Password Vault V3.0

by Northstrix in Circuits > Microcontrollers

15775 Views, 102 Favorites, 0 Comments

Password Vault V3.0

IMG_20220210_150305.jpg

Let me begin this tutorial by reminding you that storing your passwords in an unencrypted form is the same as keeping the key from your house under the mat.

Your house might have the best lock in the world, but what's the point in it if you keep the key from it in an easily accessible place?

That's the problem I'm trying to solve by making this device. I'm trying to give you the ability to securely store your passwords, keys, and other important stuff.

This version of the password vault is a device that has the capability to encrypt your passwords, store the encrypted passwords in its built-in memory, hash passwords, and securely send passwords to another device.

In addition to that, you can also set the master password and the initialization vector (increment the key) to prevent an attacker from decrypting your passwords by simply obtaining physical access to your vault.

Supplies

IMG_20220210_154250.jpg

Supplies for the vault:

  • ESP8266 x1
  • 1.77 Inch TFT LCD with ST7735 x1
  • Arduino Nano/Uno/Compatible board x1
  • PS/2 Keyboard x1
  • PS/2 Port x1
  • 580 ohm resistor x1

Supplies for the receiver:

  • ESP32 x1
  • 16x2 or 24x2 LCD Display x1
  • I2C LCD Adapter x1
  • 4x4 Keypad x1
  • Piece of paper with the letter E x1
  • Piece of paper with the letter F x1

Encryption Algorithm for Passwords

AES + Serpent + AES in counter mode Encryption algorithm.png

This device utilizes AES-256 + Serpent + AES-256 encryption algorithm to encrypt and decrypt your passwords. It requires three keys to function: two keys for the AES and one key for Serpent. This algorithm takes eight characters (64 bits) and three keys as an input, generates 192 random bits in the encryption process and produces a sixty-four-character string in the hexadecimal format as an output. If the length of the input block isn't equal to eight, then the padding is applied.

The encryption process goes as follows:

1) The algorithm takes an input block;

2) If the length of an input block isn't equal to eight, then the padding is applied;

3) Input block is passed to the AES alongside 64 random bits;

4) AES encrypts obtained 128-bit block using the first key;

5) The result of the previous step is split into two equal 64-bit halves;

6) 64 random bits are concatenated to each half;

7) Each of the 128-bit halves is encrypted using Serpent;

8) Each ciphertext from the Serpent is encrypted using AES with the second key;

9) Concatenation of two ciphertexts produced by the AES using the second key is the resulting ciphertext.

Each AES's key is incremented each time after the algorithm uses that key. That property applies to both ciphers.

And by the way, if you give the algorithm the same input more than once, the output will be different every time. This property applies to both encryption algorithms utilized by this device!

Encryption Algorithm for the Wireless Password Projection

AES + Serpent Encryption algorithm.png

Unlike the previous encryption algorithm, this one only requires two keys; one for the AES and one for the Serpent. The AES-256 + Serpent encryption algorithm takes eight characters (64 bits) as an input (if the input length isn't multiple of eight ASCII characters, padding is applied), generates 64 random bits (eight characters), and passes 128 bits to the AES (Advanced Encryption Standard) cipher. After that, the AES's ciphertext split into two half, 64 bits each. Each half of the AES's ciphertext then passed to the Serpent cipher alongside 64 random bits. Finally, the resulting ciphertext is the concatenation of the two ciphertexts from the Serpent cipher. Random bits generated during the encryption process are thrown away during the decryption process.

Install Drivers and Configure Arduino IDE *Optional

If you've never flashed ESP32 or ESP8266 before you'll need to configure Arduino IDE and install drivers to upload the firmware to the boards, you can find drivers here:

CH340 driver for ESP8266: https://sparks.gogo.co.nz/ch340.html

CP210x driver for ESP32: https://www.silabs.com/developers/usb-to-uart-brid...

In case you don't have Arduino IDE, you can download it here: https://www.arduino.cc/en/software

Configuring IDE isn't a part of this tutorial, you can read about it here:

ESP32: https://randomnerdtutorials.com/installing-the-esp...

ESP8266: https://randomnerdtutorials.com/how-to-install-esp...

Download Firmware From GitHub

Untitled.png

You can download the firmware here https://github.com/Northstrix/Password_Vault_V3.0

Download and Install the Libraries

ESP8266TrueRandom: https://github.com/marvinroger/ESP8266TrueRandom

Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Librar...

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

LiquidCrystal_I2C: https://github.com/johnrickman/LiquidCrystal_I2C

Keypad: https://github.com/Chris--A/Keypad

PS2Keyboard: https://github.com/PaulStoffregen/PS2Keyboard

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click to the Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

Generate Keys

FE4SMLGKXYP30LV.jpg

To make the unauthorized deciphering of your passwords computationally infeasible - It is crucial to generate your own keys and never reuse them unless it's necessary.

The best way to generate the keys is to throw 20-sided dice.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.


Since I'm going to expose the keys to the whole world, I've used an untested RNG to generate the keys, don't ever do that! That will compromise the security of the device.

Get the MAC Address of the ESP32

m.png

To get the MAC address of the ESP32 upload this code into the board.

#include <WiFi.h>

void setup(){
  Serial.begin(115200);
  Serial.println();
  Serial.print("ESP Board MAC Address:  ");
  Serial.println(WiFi.macAddress());
}
 
void loop(){

}

Then open the Serial Monitor, and reboot the board.

If done correctly, you should see the MAC address in the console.

The MAC address of this board is EC:94:CB:67:3A:4C

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured IDE correctly, installed drivers, selected the corresponding port, and still keep getting this error: A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header. Connect a 10µF capacitor to the board while flashing.

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

Modify Firmware

keys table.png

Open the files Firmware_for_ESP8266.ino and Firmware_for_ESP32.ino and then replace my keys with those you've generated.

Vault requires four keys, while receiver only needs two. Make sure that skey and projection_key are the same on both devices.

Don't forget to replace the receiver's MAC address in the line

uint8_t broadcastAddress[] = {0xEC, 0x94, 0xCB, 0x67, 0x3A, 0x4C};

in the file Firmware_for_ESP8266.ino

Note that all keys are in hexadecimal format!

Flash the ESP8266

esp8266.png

Upload the modified firmware from the folder Firmware_for_ESP8266 into the ESP8266.

Flash the Arduino

arduino.png

Upload the firmware from the folder Firmware_for_Arduino into the Arduino.

Flash the ESP32

esp32.png

Upload the modified firmware from the folder Firmware_for_ESP32 into the ESP32.

Assemble the Vault

IMG_20220210_121621.jpg

Assembling the vault shouldn't be hard. In my opinion, the most tangled part of it is to connect the PS/2 port in the right way.

Ignore the 3.5 mm jack socket and the socket for the WS2812 stripe. These are the remnants from one of the previous projects.

Circuit Diagram for the Vault

Circuit diagram of the vault.png

Assemble the Receiver

IMG_20220210_142909.jpg

Assembling the receiver is even easier than assembling the vault. You only need to connect a keypad and LCD Adapter to the ESP32.

Circuit Diagram for the Receiver

Circuit diagram of the receiver.png

Power Up the Vault

IMG_20220210_122058.jpg

You should see the main menu.

* (Asterisk) symbol on the left indicates selected option.

Press (Down Arrow) to go down the menu.

Press (Up Arrow) to go up the menu.

Set Master Password

IMG_20220210_133007.jpg
IMG_20220210_133300.jpg

The purpose of the master password is to prevent an attacker from deciphering your notes by simply getting physical access to the device. The master password is used to derive a part of the key. The master password isn't stored in the permanent memory. You need to enter it every time you're powering up the device. After you disconnect power from the device, every modified part of the key will be lost because it's stored in the volatile memory.

After the master password is entered, it's hashed with SHA-512, then this hash goes through Serpent 576 times, and after that, the obtained result is used to modify the parts of two AES's keys.

One of the numbers derived from the master password is used as a verification number. The verification number must always be the same for the same password.


I've used this master password:

Your house might have the best lock in the world, but what's the point in it if you keep the key from it in an easily accessible place.

