Cipherbox

by Northstrix in Circuits > Microcontrollers

2553 Views, 12 Favorites, 0 Comments

Cipherbox

IMG_20220705_155520_hdr.jpg

With the development of cryptanalysis and new hacking techniques, the cost of accessing your data without your authorization continues to decline, making it easier and more attractive for different sides to get it.

I'm not going to get into details about the motivation of each side and the goals they're trying to achieve by obtaining your data. Instead, I would like to focus on the solution to that problem.

In my opinion, the only way to keep your data private is to raise the costs of unauthorized access to it as high as possible, ideally higher than any reward that a third side can get by obtaining your data. Doing so puts away the incentives to access your data without your permission.

To raise the cost of unauthorized access to your data, I've developed cipherbox.

Cipherbox is what I consider to be a cryptographic swiss knife.

It utilizes six encryption algorithms, and it's also a vault that's locked with four RFID cards, your username, and password. Not to mention that several people can use it without interfering with one another (I guess you can also turn it into service).

Cipherbox consists of three microcontrollers: ESP32, Arduino Uno, and ESP8266.

ESP32 is the device's core. All encryption algorithms and SQLite run on it.

Arduino Uno - serves as a keyboard driver and an intermediary between the ESP32 and RFID reader.

ESP8266 is the receiver that only runs the AES + Serpent encryption algorithm in the decryption mode.

Supplies

IMG_20220705_171225.jpg

Supplies for the vault:

  • ESP32 x1
  • Arduino Uno x1
  • 2.4 Inch TFT LCD with ILI9341 x1
  • Mifare RC522 x1
  • RFID cards x4
  • PS/2 Keyboard x1
  • PS/2 Port x1
  • 580 ohm resistors x2
  • LED x1
  • 10µF capacitor x1 *optional


Supplies for the receiver:

  • ESP8266 x1
  • Nokia 5110 display x1

Encryption Algorithms

BASA.png
ASA.png
AS.png
BS.png
S.png
A.png

Out of 6 encryption algorithms utilized by this device, 4 perform something called superencryption.

As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

Organizing encryption algorithms in that way allows to easily build a combined encryption algorithm that is at least as strong as the strongest one in the cascade, has a longer key, might be more resistant to some attacks, and might produce a ciphertext with higher entropy. Anyway, it won't hurt to have an additional layer of security (or several of them).

Now, let's get to the description part.

I would like to begin with the fact that all encryption algorithms utilized by this device are symmetric (the same key is used to both - encrypt and decrypt data).

The first four algorithms on the list perform superencryption. And the first five make use of the initialization vectors and random numbers during the encryption process to prevent the chosen-plaintext attack and increase the entropy of the ciphertext.

  • Blowfish + AES + Serpent + AES is the strongest encryption algorithm utilized by this device. It takes 8 characters as input and produces 64 characters long output. (I bet it can also be classified as quantum-resistant).
  • AES + Serpent + AES is almost the same as Blowfish + AES + Serpent + AES, except for the Blowfish part.
  • AES + Serpent is a bit weaker than the previous two but still strong enough to keep your data secure.
  • Blowfish + Serpent is an encryption algorithm that takes 8 characters as input and produces 32 characters long output.
  • Serpent is a bare minimum for keeping your data secure. It takes 8 characters as input and produces 32 characters long output.
  • AES. If I were you - I would pay attention to that one. The implementation of AES utilized by this device is not exactly what I would call secure. It still works, and it's still able to encrypt your data, but it doesn't utilize the advantages of IV and random numbers during the encryption process. It produces the same ciphertext each time you encrypt the same message which makes it vulnerable to the chosen plaintext attack, and especially vulnerable to cryptanalysis. The only reason why I even put it there - is because I wanted to give you an option to play with the "bare AES."

Install Drivers and Configure Arduino IDE *Optional

If you've never flashed ESP32 or ESP8266 before you'll need to configure Arduino IDE and install drivers to upload the firmware to the boards, you can find drivers here:

CP210x driver for ESP32: https://www.silabs.com/developers/usb-to-uart-brid...

CH340 driver for ESP8266: https://sparks.gogo.co.nz/ch340.html

In case you don't have Arduino IDE, you can download it here: https://www.arduino.cc/en/software

Configuring IDE isn't a part of this tutorial, you can read about it here:

ESP32: https://randomnerdtutorials.com/installing-the-esp...

ESP8266: https://randomnerdtutorials.com/how-to-install-esp...

Download Firmware From GitHub

g.png

You can download firmware here https://github.com/Northstrix/Cipherbox


Download and Install the Libraries

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_ILI9341: https://github.com/adafruit/Adafruit_ILI9341

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

PS2Keyboard: https://github.com/PaulStoffregen/PS2Keyboard

esp32_arduino_sqlite3_lib: https://github.com/siara-cc/esp32_arduino_sqlite3_lib

espsoftwareserial: https://github.com/plerup/espsoftwareserial/

rfid: https://github.com/miguelbalboa/rfid

nokia-5110-lcd-library: https://github.com/platisd/nokia-5110-lcd-library

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click to the Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

Install ESP32 Filesystem Uploader

FJJAKACL2LVL965.png

The primary purpose of the ESP32 Filesystem Uploader is to let you upload files into ESP's filesystem. In this tutorial, the purpose of this tool is to upload an empty SPIFFS image into ESP.

Download the file called ESP32FS-1.0.zip from here: https://github.com/me-no-dev/arduino-esp32fs-plugin/releases/

then extract the content of the archive into the folder: ...\Arduino\Tools\

After that, restart the Arduino IDE.

Format ESP32'S Built-In Flash Memory

f.png

Click Tools -> ESP32 Sketch Data Upload. Then click Yes in the pop-up window. The program is going format the built-in flash memory.

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured IDE correctly, installed drivers, selected the corresponding port, and still keep getting this error: A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header. Connect a 10µF capacitor to the board while flashing.

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

Generate Keys

keygen.png

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them.

The best way to generate the keys is to throw 20-sided dice.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.


There's also the easiest option.

I modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk.

To generate the keys - launch gen.exe from the Untested RNG folder, and then click the "Generate keys for Cipherbox" button. The background turns from black to blue when you press that button.

Get the Receiver's MAC Address

FYUIT9GL2LVL9RZ.png

To get the receiver's MAC address, upload this code into the ESP8266.

#include <ESP8266WiFi.h>

void setup(){
Serial.begin(115200);
Serial.println();
Serial.println(WiFi.macAddress());
}

void loop(){

}

Then open the Serial Monitor, and reboot the board.

If done correctly, you should see the MAC address in the console.

The MAC address of this board is 5C:CF:7F:FD:85:1D

Modify the Firmware

k.png

Open the files "Firmware_for_ESP32.ino" and "Firmware_for_ESP8266.ino" from the folders "Cipherbox-main\V1.0\Firmware_for_ESP32" and "Cipherbox-main\V1.0\Firmware_for_ESP8266" and then replace my keys with those you've generated.

The vault requires six keys, while the receiver only needs two. Make sure that projection_key and proj_serp_key are the same on both devices.

Don't forget to replace the receiver's MAC address in the line

uint8_t broadcastAddress[] = {0x5C, 0xCF, 0x7F, 0xFD, 0x85, 0x1D}; // Receiver's MAC address

in the file Firmware_for_ESP32.ino


Flash the Arduino

ard.png

Upload the firmware from the folder "Cipherbox-main\V1.0\Firmware_for_Arduino" into the Arduino.

Flash the ESP32

32.png

Upload the firmware from the folder "Cipherbox-main\V1.0\Firmware_for_ESP32" into the ESP32.

Flash the ESP8266

8266.png

Upload the firmware from the folder "Cipherbox-main\V1.0\Firmware_for_ESP8266" into the ESP8266.

Assemble the Vault

IMG_20220705_155400_hdr.jpg

Assembling the vault shouldn't be hard. In my opinion, the most tangled part of it is to connect the PS/2 port in the right way.

Circuit Diagram for the Vault

Circuit diagram of the vault.png

Assemble the Receiver

IMG_20220705_151344_hdr - Copy.jpg

The receiver is even easier to assemble. Just connect the display to the ESP8266.

