Using Challenge-Response (HMACSHA1) with the same Secret on a Nitrokey 3 and on a Onlykey to unlock a KeepassXC Database

Using Challenge-Response (HMACSHA1) with the same Secret on a Nitrokey 3 and on a Onlykey to unlock a KeepassXC Database

I just wanted to share my experience regarding the Nitrokey 3 and an Onlykey to use the same HMAC Secret to unlock a KeypassXC Database with Challenge Response with either one of these two Security Keys.

So I have a Onlykey with a current up-to-date Firmware (v3.0.4-prodc), the onlykey-cli (v1.2.10) and the Onlykey App (v5.5.0), and a Nitrokey 3A NFC with firmware v1.5.0, and nitropy (0.4.43).

For one or the other reason I was not able to set the HMAC on the Onlykey with the onlykey-cli. Even that it should be working because its “documented”, it simply does not work. However:

  1. Generate a secure random string of 20 character. I’ve used pwgen --capitalize --numerals --secure 20 1 to get at least a “sane” set of ASCII characters.
  2. Backup this secret!
  3. As Onlykey will only take the Secret hex-encoded, it needs to be converted: printf "%s" "${SECRET}" | xxd --plain. Be aware that if the string contains " (double-quotes), they should be escaped…
  4. With the Onlykey App started, insert the Onlykey, and unlock it. Set it into the “configure mode” by pressing Button 6 for 5+ seconds. Unlock the Onlykey again. It should now blinking red.
  5. Under the “Advanced” Tab; select Type HMACSHA1; Slot: HMAC1; Copy the Hex String into the Key field. Fill up with 0. In the end this string should be 64 characters long. Save to Onlykey.
  6. For the Nitrokey 3: Convert the (generated) String with base32: printf "%s" "${SECRET}" | base32
  7. Write it: nitropy nk3 secrets add-challenge-response 1 ${base32}

(The Secret is now writen to the 1st Slot of each device.)

You can now configure i.e. KeepassXC to use Challenge-Response, and set either the Onlykey or the Nitrokey as your to be used Security Key. Both will work to unlock the Database.
(I have no explanation, but if the Nitrokey is configured as the Security Key, then the first attempt to unlock the Database with the Onlykey will fail because of a HMAC mismatch and that a device with that serial could not be found. But after that, both Security Keys will just work fine.)

But I have found the following issues:

  • It is (yet) not possible to configure the Nitrokey 3 to request User Presents by confirming via touch when using Challenge-Response? Not a deal breaker, but somehow I’m unsure what to think about.
  • Using keepassxc-cli, I’m unable to use the Nitrokey 3 to unlock the Database:
# Having only the Nitrokey 3 plugged in, because I don't know how to address these keys directly
$ keepassxc-cli open -y 1 /tmp/test.kdbx
Enter password to unlock /tmp/test.kdbx:
Please present or touch your YubiKey to continue.

Failed to issue challenge:  "PCSC: Could not find or access hardware key with serial number 0. Please present it to continue. "
Error while reading the database: Unable to calculate database key: PCSC: Could not find or access hardware key with serial number 0. Please present it to continue.

# Now having only the Onlykey plugged in
$ keepassxc-cli open -y 1 /tmp/test.kdbx
Enter password to unlock /tmp/test.kdbx:
Please present or touch your YubiKey to continue.

TEST DB>
  • I’m unable to use the Nitrokey 3A NFC neither with NFC nor with an OTG on an Nokia 5, Android 12 and KeepassDX. The Onlykey “just works fine” with the OTG however.
1 Like