Yubico Forum
https://forum.yubico.com/

[SOLVED] Is there a way to recover the HMAC-SHA secret key
https://forum.yubico.com/viewtopic.php?f=26&t=1979
Page 1 of 1

Author:  h3lix [ Thu Jul 23, 2015 7:18 pm ]
Post subject:  [SOLVED] Is there a way to recover the HMAC-SHA secret key

In an attempt to add a hardware component to make pwsafe a bit safer while sharing a database between users, I'm looking into a solution that uses yubikey and HMAC-SHA1.

The plan is to use HMAC-SHA1 on slot 2 with the same secret on multiple yubikeys with hopes that it will make decrypting a pwsafe database difficult for anybody without a properly configured yubikey. I realize if someone actually logged the output from HMAC-SHA1 request and stored the response, it would circumvent the use of the yubikey. We could potentially change passwords frequently to avoid this type of attack, but we also want people to use the solution.

Back to the question... Is there any ability to extract the secret key for HMAC-SHA1 once it is programmed onto a yubikey? I want to make sure nobody else will be able to create additional yubikeys for obvious reasons. I understand CCID and PGP doesn't allow for extraction of keys once programmed, but want to verify the same for challenge-repsponse.

Thanks!

Author:  Ericy [ Tue Aug 18, 2015 2:14 am ]
Post subject:  Re: [QUESTION] Is there a way to recover the HMAC-SHA secret

h3lix wrote:
Back to the question... Is there any ability to extract the secret key for HMAC-SHA1 once it is programmed onto a yubikey? I want to make sure nobody else will be able to create additional yubikeys for obvious reasons. I understand CCID and PGP doesn't allow for extraction of keys once programmed, but want to verify the same for challenge-repsponse.
Thanks!


I don't know whether one can extract the secret key directly from the yubikey, but I will make the observation that if you use a Yubikey with pwsafe, that the secret key is visible from the pwsafe application . Thus if you have one Yubikey that you have used to open the safe, you can do "Manage->Yubikey". When the Yubikey dialog comes up, click "Show" and it will display the secret key.

Is the key stored in the pwsafe database, or is it able to download from the key itself? I can't answer that question. It seems like one of these two possibilities must be true.

Author:  Tom2 [ Thu Aug 20, 2015 10:35 am ]
Post subject:  Re: [QUESTION] Is there a way to recover the HMAC-SHA secret

No known methodology is known to extract data to this date 2015-08-20

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/