Close
0%
0%

Hardware password manager

Small USB unit which simulates keyboard and generates, keeps and types up to eight passwords

Similar projects worth following
NOTE: There is a new version of this project. Please read Project Log #3 (Hacker's True RNG). New schematics diagram is added to the existing one.

This is a hardware password manager, built with PIC18F2455. Computer sees it as a standard USB HID keyboard, so it works on every computer and needs no extra software. When you are asked to type the password, you just plug it in USB port and press the corresponding key.

So...
...no manual password typing...
...no driver installation...
...no password keeping in the computer...
...no crackable PRNG password creation...
...no peeking over your shoulder while you type the password...

Dimensions are 76x24x12 mm, which is not bigger than most USB sticks. It uses the internal white noise TRNG to generate your passwords, which are held in internal MCU flash.

This is an open project, and the source code (in MPLAB assembler) is available at www.voja.rs/PROJECTS/npr.ht

Some more details...

All passwords are 15...20 character in length (which is random).

At least one lowercase, one uppercase character and one digit is guaranteed in each password

There are no punctuation marks or special characters, as not all servers accept them. But I shall add that option in setup, so you can choose it.

USB stack is open-source assembler software, by Bradley A. Minch. I have modified it so that it accepts uppercase/lowercase charracters, servicing <shift> bit in USB packet.

My friend asked me: Why don't you embed some PIN code, which can be typed directly on the unit, so that nobody can "borrow" it form you and use it? Good point, but you don't have to type PIN on this small and uncomfortable keyboard, you can add it at the more convenient way: type some extension on the existing passwords. So, when you generate new password, use the PC keyboard to type your "pin" on after it, and then store the extended password (there will be no conflict between USB keyboards on the computer). You have to do the same each time you use your password. This can be the same sequence of (say 4, or so) characters for all passwords.

GitHub link: https://github.com/vantonic/password_manager

Here's a brief demo:


  • 1 × PIC18F2455 (or PIC18F2550) Microcontroller, SO28
  • 1 × LM358 SO8, Amplifier and Linear ICs / Operational Amplifiers
  • 1 × 4 MHz Ceramic Resonator SMD ceramic resonator
  • 1 × Red LED round, 3 mm through-hole
  • 1 × Blue LED Round, 3 mm through-hole

View all 18 components

  • Version B prototype

    Voja Antonic08/17/2015 at 14:38 8 comments

    My PCBs arrived at last, so I can build the final prototype, with much simpler hardware.

    The main modification is in True RNG hardware - istead of external white noise generator, which also worked fine, now I use the uninitialized internal RAM state. I described that process at http://hackaday.com/2015/06/29/true-random-number-generator-for-a-true-hacker/, so I won't write about it here.

    I have built six units (that much I promissed to my friends), and everything works great. Here is the first photo:


  • Hacker's True RNG

    Voja Antonic06/07/2015 at 08:58 2 comments

    How to save a lot of components, time and board space? White noise TRNG (True Random Number Generator) works fine - it is the standard solution for low-cost (and yet relatively high quality) random numbers, but it needs a lot of external components and takes two thirds of PCB space. Why can't we use some software PRNG (Pseudo RNG) instead of it?

    Most gaming machines use that solution, and it works fine, but in this case it won't be a good idea. Here's why.

    PRNG starts from some known seed and it always produces the same sequence when initialized with the same state. That's why gaming machines constantly employ their PRNGs to generate dummy random numbers (and thus new seeds) frequently. When someone starts playing the game, he can't say how many times seed was changed, so it appears as truly random number generator.

    This project works in the other way - if you want to create the new password, you plug the unit in USB port and press two buttons (new-A...D). It could be very fast and thus predictable, even if you have a good PRNG with long sequence. But if we could generate the truly random seed for PRNG, we could solve the problem.

    PIC MCUs don't have internal hardware for TRNG, but there is one resource which we can use, specifically with this project. When you apply power to the MCU, its internal Data RAM will have the unknown contents. Each flip-flop will be initialized to 0 or 1 state, which could the consequence of imperfection of internal circuits, but in most cases it will depend on thermal noise. That's why the contents of RAM is different each time it's switched on.

    This feature is used for seed generation. Some flip-flops will always have the same state, but it doesn't matter, as most of them will be random. Our TRNG routine has to generate only eight bytes of TRNG sequence, so we can use many bits to make only one random bit. It will XOR the first 256 bytes of RAM to generate first byte, and so on - 256 bytes guarantee that there will be enough truly random (or, to be more specific, unpredictable) bytes. As this MCU has 2K of Data RAM, we shall have eight truly random 8-bit numbers. Four of them are used as 32-bit PRNG seed, and the remaining four are used for additional scrambling of PRNG results: if bit 0 in byte 0 (or 1,2,3) is set, then the result byte will be XORed with byte 4 (or 5,6,7), which was generated during initial RAM XORing. There is one more scrambling at the end - randomization sequence is constantly dummy invoked at about 70 KHz rate while MCU is waiting for the key to be pressed.

    All this guarantees that excluding of TRNG hardware (white noise generator and DC-DC convertor) won't cause any performance degradation. The same procedure of seed creation can be used for other applications, keeping in mind the main thing - RAM contents must be uninitialized and used as-is, immidiatelly after power on. Here we need chaotic (high entropy) RAM contents, so we can't use no battery backup or high capacity decoupling - keep in mind that CMOS RAM retention voltage can be pretty low. That is why there is no RAM initializaton in firmware (except the small "housekeeping" portion), and there is 1K resistor in parallel with MCU supply line (bottom left on the yellow highlighted schematics diagram), it guaranees that RAM will not remember anything from its previous "reincarnations"!

