Unlock DB by using Challenge-Response authentication #1434
Comments
How does TOTP force an internet connection? Precise clocks have been invented before the internet. GNSS built into every smartphone works without any mobile or wifi connection, although it can increase the time to get a fix significantly.
I want to make it clear that I am not an IT expert, I just reported news as I read it on the web. As for the TOTP, from what I have read, it seems that between server and client, while sharing the same Unix time, there may be a time lag of a few thousandths of a second every few days, enough for wrong numbers to be generated. In this regard, the TOTP scheme defends itself by accepting so-called "time steps," that is, when both server and client agree to pass values to each other outside of synchronization time (-3, -2, -1, current time, +1, +2, +3), at the expense of security, however. This problem is overcome by the challenge-response scheme because it does not need synchronization to work; it would be better to specify that it works with implicit synchronization that is provided within every challenge proposed.
https://keepassxc.org/docs/#faq-yubikey-why-hmac-sha1 I signed up for the beta through the Play Store, as supposedly the beta version supports this YubiKey (challenge response). But so far I don't see the option, or maybe I haven't been able to download the beta version yet. I'll keep checking.
Initially I had proposed the one-time TOTP authentication system, but in both time-based and counter-based OTP (HOTP) there is a problem called synchronization, which, among other things, forces you, in case of problems, to connect to the Internet to re-sync.
Wandering around the web I found this new authentication scheme called OCRA (One-time Challenge Response Authentication), which corresponds to RFC 6287.
What makes this new method particularly valuable?
Mainly it keeps security standards high and works without synchronization.
It will need to be equipped with some sort of external calculator (the token generator). If implemented in KeePass unlocking the database would work more or less like this:
The app (KeePassDX) queries the database which responds by proposing a challenge (typically 6 numeric digits).
From an already configured external generator I go to enter the challenge through the built-in button pad.
The generator "chews" and "spits out" another 6 pseudo-random digits.
Those six digits unlock the database. As soon as the session ends you will need to pass a new challenge. And the database will come up with more numbers...
That is all.
Here is a conference talk about it:
https://www.youtube.com/watch?v=kBOhP7Hlvlg
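The unlock flow sketched in the issue (database proposes a challenge, the external token answers, the database checks the answer) as an added example; this is not code from the issue or from the KeePassDX project. It implements the RFC 6287 OCRA suite OCRA-1:HOTP-SHA1-6:QN08 (HMAC-SHA1, 6-digit response, 8-digit numeric challenge) and the `ChallengeResponseLock` class is a hypothetical stand-in for the database side. The key is the RFC's own 20-byte test key so the first two outputs can be checked against the RFC 6287 test vectors; a real deployment would use a random per-database secret.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: the "standard 20-byte key" from the RFC 6287 test
# vectors (ASCII "12345678901234567890"). A real unlock secret is per-database and random.
TEST_KEY = bytes.fromhex("3132333435363738393031323334353637383930")
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"  # HMAC-SHA1, 6-digit response, 8-digit numeric challenge


def ocra_response(key: bytes, suite: str, question: str) -> str:
    """Compute the RFC 6287 OCRA response for a numeric challenge.

    Only the DataInput fields this suite uses are assembled:
    suite string || 0x00 || Q (fixed 128 bytes). Counter, PIN, session and
    timestamp fields are not part of OCRA-1:HOTP-SHA1-6:QN08.
    """
    _, crypto, data_input = suite.split(":")
    algo, hash_name, digits = crypto.split("-")
    if algo != "HOTP" or hash_name != "SHA1":
        raise NotImplementedError("this example only implements HOTP-SHA1 suites")
    digits = int(digits)
    if not data_input.startswith("QN"):
        raise NotImplementedError("this example only handles numeric questions (QN)")
    q_len = int(data_input[2:])
    if not (question.isdigit() and len(question) == q_len):
        raise ValueError(f"challenge must be exactly {q_len} decimal digits")

    # RFC 6287 encodes a numeric question as the hex digits of its integer value,
    # right-padded with '0' to 256 hex characters (128 bytes).
    q_hex = format(int(question, 10), "X").ljust(256, "0")
    message = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)

    mac = hmac.new(key, message, hashlib.sha1).digest()

    # HOTP dynamic truncation (RFC 4226, section 5.3), reused by OCRA.
    offset = mac[-1] & 0x0F
    binary = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class ChallengeResponseLock:
    """Database side of the unlock flow from the issue (hypothetical helper).

    The database proposes a fresh random challenge; the external token computes
    the OCRA response; the database verifies it and discards the challenge, so a
    captured response cannot be replayed and no clock or counter has to stay in sync.
    """

    def __init__(self, key: bytes, suite: str = SUITE) -> None:
        self._key = key
        self._suite = suite
        self._pending = None  # challenge awaiting a response, if any

    def new_challenge(self) -> str:
        q_len = int(self._suite.split(":")[2][2:])
        self._pending = "".join(str(secrets.randbelow(10)) for _ in range(q_len))
        return self._pending

    def unlock(self, response: str) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: nothing to answer
        expected = ocra_response(self._key, self._suite, self._pending)
        self._pending = None  # single use, whether or not the attempt succeeds
        return hmac.compare_digest(expected, response)


def unlock_round_trip(key: bytes) -> tuple:
    """Run one unlock: returns (first attempt succeeded, replay of same response rejected)."""
    db = ChallengeResponseLock(key)
    challenge = db.new_challenge()
    response = ocra_response(key, SUITE, challenge)  # what the token would display
    first = db.unlock(response)
    replay = db.unlock(response)
    return first, replay


if __name__ == "__main__":
    for q in ("00000000", "11111111"):
        print(q, "->", ocra_response(TEST_KEY, SUITE, q))
    print("unlock, replay:", unlock_round_trip(TEST_KEY))
```

The challenge itself is the only thing the two sides need to agree on, which is the "implicit synchronization" mentioned in the comments above: there is no time window to widen and no counter to resynchronize. Note that the YubiKey HMAC-SHA1 challenge-response mode linked in the KeePassXC FAQ is a different scheme from OCRA: it returns the raw 20-byte HMAC-SHA1 of the challenge rather than a truncated 6-digit code, so this example models an OCRA token, not a YubiKey.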