
TOTP based 2 factor authentication

Topics: Feature Requests
Mar 12, 2015 at 5:39 PM
Is there a way for 2-factor authentication to be enabled using standard authentication protocols such as TOTP?

I understand that the secret may not be very secure since it is not on a server.

But I may not be an expert on this subject.

I very much would like to have a secure implementation of 2-factor authentication for my encrypted files.
Coordinator
Mar 13, 2015 at 8:56 PM
Encryption requires the use of a static key: the same key must be used every time you want to access the data.

OTP mechanisms (including TOTP) are targeted towards authentication and for that they generate a different value each time (a token) so that an attacker who may intercept this value won't be able to use it later.

As you can see, OTP mechanisms don't offer the static output requirement needed by encryption.

We can imagine implementing an OTP mechanism inside VeraCrypt binary so that a user would be authenticated before using a volume (for example, the volume would contain a unique ID identifying the user) but it has no security value: VeraCrypt is open source and anyone can compile a version without the authentication feature in order to bypass this step.

Encryption and Authentication are two different things. They are complementary and one of them can't replace the other.
Mar 13, 2015 at 9:16 PM
idrassi wrote:
We can imagine implementing an OTP mechanism inside VeraCrypt binary so that a user would be authenticated before using a volume (for example, the volume would contain a unique ID identifying the user) but it has no security value: VeraCrypt is open source and anyone can compile a version without the authentication feature in order to bypass this step.
Makes sense. Thanks.
Mar 17, 2015 at 8:06 PM
You could however use a yubikey like I used here.
https://github.com/cornelinux/yubikey-luks

Use a yubikey in challenge response mode.
You enter a passphrase that is sent to the yubikey as a challenge, and the yubikey responds to this password.
The response is used to decrypt the encryption key.

Then you can unlock the data with the knowledge of the password and the possession of the yubikey.

Drawback: You can record the response and use it as a single long password to unlock the data.
May 23, 2015 at 6:03 AM
Check out chapter 4 of this PDF: https://www.yubico.com/wp-content/uploads/2012/10/YubiKey-Integration-for-Full-Disk-Encryption-with-Pre-Boot-Authentication-v1.2.pdf

Are they very much off base or make too many assumptions that are not true for the VC architecture? Or is the outlined approach just not possible in the tiny, restricted environment available in the PBA period?
May 23, 2015 at 6:26 AM
If you are in control over the PBA (which veracrypt is) this is possible. They also describe using the challenge response mode in the paper, but they rewrite the challenge each time, so that you can not use a simple replay attack. I think veracrypt would be a real cool project, implementing the yubikey ;-)
Coordinator
May 24, 2015 at 9:07 AM
The Yubikey LUKS project posted above doesn't use the real Challenge-Response mode since it doesn't update the challenge after each authentication. Thus, it is like using a static password. The Yubikey FDE document clearly insists on the need to update the challenge each time.

As for VeraCrypt, there are currently bootloader size constraints that make it difficult to include the Yubikey API in the code. Moreover, as I previously explained, VeraCrypt only implements standard mechanisms that are not specific to any manufacturer or provider. Yubikey is not the only solution out there (there is also for example Nitrokey) and its support can be implemented if there is sponsoring or funding from the community.
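The two points above, the yubikey-luks drawback that a recorded response works as one long static password, and the coordinator's note that a real challenge-response design replaces the challenge after every authentication, can be shown side by side in a small simulation. This is an added, constructed example for this thread, not code from VeraCrypt, yubikey-luks or Yubico: the token is simulated in software (HMAC-SHA1 over the challenge, which is what an HMAC-SHA1 challenge-response slot computes), and the header layout, the class and function names, and the XOR-plus-HMAC key wrap are assumptions made for the demonstration only.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class SimulatedToken:
    """Software stand-in for a hardware token's HMAC-SHA1 challenge-response
    slot (assumed behaviour: HMAC-SHA1 over the challenge with a secret that
    never leaves the device)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_kek(passphrase: str, response: bytes, salt: bytes) -> bytes:
    """Knowledge factor (passphrase) + possession factor (token response)
    -> 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode() + response, salt, 20_000, dklen=32)


def wrap(master_key: bytes, kek: bytes) -> Tuple[bytes, bytes]:
    """Toy key wrap for the demo: XOR the 32-byte master key with the KEK and
    tag it with HMAC so a wrong KEK is detected. A real header would use an
    AEAD or a standard key-wrap instead."""
    ct = bytes(a ^ b for a, b in zip(master_key, kek))
    return ct, hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(ct: bytes, tag: bytes, kek: bytes) -> Optional[bytes]:
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, kek))


class StaticChallengeVolume:
    """yubikey-luks style: the passphrase itself is the challenge, so the token
    always returns the same response; that response is a long static password."""

    def __init__(self, token: SimulatedToken, passphrase: str, master_key: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        response = token.respond(passphrase.encode())
        self.ct, self.tag = wrap(master_key, derive_kek(passphrase, response, self.salt))

    def unlock_with_response(self, passphrase: str, response: bytes) -> Optional[bytes]:
        # A recorded response is enough here: no token needed.
        return unwrap(self.ct, self.tag, derive_kek(passphrase, response, self.salt))

    def unlock(self, token: SimulatedToken, passphrase: str) -> Optional[bytes]:
        return self.unlock_with_response(passphrase, token.respond(passphrase.encode()))


class RotatingChallengeVolume:
    """Yubico FDE-paper style: a random challenge is stored in the header and
    replaced after every successful unlock, re-wrapping the master key under the
    new response so the response just used stops working."""

    def __init__(self, token: SimulatedToken, passphrase: str, master_key: bytes) -> None:
        self._rewrap(token, passphrase, master_key)

    def _rewrap(self, token: SimulatedToken, passphrase: str, master_key: bytes) -> None:
        self.challenge = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        response = token.respond(self.challenge)
        self.ct, self.tag = wrap(master_key, derive_kek(passphrase, response, self.salt))

    def unlock_with_response(self, passphrase: str, response: bytes) -> Optional[bytes]:
        return unwrap(self.ct, self.tag, derive_kek(passphrase, response, self.salt))

    def unlock(self, token: SimulatedToken, passphrase: str) -> Optional[bytes]:
        master_key = self.unlock_with_response(passphrase, token.respond(self.challenge))
        if master_key is not None:
            self._rewrap(token, passphrase, master_key)  # invalidates the old response
        return master_key


def replay_demo() -> Tuple[bool, bool]:
    """Returns (static scheme: replay unlocks, rotating scheme: replay fails)."""
    token = SimulatedToken(secrets.token_bytes(20))
    master_key = secrets.token_bytes(32)
    passphrase = "constructed demo passphrase"  # constructed value
    static = StaticChallengeVolume(token, passphrase, master_key)
    rotating = RotatingChallengeVolume(token, passphrase, master_key)

    # An observer on the host side records the responses of one legitimate
    # unlock of each volume (and is assumed to already know the passphrase).
    recorded_static = token.respond(passphrase.encode())
    recorded_rotating = token.respond(rotating.challenge)
    assert static.unlock(token, passphrase) == master_key
    assert rotating.unlock(token, passphrase) == master_key

    # Later, with the token absent, the recorded responses are replayed.
    static_replay = static.unlock_with_response(passphrase, recorded_static)
    rotating_replay = rotating.unlock_with_response(passphrase, recorded_rotating)
    return static_replay == master_key, rotating_replay is None  # (True, True)
```

Running `replay_demo()` shows the difference in one call: the static-challenge volume opens with the recorded response alone, while the rotating-challenge volume rejects it because the header now references a challenge the observer never saw. The cost of rotation is that every unlock becomes a header write, which must be crash-safe (write the new wrapped key before discarding the old one), and it still only removes replay of a recorded response; the passphrase remains a separate factor that has to be protected on its own.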
Nov 19, 2015 at 7:55 AM
Hi everyone. I would strongly propose adding challenge-response (if possible, with the challenge updated every time), instead of storing static data in pkcs11.
The way VeraCrypt uses tokens today is like a PIN-protected USB key – users that have the PIN can copy the token keyfile anywhere for later use.