Mooltipass

Offline password keeper project created by and for the Hackaday community


This project was created on 02/15/2014 and last updated a month ago.

Description
The mooltipass is an offline password keeper.
The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating and storing long and complex random passwords for the different websites you use daily. It is designed to be as small as possible so it can fit in your pocket. Simply visit a website and the device will ask for confirmation to enter your credentials when you need to log in.
Details

Mooltipass is composed of one main device and a smartcard.

On the device are stored your AES-256 encrypted passwords. The smartcard is a read-protected EEPROM that needs a PIN code to unlock its contents (AES-256 key + a few websites' credentials). As with your credit card, too many tries will permanently lock the smart card.
The mooltipass main components are: a smart card connector, an Arduino compatible microcontroller, a FLASH memory, an OLED screen and its touchscreen panel. The OLED screen provides good contrast and good visibility.

Components
  • 1 × ST662ACD-TR (Power Management ICs / Switching Regulators and Controllers)
  • 1 × ATMEGA32U4-MU (Microprocessors, Microcontrollers, DSPs / ARM, RISC-Based Microcontrollers)
  • 1 × AT88SC102 (RF, IF, RFID, ZigBee Semiconductors and ICs / Memory)
  • 1 × AT45DB011D-SSH-T (Memory ICs / FLASH Memory)

Project logs
  • Current status and progress #5: Beginning to work with the beta testers and polishing our user interface

    a month ago • 1 comment

    Dear Mooltipass enthusiasts,

    Shenzhen was an awesome place to visit and full of interesting people to meet. During my time there I had the opportunity to spend a complete day at our assembler's to check the beta testers units and teach them how to assemble the Mooltipass. As the team didn't want to wait for one month (or more) for the beta testers to receive their prototypes, we opted for DHL delivery.

    Here is our newsletter #5:

    - All the beta testers received their prototypes! As you can guess, they received it much earlier than we thought they would. They're currently waiting on the development team to send them a first firmware to test, as we want the latter to be as user friendly as possible.

    - Some beta testers actually couldn't wait, decided to take matters into their own hands and compile the firmware from the github repository... so we've already received very interesting feedback!

    - Some of them decided to have fun with our graphics generation tools...

    - We've written several tutorials to teach the beta testers how to update their Mooltipass and made several forms to gather all ideas/suggestions/remarks they may have

    - On the firmware side we're currently working on polishing our user interface to make it as simple as possible (we can't emphasize this enough!). The flash management library still needs to be finished though.

    - We're having difficulties finding someone who could make a small animation video to explain the Mooltipass without ruining our non-existing budget. If you know someone, please let us know!

    - The chrome plugin is getting better by the day, we're improving our login/password fields detection algorithm

    - We designed a nice Mooltipass stand that can be CNCed or 3D printed

    As you can guess we're very close to having a finished product! We're quite confident that the next newsletter will inform you guys how to get your hands on one.

    Cheers,

    Mathieu & the dev team

  • Testing the inrush current the quick & dirty way

    3 months ago • 0 comments

    I'm guessing that very few of you know that USB certifications impose a very strict limit on a USB connected device's inrush current.

    What's the inrush current? 

    It is basically the current that a device receives when it is connected to a USB port. It is usually high given the numerous decoupling capacitors on a board.

    How to measure it?

    One of the solutions is to do like I did: put a shunt resistor between your device and power supply, measure the voltage across it. As I'm sure you already know, it will represent the current going through it.

    What should I see above?

    This is the voltage across the shunt resistor when the device is first plugged to my computer. The USB certification specifies a maximum 50uC charge (Q = I*dt integrated) when the current is above 100mA.

    Looking at the oscilloscope you can see a 500mV vertical axis, corresponding to I = V / R = 500/1.5 = 333mA. The horizontal axis is 20us. 

    What we are going to do is simply count the number of "blocks" for given time bins (red zone). Let's say we have 5 time bins here:

    - first time bin has 4 blocks (1.333A)

    - second has 3 blocks (1A)

    - third has 2 (0.666A)

    - 4th and 5th have 1 (0.333A)

    Yes, this is a very approximate measurement ;). Anyway, this gives us: (1.33+1+0.66+0.33+0.33)*20us = 53uC!

    This is therefore very close to the norm.... we should reduce one of our capacitors' value then!

  • Current status and progress #4: final prototypes and beta testers program

    3 months ago • 1 comment

    Dear Mooltipass enthusiasts,

    I know I promised you guys more frequent updates but as you can guess things have been quite crazy during these last weeks ;).

    Here is our newsletter #4:

    - As you may have seen in the latest Mooltipass article our current hardware is considered as final. This is a major step, meaning that we can concentrate all of our resources on the firmware development process and proceed with the beta testers program.

    - Speaking of the latter I'm currently busy asking different assemblers for quotes... once I get them a final contribution price will be agreed on and selected beta testers will be contacted

    - Missed the beta testers call? Here is a quick form you can still fill. Please note that very few will be selected from there as we want to privilege people that have been supporting us from the start

    - All the low level libraries (except the node management code) are finished!

    - A "new" contributor is currently designing our user interface. We especially asked a non-geek person as we want our GUI to be as simple to use as possible. Here is a draft, what do you think?

    - The Mooltipass has been tested on Linux / Mac / Windows / Android and we are extremely happy to inform you that it doesn't require any driver to function!

    - A chrome plugin (using the chrome.hid library) has been created and tested together with the Mooltipass.

    As you may have understood we're very close to getting the Mooltipass in our supporters' hands. Words of encouragement are strongly welcome as they keep us going during this long process :).

    Cheers,

    Mathieu
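
The block-counting estimate in the inrush-current log above generalizes to integrating a sampled shunt-voltage trace. The following is an added example, not code from the Mooltipass project; it reuses the log's 1.5 Ω shunt, 100 mA threshold and 50 µC limit, while the CSV layout, the sample capture and the function names are constructed for illustration.

```python
import csv
import io

SHUNT_OHMS = 1.5      # shunt used in the log: 500 mV / 1.5 ohm = 333 mA
THRESHOLD_A = 0.100   # the log counts charge only while I > 100 mA
LIMIT_C = 50e-6       # 50 uC limit quoted in the log

# Constructed sample capture (time in seconds, shunt voltage in volts).
# The column layout is an assumption; real scope exports differ.
SAMPLE_CSV = """time_s,shunt_v
0e-6,0.00
10e-6,1.50
30e-6,1.50
50e-6,0.00
60e-6,0.00
"""


def load_trace(text):
    """Parse 'time_s,shunt_v' rows into a time-sorted list of float pairs."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((float(r["time_s"]), float(r["shunt_v"])) for r in rows)


def inrush_charge(trace, shunt_ohms=SHUNT_OHMS, threshold_a=THRESHOLD_A):
    """Trapezoid-integrate I = V/R over the parts of the trace above threshold."""
    charge = 0.0
    for (t0, v0), (t1, v1) in zip(trace, trace[1:]):
        i0, i1 = v0 / shunt_ohms, v1 / shunt_ohms
        if i0 <= threshold_a and i1 <= threshold_a:
            continue  # whole segment is at or below the 100 mA threshold
        if (i0 > threshold_a) != (i1 > threshold_a):
            # Segment crosses the threshold: interpolate the crossing time
            # and keep only the part that lies above it.
            tc = t0 + (threshold_a - i0) * (t1 - t0) / (i1 - i0)
            if i0 > threshold_a:
                t1, i1 = tc, threshold_a
            else:
                t0, i0 = tc, threshold_a
        charge += 0.5 * (i0 + i1) * (t1 - t0)
    return charge


def within_limit(trace, limit_c=LIMIT_C):
    """Return (charge in coulombs, True if at or under the limit)."""
    q = inrush_charge(trace)
    return q, q <= limit_c


if __name__ == "__main__":
    q, ok = within_limit(load_trace(SAMPLE_CSV))
    print(f"{q * 1e6:.2f} uC above 100 mA -> {'OK' if ok else 'over limit'}")
```
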

View all 11 project logs

Discussions

Victor Suarez Rovere wrote 20 days ago null point

Have you seen this similar entry, PassKey? It offers an unprecedented level of security.
http://hackaday.io/project/2620


Mathieu Stephan wrote 20 days ago null point

Hey Victor,
I can see that you're _extremely_ biased on the subject ;). This is a very ambitious project that you're considering... how many people are working on it?


Mathieu Stephan wrote 20 days ago null point

Just to be sure I completely understand your project: are you implementing a commercial man in the middle device?


John Reiter wrote 25 days ago null point

What if the smart card also had RFID for door access? You could use it as an employee ID as well.


Mathieu Stephan wrote 25 days ago null point

That would be neat indeed... however different companies have different types of NFC cards so it'd be hard to be flexible enough


Mark Jeronimus wrote a month ago null point

Not to burst your bubble but let me tell you why no one has ever made something similar. I work at a large hardware security evaluation lab, and I can tell you that without rigorous security evaluation and feedback, devices like this are almost sure to contain side-channel leaks and exploits. Even if every part is tested and certified, the final product may not be secure. We had companies having to re-evaluate things only because they swapped an innocent chip with a different footprint, for which the main PCB was re-routed. Evaluation of a simple PIN entry device can cost between $100,000 - $500,000. Especially with the publicity you're getting here and in China, there'll be attackers for sure. Probably safe for most people, but not for a commercial product.


Mark Jeronimus wrote a month ago null point

I'll give you a free tip. Use tamper switches to detect entry and modification of the device. Usually they are placed around buttons so they can't be tapped electrically. Also don't leave space that attackers can insert eavesdrop/logging devices into.


Mathieu Stephan wrote a month ago null point

Hey Mark,

Considering the tone of your comment: is it a reason not to try then?
This is why we are going the open hardware way. Perhaps concerned individuals like yourself will consider putting some of their time to either look at our code or go for a black box type of attack. We already have several pen-testers checking our security implementation, and we would love you to be one of them :)

Cheers


Mathieu Stephan wrote a month ago null point

Thanks for the tip Mark, we actually already had this one on day 2 after we launched this project ;)


markbng wrote 3 months ago 1 point

Very nice project. Very professional project.
Please note that the AT88SC102 is NOT secure (www.break-ic.com). You can use the ATECC108 instead. An ARM cortex M3/M4 controller is preferred for main controller (good performance/cost ratio).
Do you also make a 'lastpass' browser add-on?


Mathieu Stephan wrote 3 months ago 1 point

Thanks!
It depends what you mean by secure. Security has a cost so the appropriate question would be: how long does it take / how expensive is it to break the AT88SC102 security?


markbng wrote 3 months ago null point

I know. Security is difficult. You have to choose a good security for a reasonable price. I don't know the exact price (I use the break-ic list only to see which components can be hacked), but I think the price is from 800USD up to a few thousand dollars.


elliot.buller wrote 3 months ago null point

Not sure if there's any interest but I have 50 AT88SC0404C atmel crypto cards from a previous project. They are unused and in the protective sleeve. All white, looks like they could be printed on. Feel free to email if anyone has interest. elliot.buller(AT)gmail.com


Mathieu Stephan wrote 3 months ago null point

Thanks for the offer Elliot!
However we're only supporting the AT88SC102 atm.


elliot.buller wrote 3 months ago null point

I understand. Hard to develop for a moving target. I have pcsc scripts with apdu packet examples to access data, setup crypto, etc. More storage space too. I'll try and buy one to do the port myself once they are commercial. Been meaning to repurpose the smartcards and this sounds like a good opportunity. (Also will work for many automated laundry systems ;) Sorry, off topic.


mexoplex wrote 4 months ago -1 point

You don't think the lawyers of the producers of the movie "The Fifth Element" will be contacting you shortly?


Mathieu Stephan wrote 3 months ago null point

so far so good!
I don't think so though, given there already exist multipass brands / companies around the world


pierrep wrote 6 months ago 1 point

Maybe the concern with the use of a USB key is the accessibility of the data, that are usually readable in all circumstances even using an encryption it might just ask a password to decrypt/use the USB key, as with a microcontroller data may be harder to retrieve thus more secure. That's my little point of view on the use of USB. I must finally say the design of the 3D rendering is nice!


phreaknik wrote 6 months ago null point

My only concern is the trade-off between security and convenience. This project gives much better security, but in order to access any web accounts we may have, we need to have the mooltipass with us. Are there plans to make a later revision that will just be a keychain-able USB drive? That way we don't need to add a whole new device to our daily tools (phone, wallet, keys, etc)?

That being said, I DO love this project and the direction y'all have chosen, and you can expect me to be the first buyer or kickstarter funder!


Mathieu Stephan wrote 6 months ago null point

Hey phreaknik,

Thanks a lot for the support! As for your questions, a smaller version might be designed in the future but it's not planned yet. Are you sure that in your case you'd need to carry the mooltipass all the time? For example I mostly do my browsing at home or at work, so in my case I'd use 2 mooltipass and one smartcard...


phreaknik wrote 6 months ago null point

Mathieu,

Well as a student, I find myself sitting in front of a different computer every few hours every day, where I log into many accounts I would like to keep secure. I can easily sit down in front of 20 different computers a week, and sometimes never come back to the same computer twice. Even if I could afford twenty multipasses and came back to the same twenty computers every week, I certainly couldn't trust leaving them there at all these public computers.

This is why I feel a more portable option may be necessary for people like me to fully adopt the multipass as a security solution.

Just my two cents, and as I said before, I do really like the project. Definitely good work done!


Jake wrote 4 months ago null point

Maybe, if this project really kicks off, you could see it as a standard device on computers?


Mathieu Stephan wrote 4 months ago null point

Jake,

Hopefully! We need great supports and contributors to make this project a reality :)


Mathieu Stephan wrote 6 months ago null point

The Mooltipass will be credit-card sized with a 12mm width. At the moment, we're not sure yet what the final price will be.


pierrep wrote 6 months ago null point

I was wondering how much was actually the prototype at the end of built, it seems to be such a tiny object I was wondering how low cost.


pierrep wrote 6 months ago null point

Okay, so maybe it's just a funny coincidence. Still a very promising project, I'll follow it closely! Thanks for the quick answer!


Mathieu Stephan wrote 6 months ago null point

Hey Pierrep, the name was actually suggested by one HaD reader after we started the development process!


pierrep wrote 6 months ago null point

What a great idea, it's really nice! Is the idea actually based on the Fifth Element (1997) multipass card? I was sure I heard that term somewhere and finally remembered there was a multipass or "mooltipass" with the accent, that was mentioned in the movie.


Mathieu Stephan wrote 6 months ago 1 point

Here is our newsletter #1:

- we should receive soon the bottom PCB for Olivier's design. Once we receive it, we'll be able to check that most Arduino shields are compatible with our device. Hopefully, it'll be bug free and fit in the case as well...

- we are currently designing the top PCB that will contain the touch sensor IC, capacitive wheel / buttons and the LEDs

- we machined the case for Olivier's design... it's a bit wide but quite thin! I'll try to send pictures soon...

- it seems the other mechanical contributors are not really motivated to have their designs produced (even if I'd like so)... so they could use your words of encouragement!

- the Arduino Leonardo bootloader has been modified to work with the Mooltipass, you'll be able to find it in the repository

- we are using both a makefile and Atmelstudio for our development process (which is cool imho)

- we recently switched to a new graphics library (which is awesome) that can handle fixed and variable font widths but also different color depths... we still need to optimize it for speed though

- the credential management code should be finished in the next 2 weeks

- we lost contact with the person in charge of the USB code :-(

- the computer-side software / browser extension hasn't progressed much :-(

- we still need to format our code to the agreed convention

Any question/suggestion is welcome!
Cheers,
Mathieu
