free-u2f

a super cheap universal second factor token

free-u2f will be an open-source, open-hardware USB-A Universal Second Factor token based on the ultra-cheap CH55x series microcontrollers. The goal is to have the same level of security as a physical key or higher.

Why a super-cheap MCU and not a more expensive hardware security module, you may ask? The answer is simple. Right now, U2F devices start at approx. $10, with most around $20 (like the cheapest YubiKey available at the time of this writing). The goal is to produce a U2F device that is so insanely cheap that it can be rolled out to the masses quickly and without too much money. U2F is facing a chicken-and-egg problem right now. Websites don't implement it because not a lot of people have U2F devices.

This project can allow for the production of cheap U2F devices that companies can roll out to their employees, and individuals can buy for themselves (and for friends and family), thus increasing the pressure on websites or other authenticators to implement U2F devices.

I've been documenting the project as I worked on it in a private discord. Over the next few days I'll copy over the progress I've made here.

  • Cancelled Project

    Dhruv Gramopadhye, 11/20/2021 at 02:53

    I did some work on this project several months ago, before deciding it wasn't viable. It turns out getting the code size small enough to fit on the CH554/CH552 is not a very easy task. Getting the thing to run crypto is therefore nearly impossible. 

    I've tried working with some really really low footprint libraries for crypto; uECC (micro ECC) looked like a good bet. Even with space-optimized configuration, it didn't seem viable. I tried smaller libraries that I found on GitHub (derivatives of uECC), and still found no luck.

    I don't think this project is viable, but it was fun exploring!

  • Quick Update: Plans for the next few months

    Dhruv Gramopadhye, 05/11/2020 at 00:17

    Just a quick update, I know I haven't moved on this project by much in a while.

    Luckily, I've stocked up on several CH55x parts, and I've done a LOT of soldering practice thanks to my effort on Oakton Rocketry's payload (maybe will document that on Hackaday one day). I've also got a cheap CNC machine which I successfully used to mill a proof-of-concept PCB. I also have a few development boards sitting around, so I'm all set for quarantine!

    Hopefully once my school commitment decreases, I'll be able to spend more time on this project. I look forward to making some changes to the PCB design and starting to actually write some code for this. I've been reading up on the documentation for the SDCC compiler; it has a nice section that helped me understand the 8051 architecture.

    Also, special thanks to Aaron Christophel, who has already done a great deal of work as far as making the CH55x easier to develop for (including an Android app that lets you flash your CH55x device). He gave me a few tips and pointers after I asked on his YouTube video where he describes his experiences working with the CH55x MCUs.

    My next steps are as follows (not really in any particular order, and these are very much subject to change; I'm just thinking aloud):

    - Take a dev board and try to run some encryption tasks on it. uECC is an excellent library that I plan on using for this. If crypto tasks take way too long (more than say, 10 seconds), it may be best to use a more powerful CH55x device or consider some alternatives.

    - Learn how to implement a USB device on the CH55x. There is plenty of sample code, but I want to re-implement an HID device meant for U2F. I already studied up on some of the USB protocol, but I've got some ways to go. Ideally, it'll be capable of talking U2F to some minimal degree.

    - Actually write code for the U2F crypto tasks....

    - and integrate it with USB. At this point, I should have a functioning U2F device!

    - Re-do the PCB and make some prototypes! 

  • Soldering success, plug-in failure. Starting on software

    Dhruv Gramopadhye, 12/25/2019 at 23:44

    I successfully hand-soldered all the parts, including the SOIC CH554.

    After plugging the device into a USB port, the chip caught some part of the metal chassis for the USB connector and ended up getting ripped out: pins bent and all.

    I decided to switch to writing the software with the development boards that I had purchased earlier. I'll likely do a redesign of the hardware. 

    Attached is a photo of the carnage. Unfortunately I have no "before" picture.

    Maybe if I decide to stay with this design, I'll go with an even thinner PCB. The thickness of the PCB combined with the thickness of the chip was too tight a fit I guess, even though I did the math and the whole thing should have still made it in.

  • Got PCBs

    Dhruv Gramopadhye, 07/20/2019 at 01:53

    Got my PCBs from OSH Park. They look pretty great, but their panelization or whatever added these nasty little bumps on the USB connector. It takes a bit to file these down, and it's super annoying. I'll populate the boards very soon. I'm also still working on the software. I've been super busy lately with college app essay, work, and rocketry, but I'll still try to get this done.

  • Catch Up

    Dhruv Gramopadhye, 07/04/2019 at 03:12

    I'm syncing up with the informal progress that I've been documenting on the Discord server I was putting this in. Everything is cut and pasted, and not necessarily curated for Hackaday-style documentation.

    Project U2F

    Background:
    U2F (Universal Second Factor) is a two-factor authentication protocol developed by the FIDO Alliance. It eliminates the effectiveness of phishing attacks by having a separate device confirm a domain name before authenticating, solving a problem that TOTP (Time-based One-Time Password) did not. It specifies how physical U2F "tokens" interact with browsers and web servers in order to provide a cryptographic ECDSA proof in response to a challenge provided by the server. A well-known brand of U2F device is the "YubiKey"; a quick Google search for "U2F", "FIDO" or "YubiKey" will provide additional background information.

    Project Description:
    To build a U2F device that is as cheap as possible. Instead of using an (expensive) secure element (SE), Project U2F will use a low-cost microcontroller and hardened software. This will result in a device that, if stolen temporarily, may be disassembled (components desoldered) and cloned, given a sufficient attack. Since a thief that steals a U2F token already has access to those keys, this slight decrease in security is not a concern, especially for the average user. Since U2F already operates on the premise of physical security, we're using different components in order to decrease the price without making any significant additional demands on the user for physical security.
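
The domain check and challenge response described in the Background, as an added C example (not this project's firmware). It follows the U2F raw message layout for an authentication request; the `key_record` structure, the `demo_auth` helper and the fill bytes are assumptions made for illustration, and the ECDSA signing step itself is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Status words from the FIDO U2F raw message format. */
#define SW_NO_ERROR                 0x9000
#define SW_CONDITIONS_NOT_SATISFIED 0x6985 /* no touch (user presence) */
#define SW_WRONG_DATA               0x6A80 /* key handle not for this application */
#define SW_WRONG_LENGTH             0x6700

/* Hypothetical per-key state; recovering it from the key handle is token-specific. */
typedef struct { uint8_t app_param[32]; uint32_t counter; } key_record;
static uint8_t demo_out[69];

/* Constant-time compare: nonzero if the buffers differ. */
static uint8_t ct_differs(const uint8_t *a, const uint8_t *b, uint8_t n) {
    uint8_t d = 0;
    while (n--) d |= (uint8_t)(*a++ ^ *b++);
    return d;
}

/* req: challenge param[32] | application param[32] | key handle length[1] | key handle.
 * out, the 69 signed bytes: app param[32] | presence[1] | counter[4, BE] | challenge param[32]. */
uint16_t u2f_auth_signed_data(const uint8_t *req, uint16_t len, uint8_t touched,
                              key_record *k, uint8_t *out) {
    if (len < 65 || len != 65 + req[64]) return SW_WRONG_LENGTH;
    if (ct_differs(req + 32, k->app_param, 32)) return SW_WRONG_DATA; /* other origin */
    if (!touched) return SW_CONDITIONS_NOT_SATISFIED;
    k->counter++;                        /* lets the server notice a cloned token */
    memcpy(out, k->app_param, 32);
    out[32] = 0x01;                      /* user presence confirmed */
    out[33] = (uint8_t)(k->counter >> 24); out[34] = (uint8_t)(k->counter >> 16);
    out[35] = (uint8_t)(k->counter >> 8);  out[36] = (uint8_t)k->counter;
    memcpy(out + 37, req, 32);
    return SW_NO_ERROR;
}

/* Constructed demo: key registered for app param 32 x 0xA1 (stand-in for a SHA-256). */
uint16_t demo_auth(uint8_t app_fill, uint8_t touched) {
    key_record k; uint8_t req[69];
    memset(k.app_param, 0xA1, 32); k.counter = 0;
    memset(req, 0xC3, 32);                   /* challenge parameter */
    memset(req + 32, app_fill, 32);          /* application parameter */
    req[64] = 4; memset(req + 65, 0x11, 4);  /* 4-byte key handle */
    return u2f_auth_signed_data(req, (uint16_t)sizeof req, touched, &k, demo_out);
}

int main(void) {
    printf("same origin %04X, other origin %04X\n",
           (unsigned)demo_auth(0xA1, 1), (unsigned)demo_auth(0xB2, 1));
    return 0;
}
```

A request carrying a different application parameter is refused before the counter moves or anything is signed, which is the property that makes a look-alike domain useless to a phisher.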

    Microcontroller Requirements
    - Reasonable program memory
    - Hardware multiplier (for elliptic curve crypto)
    - Reasonable clock speed
    - USB Device capabilities
    - Open source toolchain for Linux OR macOS
    - Supports languages other than assembly
    - At least a couple other projects that have been able to interface with the USB module
    - Cheap, especially in volume

    Cost and MCU selection
    Given these requirements, I've decided to use one of WCH's microcontrollers, specifically one in their CH55x line. I've ordered two development boards for a total of ~$8 shipping: one for the CH554, which has both USB Slave and Host, and one for the CH552, which has USB Slave only.

    The CH551 is cheaper than the CH552, which is cheaper than the CH553 (and so on until the CH559, which has USB Host, Slave, and HUB capabilities. Overkill!)

    Depending on compatibility, I may eventually use the cheaper CH551 after writing code for the 552 target. All of them have Intel 8051-compatible architecture.

    I plan to depend on the SDCC SDK for CH55x devices. My use of the CH551 will depend on SDK compatibility.

    The CH554 costs ~60 cents in volume,
    The CH552 costs ~30 cents in same volume
    The CH551 costs ~20 cents in same volume

    Estimated PCB cost is <15 cents/pc (bulk)

    All other components are passive and should cost less than a couple cents. An LED (or two) will be included to indicate the state of the device. This should cost no more than another couple cents. There will be no physical button; instead there will be a capacitive touch button.

    All CH55x devices have a capacitive-touch driver

    Entropy for use in crypto will be taken from the ADC's least significant bits. This seems to be a standard practice.
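
Raw ADC least significant bits are usually biased and can go flat if the input is stuck, so they need checking and conditioning before they feed key generation. The portable C below is an added example (not code from this project) showing a stuck-source check on the raw bits followed by von Neumann debiasing; the sample arrays are constructed and `RCT_CUTOFF` is an assumed value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed cutoff: this many identical raw LSBs in a row is treated as a stuck source. */
#define RCT_CUTOFF 32

/* Constructed sample data, not measurements from a CH55x. */
static const uint16_t demo_samples[16] = {
    0x1F0, 0x1F1, 0x1EF, 0x1F2, 0x1F1, 0x1F3, 0x1F0, 0x1EE,
    0x1F1, 0x1F0, 0x1F2, 0x1EF, 0x1F1, 0x1F0, 0x1EE, 0x1F1 };
static const uint16_t stuck_samples[40] = { 0x200 };  /* every LSB is 0 */
static uint8_t demo_out[2];

/* Harvest bits from ADC LSBs. Returns the number of debiased bits written to
 * out (MSB first), or -1 if the repetition check on the raw bits fails. */
int adc_lsb_harvest(const uint16_t *s, size_t n, uint8_t *out, size_t out_len)
{
    size_t i, nbits = 0;
    uint8_t last = 2, run = 0;               /* last = 2: no previous bit yet */

    for (i = 0; i < out_len; i++) out[i] = 0;

    /* Health check over every raw LSB: a long run means the input is not noisy. */
    for (i = 0; i < n; i++) {
        uint8_t b = (uint8_t)(s[i] & 1);
        run = (b == last) ? (uint8_t)(run + 1) : 1;
        last = b;
        if (run >= RCT_CUTOFF) return -1;
    }
    /* Von Neumann debiasing on non-overlapping pairs: 01 -> 0, 10 -> 1,
     * 00 and 11 are discarded. Removes bias only if the bits are independent. */
    for (i = 0; i + 1 < n && nbits < out_len * 8; i += 2) {
        uint8_t a = (uint8_t)(s[i] & 1), b = (uint8_t)(s[i + 1] & 1);
        if (a == b) continue;
        if (a) out[nbits >> 3] |= (uint8_t)(0x80 >> (nbits & 7));
        nbits++;
    }
    return (int)nbits;
}

int main(void)
{
    int n = adc_lsb_harvest(demo_samples, 16, demo_out, sizeof demo_out);
    printf("%d bits kept from 16 samples, first byte 0x%02X\n", n, demo_out[0]);
    printf("stuck input -> %d\n", adc_lsb_harvest(stuck_samples, 40, demo_out, sizeof demo_out));
    return 0;
}
```

Debiasing discards a large share of the samples, so collection time grows accordingly; the debiased bits would normally still be passed through a hash before use as key material.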

    I will post some resources I found to aid in firmware development (implementations for other platforms that I will use as reference implementations, USB documentation and specification stuff etc.) as well as progress on firmware development very soon.




Discussions

neohackerjd wrote 07/17/2023 at 08:40

I hope you find a solution as passwords are so damn annoying and so bad. Nobody remembers their passwords, everyone reuses passwords, they are cryptographically weak as hell, as I saw a guy on YouTube (a known, well-liked guy) use John the Ripper and Kali with 3 Nvidia 4000 series GPUs and brute force a 10 character password in 19 seconds. The estimated time prior to the arrival of crazy parallel processing: 7 years! So, in the past years a 10 character password is bunk and P@55w0rD is a bad idea. But I also read that they have come up with a classical way to increase the abilities of classical computers to "crunch" numbers by several factors, so even without "quantum" (all of which still remains to be seen) GPU clusters, neural networks, better classical algorithms, and heuristics means our current cryptography is in serious trouble and I assume the people really interested in it are also several factors ahead of what we are aware of so a quantum resistant crypto key stored in a truly resistant crypto chip on a USB key is a very good idea. No more passwords. Just carry your keys - have some stashed at home and perhaps one at the bank, or a new business idea: a small safe deposit box pop-up store, very small and compact, with a duplicate copy of your "yubi" key. Put it on your keychain (it's been 20 years since I lost my keys). How long has it been since you have forgotten your password or used the same password over and how many people use a 10 character or less password. Passwords suck - a massive 4000 bit certificate would be pretty hard to guess. Yeah man in the middle unless the software and hardware take this into consideration and even the keys that come out every time are merely iterations of the original and roll. I am sick of having to sign in and get an SMS and then a text or use my authenticator. But you would be wise to be using three factor authentication.
In Switzerland when E-Banking first rolled out we had to use 3 factor and now it's down to 2 but really 3 factor give the ability to compromise phones etc ... Something had to give or we can throw all electronic transactions and private conversations or data on the non-air gapped computer networks out the window. 
