How secure is KeePass in addition with a Yubikey with OATH-HOTP?

I read in Yubikey with KeePass using challenge-response vs OATH-HOTP that with OATH-HOTP there isn't a real second factor added.

But what I don't understand is that without the plugin and only with the master password I can't open the database. The only way I see is to open the database with the "recovery" key.

So I think with OATH-HOTP you can use a longer password (master password + OTPs) because you have to memorize a shorter master password. Thereby the security is increased if you use a long "recovery" key for OATH-HOTP.

Is that right?

mucki
You cannot use HOTP for encrypting data. HOTP is a symmetric algorithm that relies on an authenticating party to verify the OTP value, which the user enters.

The OTP value is calculated based on a shared symmetric key and a counter.

Shared means that the user (in his device) and the authenticating party (usually the server) both have the very same key to calculate the same value. The security lies in protecting this key! Everybody who has the key (well, and the counter, but this is no problem) can calculate the OTP values.

In the KeePass scenario the authenticating party is the program or, better, the vault file. But you encrypt the vault file, since you want to avoid compromising the data in case the file is stolen.

Now there is no easy way to protect/encrypt the secret shared key, if this is what you want to use to encrypt the data. You somehow encrypt the data with the data itself.

You could, however, try to initially encrypt the secret key and the data encryption key with the next OTP value. When the user enters the next OTP value, which he can calculate with his OTP token, the secret key and the data encryption key could be decrypted. Then KeePass could calculate the next (n+2) OTP value with the decrypted secret key and re-encrypt the secret key and the data encryption key.

But honestly there are so many possible flaws in such a setup that it is quite likely that you will lose your data rather quickly. The simplest thing is that you push the button of your OTP token twice... or ten times. KeePass would not have ten versions of the encrypted secret key and data encryption key...

So you might end up encrypting the secret shared key with the static password. Hm. Then all your security only depends on the strength of this static password and you end up with... ...guess what: one factor.

cornelinux
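The counter-chaining scheme sketched in the answer, together with the "pressed the button twice" failure it warns about, as an added Python example; this is not code from KeePass, the plugin, or the answer's author. It assumes a toy XOR wrap in place of a real cipher, a constructed HOTP secret (the RFC 4226 test key), and invented `seal`/`unlock` helper names.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def wrap_key(otp: str) -> bytes:
    """Derive a 32-byte wrapping key from the six OTP digits (constructed salt, toy KDF)."""
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), b"constructed-salt", 10_000, 32)


def xor_wrap(key: bytes, data: bytes) -> bytes:
    """Toy symmetric wrap (XOR with an HMAC keystream); stand-in for a real AEAD, self-inverse."""
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(hotp_secret: bytes, dek: bytes, counter: int) -> dict:
    """Encrypt the shared HOTP secret and the data-encryption key under OTP(counter)."""
    k = wrap_key(hotp(hotp_secret, counter))
    return {"counter": counter, "secret": xor_wrap(k, hotp_secret),
            "dek": xor_wrap(k, dek), "tag": hmac.new(k, b"tag", hashlib.sha256).digest()}


def unlock(vault: dict, entered_otp: str):
    """Open the vault with one OTP; on success return (dek, vault re-sealed under the next OTP)."""
    k = wrap_key(entered_otp)
    if not hmac.compare_digest(vault["tag"], hmac.new(k, b"tag", hashlib.sha256).digest()):
        return None  # wrong OTP: neither the HOTP secret nor the DEK is recoverable
    secret, dek = xor_wrap(k, vault["secret"]), xor_wrap(k, vault["dek"])
    return dek, seal(secret, dek, vault["counter"] + 1)


def desync_demo():
    """Normal open, then one stray button press: the vault is permanently unopenable."""
    secret, dek = b"12345678901234567890", bytes(range(32))  # constructed sample keys
    token = (hotp(secret, n) for n in range(10 ** 6))        # simulated token: counter only advances
    vault = seal(secret, dek, 0)
    dek1, vault = unlock(vault, next(token))                 # vault now expects OTP for counter 1
    next(token)                                              # accidental extra press burns counter 1
    return dek1 == dek, unlock(vault, next(token))           # (True, None): counter 2 cannot open it
```

Because the token's counter never moves backwards, nothing short of the separately stored recovery key can bring the vault and the token back into step once a single OTP has been skipped.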