So I have set up my password list for my Apex Flex, but now when I go to use it on PC with KeePassXC it says it is corrupt. This is where it gets weird: if I make a database on PC with KeePassXC and use it with KeePassDX, it will not work on my Android. Both applications are on their latest update. I really can’t figure out what I’m doing wrong or a solution, and I have looked all over. Any help is greatly appreciated, thanks! I am trying to use only Challenge and Response to open the vault, and Android works fine, but I’d like to use that list on my PC as well, as my reader came in today. The reader is an ACR1252U-M1.
If anyone has this issue, I managed to solve it. For some reason my database was on KDBX 3, so I turned challenge response off on Android, used a simple password, ported the list over, then updated the database to KDBX 4, and then rescanned my Apex Flex for challenge response, and now it all appears to be working successfully.
Late to the conversation, but glad it is working. I had similar issues with the database format. Definitely need to use v4, but even then interoperability is not guaranteed when securing the database with HMAC-SHA1 2FA.
The issue comes down to the way that KeePassXC implemented support for YubiKey. Their version of that implementation is different from, and incompatible with, the YubiKey support that was part of the original KeePass.
One of the changes that KeePassXC made was the inclusion of variable information (the hash of the database file) in the challenge being sent to the applet. This partially helps against replay attacks, where an attacker intercepting the communication between your Apex (or YubiKey) and password database could then reuse that sequence on older or newer databases. To combat this, KeePassXC incorporates the response from the HMAC applet into the master encryption key, then immediately generates and stores a new challenge. That is why you have to present your Apex and save your database for any change that is made.
The benefit is that someone who sniffs the secret response coming back from your Apex can only use that on the specific version of the database that issued the challenge. As soon as you make a change to your database and re-save it, that response will no longer work for any future versions.
Too much explication, sorry. The tl;dr is that any KeePassXC clones must implement YubiKey support in the exact same way as KeePassXC for desktop. On Android, I know (and recommend) KeePass2Android does this, but when I checked a couple years ago, KeePassDX was not doing this.
If it is working for you, then it sounds like they implemented that feature. Their FAQ says it was added in v3.5.0, and an issue on their GitHub confirms they are using KeePassXC’s algorithm.
I love KeePass2Android, but I’ll definitely check out KeePassDX now that it is compatible.
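The challenge rotation described in the post above, as an added example that is not part of the thread and is not KeePassXC's code: a simplified Python model in which every save stores a fresh random challenge and the token's HMAC-SHA1 response is folded into the key. The `Token` class, the key derivation and the check tag are assumptions for illustration and do not follow the KDBX 4 format.

```python
import hashlib
import hmac
import os


class Token:
    """Stand-in for the HMAC-SHA1 applet on the Apex or YubiKey (constructed secret)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_key(password: bytes, response: bytes) -> bytes:
    # Assumed, simplified composite key: password hash plus response hash.
    parts = hashlib.sha256(password).digest() + hashlib.sha256(response).digest()
    return hashlib.sha256(parts).digest()


def check_tag(key: bytes) -> bytes:
    # Stands in for "the database decrypts correctly with this key".
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def save(password: bytes, token: Token) -> dict:
    """Write a new database version: new challenge, key bound to its response."""
    challenge = os.urandom(32)
    key = derive_key(password, token.respond(challenge))
    return {"challenge": challenge, "check": check_tag(key)}


def unlock_with_response(vault: dict, password: bytes, response: bytes) -> bool:
    key = derive_key(password, response)
    return hmac.compare_digest(check_tag(key), vault["check"])


def demo() -> dict:
    token = Token(os.urandom(20))           # constructed 20-byte HMAC secret
    password = b"constructed-password"
    v1 = save(password, token)
    captured = token.respond(v1["challenge"])  # response seen on the reader link
    v2 = save(password, token)                 # any edit re-saves with a new challenge
    return {
        "captured_opens_v1": unlock_with_response(v1, password, captured),
        "captured_opens_v2": unlock_with_response(v2, password, captured),
        "token_opens_v2": unlock_with_response(
            v2, password, token.respond(v2["challenge"])),
    }
```

A client that computes the challenge or folds in the response differently derives a different key from the same token, which is why the file looks corrupt to it.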
Yeah, I really like KeePassDX over KeePass2Android; it just seems like a cleaner experience, but time will tell. So far it is really decent.