TOTP as mastery password challenge

[leonyu]

Would it be possible to support TOTP as a mastery password challenge? Not sure if Keepass 2 file format supports such thing.

I would think this could potentially make the Keepass file more resilient against attacks on partially compromised environments.

[phoerious]

No, this is not possible because of how TOTP works.
The only thing we could implement is HOTP, but that would require an additional file with pre-computed OTPs which we would like to avoid.

Using a YubiKey is the preferred way for strengthening your master key.

[purplehat7]

@phoerious Can you elaborate on why TOTP is not compatible with offline databases like KeyPass, but HOTP is?

(Also posted this question to #1041, forgive the duplication)

[leonyu]

I can probably answer this myself now that I understand both better.

TOTP and HOTP operate with a "secret" and "timestamp/counter" as input. None of those data points offer any extra security for entirely offline operation than what's already there -- Key File & AES Transform.

Since KeepassXC is open source, hacker can defeat the "timestamp/counter" by compiling their own KeepassXC that ignores OS clock or counter (i.e. assume they are 0). Once that part is defeated, the "secret" would basically behave like a "key file" (or behave like password if the secret is low entropy)

[phoerious]

No, you cannot ignore it. It is simply part of the key. That's why TOTP cannot be used, because you have to know the counter value.

[purplehat7]

@phoerious I'm still not sure I get it, could you help me fill in these blanks?

Using TOTP to secure a KeyPass database file provides no extra security because....

...but using HOTP on the other hand does provide extra security because...

[droidmonkey]

@acannon828 In order for KeePassXC to calculate the TOTP value to compare against, the counter state must be known. This counter state must obviously be readable by KeePassXC in order to do this. Thus, you get into a situation where the counter state is not providing additional protection because it is stored with the database itself. Typical TOTP implementation is in a client-server architecture where both the client and server separately store the counter state.

HOTP, on the other hand, is a hashed representation of a supplied secret. The input to the hash is the secret + a nonce (aka moving factor). The nonce is public information, but must be combined with the secret to derive the hash again. Thus HOTP adds additional protection because the derivation secret itself is NOT stored with the database.

Read up on this some more: https://www.microcosm.com/blog/hotp-totp-what-is-the-difference

[purplehat7]

In order for KeePassXC to calculate the TOTP value to compare against, the counter state must be known

Isn't this HOTP? HOTP uses counters, TOTP uses time

The nonce is public information, but must be combined with the secret to derive the hash again. Thus HOTP adds additional protection because the derivation secret itself is NOT stored with the database.

How does the server or database file know when a code is "correct" then if it is not able to itself derive the code (because it doesn't have access to the secret)?

Thanks!

[droidmonkey]

A computer doesn't have any clue what you mean by time. It is always just counting from a set point, also known as an epoch. That counter can be converted to what we refer to as time.

I strongly recommend that you learn some basics about programming and cryptography before you go further in your quest.

[purplehat7]

@droidmonkey

Time does make a difference though in the context of TOTP vs HOTP no? Per that link you shared there are differences between the two apart from just that in TOTP the counter happens to be time based.

Perhaps this is splitting hairs, but it was a little confusing to someone new to TOTP vs HOTP. As you pointed out the important distinction in our case is that the latter is a hashed representation. In this case though how are HOTP codes validated? If the server or in our case KeyPass database doesn't have access to the secret how can it derive the hash? Does it somehow not need to, in order to know that a given HOTP code is correct?