Make implementation of Challenge-Response more compatible to Keepass 2

[PhilippC]

As the author of Keepass2Android I was looking into implementing the Challenge-Response functionality as in KeepassXC. While I like the idea of using the Master seed as "challenge", I am not so happy with the implementation of Challenge-Response. To explain why, here is a short overview of the key generation in Keepass 2 (by Dominik Reichl) which is used by Keepass2Android as well:

Keepass2:

pbPassword = CryptoUtil.HashSha256(StrUtil.Utf8.GetBytes(strPassword))
pbKeyFile = LoadKeyFile(...)
pbCustomKey = challengeResponse //for example when using KeeChallenge Plugin in keepass 2
//CompositeKey concatenates the data of ALL IUserKey objects
pbAllData = pbPassword + pbKeyfile + pbCustomKey
pbRaw32 = CryptoUtil.HashSha256(pbAllData)
pUserKey32 = kdf.Transform(pbRaw32)
pbCmp = MasterSeed + pUserKey32
pbHmacKey64 = h.ComputeHash(pbCmp);

KeepassXC, with the naming conventions from Keepass 2

pbPassword = CryptoUtil.HashSha256(StrUtil.Utf8.GetBytes(strPassword))
pbKeyFile = LoadKeyFile(...)
//CompositeKey only concatenates password + keyfile but not challengeResponse
pbAllData = pbPassword + pbKeyFile
pUserKey32 = kdf.Transform(pbRaw32)
pbRaw32 = CryptoUtil.HashSha256(pbAllData)
//challengeResponse is added later, where no plugin can modify the computation in Keepass2
pbCmp = MasterSeed + challengeResponse + pUserKey32
pbHmacKey64 = h.ComputeHash(pbCmp);

In Keepass 2, it is very common for Plugins to add elements to the Composite Key. These elements are objects of KcpCustomKey or custom classes implementing the IUserKey interface. The data of all these elements are concatenated and transformed. When I added support for KeeOtp or KeeChallenge in Keepass2Android, I did exactly this, which was very simple.

In KeepassXC, the challengeRespose is not concatenated with password and (potentially) key file. Instead, it is prepended to the hashed and transformed key. This cannot be implemented for Keepass2 by a plugin, so the current KeepassXC implementation will not be usable for Keepass 2 users, and nobody can change this by developing a plugin. It also requires some pretty intrusive code changes if I want to implement this in Keepass2Android which I believe are not necessary if KeepassXC would offer (at least as an option or better as the default) to concat the challengeResponse to the pbAllData.

If I didn't miss any important reason to integrate the challengeResponse at this point in the processing, I suggest you make the key computation more compatible to other Keepass implementations. Please let me know what you think so I can plan further development on the feature for keepass2android.

[droidmonkey]

Yikes, this is not good. Fixing this will also require backwards compat for users who are currently using KeePassXC with Yubikey with an option to "fix" their encryption for portability.

[droidmonkey]

For the record, the offending code is located here down to line 125.

The main issue is challenge response keys are treated separately from normal keys in the CompositeKey::rawKey() function which is called right before the key transformation occurs. We should also be performing the challenge-response and adding that data to the rawKey() return value for use in KeePass2Reader.

The best way to clean this up is to "initialize" the composite key first by issuing a challenge-response with the master seed, then using that stored result to compute the rawKey later. This has the added benefit of not having to re-issue a challenge response every time you save the database.

We need to maintain the old way the final key is computed to allow existing users to open their databases. This should be tried first, if it succeeds we issue a stern warning to the user with a "YES"|"NO" choice to convert their composite key to the new format. If it fails, we use the KeePass2 method as described above.

Alternatively, we can leave this broken in the current KeePassReader2 and fix this when we implement KDBX4 format. @PhilippC do you support kdbx4?

[phoerious]

We do need to re-issue a challenge every time we save the database, no matter how we calculate the final key. Otherwise we lose any benefit we have from our implementation over the KeeChallenge implementation. The master seed changes every time, so does the challenge response.

I also don't like trying the old way first. There is really no way of knowing how the key was computed and trying several methods multiplies the time it takes to decrypt a database. My database takes about a second on my fastest computer, and on my slowest (my phone) about 5-10. Trying a different method first, would make it two seconds (and 10-20) for absolutely no security gain.

I'd rather suggest going the way VeraCrypt did. They have a checkbox "TrueCrypt mode" which allows me to open legacy TrueCrypt containers. We only need to do a better job at letting users know they have to check this box and not forget it every time or come here and complain their databases won't open anymore.

[phoerious]

Thinking about it, we could do it like that:

1. We add a tiny checkbox somewhere for activating legacy mode. When the user tries to open a database with their YubiKey, we show a dialog asking them if they want to enable legacy mode with an additional checkbox "don't bother me again". If the user chooses "yes", we check the box for them.

2. When saving a legacy database, we show another message, asking the user if they want to convert the database and informing them that the old format will be removed in the future.

3. A few versions down the road we remove support for the legacy format and add an FAQ entry telling users to temporarily use an older version for conversion if they habe a legacy database.

[TheZ3ro]

I think that's the best thing to do, but I will also consider fixing this for the KDBX4 format so every new (converted) database will use the new mode and not the legacy one

[phoerious]

KDBX4 is a completely new format, so there is no reason to implement legacy support for KDBX4 databases (although it would probably not even be much extra code).

[droidmonkey]

its a natural and easy way to fix this issue to only support the keepass2 method of key transform in kdbx4.