KhadashPay V3.5

by Northstrix in Circuits > Microcontrollers

393 Views, 2 Favorites, 0 Comments

KhadashPay V3.5

IMG_20230527_144714.jpg

KhadashPay is an easy-to-use DIY payment system that enables business owners to set up a card payment system in their store without the need to buy an expensive terminal, pay fees for each transaction, and waste time and resources dealing with the bank.

As a customer of the store where KhadashPay is employed, you can know for sure that KhadashPay does not keep any logs and doesn't require a bit of your personal information to create an account.


The name KhadashPay consists of two parts: Khadash (which means "new" in Hebrew) and Pay.


Before you continue reading this instructable, please note that this payment system is not connected to any existing financial institution and operates completely offline. All the "money" kept in it is nothing more than just numbers entered by the operator, encrypted by the 3DES + AES + Blowfish + Serpent encryption algorithm In CBC mode, and stored on an SD card.

You can also read this tutorial on Medium and Hackster.

Supplies

IMG_20230527_172714.jpg
  • ESP32 x1
  • 2.4 Inch TFT LCD with ILI9341 x1
  • Mifare RC522 RFID Reader x1
  • RFID cards x4
  • MH-SD Card Module x1
  • SD Card x1
  • 4x4 Keypad x1
  • Arduino Nano x1
  • 4.7k resistors x2
  • PS/2 Keyboard x1 *optional
  • PS/2 Port x1 *optional
  • 10µF capacitor x1 *optional

How It Came to Be

KhadahPay V3.5 is my attempt to combine the best aspects of KhadashPay V3.0 and KhadashPay V2.0 (Raspberry Pi Pico Version) while also addressing the keypad issue present in the KhadashPay V3.0.

To do this, I've ported the vault capability from the KhadashPay V2.0 (Raspberry Pi Pico Version) and added Arduino to handle the 4x4 keypad.

To make your interaction with the KhadashPay V3.5 more comfortable, you can connect a PS/2 keyboard to it.

3DES + AES + Blowfish + Serpent Encryption Algorithm in CBC Mode

FSCD26DLGUUNKN2.png

The "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode first appeared in the Midbar V2.5. And since then has been utilized by the Midbar (Raspberry Pi Pico Version)Midbar V3.0Midbar V4.0KhadashPay V2.0Midbar (Raspberry Pi Pico Version) V2.0KhadashPay V2.0 (Raspberry Pi Pico Version)Midbar V5.0, Midbar (STM32F401CCU6 Version), KhadashPay V3.0 (STM32F401CCU6 Version), KhadashPay V3.0, and Midbar (STM32F401CCU6 + Arduino Uno Version).

Although the "3DES + AES + Blowfish + Serpent" encryption algorithm ain't exactly what I would call "a cryptographically weak encryption algorithm," operating it in a weird derivation of the ECB mode, the way it was done by the Midbar V2.0 wasn't the best idea that I had. Even though that wouldn't've allowed the attacker to produce the legitimate ciphertext by swapping the blocks within the ciphertext, an attacker could still make a legitimate ciphertext by replacing the nth block of the ciphertext N1 with the nth block of the ciphertext N2. To fix that vulnerability (instead of just notifying the user that the decrypted ciphertext might've been forged), I made the "3DES + AES + Blowfish + Serpent" encryption algorithm work in CBC mode. So, if an attacker replaces a block of ciphertext, they spoil not just that block but also the subsequent one.

I'll be honest with you, the bit-flipping attack "kinda works," but I doubt that it would ever go unnoticed because of the "HMAC-SHA256"-based integrity verification feature

And let's not forget that this encryption algorithm performs the operation called superencryption.

As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

Such organization of the encryption algorithms makes a combined encryption algorithm that is at least as strong as the strongest one in the cascade, has a longer key, might be more resistant to some attacks, and might produce a ciphertext with higher entropy. Anyway. It won't hurt to have an additional layer of security (or several of them).

Integrity Verification

F785CXJLGUUNKN9.jpg

Another cool feature provided to you by KhadashPay is the "HMAC-SHA256"-based integrity verification.

Before encrypting the user data, KhadashPay computes the tag for that data and encrypts it alongside data.

