Midbar (ESP8266 Version)

by Northstrix in Circuits > Microcontrollers

1694 Views, 2 Favorites, 0 Comments

Midbar (ESP8266 Version)

IMG_20221126_120541.jpg

A while ago, I made the ESP32 version of Midbar which later evolved into a multi-user Cipherbox. While developing the Cipherbox, I realized that even the Lite version of it might be too expensive and too redundant for some people, so I "resurrected" the single-user Midbar project and made an ESP8266 version of it.

The purpose of Midbar is to significantly increase the cost of unauthorized access to its user's personal data.

ESP8266 version of Midbar utilizes the 3DES + AES + Blowfish + Serpent encryption algorithm alongside the ESP8266's built-in memory to store eight passwords and four credit cards in the encrypted form. It also utilizes the HMAC SHA-256 to verify the integrity of the stored logins, which means that if at least one bit of an encrypted login gets flipped, Midbar will inform you about it by displaying the following alert: "Integrity Verification Failed!!!"

In case you've missed the original Midbar or just want to know why I called it Midbar in the first place - Midbar (מדבר) is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," "desert." I had two reasons for choosing the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe that project. At first, I wanted to call it a "Password Vault," but then I realized that it's more than just a password vault. So, I just called it Midbar!

Supplies

IMG_20221126_133154.jpg
  • ESP8266 x1
  • 0.96 Inch OLED SSD1306 Display x1
  • EC11 Rotary Encoder x1
  • 4.7k resistors x7
  • 22nf capacitors x2
  • 330 Ohm resistor x1
  • Buttons x2

Encryption Algorithms

3DES+AES+Blowfish+Serpent.png

ESP8266 version of Midbar utilizes three encryption algorithms:

  • 3DES + AES + Blowfish + Serpent;
  • Serpent;
  • 3DES.

Let me briefly describe the implementation of each algorithm:

  • 3DES + AES + Blowfish + Serpent is the strongest encryption algorithm utilized by this device. It's a combined encryption algorithm that's composed of four cryptographically strong encryption algorithms. It splits its input into 80-bit long blocks and then separately encrypts each block, infusing 48 random bits into each block. It produces the 128-bit (16 bytes) long output. That encryption algorithm performs superencryption;
  • The serpent is an encryption algorithm that was competing in the Advanced Encryption Standard contest against Rijndael (now AES) and other algorithms. It takes a 64-bit long input, adds 64 random bits, and produces the 128-bit long output;
  • 3DES is an outdated encryption algorithm. You can still use it to encrypt your data, but if I were you, I wouldn't be using it for anything important. It takes a 32-bit long input, adds 32 random bits, and produces the 64-bit long output.

Integrity Verification

IMG_20221126_125022.jpg

Integrity verification is an essential feature absent in the previous version of Midbar, leaving it vulnerable to the block-swapping attack.


Before I get to the description of the integrity verification feature, I would like to clarify where it's present and where it's absent.

It's present in:

  • Logins;
  • 3DES + AES + Blowfish + Serpent encryption algorithm;
  • Serpent encryption algorithm.

It's absent in:

  • Credit Cards;
  • 3DES encryption algorithm.


The backbone of the integrity verification feature is the Hash-based Message Authentication Code constructed from the SHA-256.

For the sake of convenience, I've truncated the output of the HMAC SHA-256 for the 3DES + AES + Blowfish + Serpent encryption algorithm to 240 bits because that algorithm takes 80-bit long blocks as input.

As for logins, HMAC SHA-256 takes a concatenation of title, login, password, and website alongside the key as an input and produces a 256-bit output. That 256-bit long output of HMAC is then truncated to 240 bits and encrypted with 3DES + AES + Blowfish + Serpent.

When Midbar decrypts the record, it also decrypts the tag. It then computes a new tag for the decrypted credentials and compares the new tag with the decrypted tag. If these two don't match, Midbar displays the following alert: "Integrity Verification Failed!!!"

Cell Mapping (Memory Allocation)

malloc1.png
malloc2.png
malloc3.png

Since ESP8266 only has 4 KB of memory available for the user data, I had to remap it several times to fit as many records as possible.

Eventually, I came up with these results:

  • The value stored in the first cell indicates whether the master password is set or not;
  • Cells 1 - 48 store the encrypted hash of the master password;
  • Cells 49 - 3952 store the encrypted logins and credit cards.

Install Drivers and Configure Arduino IDE *Optional

If you've never flashed ESP8266 before you'll need to configure Arduino IDE and install drivers to upload the firmware to the boards, you can find drivers here:

CH340 driver: https://sparks.gogo.co.nz/ch340.html

CP210x driver: https://www.silabs.com/developers/usb-to-uart-brid...

