Cipherbox

by Northstrix in Circuits > Microcontrollers


With the development of cryptanalysis and new hacking techniques, the cost of accessing your data without your authorization continues to decline, making it easier and more attractive for different sides to get it.

I'm not going to get into details about the motivation of each side and the goals they're trying to achieve by obtaining your data. Instead, I would like to focus on the solution to that problem.

In my opinion, the only way to keep your data private is to raise the costs of unauthorized access to it as high as possible, ideally higher than any reward that a third side can get by obtaining your data. Doing so puts away the incentives to access your data without your permission.

To raise the cost of unauthorized access to your data, I've developed cipherbox.

Cipherbox is what I consider to be a cryptographic swiss knife.

It utilizes six encryption algorithms, and it's also a vault that's locked with four RFID cards, your username, and password. Not to mention that several people can use it without interfering with one another (I guess you can also turn it into a service).

Cipherbox consists of three microcontrollers: ESP32, Arduino Uno, and ESP8266.

ESP32 is the device's core. All encryption algorithms and SQLite run on it.

The Arduino Uno serves as a keyboard driver and an intermediary between the ESP32 and the RFID reader.

ESP8266 is the receiver that only runs the AES + Serpent encryption algorithm in the decryption mode.

Supplies


Supplies for the vault:

  • ESP32 x1
  • Arduino Uno x1
  • 2.4 Inch TFT LCD with ILI9341 x1
  • Mifare RC522 x1
  • RFID cards x4
  • PS/2 Keyboard x1
  • PS/2 Port x1
  • 580 ohm resistors x2
  • LED x1
  • 10µF capacitor x1 *optional


Supplies for the receiver:

  • ESP8266 x1
  • Nokia 5110 display x1

Encryption Algorithms


Out of 6 encryption algorithms utilized by this device, 4 perform something called superencryption.

As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

Organizing encryption algorithms in that way makes it easy to build a combined encryption algorithm that is at least as strong as the strongest one in the cascade, has a longer key, might be more resistant to some attacks, and might produce a ciphertext with higher entropy. Anyway, it won't hurt to have an additional layer of security (or several of them).

Now, let's get to the description part.

I would like to begin with the fact that all encryption algorithms utilized by this device are symmetric (the same key is used both to encrypt and to decrypt data).

The first four algorithms on the list perform superencryption. The first five make use of initialization vectors and random numbers during the encryption process to prevent chosen-plaintext attacks and increase the entropy of the ciphertext.

  • Blowfish + AES + Serpent + AES is the strongest encryption algorithm utilized by this device. It takes 8 characters as input and produces a 64-character output. (I bet it can also be classified as quantum-resistant).
  • AES + Serpent + AES is almost the same as Blowfish + AES + Serpent + AES, except for the Blowfish part.
  • AES + Serpent is a bit weaker than the previous two but still strong enough to keep your data secure.
  • Blowfish + Serpent is an encryption algorithm that takes 8 characters as input and produces a 32-character output.
  • Serpent is a bare minimum for keeping your data secure. It takes 8 characters as input and produces a 32-character output.
  • AES. If I were you, I would pay attention to that one. The implementation of AES utilized by this device is not exactly what I would call secure. It still works, and it's still able to encrypt your data, but it doesn't utilize the advantages of an IV and random numbers during the encryption process. It produces the same ciphertext each time you encrypt the same message, which makes it vulnerable to the chosen-plaintext attack, and especially vulnerable to cryptanalysis. The only reason I even put it there is that I wanted to give you an option to play with the "bare AES."
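What "the same ciphertext each time" gives away to someone who only watches the ciphertexts, as an added example that is not code from Cipherbox. The Python standard library has no AES, so a 4-round Feistel network keyed with HMAC-SHA256 stands in for the block cipher; the function names, key and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per block, the same block size AES uses

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    """Stand-in block cipher (4-round Feistel). NOT AES; for illustration only."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def encrypt_bare(key, msg):
    """Deterministic, like the "bare AES" mode: equal input gives equal output."""
    return toy_encrypt_block(key, msg)

def encrypt_with_iv(key, msg):
    """Randomized: a fresh IV is mixed into the plaintext and sent alongside."""
    iv = secrets.token_bytes(BLOCK)
    return iv + toy_encrypt_block(key, _xor(iv, msg))

def decrypt_with_iv(key, ct):
    iv, body = ct[:BLOCK], ct[BLOCK:]
    return _xor(iv, toy_decrypt_block(key, body))

def equal_pairs(ciphertexts):
    """What a passive observer learns: which messages were identical."""
    n = len(ciphertexts)
    return [(i, j) for i in range(n) for j in range(i + 1, n)
            if ciphertexts[i] == ciphertexts[j]]

# Constructed sample data: three 16-byte messages, the first and last identical.
KEY = bytes(range(32))
MESSAGES = [b"vote: candidateA", b"vote: candidateB", b"vote: candidateA"]

if __name__ == "__main__":
    bare = [encrypt_bare(KEY, m) for m in MESSAGES]
    randomized = [encrypt_with_iv(KEY, m) for m in MESSAGES]
    print("bare, repeated messages visible at:", equal_pairs(bare))
    print("with IV, repeated messages visible at:", equal_pairs(randomized))
```

Without reading a single plaintext byte, the observer of the deterministic mode knows that the first and third messages match; with a fresh IV per message that information is gone.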

Install Drivers and Configure Arduino IDE *Optional

If you've never flashed an ESP32 or ESP8266 before, you'll need to configure the Arduino IDE and install drivers to upload the firmware to the boards. You can find the drivers here:

CP210x driver for ESP32: https://www.silabs.com/developers/usb-to-uart-brid...

CH340 driver for ESP8266: https://sparks.gogo.co.nz/ch340.html

In case you don't have Arduino IDE, you can download it here: https://www.arduino.cc/en/software

Configuring the IDE isn't a part of this tutorial. You can read about it here:

ESP32: https://randomnerdtutorials.com/installing-the-esp...

ESP8266: https://randomnerdtutorials.com/how-to-install-esp...

Download Firmware From GitHub


You can download the firmware here: https://github.com/Northstrix/Cipherbox


Download and Install the Libraries

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_ILI9341: https://github.com/adafruit/Adafruit_ILI9341

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

PS2Keyboard: https://github.com/PaulStoffregen/PS2Keyboard

esp32_arduino_sqlite3_lib: https://github.com/siara-cc/esp32_arduino_sqlite3_lib

espsoftwareserial: https://github.com/plerup/espsoftwareserial/

rfid: https://github.com/miguelbalboa/rfid

nokia-5110-lcd-library: https://github.com/platisd/nokia-5110-lcd-library

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

Install ESP32 Filesystem Uploader


The primary purpose of the ESP32 Filesystem Uploader is to let you upload files into ESP's filesystem. In this tutorial, the purpose of this tool is to upload an empty SPIFFS image into ESP.

Download the file called ESP32FS-1.0.zip from here: https://github.com/me-no-dev/arduino-esp32fs-plugin/releases/

then extract the content of the archive into the folder: ...\Arduino\Tools\

After that, restart the Arduino IDE.

Format ESP32's Built-In Flash Memory


Click Tools -> ESP32 Sketch Data Upload. Then click Yes in the pop-up window. The program is going to format the built-in flash memory.

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured the IDE correctly, installed the drivers, selected the corresponding port, and still keep getting the error "A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header", connect a 10µF capacitor to the board while flashing:

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

Generate Keys


To make the unauthorized deciphering of your data computationally infeasible, it is crucial to generate your own keys and never reuse them.

The best way to generate the keys is to throw a 20-sided die.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.


There's also an easier option.

I modified one of my previous projects to work as a random number generator. The generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk.

To generate the keys - launch gen.exe from the Untested RNG folder, and then click the "Generate keys for Cipherbox" button. The background turns from black to blue when you press that button.
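The dice procedure above as a script, added here as an example and not part of the Cipherbox repository: it applies the same mapping to recorded rolls, shows why the 16-19 rerolls matter by counting how many die faces lead to each hex digit, and offers the operating system's CSPRNG as a tested alternative to dice. The function names, the sample rolls and the 32-byte key length are assumptions.

```python
import secrets

HEX = "0123456789ABCDEF"

def roll_to_hex(roll):
    """Tutorial mapping: 1-9 digits, 10-15 A-F, 20 -> 0, 16-19 -> None (reroll)."""
    if not 1 <= roll <= 20:
        raise ValueError(f"not a d20 result: {roll}")
    if roll <= 15:
        return HEX[roll]
    return "0" if roll == 20 else None

def modulo_shortcut(roll):
    """Tempting shortcut that never rerolls. Shown only to expose its bias."""
    return HEX[roll % 16]

def faces_per_digit(mapping):
    """For each hex digit, count how many of the 20 faces produce it."""
    counts = dict.fromkeys(HEX, 0)
    for face in range(1, 21):
        digit = mapping(face)
        if digit is not None:
            counts[digit] += 1
    return counts

def rolls_to_key(rolls, n_bytes):
    """Convert recorded rolls to n_bytes of key material as a hex string."""
    digits = [d for d in map(roll_to_hex, rolls) if d is not None]
    if len(digits) < 2 * n_bytes:
        raise ValueError(f"{len(digits)} usable rolls, need {2 * n_bytes}")
    return "".join(digits[:2 * n_bytes])

def csprng_key(n_bytes):
    """Same output format, drawn from the operating system's CSPRNG."""
    return secrets.token_hex(n_bytes).upper()

if __name__ == "__main__":
    recorded = [1, 17, 20, 15, 10, 19, 9, 3]  # constructed sample rolls
    print(rolls_to_key(recorded, 2))           # two of the rolls are discarded
    print(faces_per_digit(roll_to_hex))        # every digit: exactly one face
    print(faces_per_digit(modulo_shortcut))    # digits 1-4: two faces each
    print(csprng_key(32))                      # 32 bytes is an assumed key length
```

With the rerolls every hex digit is equally likely; reducing the roll modulo 16 instead would make the digits 1 to 4 twice as likely as the rest. Expect about 1.25 rolls per hex digit.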

Get the Receiver's MAC Address


To get the receiver's MAC address, upload this code into the ESP8266.

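#include <ESP8266WiFi.h>

void setup() {
  Serial.begin(115200);              // must match the Serial Monitor baud rate
  Serial.println();
  Serial.println(WiFi.macAddress()); // print this board's MAC address
}

void loop() {
  // nothing to do; the address is printed once at boot
}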

Then open the Serial Monitor, and reboot the board.

If done correctly, you should see the MAC address in the console.

The MAC address of this board is 5C:CF:7F:FD:85:1D

Modify the Firmware


Open the files "Firmware_for_ESP32.ino" and "Firmware_for_ESP8266.ino" from the folders "Cipherbox-main\V1.0\Firmware_for_ESP32" and "Cipherbox-main\V1.0\Firmware_for_ESP8266" and then replace my keys with those you've generated.

The vault requires six keys, while the receiver only needs two. Make sure that projection_key and proj_serp_key are the same on both devices.

Don't forget to replace the receiver's MAC address in the line

uint8_t broadcastAddress[] = {0x5C, 0xCF, 0x7F, 0xFD, 0x85, 0x1D}; // Receiver's MAC address

in the file Firmware_for_ESP32.ino


Flash the Arduino


Upload the firmware from the folder "Cipherbox-main\V1.0\Firmware_for_Arduino" into the Arduino.

Flash the ESP32


Upload the firmware from the folder "Cipherbox-main\V1.0\Firmware_for_ESP32" into the ESP32.

Flash the ESP8266


Upload the firmware from the folder "Cipherbox-main\V1.0\Firmware_for_ESP8266" into the ESP8266.

Assemble the Vault


Assembling the vault shouldn't be hard. In my opinion, the most tangled part of it is to connect the PS/2 port in the right way.

Circuit Diagram for the Vault

[Image: circuit diagram of the vault]

Assemble the Receiver


The receiver is even easier to assemble. Just connect the display to the ESP8266.

Circuit Diagram for the Receiver

[Image: circuit diagram of the receiver]

Power Up the Vault and Present Four RFID Cards

Ok, it's time to unlock the vault. Power the vault up and then hold four RFID cards up to the reader, one after another. You need to present the cards in exactly the same order every time you unlock the vault, or you won't be able to decrypt your stuff.


Important thing: If you want to reboot ESP32, reboot all boards. And if the keyboard suddenly stops working as intended, only reboot the Arduino Uno.

Log in to the Vault


Well, it's more like "sign up and immediately log in" the first time you're entering a new username and password. Every other time, it's just "log in."

You can enter any username and password you want, just make sure to keep them both secret. Let me explain why. The username determines the name of the database that will be used to store your notes, while the password is used in the key derivation process.

If an attacker discovers your username, an attacker will be able to delete all your logins and notes. If an attacker discovers your username and password, an attacker will be able to decrypt all your stuff.

Although if you don't need the vault capabilities and only want to use ciphers, you can log in under any username or leave the username field empty. Just make sure to always enter the same password, or you won't be able to decrypt your ciphertexts.

Press "Tab" to move between fields. The current field is indicated by the inscription below. When you're done, press "Enter" to log into the vault.

I got the verification number 6117 for the password "1234567890-=qwertyuiop[]asdfghjkl;'zxcvbnm,./LKJHGFDSA?><MNBVCXZ+_(*&^%$#@!"


After logging in, you get to the main menu:

Press ↓ (Down Arrow) to go down the menu.

Press ↑ (Up Arrow) to go up the menu.

Press ← (Left Arrow) or → (Right Arrow) to change the AES mode.

Encrypt Text


Open the Serial Monitor and set the baud rate to "115200" because the ciphertext will be printed into the Serial Monitor.

To encrypt text, select the desired encryption algorithm in the menu and press "1" on the keyboard. After that, enter the text that you want to encrypt and press "Enter" to encrypt it.


Eventually, I came up with these results:


Plaintext:

Cipherbox is what I consider to be a cryptographic swiss knife. The existence of this device wouldn't've been possible without a lot of open source code that I've found on the Internet and put together.

Ciphertext:

4c31cfb14b75d0ba0902f1c5fc243471dab7dca6e94fd89d07936b969bff63980311223bd62d9cf4d012235cf308e41c3c431f2e1ca78e3778341cc7ed21d2dd0f878187ff15d34fa42f8ede7c490ee3a18d81beed0599df1d4ad8619abef667ae5ba9cec776dc348e532e61f448c74883a2cd54c6f583ca3d10d01d2a2dd7bb682c8c2b579fec10a93772324e39db0afa09667b0b4b3631d033690b9868a32ccce7592bafb4280d46b3aa6ad44c0f51749fd7d7698944286342c9107690f90b0021d0d87ae831298f9f89dfc486b8f2d4ed36d901fa602a13fb7f9f7086fcd0f2da1ab23d65dc1cf87dd3eecff73a97d90ea16528d1a42f9d74bc7e2f742c80c2ba820f0195318eb680ffa7e69ca00a0c142f4edc05815412f58a9a5056a8620fc79e521c658d3865411baf1f41bfa88370124a400f36b4ae1dfa5e09036d22c9696c42faa7ec0020f9a9f417de42c04d60d92c941e7aa3f8f5aa305840de88a9b866e3b99966f556b45482c3c7b889db214fa642b395f61d64ddae03142742dc1e4c5300559bf9157af0c4ce3922d0f3843398a6ecbb2cb5eafd679f4ee814bfb7e3d675e16bc1c27cf8f97438454836a1ce806243da42292428f9e82e73eb5bcb55c45f55550cb0bce6b909bbd2f47fe2946c82148a12a4a28ed6d4fa435c6f6bd1cfa0961fd76ac3a23d7bfcfe3aad723e5898821ad4f6fb6a966b37e5343e028ceac0d562954ad7346d1d4ea04ed573feeeb3e4707e06f41777e7e77172caef4039b2c8a6f08e87f93a528d3591d3e90406a3bbf5ce4da651a129529c92c99da7c63d41b6ee645ebaa664950259f02f9e102a563d676cfc091371dd87321f3f99033399edb02631ddeb973801f1e310bbf4ca9a1aaec375a104baaddb3e0f0992b306a34db3505feb199c2e823f9e7f32cf42ea43d24dc494bd66e6bb9eca4f956a63195c17c7b6d1f345e4a0bcc50373d1d610fe143fa96046234832c62f58438242ac845fcbc00dccc121da6a902f53e467b7df936d3eed47da7548c92df0498d143db4a2a00cb1e8390b64a95f6f38c593b9e3e8587e88d1696ab52b71caa14d2d20fc7829b329c098ce87b576efdd761dd9e4a5d8fb0f1a6f9dab0bb28c5595fcb928215bc3e67695096de5c2107da3de17d49c436abc600eb58341

Decrypt Text


Open the Serial Monitor and set the baud rate to "115200" because you'll need to paste the ciphertext into the Serial Monitor.

To decrypt text, select the encryption algorithm that was used to encrypt the text in the menu and press "2" on the keyboard. After that, paste the ciphertext into the Serial Monitor and press "Send."


Eventually, I came up with these results:


Ciphertext:

4c31cfb14b75d0ba0902f1c5fc243471dab7dca6e94fd89d07936b969bff63980311223bd62d9cf4d012235cf308e41c3c431f2e1ca78e3778341cc7ed21d2dd0f878187ff15d34fa42f8ede7c490ee3a18d81beed0599df1d4ad8619abef667ae5ba9cec776dc348e532e61f448c74883a2cd54c6f583ca3d10d01d2a2dd7bb682c8c2b579fec10a93772324e39db0afa09667b0b4b3631d033690b9868a32ccce7592bafb4280d46b3aa6ad44c0f51749fd7d7698944286342c9107690f90b0021d0d87ae831298f9f89dfc486b8f2d4ed36d901fa602a13fb7f9f7086fcd0f2da1ab23d65dc1cf87dd3eecff73a97d90ea16528d1a42f9d74bc7e2f742c80c2ba820f0195318eb680ffa7e69ca00a0c142f4edc05815412f58a9a5056a8620fc79e521c658d3865411baf1f41bfa88370124a400f36b4ae1dfa5e09036d22c9696c42faa7ec0020f9a9f417de42c04d60d92c941e7aa3f8f5aa305840de88a9b866e3b99966f556b45482c3c7b889db214fa642b395f61d64ddae03142742dc1e4c5300559bf9157af0c4ce3922d0f3843398a6ecbb2cb5eafd679f4ee814bfb7e3d675e16bc1c27cf8f97438454836a1ce806243da42292428f9e82e73eb5bcb55c45f55550cb0bce6b909bbd2f47fe2946c82148a12a4a28ed6d4fa435c6f6bd1cfa0961fd76ac3a23d7bfcfe3aad723e5898821ad4f6fb6a966b37e5343e028ceac0d562954ad7346d1d4ea04ed573feeeb3e4707e06f41777e7e77172caef4039b2c8a6f08e87f93a528d3591d3e90406a3bbf5ce4da651a129529c92c99da7c63d41b6ee645ebaa664950259f02f9e102a563d676cfc091371dd87321f3f99033399edb02631ddeb973801f1e310bbf4ca9a1aaec375a104baaddb3e0f0992b306a34db3505feb199c2e823f9e7f32cf42ea43d24dc494bd66e6bb9eca4f956a63195c17c7b6d1f345e4a0bcc50373d1d610fe143fa96046234832c62f58438242ac845fcbc00dccc121da6a902f53e467b7df936d3eed47da7548c92df0498d143db4a2a00cb1e8390b64a95f6f38c593b9e3e8587e88d1696ab52b71caa14d2d20fc7829b329c098ce87b576efdd761dd9e4a5d8fb0f1a6f9dab0bb28c5595fcb928215bc3e67695096de5c2107da3de17d49c436abc600eb58341

Plaintext:

Cipherbox is what I consider to be a cryptographic swiss knife. The existence of this device wouldn't've been possible without a lot of open source code that I've found on the Internet and put together.

Add Login


To add a login, select "Login" in the menu and press "1" on the keyboard. After that, enter the title, username, password, and website. Press "Enter" when you've finished entering the data to move to the next window.

According to the tests that I've conducted during the development of my previous projects, the ESP32 is able to encrypt and decrypt a record with a length of 700 characters without any problems. So, technically, you can put 700 characters into each field in every category.

All credentials are fictional (just in case).

View List of All Logins


To show all logins, select "Login" in the menu and press "5" on the keyboard. You will see all titles with usernames. If the logins don't all fit on the screen, you can always open the Serial Monitor and see the complete list there.

I've added another record to fill the list.

All credentials are fictional (just in case).

View Login


To view a login, select "Login" in the menu and press "4" on the keyboard. You will see all titles with their corresponding numbers on the left. To view a record, enter the number of the record on the keyboard and press "Enter."

The "Remove" option works exactly the same as the view option with only one exception. It's called by pressing "2."

All credentials are fictional (just in case).

Edit Login


To edit a login, select "Login" in the menu and press "2" on the keyboard. You will see all titles with their corresponding numbers on the left. To edit a record, enter the number of the record on the keyboard and press "Enter." After that, enter the new password for the record and press "Enter" to save the changes. Press "Esc" to cancel.

All credentials are fictional (just in case).

Send Text to Receiver


Cipherbox gives you the ability to securely send a text to a distance of up to 650 feet (200 meters).

To send the text to the receiver: Press the "Tab" button on the keyboard, enter the text you want to send, and press "Enter" to send it. I was able to send an 84-character text without any problems. The received text is also shown in the Serial Monitor.

Attention!!! The receiver is vulnerable to the replay attack (that's when an attacker resends packets captured earlier). So, either make sure to keep the firmware and both ESPs away from anyone who's not authorized to work with them, or don't send extremely sensitive information over the air.

I identify this as the weakest point of this device. Beware of it!!!
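One common way to close the replay gap described above, added here as an example that is not part of the Cipherbox firmware: the sender numbers every packet and authenticates the number together with the ciphertext, and the receiver only accepts authentic packets with a number higher than any it has already seen. The sketch models the logic in Python; the packet layout, the separate MAC key and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag

def _tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:TAG_LEN]

class Sender:
    """Vault side: numbers every packet and authenticates number + ciphertext."""
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.counter = 0  # on real hardware this must survive reboots

    def seal(self, ciphertext):
        self.counter += 1
        header = struct.pack(">Q", self.counter)
        return header + ciphertext + _tag(self.mac_key, header + ciphertext)

class Receiver:
    """Receiver side: accepts a packet only if it is authentic and newer."""
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.last_seen = 0  # highest counter accepted so far

    def open(self, packet):
        if len(packet) < 8 + TAG_LEN:
            return None
        signed, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.mac_key, signed)):
            return None  # forged, corrupted, or counter field edited
        (counter,) = struct.unpack(">Q", signed[:8])
        if counter <= self.last_seen:
            return None  # replayed or stale packet
        self.last_seen = counter
        return signed[8:]

def demo():
    """Run a constructed exchange and report what the receiver accepted."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    vault, rx = Sender(key), Receiver(key)
    first = vault.seal(b"ciphertext-1")
    second = vault.seal(b"ciphertext-2")        # delayed in transit
    third = vault.seal(b"ciphertext-3")
    edited = struct.pack(">Q", 99) + first[8:]  # captured packet, counter changed
    return {
        "first": rx.open(first),
        "replay_of_first": rx.open(first),
        "counter_edited": rx.open(edited),
        "third": rx.open(third),
        "late_second": rx.open(second),  # strict policy: older than last seen
    }
```

The strict "newer than last seen" rule also drops packets that merely arrive out of order; a sliding window of recently seen counters relaxes that at the cost of more receiver state.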

Find a Good Use for Cipherbox


I did my best to make the Cipherbox as secure and useful as possible.

It has 6 encryption algorithms (it's actually 14 if you count 3 AES modes in 4 algorithms). It has capabilities of the vault locked by a password and four RFID cards. And it has a "not-so-terrible" graphical user interface. Now, it's up to you what to do with it.

I hope you will find a good use for this device.

If you like this tutorial, please share it.

Thank you for reading this tutorial.