180 lines
7.1 KiB
Markdown
180 lines
7.1 KiB
Markdown
# Motenpoche
|
|
|
|
Motenpoche ([mot-ɑ̃-pɔʃ] - like in *"Mot en poche"*, French for "word in [your] pocket")
|
|
is a physical password vault to carry around your secrets securely. Once connected
|
|
to a PC and unlocked with a main passphrase it will paste passwords selected from
|
|
your collection by pressing a button.
|
|
|
|
Passwords can be provisioned with the help of a host-side command line tool that
|
|
can be run on a GNU/Linux PC, either one by one or importing from an existing
|
|
(software) vault.
|
|
|
|
## Status
|
|
|
|
This project is still in an early alpha phase and has not been properly tested yet.
|
|
|
|
There are in particular, the following known security issues:
|
|
|
|
- No proper string boundary check
|
|
- No proper serial protocol hardening
|
|
- Incomplete password wiping from memory after use
|
|
|
|
Use at your own risk, no guarantee provided on loss of secret data, service
|
|
profiles, bank details or other relevant information that have been stored on the
|
|
device. The author and the contributors recommend not to use this software for any
|
|
purpose other than security auditing, research and study, and they cannot be held
|
|
responsible or any damage of any kind resulting from any proper or improper use.
|
|
|
|
## Software License
|
|
|
|
The software distributed in this project is uniquely released under the terms of
|
|
GNU GPL v.2.
|
|
|
|
## What is this for
|
|
|
|
I'm lazy and skeptical when it comes to distributed password managers. I don't
|
|
like the idea of keeping a wallet of passwords on a cloud server. On the other
|
|
hand, I'm oftern traveling and carrying a laptop, where I must periodically update
|
|
my password database if I want to access services when I'm abroad.
|
|
|
|
This system was created to have a temporary physical storage that can be carried
|
|
around (and lost, or forgotten on a public transportation...) with reduced risk.
|
|
|
|
More features may be available in the future based on user experience.
|
|
|
|
## Hardware design
|
|
|
|
The design is based on the rp2040 "Raspberry Pi Pico" board, with a few components
|
|
and peripherals connected as shown here:
|
|
|
|
![motenpoche schematic](doc/png/motenpoche_sch.png)
|
|
|
|
|
|
### Pinout
|
|
|
|
Here is a recap of the pins used on the Raspberry PI, as configured by the
|
|
software in this repository:
|
|
|
|
| Pin | Function | Connects to | Pullup/pulldown |
|
|
| --- | -------- | ----------- | --------------- |
|
|
| GPIO2 | FUNC\_SPI | SPI Flash SCLK | none |
|
|
| GPIO3 | FUNC\_SPI | SPI Flash MOSI | none |
|
|
| GPIO4 | FUNC\_SPI | SPI Flash MISO | none |
|
|
| GPIO5 | OUT | SPI Flash CS | none |
|
|
| GPIO16 | OUT | Green LED cathode | none |
|
|
| GPIO17 | OUT | Red LED cathode | none |
|
|
| GPIO18 | IN | Rotary Keypress | pull-up |
|
|
| GPIO19 | IN | Rotary S1 | pull-down |
|
|
| GPIO20 | IN | Rotary S2 | pull-down |
|
|
| GPIO21 | IN | Pushbutton "Back" | pull-down |
|
|
| GPIO22 | IN | Pushbutton "Confirm" | pull-down |
|
|
| GPIO26 | FUNC\_I2C | I2C Display SDA | none (automatic pull-up) |
|
|
| GPIO27 | FUNC\_I2C | I2C Display SCL | none (automatic pull-up) |
|
|
|
|
## How it works
|
|
|
|
The siple idea behind it is that the device does not carry any secret in plain
|
|
text. The passwords are stored on an external SPI flash, encrypted and signed with
|
|
unique keys created when the device is initialized.
|
|
The encryption key is symmetrical (ChaCha) and can be derived on board using the
|
|
main passphrase, which is entered through the rotary and the confirm button.
|
|
|
|
The signature key (ECC256) is created during device initialization on the PC that
|
|
holds it. The key is then used to sign the passwords to be added to the vault.