Later on, when KhadashPay decrypts your data, it also decrypts the previously calculated tag and computes a new tag for the newly decrypted data. It then compares both tags. If they don't match - KhadashPay will promptly notify you that the integrity verification has failed.

"Belonging Check"

FX6SGG9LFFES1RI.jpg

Even though KhadashPay can't decrypt user data without the user's card, I still decided to add an additional check, just in case. 

The so-called "Belonging Check" (didn't really know what else to call it) is a feature that allows the KhadashPay to verify whether the record with the balance belongs to the card that is taped on the RFID reader or not.

Install CP210x Driver and Configure Arduino IDE *Optional

If you've never flashed ESP32 before you need to configure Arduino IDE and install CP210x driver to upload the firmware into the board, you can download the CP210x driver for ESP32 here: https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers

Configuring IDE isn't a part of this tutorial. You can read about it here: https://randomnerdtutorials.com/installing-the-esp32-board-in-arduino-ide-windows-instructions/

Download Firmware

You can download the firmware for KhadashPay from one of these sources.

SourceForge: https://sourceforge.net/projects/khadashpay/

OSDN: https://osdn.net/projects/khadashpay/

GitHub: https://github.com/Northstrix/KhadashPay

If you just need the firmware for the device alongside the RNG, then I would advise you to download the archive that weighs less than 2Mb either from SourceForge or OSDN.

But if you need the firmware for all versions of KhadashPay alongside the extra code, photos, and diagrams, in that case, I would advise you to download the 146 MB archive from GitHub.

Download and Install the Libraries

TFT_eSPI: https://github.com/Bodmer/TFT_eSPI

rfid: https://github.com/miguelbalboa/rfid

Keypad: https://github.com/Chris--A/Keypad

ps2dev: https://github.com/Harvie/ps2dev

PS2KeyAdvanced: https://github.com/techpaul/PS2KeyAdvanced

PS2KeyMap: https://github.com/techpaul/PS2KeyMap

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click to the Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

Replace the Preset File for the TFT_eSPI Library

F9BLBU5LH80NSMZ.png

TFT_eSPI Library requires the config to be adjusted depending on the display and the board that drives that display. Initially, I wanted to write the mini-guide on adjusting the config for the ILI9341 display to be properly used on the ESP32's HSPI. But then I realized that it would be more convenient to attach the adjusted config to the firmware and tell you where to place it.

Take the "User_Setup.h" file from the "V3.5\ESP32_Version" folder and place it in the "C:\Program Files (x86)\Arduino\libraries\TFT_eSPI-master" folder.

Switch the Partition Scheme to the "Huge APP (3MB No OTA/1MB SPIFFS)"

partscheme.png

You have to switch the partition scheme to the "Huge APP (3MB No OTA/1MB SPIFFS)" before you continue working with ESP32 because the firmware for the vault is too big for the default partition.

Generate Keys

gen_keys.png

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them

It's entirely up to you how to generate the keys. I can only offer you an option to do so.

I've modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk!

To generate the keys - launch gen.exe from the "V3.5\ESP32_Version\Untested RNG" folder and click the "Generate keys for KhadashPay V3.5" button. The background turns from dark gray to light gray when you press that button.

Modify the Firmware

mod keys.png

Open the "Firmware.ino" file from the "V3.5\ESP32_Version\Firmware" folder and replace my keys with those you've generated.

Regarding the password vault part of the KhadashPay V3.5, you can change the number of available slots for your logins by modifying the "#define MAX_NUM_OF_RECS" line. You can store as many logins as you want on this device as long as there is enough space available on the SD card.

Flash ESP32

flash.png

Upload the firmware from the "V3.5\ESP32_Version\Firmware_for_ESP32" folder into the ESP32. Don't forget to hold the "BOOT" button when the firmware upload starts.

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured IDE correctly, installed drivers, selected the corresponding port, and still keep getting this error: A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header. Connect a 10µF capacitor to the board while flashing.

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

Flash Arduino

flashard.png

Upload the firmware from the "V3.5\ESP32_Version\Firmware_for_Arduino" folder into the Arduino.

