4

I recently went through the list of available KeePass plug-ins and noticed one that advertises support for HOTP as a means to derive the database key.

Now I trust the developer of this plug-in who is Dominik Reichl, who also signs the KeePass releases, so I doubt this is some sort of KeePass-only feature that won't actually increase file security.

How can we use HOTP to as a factor to derive a key suitable for file encryption?

This is especially puzzling as it claims support for any HOTP client that complies to RFC 4226, which advises to compute the shared-keyed HMAC of a counter and then convert this into a decimal number and I really don't understand how one could leverage this number into a good source for the key.

Community
  • 1
SEJPM
  • 46,697
  • 9
  • 103
  • 214

1 Answers1

3

I had only a quick read through the source, and I am not particularly fluent in C#, so I may have gotten something wrong. That said the process appears to be:

  1. Generate a random encryption key, encrypt the database with it.
  2. Generate (up to six) HOTP tokens, derive a key from those, use that to encrypt the database key.

  3. To read:

    1. Ask for the HOTP tokens, derive the key, check that it matches.
    2. Decrypt the database key, so it can be read.
    3. Generate new HOTP tokens, use those to re-encrypt the database key for next access.

So by hashing several HOTP tokens you get enough entropy for a strong key – up to ~160 bits if you use the full six tokens with eight decimals each. Additional computational entropy may be added by the iterated hashing process.

By always encrypting the key with a new set of tokens you ensure they are only used once.

The HOTP secret is stored in encrypted form, so it can only be used to derive tokens when a set of matching tokens has been received.

otus
  • 32,462
  • 5
  • 75
  • 167