This is not really a security property, but it can sometimes help if your system is compromised with a generic key logger that does not intercept all USB inputs. The YubiKey response does not appear on-screen and does not use a conventional keyboard interface.Of course, you will have to change all exposed passwords in that case anyway, but it adds additional protection against compromise of any new passwords you add between the time of the attacker breaking into your database and you noticing the exposure and it also keeps previous passwords that are not in the exposed database anymore secure (probably not that valuable, but may actually be helpful in some cases). Even if an attacker gets hold of both your password and a particular YubiKey response, they will be unable to decrypt any previous and even any future version of your database. It gives your otherwise static symmetric encryption scheme what you may call "pseudo forward (or backward?) secrecy".In the case of a key file, I would actually concur with Jeffrey that it may give users a false sense of security, but a YubiKey is different and almost impossible to use incorrectly. A YubiKey is much more secure than a key file, however, because it is a separate device that cannot be compromised and it performs a cryptographic calculation based on a hidden secret key, whereas a key file contains the secret in plaintext. This is the same reason why people use key files as soft tokens. Adding a YubiKey keeps your database secure even if your actual password gets leaked somehow.As an attacker, you are probably better off guessing the transformed 256-bit AES key instead. Used in combination with a strong password or passphrase and Argon2 as your KDF, it makes your database very resilient against any kind of brute-force attack. It adds 160 pseudo-random bits to your password, which on its own is already stronger than most users' passwords (especially considering that most passwords are vulnerable to dictionary attacks).Using a YubiKey in this way is not a hazard, but actually offers some unique security benefits: So, this is where I think that, although his technical description is correct, Jeffrey's conclusion is wrong. So, a YubiKey for your KeePassXC database isn't really a second factor in the sense of authentication (we are doing offline encryption, not online authentication after all), but it definitely makes your key stronger. This response is then used to enhance your decryption key by hashing and transforming it together with your password and (optionally) your key file. KeePassXC presents a (pseudo-)random challenge (the database's master seed, which changes every time you re-encrypt, i.e., save your database) to the YubiKey and gets a unique response in return. The YubiKey is used in a mode which is slightly different from what it was designed for. The answer by Jeffrey from 1Password is technically accurate. KeePassXC developer here, I got directed to this thread and want to add some remarks. So, is it reasonable to use a hardware security key for KeePassXC if you already use a strong master password? However, change every time you save your database.Īssuming an attacker has access to my KeePassXC database and perhaps even installed a keylogger on my system, the additional YubiKey is useless in this case, am I right here? Qualify as a separate second factor, since the expected responseĭoesn't change every time you try to decrypt your database. Sense, it makes your password stronger, but technically it doesn't Generates a challenge and uses the YubiKey's response to thisĬhallenge to enhance the encryption key of your database. Strictly speaking, it's not two-factor authentication. KeePassXC supports YubiKeys for securing a database, but KeePassXC supports the so called "HMAC-SHA1 Challenge Response mode".ĭoes KeePassXC support two-factor authentication (2FA) with YubiKeys? To further improve security, I thought about buying a YubiKey to have 2-Factor-Authentication. At the moment, I am using KeePassXC with a relatively strong master password.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |