Midbar
Midbar (מדבר) is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," "desert." There are two reasons why I chose the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe that project. At first, I wanted to name it a "Password Vault," but then I realized that this is also a "Credit Card Vault," "Note Vault," "Phone number Vault" and just "Data Vault." None of these names would be a complete description of this device, and using a combination of all of these to name it would've been weird, hard to remember, and just inconvenient. So, I just called it Midbar!
Midbar utilizes a strong encryption algorithm (AES-256 + Serpent + AES-256) combined with a sophisticated embedded database (SQLite3) to keep your personal data secure.
The device has roughly 1.5Mb of memory allocated for the storage of the user data. Each character weighs 8 bits - in an encrypted form, eight characters weigh 512 bits (64 bytes). So, the device should be able to store roughly 190 000 characters in an encrypted form (without taking the space occupied by the database into account).
Supplies
Supplies for the vault:
- ESP32 x1
- 2.4 Inch TFT LCD with ILI9341 x1
- Arduino Nano/Uno/Compatible board x1
- PS/2 Keyboard x1
- PS/2 Port x1
- 580 ohm resistor x1
- 10µF capacitor x1 *optional
Supplies for the receiver:
- ESP8266 x1
- 1.77 Inch TFT LCD with ST7735 x1
Encryption Algorithm
This device utilizes the AES-256 + Serpent + AES-256 encryption algorithm to encrypt and decrypt your data. That's not the first and not the last device to utilize this encryption algorithm. The algorithm requires three keys to function: two keys for AES and one key for Serpent. It takes eight characters (64 bits) and three keys as input, generates 192 random bits in the encryption process, and produces a sixty-four-character string in hexadecimal format as output. If the length of the input block isn't equal to eight, padding is applied.
The encryption process goes as follows:
1) The algorithm takes an input block;
2) If the length of an input block isn't equal to eight, then the padding is applied;
3) Input block is passed to the AES alongside 64 random bits;
4) AES encrypts the obtained 128-bit block using the first key;
5) The result of the previous step is split into two equal 64-bit halves;
6) 64 random bits are concatenated to each half;
7) Each of the 128-bit halves is encrypted using Serpent;
8) Each ciphertext from the Serpent is encrypted using AES with the second key;
9) Concatenation of two ciphertexts produced by the AES using the second key is the resulting ciphertext.
Each AES key is incremented after the algorithm uses that key.
The algorithm that encrypts data that's being sent to another device is very similar to that one, with one exception: it ends on step 7.
And by the way, if you give the algorithm the same input more than once, the output will be different every time.
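Added example (not part of the original tutorial or the Midbar firmware): a Python model of the block layout in steps 1-9. A 4-round Feistel network over SHA-256 stands in for both AES-256 and Serpent, which Python's standard library lacks; zero-byte padding, the data-then-random byte order, the sample keys and all function names are assumptions, and the key incrementing is left out.

```python
import hashlib
import os

def _f(key, rnd, half):
    # Feistel round function: 8 bytes derived from key, round number and one half
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_enc(key, block):
    # Stand-in 128-bit block cipher (4-round Feistel). NOT AES-256 or Serpent.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def toy_dec(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def encrypt_block(text, k_aes1, k_serpent, k_aes2, rng=os.urandom):
    data = text.encode().ljust(8, b"\0")          # step 2 (zero padding is an assumption)
    if len(data) != 8:
        raise ValueError("input block is limited to eight characters")
    first = toy_enc(k_aes1, data + rng(8))        # steps 3-4: 64 data bits + 64 random bits
    out = b""
    for half in (first[:8], first[8:]):           # step 5: two 64-bit halves
        inner = toy_enc(k_serpent, half + rng(8)) # steps 6-7: half + 64 random bits
        out += toy_enc(k_aes2, inner)             # step 8: second AES key
    return out.hex()                              # step 9: 32 bytes -> 64 hex characters

def decrypt_block(hex_ct, k_aes1, k_serpent, k_aes2):
    ct = bytes.fromhex(hex_ct)
    halves = b""
    for part in (ct[:16], ct[16:]):
        inner = toy_dec(k_aes2, part)
        halves += toy_dec(k_serpent, inner)[:8]   # discard the 64 random bits
    return toy_dec(k_aes1, halves)[:8].rstrip(b"\0").decode()

# Constructed sample keys, for illustration only
K1, KS, K2 = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))

if __name__ == "__main__":
    a, b = (encrypt_block("Midbar", K1, KS, K2) for _ in range(2))
    print(len(a), a != b, decrypt_block(a, K1, KS, K2))
```

Passing a fixed `rng` makes two encryptions of the same input identical, which shows that the 192 random bits are the only source of the varying output.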
Install Drivers and Configure Arduino IDE *Optional
If you've never flashed an ESP32 or ESP8266 before, you'll need to configure the Arduino IDE and install drivers to upload the firmware to the boards. You can find the drivers here:
CP210x driver for ESP32: https://www.silabs.com/developers/usb-to-uart-brid...
CH340 driver for ESP8266: https://sparks.gogo.co.nz/ch340.html
In case you don't have Arduino IDE, you can download it here: https://www.arduino.cc/en/software
Configuring the IDE isn't part of this tutorial; you can read about it here:
ESP32: https://randomnerdtutorials.com/installing-the-esp...
ESP8266: https://randomnerdtutorials.com/how-to-install-esp...
Download Firmware From GitHub
You can download the firmware here: https://github.com/Northstrix/Midbar
Download and Install the Libraries
Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library
Adafruit_ILI9341: https://github.com/adafruit/Adafruit_ILI9341
Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO
PS2Keyboard: https://github.com/PaulStoffregen/PS2Keyboard
esp32_arduino_sqlite3_lib: https://github.com/siara-cc/esp32_arduino_sqlite3_lib
The process of unpacking libraries is typical. You can unpack the content of each archive into the folder ...\Arduino\libraries, or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library... and select each library archive in turn.
Other required libraries are already present in one way or another.
Install ESP32 Filesystem Uploader
The primary purpose of the ESP32 Filesystem Uploader is to let you upload files into ESP's filesystem. In this tutorial, the purpose of this tool is to upload an empty SPIFFS image into ESP.
Download the file called ESP32FS-1.0.zip from here: https://github.com/me-no-dev/arduino-esp32fs-plugin/releases/
Then extract the content of the archive into the folder: ...\Arduino\Tools\
After that, restart the Arduino IDE.
Format ESP32's Built-in Flash Memory
Click Tools -> ESP32 Sketch Data Upload. Then click Yes in the pop-up window. The program is going to format the built-in flash memory.
Some boards will flash without any problems.
Unfortunately, that's not the case for all boards. If you configured the IDE correctly, installed the drivers, selected the corresponding port, and still keep getting the error "A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header", connect a 10µF capacitor to the board while flashing:
Connect the positive lead of the capacitor to the EN pin of the ESP32;
Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.
Don't forget to disconnect the capacitor after the board flashes.
Generate Keys
I modified one of my previous projects to work as a random number generator. The generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.
Use it at your own risk.
To generate the keys, launch gen.exe from the Untested RNG folder, and then click the "Generate keys for Midbar" button.
Get the Receiver's MAC Address
To get the receiver's MAC address, upload this code into the ESP8266.
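#include <ESP8266WiFi.h>

void setup() {
  Serial.begin(115200);               // open the serial port at 115200 baud
  Serial.println();                   // start on a fresh line after the boot messages
  Serial.println(WiFi.macAddress());  // print the board's MAC address
}

void loop() {
  // nothing to do: the address is printed once at boot
}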
Then open the Serial Monitor, and reboot the board.
If done correctly, you should see the MAC address in the console.
The MAC address of this board is 5C:CF:7F:FD:85:1D
Modify the Firmware
Open the files Firmware_for_ESP32.ino and Firmware_for_ESP8266.ino and then replace my keys with those you've generated.
The vault requires four keys, while the receiver only needs two. Make sure that skey and projection_key are the same on both devices.
Don't forget to replace the receiver's MAC address in the line
uint8_t broadcastAddress[] = {0x5C, 0xCF, 0x7F, 0xFD, 0x85, 0x1D}; // Receiver's MAC address
in the file Firmware_for_ESP32.ino
Flash the Arduino
Upload the firmware from the folder Firmware_for_Arduino into the Arduino.
Flash the ESP32
Upload the firmware from the folder Firmware_for_ESP32 into the ESP32.
Flash the ESP8266
Upload the firmware from the folder Firmware_for_ESP8266 into the ESP8266.
Assemble the Vault
Assembling the vault shouldn't be hard. In my opinion, the most tangled part of it is to connect the PS/2 port in the right way.
Circuit Diagram for the Vault
Assemble the Receiver
The receiver is even easier to assemble. Just connect the display to the ESP8266.
Ignore the 3.5 mm jack socket and the socket for the WS2812 stripe. These are the remnants from one of the previous projects.
Circuit Diagram for the Receiver
Power Up the Vault
At this point, you should see the login menu. If you're seeing something else, I would advise you to disassemble the device, flash the boards again, and then assemble it back.
Enter the Master Password
After powering the vault up, you need to unlock it. Technically, you can unlock it with any password. But since the master password serves as an input for the key derivation algorithm, you will only be able to decrypt the records with the same master password that you used to encrypt them.
The master password isn't stored in the permanent memory. You need to enter it every time you power up the device. After you disconnect power from the device, every modified part of the key will be lost because it's stored in the volatile memory.
After you enter the master password and press "Enter," the master password is hashed with SHA-512, then this hash goes through Serpent 576 times, and after that, the obtained result is used to modify parts of the two AES keys.
One of the numbers derived from the master password is used as a verification number.
The verification number must always be the same for the same password.
I've used this master password:
One of the few blumen in deze midbar
And obtained the verification number 56
Sometimes the device can reboot right after being unlocked. It's a known bug - beware of it!
Add Login
Ok, let's start with a small user guide.
The » (guillemet) symbol on the left indicates the selected option.
Press ↓ (Down Arrow) to go down the menu.
Press ↑ (Up Arrow) to go up the menu.
After making up your mind about the action that you would like to perform, press the key with the corresponding number on the keyboard to perform that action.
To add a login, select "Login" in the menu and press "1" on the keyboard. After that, enter the title, username, password, and website. Press "Enter" when you've finished entering the data to move to the next window.
According to the tests that I've conducted during the development of my previous projects - ESP32 is able to encrypt and decrypt a record with a length of 700 characters without any problems. So, technically, you can put 700 characters into each field in every category.
All credentials are fictional (just in case).
View List of All Logins
To show all logins, select "Login" in the menu and press "5" on the keyboard. You will see all titles with usernames. If the logins don't all fit on the screen, you can always open the Serial Monitor and see the complete list there.
I've added another record to fill the list.
View Login
To view a login, select "Login" in the menu and press "4" on the keyboard. You will see all titles with their corresponding numbers on the left. To view a record, enter the number of the record on the keyboard and press "Enter."
The "Remove" option works exactly the same as the view option with only one exception. It's called by pressing "2."
Edit Login
To edit a login, select "Login" in the menu and press "2" on the keyboard. You will see all titles with their corresponding numbers on the left. To edit a record, enter the number of the record on the keyboard and press "Enter." After that, enter the new password for the record and press "Enter" to save the changes. Press "Esc" to cancel.
Send Text to Receiver
To send the text to the receiver: Press the "Tab" button on the keyboard, enter the text you want to send, and press "Enter" to send it. I was able to send a 104-character text without any problems. The received text is also shown in the Serial Monitor.
Sometimes the device can reboot right after calling this feature. It's a known bug - beware of it!
Other Options
I've already explained to you how to use this device. Options in the first four categories in the menu are identical. The interface is very intuitive. So, let's skip that. The "Encryption" category gives you access to the encryption algorithm. Normally, you won't need it unless you wanna play with the device. If you want to hash something using the SHA-512 hash function while entering the data into the Serial Monitor, then set the first ComboBox to "No line ending." As for the Category "SQLite3," just ignore it if you don't know how to use it. I left it for the advanced users who don't need an introduction to that.
One important thing though: do not delete the file called "midbar.db" unless you want to wipe out all your records.
And again, let me remind you - that you can use this device without ever touching the four categories on the bottom.
Find a Good Use for Midbar
Finally, after almost a year of working with the encryption algorithms, databases, and ESP-NOW, I made a fully-functional data vault. You no longer need to use an external database or open the Serial Monitor every time you want to encrypt, decrypt, or save something. Once programmed, it can work autonomously without a need to ever connect to a computer. The availability of the source code alongside the MIT License allows you to completely customize this device or even make your own version of it. More than that, this open-source project can even compete with similar devices that are available on the market. If you want to make your own version of this device, please do so. It would be interesting to observe how many forks will be available on GitHub and how each fork will evolve (if it will ever get forked at all). On that note, I would like to finish this tutorial.
If you like this tutorial, please share it.
Thank you for reading this tutorial.