|
|
|
|
Passwords can be provisioned using the host tool, either one by one, or importing
|
|
from a CSV file previously exported from, e.g. a software password manager
|
|
or a web browser.
|
|
|
|
When the device is unlocked, selecting the service needed from the "Services" menu
|
|
will paste the password onto the PC. The user should ensureto select the right
|
|
password box before activating the service on the device to prevent password leaks
|
|
in clear text on the PC screen.
|
|
|
|
Multiple paste modes are available from the "Settings" menu onboard. The device
|
|
can for example fill username + password web forms automatically, by typing in the
|
|
username, then the TAB key, then the password and finally ENTER.
|
|
|
|
### Initialization
|
|
|
|
The device can be initialized using a TOFU (Trust on First Use) mechanism. When
|
|
the device is in "factory mode", it can be initialized using the host command line
|
|
application, selecting the "TOFU" function. The application will then ask to input
|
|
(and confirm) the main password that will be used to unlock the device.
|
|
As mentioned, this procedure also creates the main signature key to provision
|
|
passwords. If you want to be able to add passwords to the vault from different
|
|
PCs, ensure that you carry a copy of the key generated in `~/.pvault/`.
|
|
|
|
### Adding password services
|
|
|
|
Passwords can be provisioned using the host tool, either manually or importing
|
|
them from a CSV file. The information is then encrypted on the PC using the main
|
|
password, signed using the signature key and transmitted to the device.
|
|
|
|
The device must be unlocked in order to receive password services to add to the
|
|
database. Uploading a single password may take a few seconds because the device
|
|
verifies that the source of the information is trusted.
|
|
|
|
|
|
### What does the PC see?
|
|
|
|
When you connect motenpoche to your PC, it will show up as three different
|
|
devices:
|
|
|
|
- A USB drive, containing the source and the binary of the host command line tool `mep` [TODO]
|
|
|
|
- A serial port (typically /dev/ttyACM0), used by the host command line tool to communicate
|
|
with the device, initialize it after factory reset and upload passwords.
|
|
|
|
- A HID keyboard device. Motenpoche will use a 'fake' keyboard to input the selected
|
|
password when requested.
|
|
|
|
### Security considerations
|
|
|
|
- The algorithm used to generate the encryption key is PBKDF2, using SHA512 for
|
|
hashing, and a random salt generated when the device is initialized
|
|
|
|
- Neither the passwords, nor the main secret, or any private key is ever stored
|
|
on the device. When the device is turned off, the storage is encrypted.
|
|
|
|
- Password checking is performed on board by decrypting the signature stored in the
|
|
initial settings page, and then checking for the integrity (sha) and
|
|
authenticity (ecc signature) of the page itself.
|
|
Each password is then decrypted on demand and sent to the PC through the HID
|
|
keyboard device.
|
|
|
|
- Passwords can still be intercepted by a keylogger, e.g. using a USB sniffer.
|
|
(This is not very different from an actual USB keyboard).
|
|
|
|
- Main keys and passwords are never transmitted via USB.
|
|
|
|
|
|
### Future development
|
|
|
|
- The command line tool `mep` might have a function to "rekey" the device, changing
|
|
the salt and the constant part of the IV used for the encryption
|
|
|
|
- Store private keys / custom secret files in the storage device. Those would be
|
|
invisible until the device is unlocked.
|
|
|
|
## Compiling and flashing to Raspberry-pi pico:
|
|
|
|
To compile the firmware run the following from the source directory:
|
|
|
|
```
|
|
mkdir build
|
|
cd build
|
|
make -C ../msc_content
|
|
cmake .. -DFAMILY=rp2040 -DPICO_SDK_PATH=/path/to/motenpoche/pico-sdk
|
|
```
|
|
|
|
### Host tool
|
|
|
|
A copy of the host tool `mep` is in the `msc_content` directory. Compile using
|
|
"make", then run the tool pointing it to the correct USB serial device, e.g.:
|
|
|
|
```
|
|
./mep /dev/ttyACM0
|
|
```
|
|
|
|
|