Password Vault V2.0
by Northstrix in Circuits > Microcontrollers
A while ago, I made the first version of the password vault. Its security relied on four RFID cards and my modification of a relatively old encryption algorithm. This time I improved the encryption algorithm even further and also made the device cheaper.
Supplies
- ESP8266 x1
- 1.77 Inch TFT LCD with ST7735 x1
Encryption Algorithm
I took 3DES, added IVs and Rijndael S-boxes to this cipher, then cascaded all this "mess", and fed the output to the Serpent cipher. I'm well aware that concatenating IV4 to the ciphertext XORed with IV4 isn't the best decision I could make, but the device is already "unstable" enough that it can't properly handle another 3DES round. The introduction of initialization vectors prevents an attacker who captures the packets from learning their content by mounting a chosen-plaintext attack. One of the most useful properties of this encryption algorithm is that it produces a different ciphertext for the same plaintext each time it's encrypted: if you give the algorithm the same input more than once, the output will be different every time.
Structure of the Block
The first forty-eight characters are the encrypted IVs. The last thirty-two characters are the encrypted (IV4 + plaintext).
Install the Drivers and Configure Arduino IDE (optional)
If you've never flashed an ESP8266 before, you need to configure the Arduino IDE and install drivers to upload the firmware to the board. You can find the drivers here:
CH340 driver: https://sparks.gogo.co.nz/ch340.html
CP210x driver: https://www.silabs.com/developers/usb-to-uart-brid...
In case you don't have the Arduino IDE, you can download it here:
https://www.arduino.cc/en/software
Configuring the IDE isn't part of this tutorial; you can read about it here:
Download Firmware From GitHub
You can download the firmware here: https://github.com/Northstrix/Password_Vault_V2.0
Download and Install the Libraries
DES_Library: https://github.com/fcgdam/DES_Library
Serpent: https://github.com/peterferrie/serpent
ESP8266TrueRandom: https://github.com/marvinroger/ESP8266TrueRandom
Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Librar...
Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library
Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO
Installing every library except Serpent is the usual process. You can unpack the contents of each archive into the folder ...\Arduino\libraries, or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library... and select each library archive.
The Serpent library has to be extracted into the folder with the sketch.
Generate the Keys
You can do it by any means possible.
The best way to do it is to throw a 20-sided die.
If you get a number from 1 to 9, write it down. If you get a number from 10 to 15, write down the letter corresponding to that number:
10 = A;
11 = B;
12 = C;
13 = D;
14 = E;
15 = F.
If you get 20, write down 0.
If you get anything else (16 to 19), don't write anything and throw the die again.
Since I'm going to expose the keys to the whole world, I've used a weak RNG to generate the keys for this tutorial. Don't ever do that yourself! It would compromise the security of the device.
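As an added example (not code from the original project), here is a Python helper that applies the dice-to-hex mapping above to a list of rolls, substitutes the OS CSPRNG for a physical die when you don't have one, and checks that the mapping gives every hex digit the same probability. The number of hex digits a key needs is not stated on this page; use whatever the key fields in Password_vault_two.ino expect.

```python
import secrets
from collections import Counter

HEX_DIGITS = "0123456789ABCDEF"


def roll_to_hex(roll: int):
    """Map one d20 result to a hex digit using the rules from the text:
    1-9 -> that digit, 10-15 -> A-F, 20 -> 0, 16-19 -> discard (None)."""
    if not 1 <= roll <= 20:
        raise ValueError(f"not a d20 result: {roll}")
    if 1 <= roll <= 9:
        return str(roll)
    if 10 <= roll <= 15:
        return HEX_DIGITS[roll]
    if roll == 20:
        return "0"
    return None  # 16-19: write nothing and throw again


def rolls_to_key(rolls, length):
    """Turn a list of physical die rolls (constructed input) into a key of
    `length` hex digits. Rejected rolls are skipped; raises if rolls run out."""
    digits = []
    for r in rolls:
        d = roll_to_hex(r)
        if d is not None:
            digits.append(d)
        if len(digits) == length:
            return "".join(digits)
    raise ValueError(f"only {len(digits)} usable rolls, need {length}")


def simulated_d20():
    # Stand-in for a physical die (assumption: no d20 at hand). `secrets` draws
    # from the OS CSPRNG, not the weak RNG the text warns against.
    return secrets.randbelow(20) + 1


def generate_key(length):
    """Generate `length` hex digits from simulated rolls, same mapping as above."""
    digits = []
    while len(digits) < length:
        d = roll_to_hex(simulated_d20())
        if d is not None:
            digits.append(d)
    return "".join(digits)


def digit_bias(samples=80_000):
    """Sanity check on the mapping: each kept face has probability 1/20 and
    16-19 are rejected, so every hex digit should appear with frequency ~1/16.
    Returns the largest absolute deviation from 1/16 over all 16 digits."""
    counts = Counter(generate_key(samples))
    return max(abs(counts[d] / samples - 1 / 16) for d in HEX_DIGITS)
```

Write each accepted digit down as you go; a single hex digit carries 4 bits, so every rejected roll (16 to 19) costs nothing but time.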
Modify the Firmware
Open the file Password_vault_two.ino and replace the existing keys with those you've generated.
By the way, if you want to create your own color scheme, you can find an RGB565 color converter here https://chrishewett.com/blog/true-rgb565-colour-pi...
Flash the ESP8266
Upload the modified firmware from the folder Password_vault_two to the ESP8266.
Build the Device
The circuit is so simple that I've decided not to include the schematic diagram.
Ignore the protruding gray wire. It's +5V.
Circuit Diagram
Power Up the Device and Open the Serial Monitor
Power up the device, open the Serial Monitor and set the baud rate to 115200.
Enter 1 in the Serial Monitor and press Send to add a new record.
Enter 2 in the Serial Monitor and press Send to decrypt an existing record.
Add Record
It's time to encrypt something. Enter 1 in the Serial Monitor and press Send.
Now you'll see the instructions both in the Serial Monitor and on the display. Enter the login and the password one after another. In newer versions of the Arduino IDE, make sure that the first combo box is set to No line ending. Press Send after you've finished entering the plaintext. Technically, the length of the plaintext is unlimited. Practically, this device can encrypt a 1000-character plaintext, but it can only decrypt a ciphertext up to 152 characters long without suddenly rebooting. That's where the crappy implementation of the algorithm limits the potential of the MCU. The encryption algorithm is cryptographically strong, but the device can't decrypt long strings; still, 152 characters should be enough even for the longest logins and passwords.
I've encrypted these plaintexts and obtained these results.
Login:
Let's suppose that this is login Some_hella long email.@hlongmail.com
Password:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890-=!@#$%^&*()_+<>?"}{:
Ciphertexts
Login and password are fictional (just in case).
Save the Ciphertexts
Technically, the word vault implies that the device has some form of storage; without storage, it's just an encoder and decoder of your precious passwords. But I haven't figured out an efficient way to organize a file system, so for now external storage serves as the vault for the already encrypted passwords.
It's up to you where to store the ciphertexts. I can only suggest Twinkle or a database from one of my previous projects.
If you have anything better than that, don't hesitate to use it.
Decrypt the Record
Let's suppose that a couple of days have passed, and now you need to retrieve your data.
1) Power up the device;
2) Enter 2 in the Serial Monitor and press Send;
3) Paste the ciphertext into the Serial Monitor;
4) Press Enter.
Final Thoughts
Even though this version of the password vault is more secure than the previous one (at least from the side of the encryption scheme), it still has some flaws and inconveniences. I did my best to make this device as secure and as user-friendly as possible, but I kinda hit my ceiling here. I admit that this is the best I can do for now.
If you like this tutorial, please share it.
Thank you for reading this tutorial.