In case you don't have Arduino IDE, you can download it here:

https://www.arduino.cc/en/software/

Configuring IDE isn't a part of this tutorial, you can read about it here:

https://randomnerdtutorials.com/how-to-install-esp...

Download Firmware

FCSQU26LAWIKQR4.png

You can download the firmware for Midbar from one of these sources.

SourceForge: https://sourceforge.net/projects/midbar/

OSDN: https://osdn.net/projects/midbar/

GitHub: https://github.com/Northstrix/Midbar

If you just need the firmware for the device alongside the RNG, then I would advise you to download a 0.15 MB archive either from SourceForge or OSDN.

But if you need the firmware for all versions of Midbar alongside the extra code, photos, and diagrams, in that case, I would advise you to download the 34.9 MB archive from GitHub.

Download and Install the Libraries

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_SSD1306: https://github.com/adafruit/Adafruit_SSD1306

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

EncButton: https://github.com/GyverLibs/EncButton

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library... and select every archive with the library.

Clear EEPROM

ceeprom.png

To ensure that Midbar will work as intended, you must clear the EEPROM before uploading the firmware.

To clear the EEPROM upload the sketch from the "Clear_EEPROM" folder into the ESP8266, and then reboot the board.

Generate Keys

gen.png

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them.

The best way to generate the keys is to throw 20-sided dice.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.


There's also an easier option.

I modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk.

To generate the keys - launch gen.exe from the "Untested RNG" folder and then click the "Generate keys for Midbar" button. The background turns blue when you press that button.

Modify the Firmware

mf.png

Open the file "Firmware.ino", scroll down a bit, and then replace my values of the kderalgs, numofkincr, hmackey, des_key, AES_key, Blwfsh_key, serp_key with yours.

Flash the ESP8266

uf.png

Upload the firmware from the "Firmware" folder into the ESP8266.

Assemble Midbar

Circuit Diagram.png

Assembling the Midbar shouldn't be hard. In my opinion, the hardest part of the process is to connect the encoder.

As for the possible component replacements:

  • You can replace the 330-Ohm resistor with a 220-Ohm - 1k resistor;
  • You can replace 4.7k resistors with 4.7k - 10k resistors;
  • And you can replace the capacitors with 22nf - 100nf capacitors.

Set Your Password

F60FVB8LAWIKOL2.jpg
IMG_20221126_121830.jpg
IMG_20221126_121837.jpg
IMG_20221126_121950.jpg

To use the Midbar, you first need to set the password (or should I call it the "Master Password"?).

To do so:

  • Power up Midbar;
  • Quad-click the encoder button;
  • Enter the password that you would like to use to unlock the Midbar. You can't change your password. And Midbar won't be able to decrypt your data without your password because the keys for the encryption algorithms are partially derived from your password. Perhaps, it won't even unlock without the correct password. Beware of it;
  • Quad-click the encoder button.


After you've unlocked the Midbar and got the main menu:

  • Turn the rotary encoder to the right to go down the menu.
  • Turn the rotary encoder to the left to go up the menu.
  • Press the "A" button to open the selected menu.
  • While in the submenu, press the "B" button to return to the main menu.


While entering a text in a tab:

  • Click the encoder button four times to continue;
  • Click the encoder button five times to cancel the current operation.


*If the hex value decreases when you rotate the encoder to the right, I would advise you to swap the wires connected to the D5 and D6 pins.

Add Login

IMG_20221126_122431.jpg
IMG_20221126_122544.jpg
IMG_20221126_122620.jpg
IMG_20221126_122849.jpg
IMG_20221126_123324.jpg
IMG_20221126_123629.jpg
IMG_20221126_124112.jpg
IMG_20221126_124149.jpg

As I've mentioned In the introduction, this version of Midbar can store eight passwords and four credit cards in encrypted form.

To add a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "A" button;
  3. Select the "Add" line;
  4. Press the "A" button;
  5. Choose the slot you want to put the login to by rotating the encoder;
  6. Press the "A" button;
  7. Enter title;
  8. Quad-Click the encoder button;
  9. Enter login;
  10. Quad-Click the encoder button;
  11. Enter password;
  12. Quad-Click the encoder button;
  13. Enter website;
  14. Quad-Click the encoder button.

View Login

IMG_20221126_124321.jpg
IMG_20221126_124341.jpg
IMG_20221126_124354.jpg
IMG_20221126_124408.jpg
IMG_20221126_124434.jpg
IMG_20221126_124529.jpg
IMG_20221126_124535.jpg
IMG_20221126_124629.jpg

To view a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "A" button;
  3. Select the "View" line;
  4. Press the "A" button;
  5. Choose the login you want to view by rotating the encoder;
  6. Press the "A" button;
  7. Press any button to view the next field.

