Response", feature, that is something only the higher-end Yubikeys support. That means it does not work with the current KeePassXC implementation. However since it supports FIDO2, it will work with the new feature. That is the one I am currently testing with. I'm also talking with the company Hypersecu about their product Hyperfido PRO FIDO2 Titanium. It is a very low cost device (only AUD$25) that does support FIDO2 and does appear to support the hmac-secret extension. I am planning to test with that model too. |
|
Just bear in mind there are other interfaces than USB. NFC is needed on smartphones and supported by many laptops. Mechanical card readers are common on most business laptops. |
|
it's not about the security Key series being older, the "blue yubis" as I call them as they traditionally have been blue always were FIDO-only (first U2F, and later FIDO2 as well) keys and also priced lower than the "do-everything" Yubikeys (save for the Yubi-Bio which imo should be classed as a Yubico Security Key, but well ever since USB3.1 came out, naming consistancy be damned lol) I also have a small army of different FIDO Devices which I can gladly help. @robinschwab somewhere between almost and all FIDO Devices are USB, I literally know TWO smartcard formfactor FIDO Devices currently. |
Yes, that was bad phrasing on my part. I am aware they still sell the "security key" series. It just happens that my particular one is around 4 years old. My new Yubikey is a 4C, only a year old, so I call them "my old Yubikey" and "my new Yubikey", but I know in reality they are different product segments, and the age of them does not dictate the feature set.
KeepassXC does not run on Android or IOS. I don't know if any of the Linux phones have NFC. I don't think NFC is a great requirement for this feature. |
Not true. In Switzerland the public transport ID is a FIDO2 card. So 80% of all adults have a fido2 smartcard but I guess only about 1% have a fido2 USB stick. This may be different in other countries. There is probably a chicken and the egg problem: As long as fido2 cannot be used widely many issuers of smartcards will not implement it but if the cards are not readily available some developers will say it's not worth the effort. It's better to think about requirements prior to writing code instead of adapting existing code years later.
Off topic, but is the X in KeepassXC not standing for cross-platform? At least this argument is not the fault of smartcards. |
Why does it matter for testing that there is a solution for another feature/protocol it supports? It's not like one affects how the other works, they are distinct. There are Yubikeys with NFC support as well, if your concern is the protocol. |
Hey @ashleysommer, how about we send you a Trezor Model T free of charge so you can get this going? I'll ping you on email to talk details 👌. |
|
ideally any decent fido2 enabled device should work for testing, like I currently only know one that has actual FIDO2 but no hmac (being the Mooltipass). |
Having Trezor Model T is great for testing, because not only it implements full FIDO2 spec including hmac-secret and resident credentials, but also you can also see what's happening by looking at its display (where you are shown the confirmation screens). |
|
yeah this is a reason I also thought about getting one but if I am just gonna use it as a FIDO device it's WAY too expensive. (and sadly ledger after doing something after years of promises, left out the nano S, and the T1 also has no FIDO2 sadly) |
|
@banym Support for Nitrokey FIDO2 will be part of this new feature, do you wish to add your bounty (you proposed back in January 2020) to that of @anton-isidore? |
|
Anyone interested, I have created a discussion thread about the specifics of the "hmac-secret" implementation, here: #9506 |
I think the Trezor Emulator might be helpful for you |
and others
FIDO2 standard (the superset of the older U2F standard) includes hmac-secret extension introducing behaviour similar to older Yubikey HMAC-SHA1 Challenge-Response merged in #127 but much more universal as FIDO2 is an open standard.
We could try to expand the current Challenge-Response implementation in KeePassXC to cover this too (using libfido2) which will make KeePassXC compatible with any FIDO2 dongle.
This will satisfy #3450 and any other vendor-specific requests in the future.
The text was updated successfully, but these errors were encountered: