Compatibility Issues with .kdbx database files created with KeePass 2.40 #7

Open
Nate2003od opened this issue Nov 27, 2018 · 5 comments

Nate2003od commented Nov 27, 2018

Hello,
Wanted to pass along some issues I've noticed in getting ykDroid to work with Keepass2Android app on my device running Android 9 using a YubiKey 5 NFC.

I originally tried to set up the challenge response function via the KeePass 2.40 desktop application. While everything worked seamlessly on the desktop, I couldn't even get the database to start unlocking on Keepass2Android. My initial setting for the Master Key was: "Password + Challenge Response." Then when I set the Master Key setting to "Password + Challenge-Response for KeePass XC", I was able to start unlocking the database and ykDroid was invoked allowing me to scan my YubiKey via NFC. However, in spite of both the password and Challenge-Response key being correct, I received an error message about the composite key always being incorrect.

I then read a review on Google Play by another user saying that ykDroid worked well with a KeePassXC created database. With a little trial and error, I noted the following:

* I opened my database in KeePassXC and made the following changes to the database settings:
  1. Set "Encryption Algorithm" to AES-256
  2. Set "Key Derivation Function" to AES-KDF (KDBX 4) after having this set to Argon 2 (KDBX 4)
  3. Used KeePassXC to Change Master Key and configure YubiKey Challenge-Response. (I didn't think
     this would make a difference, but IT DOES!) One cannot use the same challenge response setting to
     open the same database on KeePassXC and KeePass 2.40. The setting and encryption are application
     dependent.

I realize the above is not an issue that can be addressed with an update to ykDroid alone, but wondered why nothing works when the "Password Challenge-Response" option for Keepass2Android is selected for sign-in. But, when the MasterKey setting is changed to "Password + Challenge-Response for KeePass XC" AND KeePassXC is used to change the Master Key and configure the challenge response option for sign-in, everything works fine.

Just wanted to pass along these observations to potentially help others out there make this app, Keepass2Android and their YubiKey work as intended.

PhilippC commented Dec 3, 2018

This is not related to Keepass2Android nor ykDroid. It's because KeepassXC has developed their own challenge-response implementation. Keepass 2.40 doesn't have any Challenge-Response. If you have used KeeChallenge - that has a different implementation than KeepassXC.
Keepass2Android (and ykDroid) support both types.

deisi commented Jan 23, 2020

I must admit I can't really follow. I currently try to use the yubikey 5 nfc with challenge response on a keepassxc created database, but it fails. It's basically not picking up anything from the key.

x86dev commented Aug 8, 2020

> Hello,
> Wanted to pass along some issues I've noticed in getting ykDroid to work with Keepass2Android app on my device running Android 9 using a YubiKey 5 NFC.
>
> I originally tried to set up the challenge response function via the KeePass 2.40 desktop application. While everything worked seamlessly on the desktop, I couldn't even get the database to start unlocking on Keepass2Android. My initial setting for the Master Key was: "Password + Challenge Response." Then when I set the Master Key setting to "Password + Challenge-Response for KeePass XC", I was able to start unlocking the database and ykDroid was invoked allowing me to scan my YubiKey via NFC. However, in spite of both the password and Challenge-Response key being correct, I received an error message about the composite key always being incorrect.
>
> I then read a review on Google Play by another user saying that ykDroid worked well with a KeePassXC created database. With a little trial and error, I noted the following:
>
> * I opened my database in KeePassXC and made the following changes to the database settings:
>   1. Set "Encryption Algorithm" to AES-256
>   2. Set "Key Derivation Function" to AES-KDF (KDBX 4) after having this set to Argon 2 (KDBX 4)
>   3. Used KeePassXC to Change Master Key and configure YubiKey Challenge-Response. (I didn't think
>      this would make a difference, but IT DOES!) One cannot use the same challenge response setting to
>      open the same database on KeePassXC and KeePass 2.40. The setting and encryption are application
>      dependent.
>
> I realize the above is not an issue that can be addressed with an update to ykDroid alone, but wondered why nothing works when the "Password Challenge-Response" option for Keepass2Android is selected for sign-in. But, when the MasterKey setting is changed to "Password + Challenge-Response for KeePass XC" AND KeePassXC is used to change the Master Key and configure the challenge response option for sign-in, everything works fine.
>
> Just wanted to pass along these observations to potentially help others out there make this app, Keepass2Android and their YubiKey work as intended.

Thanks for the pointer! This indeed did make my KDBX v4 database work with Keepass2Android again!

ryan-gore commented Oct 26, 2021

I had used KeepassXC to set up Yubikey challenge-response in the first place, but I was getting the "invalid composite key" error in Keepass2Android until I followed your first two steps. Thanks!

> 1. Set "Encryption Algorithm" to AES-256
> 2. Set "Key Derivation Function" to AES-KDF (KDBX 4) after having this set to Argon 2 (KDBX 4)

At first I didn't notice the checkbox in KeepassXC for Advanced Settings in the bottom left, which makes these options available.
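
A way to confirm which cipher and KDF a database actually uses after changing the two settings discussed in this thread, as an added example that is not part of any comment above and not code from ykDroid, Keepass2Android or KeePassXC. It assumes the standard KDBX 4 outer-header layout; the function names are hypothetical and `sample_header` builds a constructed header for the demo.

```python
import struct
import uuid

# Well-known KDBX 4 identifiers (raw 16-byte UUIDs as stored in the header).
CIPHERS = {"31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256",
           "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20"}
KDFS = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
        "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
        "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}

def kdf_uuid(vd: bytes) -> str:
    """Return the $UUID entry of the KdfParameters VariantDictionary."""
    pos = 2                                   # skip 2-byte dictionary version
    while pos < len(vd) and vd[pos] != 0:     # type 0 terminates the dictionary
        (klen,) = struct.unpack_from("<I", vd, pos + 1)
        key = vd[pos + 5:pos + 5 + klen]
        (vlen,) = struct.unpack_from("<I", vd, pos + 5 + klen)
        start = pos + 9 + klen
        if key == b"$UUID":
            return str(uuid.UUID(bytes=vd[start:start + vlen]))
        pos = start + vlen
    raise ValueError("KdfParameters has no $UUID entry")

def inspect_kdbx4(data: bytes) -> dict:
    """Read cipher and KDF names from the unencrypted KDBX 4 outer header."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (0x9AA2D903, 0xB54BFB67):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError("not a KDBX 4 file")
    pos, info = 12, {}
    while True:
        fid, size = struct.unpack_from("<BI", data, pos)  # 1-byte id, 4-byte length
        body = data[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == 0:                                      # end-of-header field
            return info
        if fid == 2:                                      # cipher UUID
            cid = str(uuid.UUID(bytes=body))
            info["cipher"] = CIPHERS.get(cid, cid)
        elif fid == 11:                                   # KdfParameters
            kid = kdf_uuid(body)
            info["kdf"] = KDFS.get(kid, kid)

def sample_header(kdf_hex: str) -> bytes:
    """Constructed header for the demo: AES-256 cipher plus the given KDF UUID."""
    field = lambda fid, body: struct.pack("<BI", fid, len(body)) + body
    vd = (b"\x00\x01\x42" + struct.pack("<I", 5) + b"$UUID"
          + struct.pack("<I", 16) + uuid.UUID(kdf_hex).bytes + b"\x00")
    return (struct.pack("<III", 0x9AA2D903, 0xB54BFB67, 0x00040000)
            + field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
            + field(11, vd) + field(0, b"\r\n\r\n"))
```

The outer header is stored unencrypted, so passing the first few kilobytes of a real `.kdbx` file to `inspect_kdbx4` needs neither the password nor the YubiKey.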