Delete Login

FIWCHO0LAWIKP18.jpg
IMG_20221126_124552.jpg
IMG_20221126_124602.jpg

To delete a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "A" button;
  3. Select the "Delete" line;
  4. Press the "A" button;
  5. Choose the login you want to delete by rotating the encoder;
  6. Press the "A" button.

Encrypt String

IMG_20221126_125309.jpg
IMG_20221126_125330.jpg
IMG_20221126_125405.jpg
IMG_20221126_125717.jpg

As I've mentioned earlier, the Midbar utilizes three encryption algorithms.

You can use any of them to encrypt a string.

To encrypt a string:

  1. Open the Serial Monitor because the ciphertext printed to it;
  2. Select the "Encryption Algs" line in the main menu;
  3. Press the "A" button;
  4. Select the encryption algorithm you would like to use;
  5. Press the "A" button;
  6. Select the "Encrypt" line;
  7. Press the "A" button;
  8. Enter the string you would like to encrypt;
  9. Quad-Click the encoder button.


Plaintext:

Midbar is more than just a password vault


Ciphertext:

4a1e1bb3212cc224c201a6a335385db79cadb2b8691972b138b20e76144226b7c1b517f57fd224dc9d5df9367275e2131a240e7619bf9e8a1f738f8d57577807da047dd18c1af7dca6155cb0bb1729444d9468799ef4b96664bb1ccd29723b31d3c1db139d0cdb7756fc9af9e66ed36b987e7a675217b342e122b15ee573ad16

Decrypt String

FMHWL0PLAWIKP6J.jpg
IMG_20221126_125843.jpg
IMG_20221126_125906.jpg
IMG_20221126_130001.jpg

To decrypt a string:

  1. Open the Serial Monitor because you'll need to paste the ciphertext to it;
  2. Select the "Encryption Algs" line in the main menu;
  3. Press the "A" button;
  4. Select the line with the name of the encryption algorithm you've used to encrypt the string;
  5. Press the "A" button;
  6. Select the "Decrypt" line;
  7. Press the "A" button;
  8. Paste the ciphertext to the Serial Monitor;
  9. Press the "Send" button on the Serial monitor.


Ciphertext:

4a1e1bb3212cc224c201a6a335385db79cadb2b8691972b138b20e76144226b7c1b517f57fd224dc9d5df9367275e2131a240e7619bf9e8a1f738f8d57577807da047dd18c1af7dca6155cb0bb1729444d9468799ef4b96664bb1ccd29723b31d3c1db139d0cdb7756fc9af9e66ed36b987e7a675217b342e122b15ee573ad16


Plaintext:

Midbar is more than just a password vault

Hash String

IMG_20221126_131023.jpg
IMG_20221126_131109.jpg
IMG_20221126_131236.jpg
IMG_20221126_131406.jpg

Midbar can hash your data using either SHA-256 or SHA-512.

If you're not familiar with the hash functions, let me give you a simple explanation of what the hash function is.

The hash function is an algorithm that takes your input (in that case, it's a string) and gives you a fixed-length output derived from that input. One of the most important properties of the hash function is that it always produces the same output for the same input. That allows you to use the hash function to verify the data integrity.

To hash a string:

  1. Select the "Hash Functions" line in the main menu;
  2. Press the "A" button;
  3. Select the hash function you would like to use;
  4. Press the "A" button;
  5. Enter the string you would like to hash;
  6. Quad-Click the encoder button;
  7. Press any button to return to the main menu.



String:

Midbar


Hash:

0415af21a07eb50be9ce02417f73c1d6b8c30631a5a4240b662ff89e3531fcfa02dfe06a808acacf81b523066f81495dc3004e375f08e71943cad0589807b160

Find a Good Use for Midbar

IMG_20221126_130345.jpg
IMG_20221126_130744.jpg
IMG_20221126_130757.jpg
IMG_20221126_130812.jpg

I put a lot of effort into making this version of Midbar as secure, easy-to-use, and as affordable as I could. From the technical point of view, it utilizes an unnecessarily strong encryption algorithm alongside the fairly sophisticated Hash-based Message Authentication Code constructed from the SHA-256.

Even though Midbar is "somewhat resembling" a cryptographic fortress, that "fortress" can't and won't give you a 100% guarantee that your personal data would stay untouchable to everyone. And it's not about giving you a 100% guarantee. It's about raising the cost of unauthorized access to your data as high as possible.

And by the way, if you want to make your own version of the Midbar, please do so! It would be interesting to observe how many forks will be available on GitHub and how each fork will evolve. Don't forget that there's always room for improvement, even if it seems that there's none. And you can be the one who makes that improvement.

That's it for this tutorial.

If you like this tutorial, please share it.

Thank you for reading this tutorial.