Hash Latch

Hash functions are used for lots of things. Like, verifying the data integrity, mining various cryptocurrencies, etc. I've found another application for them - serving as an integral part of the digital lock.

The hash latch generates keys in a manner similar to how some cryptocurrencies are mined. It takes a string and brute-forces a prefix for it so that the hash of the string with the prefix has a certain number of leading zeroes.

But that alone would've been too easy to hack.

To prevent an attacker from forging the keys by generating a new prefix: the hash latch doesn't output the keys in the plaintext. Instead, it encrypts the key and outputs the ciphertext. That means that instead of giving you the actual key, it gives you a safe containing the key. This approach allows the hash latch to protect itself from forged keys and also enables you to put the same key into multiple safes without the recipients of these safes knowing they have the same key (even if they compare their ciphertexts).

Moreover, the hash latch verifies the integrity of a key after decrypting it (just in case).

• Teensy 4.1 x1
• 4.7k resistors x4
• 2.7k resistors x2
• 1k resistors x2
• 10k resistor x1
• Push buttons x2
• Green LED x1
• Red LED x1
• Servo motor x1
• USB port x1
• PS/2 port x1
• Either a USB keyboard, PS/2 keyboard, or an emulator of any of them x1

Instead of developing a new encryption algorithm for every project or relying solely on plain AES or Serpent, I've decided to reuse the encryption algorithm from my previous projects. In other words, there's nothing new here. The "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode has already been utilized by: Midbar V2.5, Midbar (Raspberry Pi Pico Version), Midbar V3.0, Midbar V4.0, KhadashPay V2.0, Midbar (Raspberry Pi Pico Version) V2.0, KhadashPay V2.0 (Raspberry Pi Pico Version), Midbar V5.0, Midbar (STM32F401CCU6 Version), KhadashPay V3.0 (STM32F401CCU6 Version), KhadashPay V3.0, Midbar (STM32F401CCU6 + Arduino Uno Version), KhadashPay V3.5, Black Swan V2.0, and Midbar (Teensy 4.1 Version).

If you're interested, refer to any of these tutorials for more information about the "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode.

In very simple terms:

To ensure the integrity of the key (I denoted it as plaintext), the key is given to the HMAC-SHA256. The HMAC-SHA256 produces a tag that's passed to the encryption algorithm alongside the key. When the key is decrypted - the tag is also decrypted. The device then generates a new tag for the decrypted key and compares it to the original tag. If the tags do not match, the device notifies you about it by typing the "Failed to open the lock with the broken key" line.

To avoid confusion, in that specific context, I used the word key exclusively in reference to the key that opens the lock. I also didn't include the HMAC key and the keys utilized by the various parts of the encryption algorithm on the diagram.

You need to install the Arduino IDE and Teensyduino to flash Teensy 4.1.

For more information on that, please refer to: https://www.pjrc.com/teensy/td_download.html

You can download the Hash Latch firmware from either the SourceForge or the GitHub repository.

• https://sourceforge.net/projects/hash-latch/
• https://github.com/Northstrix/Hash_Latch

Download the library here: https://github.com/techpaul/PS2KeyAdvanced

And then unpack the content of the archive into the folder: ...\Arduino\libraries\

Every other required library is already installed in one way or another.

That shouldn't be hard. The hardest part of the process (in my opinion) is to map the PS/2 port and connect it the right way (assuming you would even connect it).

As for the possible component replacements: you can replace the resistors connected to buttons with 2.2k - 10k resistors.

According to the PJRC official website, the digital pins of Teensy 4.1 are not 5V tolerant. Because of that, I would strongly advise you to double-check that you've assembled the circuit correctly.

You need to clear the board's EEPROM and write the vectors for key generation to it before you can use the latch.

To do so, upload the firmware from the "Teensy 4.1 Edition\V1.0\Prepare_EEPROM" folder into Teensy. You can move to the next step when the green LED lights up.

To make the unauthorized deciphering of the encrypted keys (that open the lock) computationally infeasible - It is crucial to generate your own encryption keys and never reuse them.

It's entirely up to you how to generate the keys. I can only offer you an option to do so.

I've modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk!

To generate the keys - launch gen.exe from the "Teensy 4.1 Edition\V1.0\Untested RNG" folder and click the "Generate keys for Hash Latch" button. The background turns from dark gray to light gray when you press that button.

Open the "Firmware.ino" file from the "Teensy 4.1 Edition\V1.0\Firmware" folder, and then replace my keys with those you've generated.

You can also change the number of available slots for the blacklisted keys by modifying the

"#define NUMBER_OF_SLOTS_FOR_BLACKLIST 100" line.