Assemble the Device

KhadashPay Circuit Diagram.png

In my opinion, assembling KhadashPay V3.5 is comparable in difficulty to Midbar (STM32F401CCU6 + Arduino Uno Version)

As for the possible component replacements, you can replace 4.7k resistors with 1k - 4.7k resistors.

Power the KhadashPay Up

IMG_20230527_150104_hdr.jpg
IMG_20230527_150235_hdr.jpg
IMG_20230527_150727_hdr.jpg
IMG_20230527_151026_hdr.jpg
IMG_20230527_151404_hdr.jpg
IMG_20230527_151614_hdr.jpg
IMG_20230527_152002_hdr.jpg
IMG_20230527_152204_hdr.jpg
IMG_20230527_152350_hdr.jpg
IMG_20230527_152553.jpg
IMG_20230527_152752_hdr.jpg
IMG_20230527_153036_hdr.jpg

Just like the Midbar V5.0, KhadashPay V3.5 has twelve lock screens. KhadashPay V3.5 randomly chooses the lock screen at startup.

After the KhadashPay has chosen the lock screen, it displays the "חדשפיי" inscription with the shifting background and the "Tap RFID card N1" inscription on the bottom of the lock screen.


*Credit for photos:

Austin:

Photo by MJ Tangonan on Unsplash

Beirut:

Photo by Piotr Chrobot on Unsplash

Bellevue:

Photo by Zac Gudakov on Unsplash

Colorado Springs:

Photo by Kevin Bree on Unsplash

Frankfurt:

Photo by Igor Flek on Unsplash

Gaborone:

Photo by Justice Hubane on Unsplash

Greenwich:

Photo by Fas Khan on Unsplash

London:

Photo by Robert Bye on Unsplash

Miami:

Image by JORGE TAPIA from Pixabay

Minneapolis:

Photo by Daniel McCullough on Unsplash

Montreal:

Photo by Michael Beener on Unsplash

Tel Aviv:

Photo by Shai Pal on Unsplash

Tap Four RFID Cards on the RFID Reader

IMG_20230527_162059_hdr.jpg
IMG_20230527_163242_hdr.jpg
IMG_20230527_163906_hdr.jpg
IMG_20230527_164123.jpg

After you've powered the device up, tap four RFID cards on the RFID reader one after another. The most important thing here is to tap the cards in the same order every time you unlock KhadashPay. Otherwise, it just won't unlock.

If you don't have four cards, you can tap one card four times.

And by the way, the first card you tap on the RFID reader becomes the "operator card" right after you set the master password. You'll need this information later in this tutorial. For now, just remember it.

Set the Master Password

FC1CXF7LGXYKC2H.jpg
F8RH2MHLGUUNLJR.jpg
F0M6VZ4LGUUNLJS.jpg

To use the KhadashPay, you first need to set the master password.

While entering the master password on the 4x4 keypad, note that the '*' key serves as a backspace.

And remember that you can't change the master password without losing the ability to decrypt all user data stored on the SD card!

KhadashPay won't be able to decrypt the user data without the master password because the keys for the encryption algorithms are partially derived from it. Perhaps, it won't even unlock without the correct master password.

When you're done entering the master password, press either the '#" or 'C' key on the keypad to finish the input and set the master password.


After you've unlocked the KhadashPay and got to the menu:

  • Press the "0" key on the 4x4 keypad to go down the menu;
  • Press the "8" key on the 4x4 keypad to go up the menu;
  • Press the "#" key on the 4x4 keypad to perform the selected action;
  • Press the '.' key on the 4x4 keypad to show the random lock screen. After that, press any key to return to the menu.

Create an Account

IMG_20230527_164833.jpg
FONA1WOLGUUNLK4.jpg
F8AF8GJLGUUNLK5.jpg
FSXQFY8LGUUNLK6.jpg
FCC5T4WLGUUNLK7.jpg
F719QYSLGUUNLKI.jpg
FECI1XFLGUUNLKJ.jpg

Ok, let's start with the facts about the KhadashPay account.

