Hardware Password Storage - wVAULT

Motivation

The intent here was to design a device for the security paranoid. Suppose that, at some point, the encryption you have used to secure your passwords is publicly broken. The popular and easy-to-use cloud storage is now a problem for you - your master list of passwords has definitely been accessed by the company maintaining it (they run the service) and potentially it has been accessed by others as well. The trust you placed in strong encryption meant you didn't worry about this, but your passwords could potentially be out in the open.

This project offers independence by tackling two of those threats: the passwords are not ever entrusted to a third party (therefore removing worries about economic pressures) and the passwords appear only on the hardware device, which completely lacks internet connectivity.

These advantages come with disadvantages; users must be very careful to keep a safe online backup of the device, because losing the physical object will result in the loss of all passwords.

Some added advantages include excellent portability: the device emulates a USB keyboard, so it is compatible with virtually all modern computers including many phones.

Because the device is physical, strong encryption is not as imperative. Nonetheless, AES 128-bit encryption is used for all content on the EEPROM to ensure that if found, it would require a highly dedicated effort to retrieve any information from the device.

Implementation Details

The wVAULT is dependent on a number of third party libraries. The Arduino Two-Wire library is used to interface with the EEPROM and OLED, while a modified OLED library is required to activate the OLED display.

The rsa128 library and md5 library are used in the encryption. In detail, each device features a random 128 bit salt embedded in the firmware, to hinder precomputation of the most probable keyspace. A passcode is entered using two of the pushbuttons and limited to 128 bits. Longer button presses perform bitshifts to allow access to the full 128 bits with a password of only 8 button presses. Naturally, some of this passcode space is very time consuming to reach and so it is reasonable to assume that for a common, shorter (six or seven short keypresses) passcode, the space is on the order of 32 bits.

The salt is XOR-ed with the passcode, and an MD5 is performed solely to scatter the values more or less evenly over the 128-bit keyspace. This results in the key that is used to decrypt and encrypt via AES128.

Because the wVAULT outputs single passwords over an emulated keyboard interface, its threat model consists mostly of an attacker who has unlimited access to the hardware. The likely attack involves detaching the EEPROM and attempting a brute force decryption on its memory. Becuase of the device dependent salt, the feasibility of the brute force attack requires extracting the salt from the micrprocessor's memory and then computing a list of probable passwords for an attack. This is certainly possible; mitigation would require a more complicated password entry mechanism or more specialized secure hardware elements like TPM.

Because the device only uses the passcode for immediate decryption of a single password, and then overwrites its internal variable, it is unlikely to be susceptible to an attack that maintains voltage to the device (for example, if an attacker were given access to the device while it is left plugged in to the computer).

Parts List

Pro Micro ATMega32u4 board 3D printed case (plans to come) 3 pushbuttons 3 silicone button caps 2 4k4-Ohm resistors 1 i2c OLED 1 AT24C256 - 256K EEPROM 1 microUSB-USB cable 2 switches (for write-protection on the EEPROM and ATMega reset)

ATMega32u4 Code


Schematics

Circuit Schematic

Circuit PCB

Gerber Zip