The Teensy 4.1 should be able to store 427 blacklisted keys.

Upload the firmware from the "Teensy 4.1 Edition\V1.0\Firmware" folder into the Teensy. Don't forget to set the value of the "USB Type" line to the "Serial + Keyboard + Mouse + Joystick."

Hold the "Mode" button and connect the Teensy 4.1 to your computer.

Both LEDs light up to indicate that the hash latch is in service mode.

To generate the keys for the lock: open the Serial Terminal, Enter "1" to the text field, and then press "Send" button.

The key generation process might take a while

Press the "Mode" button to stop the key generation process.

Even though this device can generate a lot of keys, the maximum number of available keys is limited.

After the device tries all of the 95^10 combinations, it will stop the key generation process and show you the "No more combinations to try!" message.

I left the device for five minutes and obtained these ciphertexts (encrypted keys).

350e931625016fa58ed6a5f3c62d95a4a4ad2c7493f29d6d91eec013d6e8d1c3455e37e2aae12e716b83d41443c32b0cfbeb5f56c901139803ab96d29343c7fb8ebba3d1f4165ec178a795464877ec2021dc1729ba405bd062c066e8977976de7bc1cf990dd1f98caaea170492ab04af82a153c32f553266ca2909eb4b22c40d56654e0e949b542b0b84ec1ea85bd242

09c3022f88e2b9ed1269fdc7f29b02631d8b63fadb4ef7b87597139b3a18a94067b87d6f9fe90155ab74e1964eb407045eef26578048d97a36e55a257fd8a04a40ca76ac8246e1385999617638d4637e43ed10a3c207091ba536b468a4a69b43b5bc6b98c490b92f1a0e46045b3bb242949600f274eac9e63336b75d6ee0a05c9c37fc523914fa491f8d346327282ef8

55496ae2762d6f75433230798453802a1dc41c7c593b0f97bf0e9309e069b1c94006090e4f05b3906e78258706723d5732cea64e691257d3a12952db7cbedd51b313b0c2464fa9c562ec75990c8f581165b4670a8f59630a7c4e1facda56922a818baae51cfa78283886996207d710bdda1113b5172d1fb5901cdf7c5d6a3c04af76760fd4f0fb79d273ba2dbea560af

79af79e221daf27941b57529a208b205ae7c5228a07130eff67a3cc32506ce4dba0cc329687488ca57f36f3be66666bbca1a61cef3047d742300cfa0010aec7498bcc50f0d82c74fda0d07e5e980a3495953a9fde5421d17c08c092d3133289b22b9478061fbcf5ac21000d642d5c968630324e56b5b13837d2353f0eb98d01943ae24088afdee41a914ed4c964b5bcd

I also decrypted them (for the demonstrational purposes only):

)YTR45XQHo6H73SlFy0803XQg72I2eVPU

Pg R45XQHo6H73SlFy0803XQg72I2eVPU

8C[!R45XQHo6H73SlFy0803XQg72I2eVPU

j3<#R45XQHo6H73SlFy0803XQg72I2eVPU

Hash any of them using the SHA512 hash function, and you get the hash with the five leading zeroes.

Keeping in mind that not all users treat their keys responsibly, I've added the blacklist feature, allowing you to blacklist the key. The reason why I wrote that seemingly obvious statement - is because the hash latch blacklists the key itself, instead of blacklisting the safe with the key. That means that if you've put a single key in multiple safes and then added it to the blacklist, all safes with that particular key won't be able to unlock the lock (latch).

To blacklist a key: open the Serial Terminal, Enter "2" to the text field, press the "Send" button, paste the encrypted key that you want to blacklist to the text field, press the "Send" button, enter the number of the slot you'd like to put the key into to the text field, press the "Send" button.

Unlike its predecessor, the hash latch can act as a USB keyboard. That enables you to keep logs. To keep the logs, first and foremost, ensure that the keyboard layout is set to English (in case you have several of them). Then create an empty Word document, and click into the textbox area.

To power up the device in the lock mode - put the power to the Teensy 4.1 without holding any buttons.

That's the tricky part. The blunt way of doing it is to connect a USB or PS/2 keyboard to the device, press the "Backspace" button to clear the key buffer, enter the encrypted key on the keyboard, and then press the "Enter" button.

I did my best to make the electronic part of the lock as secure as possible, but at the end of the day, the "security" of the lock depends not only on the electronic part but also on the mechanical lock to which the elctronic is attached.

It's also worth mentioning that Hash Latch's source code is distributed under the MIT license. That grants you the freedom to customize and modify it according to your preferences.

If you found this tutorial to be useful, please consider sharing it.

Thank you for reading this tutorial.