And obtained the verification number 186

Set IV

IMG_20220210_125340.jpg
IMG_20220210_133912.jpg

The purpose of the initialization vector is the same as the purpose of the master password. It just works differently - instead of deriving a part of the key from the input string, the initialization vector (in that case) sets the number of iterations of the first sixteen sections of the key. It works as a counter. Each section of the AES's key can have a value between 0 and 255. IV only affects the first sixteen sections of the key. It works as follows: iterate the current section until it reaches 255, on the next iteration set the current section equal to zero and increment the next section by one. The same principle applies to every section.

Now let me explain why I wrote (in that case) - IV is supposed to be a number that is used as a starting point for the counter. In that case, it is a starting point for the counter (in the counter mode), but instead of being a starting point itself, it increments the key by itself! That's the key difference between that case and what IV is supposed to be.

I hope I wrote an explanation that's clear enough. Anyway, if you don't get something, you can always ask a question in the comment section.

I've used 321654 as an IV.

Encrypt Password

IMG_20220210_131731.jpg
enc_pass.png

First of all, open the Serial Monitor because the ciphertext is printed into the Serial Monitor.

To encrypt a password, select the Encrypt password option in the menu, enter the password on the keyboard, and then press the Enter button on the keyboard to encrypt a password.

Press the Esc button to cancel the operation and get back to the main menu. That applies to all options in the main menu.


Eventually, I came up with these results:


Plaintext:

This version of the password vault is a device that has the capability to encrypt your passwords, store the encrypted passwords in its built-in memory, hash passwords, and securely send passwords to another device.


Ciphertext:

a727fe32fc0a5e9b2e0b71a1ef3d6f3374c2e0fd01f8114db572a5d9d789aea89e0b4a01d172cb8b0d6ec9e13db8e64cf789aa1131048dae19a59f16e7d4f30c637ff263bbc7d6220a3552455613a2f128389ac5f9a52c005befb23846beb1fe4a2a06bd9a4c410eec106800ca0a5f55ab32504abdf66c74cf1bb60f40d3c56d05442be3ab3358c92c02863e7d0d9a06f78581e02e91b3ddfbe98d9b948d87c42f113a6522295361360b6237a49a1a64835585a66b354b829fc5ae00daf420f157e23bffa26aaf84bad55ef60c9f1362e3a596d0265d2c6d6911381dff998af9947a153e2bf1e8093a3098e6c71632be8f15799d681cad8d8bbc58af51b7362877c8e12bcf30daa5b1b29efd70ef7ffeb91f32325cb85028b335de2f5deb052c1a4c901a4873118cee6769f90b8c380d64310addf8250b9502a7fe8c8b1c3daffe3638da709973b5b31984e2bbd2dd1748f4be8c90739f3e9bb902179635e95894a81883e785421e9f265e6a182ddbd1daa95cd9383b52b80cde75330b3ad2e748f65f99b51a70d3a58507544bf2aee154911d723ad0ea09176dc952729d1f3fc62fee18eab7281ef7c4e42588c1a9b624f59369fba4df428a9414fcd4096c5aa91087029de584054d46bd59e06b4f08acbd622aaca9607f6d5ce101a91972ea3d98e5489caa9ec134809ec5cfac1b7c4c537672e16042361dbf0c87c0f90a0ff7df7f2362651cb5c618c25f4f99d8ff2fdac7de4bb5d495dc59f9cb2b15694f8a179ff7187a78d50c6258e4cc7b69418a8c4f7361a92eae9ad41744779f41d95e703f7634c79da747a114c0a6c74e5eb6e82927022270af99589ed3354d3f02bd63d489b56dd715e07206f427debf89ea9ce5dfc657d384ee6ec0822ad2a8ae5c8d3a335329ee9343f778a2be51d358227bc3cf68dc728f2f2ba93aab7fd4e9c932f66507b0b3e9354437fc9fa2f48f94ce22df76b0abb463d4847cf743cf0b6b9117532328538674d2b7eb3066111de993e6ca31ec82216edb9673d8eb9e0352f18acd5a0a43ec6843e9abd31ec40675e5152d6039ad56ff7382e2dca7726116a5684f67a60cdd032fd262991486acb1b583d7d1f234211a7400bfa92e7cad779792365899eec4a3b94b054761c3befff77b12b059af7bb25a7f8f8c6440b5667f19243b3f484552e71b2d47abf427c6a9290130ded6a23bcf627b8ccb3cc3

Save Ciphertext Into the Vault's Built-in Memory

IMG_20220210_151048.jpg
IMG_20220210_151111.jpg

Finally, I figured out how to utilize the built-in flash memory of ESP8266.

All operations with the built-in memory are carried out via the Serial monitor. I understand that it might not be as convenient as it could've been, but nothing is perfect. And compared to the two previous versions of the password vault, this version at least has the capability to make use of the ESP's built-in memory.

To save a record into the built-in memory: open the Serial Monitor, select the Save file into memory option in the menu, press the Enter button on the keyboard, enter the filename into the text field in the Serial Monitor, press the Send button in the Serial Monitor, enter the content of the file into the text field in the Serial Monitor, and then press the Send button in the Serial Monitor.

Load Ciphertext From the Vault's Built-In Memory

IMG_20220210_151213.jpg

To load the content of a stored file, open the Serial Monitor, select the Load file from memory option in the menu, press the Enter button on the keyboard, enter the filename into the text field in the Serial Monitor, and then press the Send button in the Serial Monitor.

Remove Ciphertext From the Vault's Built-In Memory

IMG_20220210_151313.jpg

To remove the saved file, open the Serial Monitor, select the Remove file from memory option in the menu, press the Enter button on the keyboard, enter the filename into the text field into Serial Monitor, and then press the Send button in the Serial Monitor.

List All Stored Records

sf.png

To list all stored files, open the Serial Monitor, select the List all stored files option in the menu, press the Enter button on the keyboard.

You should see the list of all stored files in the Serial Monitor.

Decrypt Password

IMG_20220210_141857.jpg
dec_pass.png

Let's suppose that a couple of days have passed, and now you need to retrieve your data.

First of all, you need to set the same master password and the initialization vector that you've used at the time of encryption. After that select, the Decrypt password option in the menu, press the Enter button on the keyboard and then paste the ciphertext into the Serial Monitor.


Eventually, I came up with these results:


Master password:

Your house might have the best lock in the world, but what's the point in it if you keep the key from it in an easily accessible place.


Verification number:

186


IV:

321654


Ciphertext:

a727fe32fc0a5e9b2e0b71a1ef3d6f3374c2e0fd01f8114db572a5d9d789aea89e0b4a01d172cb8b0d6ec9e13db8e64cf789aa1131048dae19a59f16e7d4f30c637ff263bbc7d6220a3552455613a2f128389ac5f9a52c005befb23846beb1fe4a2a06bd9a4c410eec106800ca0a5f55ab32504abdf66c74cf1bb60f40d3c56d05442be3ab3358c92c02863e7d0d9a06f78581e02e91b3ddfbe98d9b948d87c42f113a6522295361360b6237a49a1a64835585a66b354b829fc5ae00daf420f157e23bffa26aaf84bad55ef60c9f1362e3a596d0265d2c6d6911381dff998af9947a153e2bf1e8093a3098e6c71632be8f15799d681cad8d8bbc58af51b7362877c8e12bcf30daa5b1b29efd70ef7ffeb91f32325cb85028b335de2f5deb052c1a4c901a4873118cee6769f90b8c380d64310addf8250b9502a7fe8c8b1c3daffe3638da709973b5b31984e2bbd2dd1748f4be8c90739f3e9bb902179635e95894a81883e785421e9f265e6a182ddbd1daa95cd9383b52b80cde75330b3ad2e748f65f99b51a70d3a58507544bf2aee154911d723ad0ea09176dc952729d1f3fc62fee18eab7281ef7c4e42588c1a9b624f59369fba4df428a9414fcd4096c5aa91087029de584054d46bd59e06b4f08acbd622aaca9607f6d5ce101a91972ea3d98e5489caa9ec134809ec5cfac1b7c4c537672e16042361dbf0c87c0f90a0ff7df7f2362651cb5c618c25f4f99d8ff2fdac7de4bb5d495dc59f9cb2b15694f8a179ff7187a78d50c6258e4cc7b69418a8c4f7361a92eae9ad41744779f41d95e703f7634c79da747a114c0a6c74e5eb6e82927022270af99589ed3354d3f02bd63d489b56dd715e07206f427debf89ea9ce5dfc657d384ee6ec0822ad2a8ae5c8d3a335329ee9343f778a2be51d358227bc3cf68dc728f2f2ba93aab7fd4e9c932f66507b0b3e9354437fc9fa2f48f94ce22df76b0abb463d4847cf743cf0b6b9117532328538674d2b7eb3066111de993e6ca31ec82216edb9673d8eb9e0352f18acd5a0a43ec6843e9abd31ec40675e5152d6039ad56ff7382e2dca7726116a5684f67a60cdd032fd262991486acb1b583d7d1f234211a7400bfa92e7cad779792365899eec4a3b94b054761c3befff77b12b059af7bb25a7f8f8c6440b5667f19243b3f484552e71b2d47abf427c6a9290130ded6a23bcf627b8ccb3cc3


