Around three and a half years ago, I embarked on a self-guided journey to learn cryptography. During the first few months, I gathered most of the information I needed from Coursera, supplemented by additional resources from YouTube and various websites I discovered through Google. After acquiring a satisfactory level of theoretical knowledge (perhaps more than I could comprehend at that time), I slowed down my study of cryptography for roughly a year. Once I felt I had processed and comprehended most of the theory I had learned the previous year, I took a couple more courses, Googled the missing pieces, and started working with cryptographic primitives in practice. At first, I experimented with 3DES, then I created my own encryption algorithm based on it. Later on, I also started working with the implementation of Serpent. As I progressed further, I learned to use cryptography alongside different parts of the system and created the first version of Midbar. I then continued to refine Midbar, and after one and a half years of development, I finally made the fully functional IoT version of Midbar that is not just equipped with an advanced encryption algorithm coupled with the sophisticated integrity verification feature but also utilizes the capabilities of Google Firebase.
That version of Midbar stores the encrypted data in the cloud while keeping the keys on the ESP32!
As for why this project is called Midbar: Midbar (מדבר) is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," and "desert." I had two reasons for choosing the word Midbar as the name of this project. First, while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second, I couldn't find a better word to describe this project. At first, I wanted to call it a "Password Vault," but it's more than that. So, I decided to call it Midbar.
You can also read this tutorial on Instructables and Medium.
3DES + AES + Blowfish + Serpent Encryption Algorithm In CBC Mode
The "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode first appeared in Midbar V2.5. Since then it has been used by Midbar (Raspberry Pi Pico Version), Midbar V3.0, Midbar V4.0, KhadashPay V2.0, Midbar (Raspberry Pi Pico Version) V2.0, KhadashPay V2.0 (Raspberry Pi Pico Version), Midbar V5.0, Midbar (STM32F401CCU6 Version), KhadashPay V3.0 (STM32F401CCU6 Version), KhadashPay V3.0, Midbar (STM32F401CCU6 + Arduino Uno Version), KhadashPay V3.5, Black Swan V2.0, Midbar (Teensy 4.1 Version), Hash Latch, Midbar (Teensy 4.1 Version) V2.0, Midbar (ESP8266 Version) V2.0, Midbar (STM32F407VET6 Version) and Midbar (STM32F407VET6 + Arduino Uno Version).
Although the "3DES + AES + Blowfish + Serpent" encryption algorithm isn't exactly what I would call "a cryptographically weak encryption algorithm," operating it in a weird derivation of the ECB mode, the way Midbar V2.0 did, wasn't the best idea that I had. Even though that mode wouldn't have allowed an attacker to produce a legitimate ciphertext by swapping blocks within a single ciphertext, an attacker could still make a legitimate ciphertext by replacing the nth block of ciphertext N1 with the nth block of ciphertext N2. To fix that vulnerability (instead of just notifying the user that the decrypted ciphertext might have been forged), I made the "3DES + AES + Blowfish + Serpent" encryption algorithm work in CBC mode. So, if an attacker replaces a block of ciphertext, they spoil not just that block but also the subsequent one: in CBC each decrypted block is XORed with the previous ciphertext block, so the replaced block decrypts to garbage and the block after it is XORed with the difference between the original and the substituted block.
I'll be honest with you, the bit-flipping attack "kinda works" (flipping a bit in one ciphertext block garbles that block's plaintext and flips the same bit in the next block's plaintext), but I doubt that it would ever go unnoticed because of the "HMAC-SHA256"-based integrity verification feature.
And let's not forget that this encryption algorithm performs the operation called superencryption.
As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.
Such an arrangement yields a combined encryption algorithm that, as long as the component keys are independent, is at least as strong as the first cipher in the chain, has a longer combined key, and may resist attacks that break one component on its own. Anyway. It won't hurt to have an additional layer of security (or several of them).
Integrity Verification
The Midbar Firebase Edition V1.0 is the fifteenth version of Midbar that verifies the integrity of the whole record. So, legitimate ciphertexts moved between cells aren't much of a threat to it: because the tag covers the entire record, a valid ciphertext copied into a different cell fails verification.
The integrity verification feature of Midbar is based on "HMAC-SHA256." When you enter data into Midbar, it consolidates all the data into a single string, computes a tag for that string, and saves the newly computed tag in encrypted form. When you decrypt your data, Midbar also decrypts the previously saved tag and computes a new one for the decrypted data. It then compares both tags. If they don't match, Midbar notifies you that the integrity verification failed. Since the tag is computed over the plaintext and stored encrypted, the check can only run after decryption; tampering is detected at that point rather than before the ciphertext is processed.
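The behaviour described in the CBC section above (a spliced block garbles itself and XORs a known difference into the next block; a flipped bit reappears in the following block) and the record tag check described here, as an added example written for this page, not code from Midbar's firmware. A toy Feistel cipher keyed with HMAC-SHA256 stands in for the 3DES/AES/Blowfish/Serpent stages because none of them are in the Python standard library; the field separator, the record layout (tag appended to the record before encryption), the fixed keys and IV, and the two sample records are all assumptions made for the demonstration:

```python
# Added example, not Midbar's own code. A toy 4-round Feistel cipher built from HMAC-SHA256 stands
# in for the 3DES + AES + Blowfish + Serpent stages; what is shown is CBC chaining and the tag check.
import hashlib
import hmac

BLOCK, TAG_LEN = 16, 32   # 16-byte blocks (AES/Serpent size); HMAC-SHA256 digest length
SEP = b"\x1f"             # assumed separator between record fields


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blk(data, i):
    return data[i * BLOCK:(i + 1) * BLOCK]

def _round(key, half, rnd):
    # Feistel round function: HMAC-SHA256(round || half) truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cascade_block(keys, block, decrypt=False):
    # Superencryption: each stage, with its own independent key, encrypts the previous stage's output.
    for k in (reversed(keys) if decrypt else keys):
        block = toy_decrypt_block(k, block) if decrypt else toy_encrypt_block(k, block)
    return block


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    return data[:-n] if 1 <= n <= BLOCK and data[-n:] == bytes([n]) * n else None


def cbc_encrypt(keys, iv, padded):
    out, prev = [], iv
    for i in range(len(padded) // BLOCK):
        out.append(prev := cascade_block(keys, _xor(blk(padded, i), prev)))
    return b"".join(out)


def cbc_decrypt(keys, iv, ciphertext):
    out, prev = [], iv
    for i in range(len(ciphertext) // BLOCK):
        out.append(_xor(cascade_block(keys, blk(ciphertext, i), decrypt=True), prev))
        prev = blk(ciphertext, i)
    return b"".join(out)


def seal_record(enc_keys, mac_key, iv, fields):
    """Midbar-style: join the fields, tag the whole record, encrypt record and tag together."""
    record = SEP.join(f.encode() for f in fields)
    return cbc_encrypt(enc_keys, iv, pkcs7_pad(record + hmac.new(mac_key, record, hashlib.sha256).digest()))


def open_record(enc_keys, mac_key, iv, ciphertext):
    """Decrypt, recompute the tag over the record and compare it in constant time -> (ok, fields)."""
    data = pkcs7_unpad(cbc_decrypt(enc_keys, iv, ciphertext))
    if data is None or len(data) < TAG_LEN:
        return False, None
    record, stored_tag = data[:-TAG_LEN], data[-TAG_LEN:]
    ok = hmac.compare_digest(hmac.new(mac_key, record, hashlib.sha256).digest(), stored_tag)
    return ok, [f.decode("utf-8", "replace") for f in record.split(SEP)]


def splice_block(ct_a, ct_b, n):
    """The forgery the old ECB-like mode allowed: block n of A replaced with block n of B."""
    return ct_a[:n * BLOCK] + blk(ct_b, n) + ct_a[(n + 1) * BLOCK:]


def flip_bit(ct, index, bit):
    return bytes(b ^ (1 << bit) if i == index else b for i, b in enumerate(ct))


# Constructed demo material: four independent stage keys, a MAC key, a fixed IV and two records.
KEYS = [bytes([i]) * 16 for i in (1, 2, 3, 4)]
MAC_KEY = b"demo-mac-key-demo-mac-key-demo!!"
IV = bytes(range(16))
FIELDS_A = ["Example Site", "alice", "correct horse battery", "https://example.com"]
FIELDS_B = ["Other Site", "bob", "Tr0ub4dor&3", "https://example.org"]


def run_demo():
    ct_a = seal_record(KEYS, MAC_KEY, IV, FIELDS_A)
    ct_b = seal_record(KEYS, MAC_KEY, IV, FIELDS_B)
    plain_a = cbc_decrypt(KEYS, IV, ct_a)
    spliced_ct, flipped_ct = splice_block(ct_a, ct_b, 1), flip_bit(ct_a, 0, 0)
    spliced, flipped = cbc_decrypt(KEYS, IV, spliced_ct), cbc_decrypt(KEYS, IV, flipped_ct)
    return {
        "splice_block0_intact": blk(spliced, 0) == blk(plain_a, 0),
        "splice_block1_garbled": blk(spliced, 1) != blk(plain_a, 1),
        # Block 2 is not random garbage: it is P[2] XOR C_a[1] XOR C_b[1], a predictable change.
        "splice_block2_xored": blk(spliced, 2) == _xor(blk(plain_a, 2), _xor(blk(ct_a, 1), blk(ct_b, 1))),
        "splice_rest_intact": spliced[3 * BLOCK:] == plain_a[3 * BLOCK:],
        "splice_rejected": not open_record(KEYS, MAC_KEY, IV, spliced_ct)[0],
        # Flipping bit 0 of C[0] garbles P[0] and flips exactly bit 0 of P[1].
        "flip_block1_same_bit": blk(flipped, 1) == _xor(blk(plain_a, 1), b"\x01" + bytes(15)),
        "flip_rejected": not open_record(KEYS, MAC_KEY, IV, flipped_ct)[0],
    }
```

The point worth taking from run_demo() is that CBC on its own does not reject a tampered ciphertext; it only limits what the attacker can control, and the change to the block after a splice or a bit flip is fully predictable. The HMAC-SHA256 tag over the whole record is what turns that into a verification failure, and the two tags should be compared with a constant-time function such as hmac.compare_digest rather than ==.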
Install CP210x Driver And Configure Arduino IDE *Optional
If you've never flashed an ESP32 before, you need to configure the Arduino IDE and install the CP210x driver to upload the firmware to the board. You can download the CP210x driver for the ESP32 here: https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers
Configuring the IDE isn't a part of this tutorial. You can read about it here: https://randomnerdtutorials.com/installing-the-esp32-board-in-arduino-ide-windows-instructions/
Download Firmware
You can download the firmware for Midbar from one of these sources:
https://sourceforge.net/projects/midbar-firebase-edition/
https://github.com/Northstrix/Midbar-Firebase-Edition
Download And Install The Libraries
Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Library
Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library
Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO
PS2KeyAdvanced: https://github.com/techpaul/PS2KeyAdvanced
PS2KeyMap: https://github.com/techpaul/PS2KeyMap
Firebase-ESP32: https://github.com/mobizt/Firebase-ESP32
The process of unpacking libraries is typical. You can unpack the content of each archive into the folder …\Arduino\libraries. Or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library… and select every library archive.
Other required libraries are already present in one way or another.
Set Up Google Firebase
I would be happy to explain to you how to set up Google Firebase. However, I believe that the article at https://medium.com/firebase-developers/getting-started-with-esp32-and-firebase-1e7f19f63401 does a better job of that. I suggest reading the article up until the "Development Environment Setup" headline.
When setting up the database, save the "Realtime Database URL" and "Web API Key."
These values will be needed later.
Generate Keys
To make the unauthorized deciphering of your data computationally infeasible, it is crucial to generate your own keys and never reuse them.
Itβs entirely up to you how to generate the keys. I can only offer you an option to do so.
I've modified one of my previous projects to work as a random number generator. The generated output seems "random enough" to me, but I haven't run any tests. So, I can't guarantee that it's random.
Use it at your own risk!
To generate the keys, launch gen.exe from the "V1.0\Untested RNG" folder and click the "Generate keys for Midbar" button. The background turns from dark gray to light gray when you press that button.
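If you would rather not depend on an untested generator, the following, added here and not part of Midbar or its tooling, draws the keys from the operating system's CSPRNG (Python's secrets module) and prints them as C byte arrays that can be pasted into the firmware. The array names and key lengths are assumptions; use whatever names and sizes the firmware's own key variables have:

```python
# Added example, not part of Midbar or its "Untested RNG": generate the cascade and HMAC keys
# with the OS CSPRNG and emit them as Arduino-style byte arrays. Names and lengths are assumptions.
import re
import secrets

# Assumed key lengths in bytes: 3DES takes 24; AES and Serpent accept 32; Blowfish accepts up to 56
# (32 chosen here); 32 bytes for the HMAC-SHA256 key.
KEY_SPEC = {"des_key": 24, "aes_key": 32, "blowfish_key": 32, "serpent_key": 32, "hmac_key": 32}


def generate_keys(spec=KEY_SPEC):
    """Fresh, mutually independent keys; secrets.token_bytes reads the OS CSPRNG, not a user-space PRNG."""
    return {name: secrets.token_bytes(length) for name, length in spec.items()}


def to_c_array(name, key):
    """Format one key as a C initialiser, e.g. uint8_t aes_key[32] = {0x3a, 0xf1, ...};"""
    body = ", ".join(f"0x{b:02x}" for b in key)
    return f"uint8_t {name}[{len(key)}] = {{{body}}};"


def from_c_array(line):
    """Parse an initialiser produced by to_c_array back into (name, key), checking the declared length."""
    m = re.fullmatch(r"uint8_t (\w+)\[(\d+)\] = \{([^}]*)\};", line.strip())
    if m is None:
        raise ValueError("not a uint8_t array initialiser")
    key = bytes(int(tok, 16) for tok in m.group(3).split(", "))
    if len(key) != int(m.group(2)):
        raise ValueError("declared length does not match the number of bytes")
    return m.group(1), key


def render_keys(keys):
    """One initialiser per line, ready to replace the key arrays in the firmware sketch."""
    return "\n".join(to_c_array(name, key) for name, key in keys.items())


if __name__ == "__main__":
    print(render_keys(generate_keys()))
```

Run it once per device set, paste the output over the existing key arrays, and keep the output out of version control; the keys end up compiled into the firmware image, which is what makes the ESP32 the only place that holds them.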
Modify The Firmware
Open the "Firmware.ino" file from the "V1.0\Firmware" folder and put your values into the following variables:
WIFI_SSID
WIFI_PASSWORD
API_KEY
DATABASE_URL
After that, replace my keys with yours.
Switch The Partition Scheme To "Huge APP (3MB No OTA/1MB SPIFFS)"
You have to switch the partition scheme to "Huge APP (3MB No OTA/1MB SPIFFS)" before you flash the ESP32 because the firmware is too big for the default partition.
Flash ESP32
Upload the firmware from the "V1.0\Firmware" folder to the ESP32. Don't forget to hold the "BOOT" button when the firmware upload starts.
Some boards will flash without any problems.
Unfortunately, that's not the case for all boards. If you configured the IDE correctly, installed the drivers, selected the corresponding port, and still keep getting this error: "A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header", connect a 10 µF capacitor to the board while flashing.
Connect the positive lead of the capacitor to the EN pin of the ESP32;
Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.
Assemble Midbar
It shouldnβt be hard to assemble.
Just compare it with Midbar (STM32F401CCU6 + Arduino Uno Version) or Midbar (RTL8720DN + Arduino Uno Version), and youβll understand what I mean.
Power The Midbar Up
Power the Midbar up and wait till it connects to your access point (Wi-Fi), initializes Firebase, and displays a random lock screen.
That version of Midbar has 18 lock screens.
*Credit for the photos used:
Photo by Joey Kyber on Unsplash
Photo by Levi Meir Clancy on Unsplash
Photo by Braden Egli on Unsplash
Photo by Talena Reese on Pexels
Photo by Igor Flek on Unsplash
Image by herdzmedia from Pixabay
Photo by Daniel McCullough on Unsplash
Image by Paul Brennan from Pixabay
Photo by Morgan Petroski on Unsplash
Image by RobinSaville from Pixabay
Photo by Jeffrey Eisen on Unsplash
Photo by Micah Camper on Unsplash
Photo by Nadine Shaabana on Unsplash
Set Master Password
To use the Midbar, you first need to set the master password.
You can't change your master password without performing a factory reset first!
Midbar won't be able to decrypt your data without your master password because the keys for the encryption algorithms are partially derived from it. Perhaps it won't even unlock without the correct master password.
When you're done entering your master password, press either the "Enter" or the "ESC" key on the PS/2 keyboard.
After you've unlocked the vault and got to the main menu:
- Press the "↓" (Downwards Arrow) key on the PS/2 keyboard to go down the menu.
- Press the "↑" (Upwards Arrow) key on the PS/2 keyboard to go up the menu.
- Press the "Enter" key on the PS/2 keyboard to open the selected menu.
- While in the submenu, press either the "Esc" or the "Backspace" key on the PS/2 keyboard to return to the main menu.
While entering text in a tab:
- Press "Enter" on the PS/2 keyboard to continue.
- Press the "Esc" key on the PS/2 keyboard to cancel the current operation.
That version of Midbar allows you to store records of four types: login credentials, credit card information, notes, and phone numbers.
Since working with records of other types is basically the same as working with logins, I'll only provide instructions on how to work with logins.
To add a login (from the PS/2 keyboard):
- Select the "Logins" line in the main menu;
- Press the "Enter" key on the PS/2 keyboard;
- Select the "Add" line;
- Press the "Enter" key on the PS/2 keyboard;
- Choose the slot you want to put the login into by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
- Press the "Enter" key on the PS/2 keyboard;
- Select the "PS/2 Keyboard" line;
- Press the "Enter" key on the PS/2 keyboard;
- Enter the title;
- Press the "Enter" key on the PS/2 keyboard;
- Enter the username;
- Press the "Enter" key on the PS/2 keyboard;
- Enter the password;
- Press the "Enter" key on the PS/2 keyboard;
- Enter the website;
- Press the "Enter" key on the PS/2 keyboard.
*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.
View Login
To view a login:
- Select the "Logins" line in the main menu;
- Press the "Enter" key on the PS/2 keyboard;
- Select the "View" line;
- Press the "Enter" key on the PS/2 keyboard;
- Choose the slot you want to view the login from by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
- Press the "Enter" key on the PS/2 keyboard;
- Press the "↑" (Upwards Arrow) key on the PS/2 keyboard to print the record to the serial terminal.
Edit Login
To edit a login:
- Select the "Logins" line in the main menu;
- Press the "Enter" key on the PS/2 keyboard;
- Select the "Edit" line;
- Press the "Enter" key on the PS/2 keyboard;
- Select the login you would like to edit by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
- Press the "Enter" key on the PS/2 keyboard;
- Enter the new password;
- Press "Enter" on the PS/2 keyboard.
Delete Login
To delete a login:
- Select the "Logins" line;
- Press the "Enter" key on the PS/2 keyboard;
- Select the "Delete" line;
- Press the "Enter" key on the PS/2 keyboard;
- Select the login you would like to delete by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
- Press the "Enter" key on the PS/2 keyboard.
Despite some flaws and inconveniences and the requirement for Internet access to operate, the current version of Midbar also has its upsides. One of them is the ability to (almost) effortlessly replace a broken Midbar with a new one without losing access to your valuable data. To do this, you only need to upload the same firmware (with the same embedded keys) and use the same master password on the new device.
And while Midbar is no guarantee of world peace or social harmony, I do believe that itβs an important contribution to the protection of your data from unauthorized access.
I think it's also worth mentioning that Midbar's source code is distributed under the MIT license. That grants you the freedom to customize, adapt, and modify Midbar according to your needs and preferences. In other words, you can create your own version of Midbar or use it as a starting point for building new projects without the need for external permission.
If you found this tutorial to be useful, please consider sharing it.
Thank you for reading this tutorial.