Circuit Diagram for the Receiver

Circuit diagram of the receiver.jpg

Power Up the Vault and Approximate Four RFID Cards

ezgif-1-7e61bcc23d.gif

Ok, it's time to unlock the vault. Power the vault up and consequently approximate four RFID cards to it. You need to approximate cards in exactly the same order every time you unlock the vault, or you won't be able to decrypt your stuff.


Important thing: If you want to reboot ESP32, reboot all boards. And if the keyboard suddenly stops working as intended, only reboot the Arduino Uno.

Log in to the Vault

IMG_20220705_132446.jpg
IMG_20220705_133324.jpg
IMG_20220705_134128.jpg

Well, it's more like "sign up and immediately log in" the first time you're entering a new username and password. Every other time, it's just "log in."

You can enter any username and password you want, just make sure to keep them both secret. Let me explain why. The username determines the name of the database that will be used to store your notes, while the password is used in the key derivation process.

If an attacker discovers your username, an attacker will be able to delete all your logins and notes. If an attacker discovers your username and password, an attacker will be able to decrypt all your stuff.

Although if you don't need the vault capabilities and only want to use ciphers, you can log in under any username or leave the username field empty. Just make sure to always enter the same password, or you won't be able to decrypt your ciphertexts.

Press "Tab" () to move between fields. The current field is indicated by the inscription below. When you're done, press "Enter" to log into the vault.

I got the verification number 6117 for the password "1234567890-=qwertyuiop[]asdfghjkl;'zxcvbnm,./LKJHGFDSA?><MNBVCXZ+_(*&^%$#@!"


After logging in and getting to the main menu.

Press  (Down Arrow) to go down the menu.

Press  (Up Arrow) to go up the menu.

Press ← (Left Arrow) or → (Right Arrow) to change the AES mode.

Encrypt Text

IMG_20220705_144723_hdr.jpg
IMG_20220705_135350_hdr.jpg
IMG_20220705_142917_hdr.jpg

Open the Serial Monitor and set the baud rate to "115200" because the ciphertext will be printed into the Serial Monitor.

To encrypt text. Select the desired encryption algorithm in the menu and press "1" on the keyboard. After that, enter the text that you want to encrypt and press "Enter" to encrypt it.


Eventually, I came up with these results:


Plaintext:

Cipherbox is what I consider to be a cryptographic swiss knife. The existence of this device wouldn't've been possible without a lot of open source code that I've found on the Internet and put together.

Ciphertext:

4c31cfb14b75d0ba0902f1c5fc243471dab7dca6e94fd89d07936b969bff63980311223bd62d9cf4d012235cf308e41c3c431f2e1ca78e3778341cc7ed21d2dd0f878187ff15d34fa42f8ede7c490ee3a18d81beed0599df1d4ad8619abef667ae5ba9cec776dc348e532e61f448c74883a2cd54c6f583ca3d10d01d2a2dd7bb682c8c2b579fec10a93772324e39db0afa09667b0b4b3631d033690b9868a32ccce7592bafb4280d46b3aa6ad44c0f51749fd7d7698944286342c9107690f90b0021d0d87ae831298f9f89dfc486b8f2d4ed36d901fa602a13fb7f9f7086fcd0f2da1ab23d65dc1cf87dd3eecff73a97d90ea16528d1a42f9d74bc7e2f742c80c2ba820f0195318eb680ffa7e69ca00a0c142f4edc05815412f58a9a5056a8620fc79e521c658d3865411baf1f41bfa88370124a400f36b4ae1dfa5e09036d22c9696c42faa7ec0020f9a9f417de42c04d60d92c941e7aa3f8f5aa305840de88a9b866e3b99966f556b45482c3c7b889db214fa642b395f61d64ddae03142742dc1e4c5300559bf9157af0c4ce3922d0f3843398a6ecbb2cb5eafd679f4ee814bfb7e3d675e16bc1c27cf8f97438454836a1ce806243da42292428f9e82e73eb5bcb55c45f55550cb0bce6b909bbd2f47fe2946c82148a12a4a28ed6d4fa435c6f6bd1cfa0961fd76ac3a23d7bfcfe3aad723e5898821ad4f6fb6a966b37e5343e028ceac0d562954ad7346d1d4ea04ed573feeeb3e4707e06f41777e7e77172caef4039b2c8a6f08e87f93a528d3591d3e90406a3bbf5ce4da651a129529c92c99da7c63d41b6ee645ebaa664950259f02f9e102a563d676cfc091371dd87321f3f99033399edb02631ddeb973801f1e310bbf4ca9a1aaec375a104baaddb3e0f0992b306a34db3505feb199c2e823f9e7f32cf42ea43d24dc494bd66e6bb9eca4f956a63195c17c7b6d1f345e4a0bcc50373d1d610fe143fa96046234832c62f58438242ac845fcbc00dccc121da6a902f53e467b7df936d3eed47da7548c92df0498d143db4a2a00cb1e8390b64a95f6f38c593b9e3e8587e88d1696ab52b71caa14d2d20fc7829b329c098ce87b576efdd761dd9e4a5d8fb0f1a6f9dab0bb28c5595fcb928215bc3e67695096de5c2107da3de17d49c436abc600eb58341

