Support RSA SecurID in TOTP

[philipsd6]

Expected Behavior

Setup TOTP allows using Steam and Default RFC 6238 token settings, and I would like to be able to use my RSA SecurID as well. The modern RSA SecurID algorithm is not very different from TOTP.

Current Behavior

Configuring TOTP with the settings of my RSA SecurID "works" (i.e. doesn't cause an error) but it produces invalid tokens.

Possible Solution

Integrate the stoken code into KeePassXC. The only GUI change necessary would be adding a radio button for RSA SecurID like the Steam one, and a text input for an optional PIN.

Steps to Reproduce (for bugs)

Here's what I'm doing:

1. I've imported the .sdtid file I got from our security manager into stoken and verified that it provides the same tokens as the RSA Windows app.
2. I ran stoken show --seed and set up TOTP using:
   • Decrypted seed (as the Key)
   • Seconds per tokencode (as the Time step)
   • Tokencode digits (as the Code size)
3. Select Show TOTP from the context menu, and see that the tokens it generates do not match the ones produced by the RSA app or stoken

Context

We use RSA SecurID for external VPN and internal 2FA for accessing secure networks. Currently, I can have KeepassXC autotype my personal authentication for the first layer, and then have my static pin prefix autotyped, but then I have to get the output of stoken and paste it, and then do another autotype for the final authentication layer.

Making this seamless would require autotyping the current TOTP token, which I'm not sure is possible either. But it should be!

Debug Info

KeePassXC - Version 2.3.4
Revision: 6fe821c

Libraries:

• Qt 5.11.2
• libgcrypt 1.8.3

Operating system: Solus 3.9999
CPU architecture: x86_64
Kernel: linux 4.18.16-96.current

Enabled extensions:

• Auto-Type
• Browser Integration
• SSH Agent
• YubiKey

[droidmonkey]

Make sure the seed you input into the TOTP setup dialog is Base32 encoded

[philipsd6]

The output of stoken show --seed shows Encrypted seed and Decrypted seed as strings of 16 double hex chars, for example:

Decrypted seed          : d8 d0 30 66 30 73 00 fd 4e d6 7b d6 24 b7 7b 2d
Encrypted seed          : 89 95 40 c3 3e 47 bc 16 79 84 00 4e 79 34 55 67

Is that Base32 or not?

[droidmonkey]

Use this tool with the decrypted seed: https://www.translatorscafe.com/unit-converter/en-us/numbers/4-35/hexadecimal-base-32/

[philipsd6]

Well, I already got a clue and did that myself in python2 like this:

In [21]: from base64 import b32encode
# ** these are not my real bytes of course! **
In [22]: byte_array = 'd8 d0 30 66 30 73 00 fd 4e d6 7b d6 24 b7 7b 2d'.split()
In [23]: byte_string = ''.join(byte_array)
In [24]: unhexed = byte_string.decode('hex')
In [25]: key = b32encode(unhexed)
In [26]: key
Out[26]: '3DIDAZRQOMAP2TWWPPLCJN33FU======'

But using the resulting base32 key in Setup TOTP has the same results -- it produces tokens, but they don't match what I get from stoken

[droidmonkey]

Yah I am not sure about this one. TOTP uses SHA1 hash of the seconds since epoch divided by the step size. RSA uses AES128 of some combination of the date/time.

[droidmonkey]

This would be a good use case for #1016

[asbachb]

I wonder if there's a workaround for now? I struggling with that sceurid/2fa authentication as well which is super annoying.

[caltuntas]

+1 for this feature

[mcrocker]

+1 for this feature

[u9-5]

+1 for this feature
though.. see the top comment here, at least one person thinks it would be difficult https://www.reddit.com/r/KeePass/comments/p7m6t7/implement_proprietary_2faotp_systems_into_keepass/