  • Each account is bound to the RFID card and PIN;
  • The PIN can have a length from 1 to 8 characters;
  • The PIN can have the following characters: '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '.', 'B', 'D';
  • A client can create several accounts using the same card as long as the pins are different;
  • The maximum amount of money stored in the account is only limited by the double variable type (don't worry about that, the KhadashPay can still store a 15-digit number without any problems);
  • Not even the owner of the KhadashPay can see your balance without your card.


To create an account on KhadashPay V3.5:

Operator:

  • Select the "New Account" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Set your PIN;
  • Press the '#' key on the 4x4 keypad;
  • Enter the PIN that you've set again;
  • Press the '#' key on the 4x4 keypad.

Put Money Into the Account

IMG_20230527_164816.jpg
FQEQXTJLGUUNLKZ.jpg
F71GJPOLGUUNLL0.jpg
FV4CCJVLGUUNLL1.jpg
FAZC3X8LGUUNLLH.jpg
F9AQN2CLGUUNLLI.jpg
FCR7KRALGUUNLLJ.jpg

To put money into the account:

Operator:

  • Select the "Put Money In" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Enter the amount of money to be put into the client's account;
  • Press the '#' key on the 4x4 keypad;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Enter your PIN;
  • Press the '#' key on the 4x4 keypad.

Make a Sale

IMG_20230527_164745.jpg
FRW083NLGUUNLMA.jpg
FDM4L1NLGUUNLMF.jpg
FYOPBBBLGUUNLMG.jpg
F8JZ6DCLGUUNLN2.jpg
FWKNYVCLGUUNLN6.jpg
FT3621JLGUUNLN7.jpg

To make a sale:

Operator:

  • Select the "Make A Sale" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Enter the sale amount;
  • Press the '#' key on the 4x4 keypad;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Enter your PIN;
  • Press the '#' key on the 4x4 keypad.

View Balance

IMG_20230527_164901.jpg
FSJVPWGLGUUNLO1.jpg
F5QZCPKLGUUNLO2.jpg
F726JGWLGUUNLOT.jpg
FIJUSVHLGUUNLOU.jpg
FF64MS8LGUUNLOV.jpg

To view balance:

Operator:

  • Select the "View Balance" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Enter your PIN;
  • Press the '#' key on the 4x4 keypad.

Connect PS/2 Keyboard to KhadashPay

KhadashPay Circuit Diagram with PS2 Keyboard.png

After exploring the payment system capabilities of the KhadashPay V3.5, it's time for you to explore the vault capabilities.

Connect a PS/2 keyboard for a better user experience.

Add Login

IMG_20230527_164937.jpg
FSNL1XYLG0UD8IG.jpg
F878PGRLG0UD8IH.jpg
FA8L5W1LG0UD8II.jpg
FP55SFWLG0UD8IJ.jpg
F3G45CFLG0UD8IK.jpg
F7WQMGILG0UD8IL.jpg
F90AUTYLG0UD8IM.jpg
F2O3SBHLG0UD8IN.jpg
FO6HJCPLG0UD8IO.jpg

To add a login using the PS/2 keyboard:

  1. Select the "Other Options" line in the main menu;
  2. Press "Enter" on the PS/2 keyboard;
  3. Tap the operator RFID card on the RFID reader;
  4. Select the "Logins" line;
  5. Press "Enter" on the PS/2 keyboard;
  6. Select the "Add" line;
  7. Press "Enter" on the PS/2 keyboard;
  8. Choose the slot into which you want to put the login to by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  9. Press "Enter" on the PS/2 keyboard;
  10. Select the "PS/2 Keyboard" line;
  11. Press "Enter" on the PS/2 keyboard;
  12. Enter the title;
  13. Press "Enter" on the PS/2 keyboard;
  14. Enter the username;
  15. Press "Enter" on the PS/2 keyboard;
  16. Enter the password;
  17. Press "Enter" on the PS/2 keyboard;
  18. Enter the website;
  19. Press "Enter" on the PS/2 keyboard.


According to the tests I've conducted - ESP32 can encrypt and decrypt a 650-character long string without any problems using the 3DES + AES + Blowfish + Serpent encryption algorithm. So, technically, you can put 650 characters into a field of a record.