Decrypt Text

IMG_20220705_143106_hdr.jpg

Open the Serial Monitor and set the baud rate to "115200" because you'll need to paste the ciphertext into the Serial Monitor.

To decrypt text. Select the encryption algorithm that was used to encrypt the text in the menu and press "2" on the keyboard. After that, paste the ciphertext into the Serial Monitor and press "Send."


Eventually, I came up with these results:


Ciphertext:

4c31cfb14b75d0ba0902f1c5fc243471dab7dca6e94fd89d07936b969bff63980311223bd62d9cf4d012235cf308e41c3c431f2e1ca78e3778341cc7ed21d2dd0f878187ff15d34fa42f8ede7c490ee3a18d81beed0599df1d4ad8619abef667ae5ba9cec776dc348e532e61f448c74883a2cd54c6f583ca3d10d01d2a2dd7bb682c8c2b579fec10a93772324e39db0afa09667b0b4b3631d033690b9868a32ccce7592bafb4280d46b3aa6ad44c0f51749fd7d7698944286342c9107690f90b0021d0d87ae831298f9f89dfc486b8f2d4ed36d901fa602a13fb7f9f7086fcd0f2da1ab23d65dc1cf87dd3eecff73a97d90ea16528d1a42f9d74bc7e2f742c80c2ba820f0195318eb680ffa7e69ca00a0c142f4edc05815412f58a9a5056a8620fc79e521c658d3865411baf1f41bfa88370124a400f36b4ae1dfa5e09036d22c9696c42faa7ec0020f9a9f417de42c04d60d92c941e7aa3f8f5aa305840de88a9b866e3b99966f556b45482c3c7b889db214fa642b395f61d64ddae03142742dc1e4c5300559bf9157af0c4ce3922d0f3843398a6ecbb2cb5eafd679f4ee814bfb7e3d675e16bc1c27cf8f97438454836a1ce806243da42292428f9e82e73eb5bcb55c45f55550cb0bce6b909bbd2f47fe2946c82148a12a4a28ed6d4fa435c6f6bd1cfa0961fd76ac3a23d7bfcfe3aad723e5898821ad4f6fb6a966b37e5343e028ceac0d562954ad7346d1d4ea04ed573feeeb3e4707e06f41777e7e77172caef4039b2c8a6f08e87f93a528d3591d3e90406a3bbf5ce4da651a129529c92c99da7c63d41b6ee645ebaa664950259f02f9e102a563d676cfc091371dd87321f3f99033399edb02631ddeb973801f1e310bbf4ca9a1aaec375a104baaddb3e0f0992b306a34db3505feb199c2e823f9e7f32cf42ea43d24dc494bd66e6bb9eca4f956a63195c17c7b6d1f345e4a0bcc50373d1d610fe143fa96046234832c62f58438242ac845fcbc00dccc121da6a902f53e467b7df936d3eed47da7548c92df0498d143db4a2a00cb1e8390b64a95f6f38c593b9e3e8587e88d1696ab52b71caa14d2d20fc7829b329c098ce87b576efdd761dd9e4a5d8fb0f1a6f9dab0bb28c5595fcb928215bc3e67695096de5c2107da3de17d49c436abc600eb58341

Plaintext:

Cipherbox is what I consider to be a cryptographic swiss knife. The existence of this device wouldn't've been possible without a lot of open source code that I've found on the Internet and put together.

