h3lix wrote:
Back to the question... Is there any ability to extract the secret key for HMAC-SHA1 once it is programmed onto a yubikey? I want to make sure nobody else will be able to create additional yubikeys for obvious reasons. I understand CCID and PGP don't allow for extraction of keys once programmed, but want to verify the same for challenge-response.
Thanks!
I don't know whether one can extract the secret key directly from the yubikey, but I will make the observation that if you use a Yubikey with pwsafe, the secret key is visible from the pwsafe application. Thus if you have one Yubikey that you have used to open the safe, you can do "Manage->Yubikey". When the Yubikey dialog comes up, click "Show" and it will display the secret key.
Is the key stored in the pwsafe database, or is it able to download from the key itself? I can't answer that question. It seems like one of these two possibilities must be true.