*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

View Login

IMG_20230527_164942.jpg
FFVMWXGLG0UD8MC.jpg
FIWFOXBLG0UD8MD.jpg
FAIOETLLG0UD8ME.jpg
FXC9RGMLG0UD8MF.jpg
F993NJ3LG0UD8MG.jpg
FT6A2T1LFZEZBZC.png

To view a login:

  1. Select the "Other Options" line in the main menu;
  2. Press "Enter" on the PS/2 keyboard;
  3. Tap the operator RFID card on the RFID reader;
  4. Select the "Logins" line;
  5. Press "Enter" on the PS/2 keyboard;
  6. Select the "View" line;
  7. Press "Enter" on the PS/2 keyboard;
  8. Choose the slot from which you want to view the login by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  9. Press "Enter" on the PS/2 keyboard;
  10. Press the "Tab" key on the PS/2 keyboard to print the record to the serial terminal.


*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

Edit Login

IMG_20230527_164957.jpg
FYF5GAJLG0UD8QE.jpg
FSFITD7LG0UD8QF.jpg
FAGW1H7LG0UD8QG.jpg
FJF27THLG0UD8QH.jpg
FI3B6GNLG0UD8QI.jpg
FSOXHOILG0UD8QJ.jpg
F5VNQCYLG0UD8QL.jpg
F6FJ1CCLG0UD8QM.jpg

To edit a login:

  1. Select the "Other Options" line in the main menu;
  2. Press "Enter" on the PS/2 keyboard;
  3. Tap the operator RFID card on the RFID reader;
  4. Select the "Logins" line in the main menu;
  5. Press "Enter" on the PS/2 keyboard;
  6. Select the "Edit" line;
  7. Press "Enter" on the PS/2 keyboard;
  8. Select the login you would like to edit by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  9. Press "Enter" on the PS/2 keyboard;
  10. Select the input source;
  11. Press "Enter" on the PS/2 keyboard;
  12. Depending on the chosen input source, either enter the new password on the PS/2 keyboard or paste it to the Serial Terminal;
  13. Depending on the chosen input source, either press "Enter" on the PS/2 keyboard or press the "Send" button in the Serial Terminal.


*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

Delete Login

IMG_20230527_165003.jpg
FIX4TKPLG0UD8UX.jpg
FKXAO6XLG0UD8UY.jpg
FMZG6EKLG0UD8UZ.jpg
FWDEP5ELG0UD8V0.jpg
FEZB9JMLG0UD8V1.jpg

To delete a login:

  1. Select the "Other Options" line in the main menu;
  2. Press "Enter" on the PS/2 keyboard;
  3. Tap the operator RFID card on the RFID reader;
  4. Select the "Logins" line;
  5. Press "Enter" on the PS/2 keyboard;
  6. Select the "Delete" line;
  7. Press "Enter" on the PS/2 keyboard;
  8. Select the login you would like to delete by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  9. Press "Enter" on the PS/2 keyboard.

Find a Good Use for KhadashPay

IMG_20230527_171410_hdr_edit.jpg
FTEJIQ6LFZEZBQ7.jpg
FOA7XVPLFZEZBTU.jpg
FDUJ7FBLFZEZBV2.jpg

After spending a considerable amount of time and effort developing the KhadashPay, I'm thrilled to announce that I have finally created a version of KhadashPay that I believe is good enough to be deployed in your store.

It doesn't have the keypad issue present in the KhadashPay V3.0, and it is the first version of KhadashPay that can work with both the PS/2 keyboard and the 4x4 keypad.

Moreover, KhadashPay V3.5 also utilizes the password vault capability from KhadashPay V2.0 (Raspberry Pi Pico Version). So, you can use it to securely store your logins as well.

It's also worth mentioning that KhadashPay's source code is distributed under the MIT license. That grants you the freedom to customize and modify KhadashPay according to your preferences. The scope of what you can do with KhadashPay, and what you can change in it is vast, so if you want to make your own version of KhadashPay or change something in it, don't wait for anyone else to do it for you. Take the initiative into your own hands and make any necessary changes as you see fit.

If you found this tutorial to be useful, please consider sharing it.

Thank you for reading this tutorial.