Add Login

IMG_20220705_144333_hdr.jpg
IMG_20220705_145716_hdr.jpg
IMG_20220705_145744_hdr.jpg
IMG_20220705_145900_hdr.jpg
IMG_20220705_145946_hdr.jpg
IMG_20220705_150033_hdr.jpg

To add login. Select the "Login" in the menu and press "1" on the keyboard. After that, enter the title, username, password, and website. Press "Enter" when you've finished entering the data to move to the next window.

According to the tests that I've conducted during the development of my previous projects - ESP32 is able to encrypt and decrypt a record with a length of 700-characters without any problems. So, technically, you can put 700 characters into each field in every category.

All credentials are fictional (just in case).

View List of All Logins

IMG_20220705_150654_hdr.jpg

To show all logins. Select the "Login" in the menu and press "5" on the keyboard. You will see all titles with usernames. If all logins don't fit on the screen, you can always open the Serial Monitor and see the complete list there.

I've added another record to fill the list.

All credentials are fictional (just in case).

View Login

IMG_20220705_150721_hdr.jpg
IMG_20220705_150811_hdr.jpg

To view login. Select the "Login" in the menu and press "4" on the keyboard. You will see all titles with their corresponding numbers on the left. To view a record, enter the number of the record on the keyboard and press "Enter."

The "Remove" option works exactly the same as the view option with only one exception. It's called by pressing "2."

All credentials are fictional (just in case).

Edit Login

IMG_20220705_150945_hdr.jpg
IMG_20220705_151052_hdr.jpg
IMG_20220705_151114_hdr.jpg

To edit login. Select the "Login" in the menu and press "2" on the keyboard. You will see all titles with their corresponding numbers on the left. To edit a record, enter the number of the record on the keyboard and press "Enter." After that, enter the new password for the record and press "Enter" to save the changes. Press "Esc" to cancel.

 

All credentials are fictional (just in case).

Send Text to Receiver

IMG_20220705_153103_hdr.jpg
IMG_20220705_153312_hdr.jpg

Cipherbox gives you the ability to securely send a text to a distance of up to 650 feet (200 meters).

To send the text to the receiver: Press the "Tab" button on the keyboard, enter the text you want to send, and press "Enter" to send it. I was able to send an 84-character text without any problems. The received text is also shown in the Serial Monitor.

Attention!!! The receiver is vulnerable to the replay attack (it's when the attacker resends the packages captured earlier). So, either make sure to keep the firmware and both ESPs away from anyone who's not authorized to work with it, or don't send extremely sensitive information over the air.

I identify this as the weakest point of this device. Beware of it!!!

Find a Good Use for Cipherbox

IMG_20220705_153506_hdr.jpg
IMG_20220705_143957_hdr.jpg
IMG_20220705_144126_hdr.jpg
IMG_20220705_144252.jpg
IMG_20220705_144723_hdr.jpg
IMG_20220705_153755_hdr.jpg
IMG_20220705_154006_hdr.jpg
IMG_20220705_154109_hdr.jpg
IMG_20220705_154343_hdr.jpg
IMG_20220705_154448_hdr.jpg
IMG_20220705_154739_hdr.jpg

I did my best to make the Cipherbox as secure and useful as possible.

It has 6 encryption algorithms (it's actually 14 if you count 3 AES modes in 4 algorithms). It has capabilities of the vault locked by a password and four RFID cards. And it has a "not-so-terrible" graphical user interface. Now, it's up to you what to do with it.

I hope you will find a good use for this device.

If you like this tutorial, please share it.

Thank you for reading this tutorial.