Plaintext:

This version of the password vault is a device that has the capability to encrypt your passwords, store the encrypted passwords in its built-in memory, hash passwords, and securely send passwords to another device.

Hash Data With SHA-512

IMG_20220210_135032.jpg
IMG_20220210_135255.jpg

To prevent unauthorized modification of the encrypted password or forgery of a fake password using already obtained ciphertexts, you should hash the password before encrypting it, encrypt the hash and then store the resulted hash in an encrypted form.

Project Password

IMG_20220210_145025.jpg
IMG_20220210_145234.jpg
IMG_20220210_150103.jpg
IMG_20220210_150152.jpg
IMG_20220210_144440.jpg
IMG_20220210_150305.jpg
IMG_20220210_150718.jpg
IMG_20220210_150634.jpg

The wireless password projection feature allows you to securely send a password from one board to another.

To use this feature, you first need to set the keys on both boards: to do so: select the Project password option in the menu, press the Enter button on the keyboard, and then type the newly generated key from the vault on the receiver board's keypad.

You should obtain the same verification numbers on both devices. If it's not the case, reboot the receiver and enter the key again.

To generate a new key, either reboot the vault and then select Project password option, or go to the Additional features and then select Generate a new key for the wireless password projection option by pressing the 2 button on the keyboard.

To set another key on the receiver board: reboot it, and enter the new key on the keypad.

I'll be honest with you. Sometimes the vault can reboot in the process of the key generation. Beware of it.

After the key is set on both boards, press any button on the keyboard to get to the part where you enter the password, and then press the Enter button on the keyboard to send the password to the receiver.

As for the wireless password projection itself, it works fine, but sometimes the received password isn't displayed on the LCD correctly. To fix that minor issue, I would recommend you to look at the received password in the Serial Monitor. In that case, you'll be able to see an undistorted and full-length password.

I was able to send a 500-character password from the vault to the receiver without any problems!

I admit that using a display that can only display a few characters isn't very convenient, but that's the best I could do. I've tried to connect SSD1306 OLED and Nokia 5110 displays to the ESP32, but these displays refused to work with the ESP-NOW protocol enabled. I've also tried to drive these displays via Arduino, didn't work either. I (and probably many other people who might find this device useful) would be grateful to you for forking the repository on GitHub and making a version of the receiver with a better display.

Find a Good Use for This Device

IMG_20220210_150936.jpg

Even with all of its flaws and inconveniences, this device is capable of encrypting, securely storing, and then decrypting your passwords.

In essence, this device is a fusion of several of my previous projects, open-source code that I've taken from GitHub, and some features provided by the manufacturer of the microcontroller. I made the first version of the password vault roughly half a year ago. Back then, it was a simple encryptor and decryptor of passwords. Now, it's a device that can at least be called a vault and at least resembles a minimum viable product.

In addition to the primary features of this device, it can give you the ability to securely send your passwords over the air using the ESP-NOW protocol and calculate hashes for your passwords using the SHA-512 hash function.

It's also worth mentioning that this device is partially compatible with two of my previous projects: Encrypted Data Vault: Raspberry Pi Pico + ESP32 Version and Encrypted Note Storage V3.0 If and only if you will use the same keys on all devices.

I hope you will find a good use for this device.

If you like this tutorial, please share it.

Thank you for reading this tutorial.