    There is one more suggestion. Instead of 18F2455 (or 2550), it is better to use 18F24K50 (or 25K50). It is significanly cheaper (around half a price), it has internal clock source accurate enough for USB application, and internal MCLR pull-up.

    Now there are only a few electronic components. USB and ICSP connectors, slightly smaller keys, LEDs and MCU (now in SSOP package) are still here, but there are only two capacitors and three resistors - that's all. I made the new PCB project, here it is compared to the first version. Dimensions of the final unit (excluding USB connector) will be 65x17x9.5 mm.

    And the component placement:

    Here are some tests of...

    Read more »

  • Firmware is finished

    Voja Antonic06/01/2015 at 22:31 0 comments

    Firmware is complete (assembly language), at least beta version. Works great, but testing is still in progress.

    Source filea are available at http://www.voja.rs/PROJECTS/npr.htm

    By the way, to keep your passwords safe in this unit, you should...:

    - Never click on "Remember password" option when your browser asks you
    - Never leave this hardware unattended in the group of people
    - All the passwords are in MCU Flash, don't keep them anywhere else, except on the backup paper
    - If you use it on some public computer, change the password when you arrive home
    - Scan your computer for Trojans frequently, as the only drawback of this approach is possibility that some Key Logger or similar spy program is installed in your computer.

  • Final assembly

    Voja Antonic05/29/2015 at 16:27 0 comments

    I received PCBs from my supplier and built the final version of the unit. Now I shall show it around to my friends, to hear their opinion.

    I have upgraded the firmware a little. I added more password registers, so there are eight instead of four passwords. I also rearanged key functions a little, so the key which was named RNG will act as "Mode switch" key - it toggles between RED and BLUE led. Key NEW acts similarly to Shift or Ctrl key on the computer.

    Here is the key function list:

    Key ....................Red mode ..........................................Blue mode

    A: .......................Type password A ............................Type password E
    B: .......................Type password B ............................Type password F
    C: .......................Type password C ............................Type password G
    D: .......................Type password D ............................Type password H
    NEW-A: ............Create and type password A ......Create and type password E
    NEW-B: ............Create and type password B ......Create and type password F
    NEW-C: ............Create and type password C ......Create and type password G
    NEW-D: ............Create and type password D ......Create and type password H

    Special functions:

    RNG: Toggle between Red mode and Blue mode (this key will be renamed)
    NEW-RNG in RED mode: Type password list
    NEW-RNG in BLUE mode: Hex random stream

    If the mode is RED, then the last command (NEW-RNG) is for backup password list creating. You open some text editor (Notepad or so), press NEW-RNG and get something like this (this was not typed on keyboard, byt generated directly from my unit - the only thing that I added are dots, as this editor does not like spaces in a row and does not support proportional fonts):

    Password list

    A: YwymSBLIf3GyzPyTuV0 .......... 34
    B: 44XKZRtY9nJ7rouW2l ................ 2
    C: BwULbiSIsS9pXyxl7b9 ............ 82
    D: x0W2QMXWQuxOOVk ............ 19
    E: yGa3poQ8SiuIEBGMZexc .......... 1
    F: M5jVWc16Au8OmtYb ............... 36
    G: c9bkTP9f8nbVzI6dkT13 ............. 1
    H: Jeq6XTqRI1bR4Kg6 .................... 2

    The last column shows how many times the password was invoked since it was created (this number should be at least 1, as the password is automayically invoked once immediately after its creation). You can use this counter state to check if someone used it without your knowledge.

    Now you can print the password list and keep the paper at some safe place (do not keep it as a file on the computer - why did you build this unit then?)

View all 4 project logs

  • 1
    Step 1

    As the enclosure is made of FR4 (PCB material), all electronic components should be soldered first, as it will be harder after the whole enclouser assembing.

  • 2
    Step 2

    Program the MCU (software is available at http://www.voja.rs/projects) and then measuer the voltages at DC-DC convertor outputs (9-9.5 and 4-4.5V). DC-DC convertor will not work if MCU is not programmed and running.

  • 3
    Step 3

    Check if the noise signal is present at MCU AN0 input (you can use oscilloscope or, if you don't have one, you can also connect it to PC speakers input to hear the noise).

View all 4 instructions

Enjoy this project?

Share

Discussions

Starhawk wrote 09/06/2019 at 20:24 point

I love the illustration there... ;)

  Are you sure? yes | no

Bartosz wrote 01/29/2017 at 09:47 point

this vill be beter https://hackaday.io/project/3555-zamek-the-offline-pocket-password-manager

please think about:

* One time password

* switch to PREVENT change firmware from host.

look at yubikey and creating compatibility machine

  Are you sure? yes | no

lond wrote 06/04/2015 at 11:33 point

Nice design!

Is it possible to change the blue led to a RGB-led to expand the memory banks and just use the red led for status?

/// Marcus

  Are you sure? yes | no

Voja Antonic wrote 06/04/2015 at 13:59 point

Sure, there are enough free output ports on the MCU. There is only one question - is there need to introduce confusing color code for more than 8 passwords, which will probably never be used

  Are you sure? yes | no

Matt Henderson wrote 06/03/2015 at 17:20 point

I had the same idea at one point, never took the time to implement it though; Well done!

  Are you sure? yes | no

davedarko wrote 05/31/2015 at 19:00 point

Wow! This is an awesome case design! And I like the HID approach and analog backup :)

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates