Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:25 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Mon Jun 13, 2016 6:42 pm 
Offline

Joined: Sun Jun 12, 2016 5:58 pm
Posts: 2
Hi all,

there is something I do not understand regarding the usage of OTP (HOTP/TOTP) or U2F along with local password managers. With local I mean the program is running on your local machine and the database-file is also stored on your local machine.
A use-case with KeePass is described here: https://www.yubico.com/why-yubico/for-i ... s/keepass/

As the database-file is stored encrypted on the local machine, the password manager needs to get information about the encryption key from somewhere. The key itself or some information it can derive the key from.
As the authentication through OTP or U2F does not bring in any information about the encryption key, I assume the password manager must store the encryption key also on the local machine. At least as long you do not specify a additional master password, what doesn't seems to be the case in the mentioned KeePass tutorial.
So an attacker would "simply" extract the encryption key from the local password manager program and decrypt the database-file.

Even if you use a master password (from which probably the encryption key will be derived), OTP or U2F would not give you more security. With the master password and the data on the local machine all the information is there to do the encryption. An attacker could modify the password manager program to skip authentication. So, no need for the YubiKey to access the database.

What am I missing?
Thanks in advance to help me understanding OTP or U2F authentication on local password managers.
Hans


Last edited by ausi on Sun Jul 03, 2016 4:18 pm, edited 2 times in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sun Jul 03, 2016 4:15 pm 
Offline

Joined: Sun Jun 12, 2016 5:58 pm
Posts: 2
If anybody else has the same question, I found the answer in the KeePass Forum
https://sourceforge.net/p/keepass/discu ... 33f7/#af0d

This applies at least for HOTP. I think, using U2F to secure a local password database is no good idea.


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 18, 2016 2:34 pm 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
The only problem is that using HOTP for crypto means you have a SERIOUS Problem if you desync.
and aside from that that's not how OTP normally works, although it is an intresting kind of system abuse.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group