Yubico Forum

[PROJECT] KeeChallenge challenge-response for Keepass2
Page 1 of 2

Author:  ChainReaktion [ Mon Mar 10, 2014 3:56 pm ]
Post subject:  [PROJECT] KeeChallenge challenge-response for Keepass2

License: GPL2

One frustrating limitation of the OTP protocol is that it is not possible to use multiple yubikeys to unlock the same Keepass database. To address this, I created the KeeChallenge plugin for Keepass2 which implements HMAC-SHA1 challenge-response authentication to create a composite Keepass key. The mutual secret is used as the encryption key. The secret is itself encrypted using AES-256 and stored in a separate xml file. If the file is lost or corrupted, a recovery mode allows the user to enter their secret manually to unlock the database. The plugin works by pre-computing the next challenge response pair. The challenge is stored in plain text in the xml file while the expected response is used to generate the encryption key.

Platforms: Windows, Linux via Mono, Mac (untested)

Webpage: https://sourceforge.net/projects/keechallenge/

As of v1.0.1 both Windows and Linux (Ubuntu) have been tested successfully. To run under Linux using mono, you must modify KeeChallenge.dll.config and add a dllmap entry to let Mono know where to find the native libraries. On my system this looks like <dllmap dll="libykpers-1-1.dll" target="libykpers-1.so">. For this to work, you must also obtain the appropriate versions of the Yubico libraries. Make sure all of the yubico libraries are installed where mono can find them (for example, /usr/lib on Linux or the KeePass2 folder). Put both KeeChallenge.dll and KeeChallenge.dll.config in the KeePass2 folder (on Ubuntu this is /usr/lib/keepass2). This should presumably work on Mac as well, but as of this release this is untested.

KeeChallenge requires Keepass2, available from http://keepass.info/download.html. It also requires the Yubico open source library yubico-personalization (which in turn depends on yubico-c). Prebuilt bundled binaries are available from http://opensource.yubico.com/yubikey-pe ... eases.html.

Open the top level solution using Visual Studio and adjust the references to point at your installed Keepass.exe. It should (hopefully) build without problems once this is done. You should check that the DllImport statements in Yubiwrapper.cs match the file names of the binaries you have obtained.

Copy KeeChallenge.dll and all the Yubico libraries and dependencies into the directory containing Keepass.exe. The plugin should be loaded as a key provider when creating/changing your database password.

KeeChallenge works using the HMAC-SHA1 challenge response functionality built into the Yubikey. First, configure your Yubikey to use HMAC-SHA1 in slot 2. Ensure that the challenge is set to fixed 64 byte (the yubikey does some odd formatting games when a variable length is used, so that's unsupported at the moment). I recommend requiring a button press to issue the response, but it should work either way. Copy the secret and keep it somewhere safe since you'll need it to recover your database if you lose your yubikey.

When you set the password on your database, you should select yubikey challenge-response under key providers and click ok. In the window that comes up, copy and paste the secret from your yubikey. You will be prompted to insert your yubikey and press the button to verify that you entered the correct secret.

Your secret is used as the key to encrypt the database. In order to avoid storing the secret in plain text, we generate a challenge-response pair ahead of time. The challenge is stored to be issued on the next login and the response is used as an AES256 key to encrypt the secret. All relevant data is stored in a xml file in the same directory as your database.

If the xml file gets corrupted or deleted (or if you lose your yubikey) a recovery mode is provided to allow you to enter your secret (you did save it, didn't you?) and decrypt the database.
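The precompute-and-wrap scheme the post describes, as an added example in Go (not the plugin's own code, which is C#): the YubiKey slot is simulated by an HMAC-SHA1 function, the KeyFile struct stands in for the XML file, and the derivation of the AES-256 key from the 20-byte response (SHA-256, AES-GCM) is an assumption. The point it shows is that the plugin never needs the key to prepare the next pair, only to unlock.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
)

// yubiResponse models the YubiKey HMAC-SHA1 slot (fixed 64-byte challenge); the plugin computes it in software too.
func yubiResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha1.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// KeyFile models the plugin's XML file: next challenge in plaintext, secret sealed under the response.
type KeyFile struct{ Challenge, Nonce, Wrapped []byte }

// aeadFromResponse: AES-256-GCM keyed by SHA-256 of the 20-byte response (assumption; plugin may differ).
func aeadFromResponse(resp []byte) cipher.AEAD {
	key := sha256.Sum256(resp)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail here
	g, _ := cipher.NewGCM(block)
	return g
}

// Wrap precomputes a fresh challenge/response pair and seals the secret under the response.
func Wrap(secret []byte) (*KeyFile, error) {
	buf := make([]byte, 64+12) // 64-byte fixed challenge followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	kf := &KeyFile{Challenge: buf[:64], Nonce: buf[64:]}
	g := aeadFromResponse(yubiResponse(secret, kf.Challenge))
	kf.Wrapped = g.Seal(nil, kf.Nonce, secret, nil)
	return kf, nil
}

// Unwrap issues the stored challenge, recovers the secret and rotates the pair; a wrong key or tampered file fails auth.
func Unwrap(kf *KeyFile, key func(challenge []byte) []byte) ([]byte, *KeyFile, error) {
	secret, err := aeadFromResponse(key(kf.Challenge)).Open(nil, kf.Nonce, kf.Wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	next, err := Wrap(secret)
	return secret, next, err
}
```

An authentication failure in Unwrap is the case the post's recovery mode covers: the user types the saved secret and Wrap is run from it directly.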

Author:  Morphlin [ Tue Mar 18, 2014 9:08 pm ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

Cool! I wanted to do exactly this but I hardly had enough time to come on the forum!
I'm trying this! :mrgreen:

Author:  RopoMen [ Sat Nov 01, 2014 11:39 pm ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

I hope this post helps other Mac OS X 10.9.4 users to enable KeeChallenge plugin usage on OS X. To get the KeeChallenge to work on OS X you need to follow the OP's guide and create the .config file etc. The problem comes with libykpers because it is built only for x86_64 and therefore cannot work with the 32-bit version of Mono. The best solution was to build a universal version of libykpers.
<dllmap dll="libykpers-1-1.dll" target="libykpers-1.1.dylib" />

Preparing the libykpers build
Before beginning the libykpers build process, you need to have Homebrew installed and then install the following dependencies.
brew install autoconf automake libtool pkg-config help2man asciidoc

To prevent errors from a2x (asciidoc) you need to do the following (because a2x cannot access the "XML_CATALOG_FILES" environment variable set for asciidoc):
sudo mkdir /etc/xml
sudo ln -s /usr/local/etc/xml/catalog /etc/xml/catalog

Create some folders to keep your machine cleaner.
cd ~/
mkdir workspace
cd workspace/
mkdir Yubico
cd Yubico/

Building libyubikey (yubico-c)
Libykpers depends on libyubikey and therefore we need to build it first; we are making a universal build so that it will work in both 32-bit and 64-bit environments.
cd ~/workspace/Yubico/
git clone https://github.com/Yubico/yubico-c.git
cd yubico-c/
autoreconf --install

./configure CC="gcc -arch i386 -arch x86_64" \
    CXX="g++ -arch i386 -arch x86_64" \
    CPP="gcc -E" CXXCPP="g++ -E"

make check
make install

#Clean up
make clean

To check that libyubikey is installed correctly, type:
ls -l /usr/local/lib

...and you should see libyubikey.dylib in the file list.

Building libykpers (yubikey-personalization)
If you got libyubikey successfully built, you can start building the library actually needed, libykpers. We are making a universal build of this library as well.
cd ~/workspace/Yubico/
git clone https://github.com/Yubico/yubikey-personalization.git
cd yubikey-personalization/
autoreconf --install

./configure CC="gcc -arch i386 -arch x86_64" \
    CXX="g++ -arch i386 -arch x86_64" \
    CPP="gcc -E" CXXCPP="g++ -E"

make check
make install

#Clean up
make clean

To check that libykpers is installed correctly, type:
ls -l /usr/local/lib

...and you should see libykpers-1.1.dylib in the file list. That is the library which the KeeChallenge plugin needs.
To make sure that it is universal, type:
lipo -info /usr/local/lib/libykpers-1.1.dylib
#And you should get this output
Architectures in the fat file: /usr/local/lib/libykpers-1.1.dylib are: i386 x86_64

Now you should be able to run KeeChallenge plugin in Mac OS X 10.9.4. If you cannot get it working you can run KeePass from shell and use Mono logging mode to get more information.
cd /Applications/KeePass2.23.app/Contents/MacOS/
MONO_LOG_LEVEL=debug mono KeePass.exe

Now try to use the KeeChallenge plugin and you get the log information in the console. It should help you to resolve the possible issues.

I hope this helps others as well, I got my KeeChallenge working now on Mac OS X 10.9.4 and I'm able to share same KeePass db through private git repository to my Windows machine. :)

Author:  erikhubers [ Thu Nov 13, 2014 10:15 am ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

Is there anyone having the same problem as described here: http://sourceforge.net/p/keechallenge/d ... /6211035a/

Unfortunately I do and don't know a fix for this. Does anybody here have a solution?

Author:  niceuser [ Thu Nov 20, 2014 6:05 pm ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

So, Yubikey Neo just started supporting OTP+U2F+CCID at the same time, however when all are enabled it seems keechallenge cannot talk to the key. My key is still detected by the personalization tool, and it still works with Keepassdroid (challenge-response through NFC).

Is there anything I can do configuration-wise so I can have all modes active and keechallenge still work?


Author:  Tom [ Fri Nov 21, 2014 11:51 am ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

what firmware version is your NEO?

Author:  niceuser [ Fri Nov 21, 2014 3:40 pm ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

Tom wrote:
what firmware version is your NEO?

The personalization tool reports firmware version 3.3.0.

Author:  niceuser [ Sun Nov 23, 2014 5:57 pm ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

niceuser wrote:
Tom wrote:
what firmware version is your NEO?

The personalization tool reports firmware version 3.3.0.

Just to answer my own question, updating the Yubikey libraries to their latest versions solved the issue.

Author:  flipflop [ Sun Dec 28, 2014 1:24 am ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

Never mind, problem solved.

Apparently, KeeChallenge doesn't like KeePass running from a network directory :O

Author:  KernelSnarky [ Thu May 21, 2015 8:29 am ]
Post subject:  Re: [PROJECT] KeeChallenge challenge-response for Keepass2

This plugin to keepass does not work with the following config: linux+keepass+keechallenge plugin+yubikey neo (firmware 3.4.1)

Looking at the change log for the keechallenge plugin it would appear that it does not work with the newer yubikey firmware.
The keechallenge plugin also seems to not have been updated for some time.
In addition, the instructions listed in the first post are very outdated.

The keechallenge plugin is recognized by keepass and seems to function correctly, however it seems to have an issue talking to the yubikey.

Things I have tried:
editing every version of the keechallenge.dll.config every way I can think of to try and get it to work and copying it into the correct folder.
The above mentioned with every version of the other files in all the versions of the plugin.

I would love to be using my yubikey with keepass in challenge response mode. Any assistance would be greatly appreciated.

I am aware of the OTP support for keepass, however I do not want to use that as many people have problems with it.

All times are UTC + 1 hour