DIY IoT Data Vault With Google Firebase (Midbar Firebase Edition V1.0)

by Northstrix in Circuits > Microcontrollers

IMG_20231013_174407.jpg

Around three and a half years ago, I embarked on a self-guided journey to learn cryptography. During the first few months, I gathered most of the information I needed from Coursera, supplemented by additional resources from YouTube and various websites I discovered through Google. After acquiring a satisfactory level of theoretical knowledge (perhaps more than I could comprehend at that time), I slowed down my study of cryptography for roughly a year. Once I felt I had processed and comprehended most of the theory I had learned the previous year, I took a couple more courses, Googled the missing pieces, and started working with cryptographic primitives in practice. At first, I experimented with 3DES, then I created my own encryption algorithm based on it. Later on, I also started working with the implementation of Serpent. As I progressed further, I learned to use cryptography alongside different parts of the system and created the first version of Midbar. I then continued to refine Midbar, and after one and a half years of development, I finally made the fully functional IoT version of Midbar that is not just equipped with an advanced encryption algorithm coupled with the sophisticated integrity verification feature but also utilizes the capabilities of Google Firebase.

That version of Midbar stores the encrypted data in the cloud while keeping the keys on the ESP32!

As for why this project is called Midbar - Midbar (מדבר) is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," and "desert." I had two reasons for choosing the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe this project. At first, I wanted to call it a "Password Vault," but it's more than that. So, I decided to call it Midbar.

You can also read this tutorial on Medium and Hackster.

Supplies

  • ESP32 x1
  • 1.77 Inch TFT LCD with ST7735 x1
  • PS/2 Keyboard x1
  • PS/2 Port x1
  • Access Point x1
  • 10µF capacitor x1 *optional

3DES + AES + Blowfish + Serpent Encryption Algorithm in CBC Mode

3des+aes+blowfish+serpent_in_cbc.png

The "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode first appeared in Midbar V2.5 and has since been used by Midbar (Raspberry Pi Pico Version), Midbar V3.0, Midbar V4.0, KhadashPay V2.0, Midbar (Raspberry Pi Pico Version) V2.0, KhadashPay V2.0 (Raspberry Pi Pico Version), Midbar V5.0, Midbar (STM32F401CCU6 Version), KhadashPay V3.0 (STM32F401CCU6 Version), KhadashPay V3.0, Midbar (STM32F401CCU6 + Arduino Uno Version), KhadashPay V3.5, Black Swan V2.0, Midbar (Teensy 4.1 Version), Hash Latch, Midbar (Teensy 4.1 Version) V2.0, Midbar (ESP8266 Version) V2.0, Midbar (STM32F407VET6 Version), and Midbar (STM32F407VET6 + Arduino Uno Version).

Although the "3DES + AES + Blowfish + Serpent" encryption algorithm ain't exactly what I would call "a cryptographically weak encryption algorithm," operating it in a weird derivation of the ECB mode, the way Midbar V2.0 did, wasn't the best idea I had. Even though that mode didn't allow an attacker to produce a legitimate ciphertext by swapping blocks within one ciphertext, an attacker could still make a legitimate ciphertext by replacing the nth block of ciphertext N1 with the nth block of ciphertext N2 (both encrypted under the same keys). To fix that vulnerability (instead of just notifying the user that the decrypted ciphertext might have been forged), I made the "3DES + AES + Blowfish + Serpent" encryption algorithm work in CBC mode. So, if an attacker replaces a block of the ciphertext, they spoil not just that block but also the subsequent one: the replaced block decrypts to garbage, and the next block comes out XORed with the difference between the original and the substituted ciphertext block.

I'll be honest with you, the bit-flipping attack "kinda works," but I doubt that it would ever go unnoticed because of the "HMAC-SHA256"-based integrity verification feature.

And let's not forget that this encryption algorithm performs the operation called superencryption.

As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

Such an organization of the encryption algorithms makes a combined cipher that is at least as strong as the strongest one in the cascade (against an attacker who knows none of the keys), has a longer combined key, and might be more resistant to some attacks. The condition that matters is that the keys of the layers are generated independently; a cascade whose keys are all derived from one short secret is only as strong as that secret. Anyway. It won't hurt to have an additional layer of security (or several of them).
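To see what the mode changes, here is an added example (mine, not code from the Midbar firmware) that runs the block-substitution attack described above against a position-tweaked ECB-style mode and against CBC. The toy 16-byte block cipher is a stand-in for the cascade: all the demonstration needs is an invertible keyed block permutation, and this one is linear and not secure. The tweaked-ECB construction is an assumed shape for the "weird derivation of the ECB mode", not a reconstruction of what Midbar V2.0 actually did, and the records and keys are constructed sample data.

```python
"""Same-index block substitution under a position-tweaked ECB versus CBC.

Added example for this page, not code from the Midbar firmware. The 16-byte
block "cipher" is a toy stand-in for the 3DES+AES+Blowfish+Serpent cascade:
it is keyed and invertible, nothing more. The position-tweaked ECB is an
assumed shape for the "weird derivation of the ECB mode", not Midbar V2.0's.
"""
import hashlib

BLOCK = 16


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_pad(key: bytes, label: int) -> bytes:
    # 16-byte key-dependent pad; SHA-256 is just a convenient PRF for the toy.
    return hashlib.sha256(key + bytes([label])).digest()[:BLOCK]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """XOR, rotate three bytes, XOR: keyed and invertible, but linear and NOT secure."""
    x = xor_bytes(block, key_pad(key, 0))
    x = x[3:] + x[:3]
    return xor_bytes(x, key_pad(key, 1))


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    x = xor_bytes(block, key_pad(key, 1))
    x = x[-3:] + x[:-3]
    return xor_bytes(x, key_pad(key, 0))


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def tweaked_ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Block i is encrypted under the key tweaked with i. Swapping blocks inside
    # one ciphertext therefore breaks them, but block n of any ciphertext made
    # under the same key is a drop-in replacement for block n of another.
    return b"".join(toy_encrypt_block(key + bytes([i]), b)
                    for i, b in enumerate(blocks(pt)))


def tweaked_ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key + bytes([i]), b)
                    for i, b in enumerate(blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    for b in blocks(pt):
        prev = toy_encrypt_block(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor_bytes(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def splice(ct_a: bytes, ct_b: bytes, n: int) -> bytes:
    """The attacker's move from the text: block n of ciphertext B into ciphertext A."""
    s = n * BLOCK
    return ct_a[:s] + ct_b[s:s + BLOCK] + ct_a[s + BLOCK:]


# Constructed, fictitious records, padded with spaces to four blocks each.
REC_A = b"user=alice;pw=correct-horse-battery-staple;url=a.example".ljust(4 * BLOCK)
REC_B = b"user=mallory;pw=hunter2-hunter2-hunter2-hunt;url=b.example".ljust(4 * BLOCK)
KEY = b"demo-key-do-not-reuse"
IV = bytes(range(BLOCK))


def splice_under_tweaked_ecb(n: int = 1) -> bytes:
    """Decrypts to a clean mix of both records: A with block n taken from B."""
    ct = splice(tweaked_ecb_encrypt(KEY, REC_A), tweaked_ecb_encrypt(KEY, REC_B), n)
    return tweaked_ecb_decrypt(KEY, ct)


def splice_under_cbc(n: int = 1) -> list:
    """Decrypts with block n as garbage and block n+1 XORed with C_A[n] ^ C_B[n]."""
    ca, cb = cbc_encrypt(KEY, IV, REC_A), cbc_encrypt(KEY, IV, REC_B)
    return blocks(cbc_decrypt(KEY, IV, splice(ca, cb, n)))


if __name__ == "__main__":
    print("tweaked ECB:", splice_under_tweaked_ecb())
    for i, b in enumerate(splice_under_cbc()):
        print(f"CBC block {i}:", b)
```

Under the tweaked ECB, the spliced ciphertext decrypts to a perfectly well-formed record whose second block (most of the password here) comes from the other record, with nothing to signal the swap. Under CBC, the second block comes out as garbage and the third is XORed with the difference of the two ciphertext blocks, which is the same effect a bit-flip in the ciphertext has on the following plaintext block. The mode itself reports neither outcome; that is what the integrity tag is for.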

Integrity Verification

Integrity verification.png

The Midbar Firebase Edition V1.0 is the fifteenth version of Midbar that verifies the integrity of the whole record. Because the tag covers every field of the record, a legitimate ciphertext moved from one cell into another is detected when the record is read, so that attack isn't much of a threat to it.

The integrity verification feature of Midbar is based on "HMAC-SHA256." When you enter data into Midbar, it consolidates all the data into a single string, computes a tag for that string, and saves the newly computed tag in encrypted form. When you decrypt your data, Midbar also decrypts the previously saved tag and computes a new one for the decrypted data. It then compares both tags. If they don't match, Midbar notifies you that the integrity verification failed.
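The following is an added illustration (mine, not the firmware's code) of the scheme just described: HMAC-SHA256 over the whole record, recomputed after decryption and compared with the stored tag, run against the manipulations discussed on this page. The encryption of the stored tag is left out, and the length-prefixed field encoding and the slot number inside the tagged data are choices of this example; the page does not describe how the firmware joins the fields into its string. The records and the key are constructed sample data.

```python
"""HMAC-SHA256 integrity tag over a whole record, verified after decryption.

Added example for this page, not code from the Midbar firmware. Midbar stores
its tag in encrypted form; that step is omitted here. The length-prefixed
field encoding and the slot number in the tagged data are choices made in
this example, not a description of the firmware's record layout.
"""
import hashlib
import hmac

FIELD_ORDER = ("title", "username", "password", "website")


def naive_join(fields: dict) -> bytes:
    """Plain concatenation: ("ab", "c") and ("a", "bc") give the same bytes."""
    return "".join(fields[name] for name in FIELD_ORDER).encode("utf-8")


def serialize_record(slot: int, fields: dict) -> bytes:
    """Unambiguous encoding: slot number, then each field as 2-byte length + bytes."""
    out = slot.to_bytes(2, "big")
    for name in FIELD_ORDER:
        value = fields[name].encode("utf-8")
        out += len(value).to_bytes(2, "big") + value
    return out


def compute_tag(mac_key: bytes, slot: int, fields: dict) -> bytes:
    return hmac.new(mac_key, serialize_record(slot, fields), hashlib.sha256).digest()


def verify_record(mac_key: bytes, slot: int, fields: dict, stored_tag: bytes) -> bool:
    """Recompute the tag for the decrypted fields and compare in constant time."""
    return hmac.compare_digest(compute_tag(mac_key, slot, fields), stored_tag)


# Constructed, fictitious sample data.
MAC_KEY = b"demo-hmac-key-replace-with-32-random-bytes"
LOGIN_1 = {"title": "Example Mail", "username": "alice",
           "password": "S3cret!pw", "website": "mail.example"}
LOGIN_2 = {"title": "Example Shop", "username": "alice",
           "password": "Other#pw9", "website": "shop.example"}


def tamper_scenarios() -> dict:
    """Which manipulations of slot 1 the tag check catches (True = verified OK)."""
    tag_1 = compute_tag(MAC_KEY, 1, LOGIN_1)
    # A legitimate password ciphertext from slot 2 dropped into slot 1: after
    # decryption the record reads as LOGIN_1 with LOGIN_2's password.
    field_moved = dict(LOGIN_1, password=LOGIN_2["password"])
    # A CBC bit-flip that survived decryption as a one-character change.
    bit_flipped = dict(LOGIN_1, username="alicd")
    return {
        "intact": verify_record(MAC_KEY, 1, LOGIN_1, tag_1),
        "field_moved_from_other_record": verify_record(MAC_KEY, 1, field_moved, tag_1),
        "bit_flipped": verify_record(MAC_KEY, 1, bit_flipped, tag_1),
        # Whole record plus its tag copied into slot 2: caught only because the
        # slot number is part of the tagged data (an addition of this example).
        "record_moved_to_slot_2": verify_record(MAC_KEY, 2, LOGIN_1, tag_1),
    }


if __name__ == "__main__":
    for name, ok in tamper_scenarios().items():
        print(f"{name:32s} {'OK' if ok else 'INTEGRITY VERIFICATION FAILED'}")
```

Two details are worth copying into any implementation of this scheme: the comparison uses a constant-time compare (hmac.compare_digest) so that the check does not leak how many tag bytes matched, and the fields are length-prefixed so that the same tagged string cannot arise from two different ways of splitting the data into fields.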

Install CP210x Driver and Configure Arduino IDE *Optional

If you've never flashed an ESP32 before, you need to configure the Arduino IDE and install the USB-to-UART driver before you can upload the firmware to the board. Boards with the Silicon Labs CP210x bridge use the driver from https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers; boards with a different bridge chip (for example, the CH340) need that chip's driver instead.

Configuring IDE isn't a part of this tutorial. You can read about it here: https://randomnerdtutorials.com/installing-the-esp32-board-in-arduino-ide-windows-instructions/

Download Firmware

Download and Install the Libraries

Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Library

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

PS2KeyAdvanced: https://github.com/techpaul/PS2KeyAdvanced

PS2KeyMap: https://github.com/techpaul/PS2KeyMap

Firebase-ESP32: https://github.com/mobizt/Firebase-ESP32

The process of installing the libraries is the usual one. Either unpack the content of each archive into the ...\Arduino\libraries folder, or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library..., and select each library archive.

Other required libraries are already present in one way or another.

Set Up Google Firebase

fbase.png

I would be happy to explain to you how to set up Google Firebase. However, I believe that the article at https://medium.com/firebase-developers/getting-started-with-esp32-and-firebase-1e7f19f63401 does a better job on that. I suggest reading the article up until the "Development Environment Setup" headline.

When setting up the database, save the "Realtime Database URL" and the "Web API Key." Both values will be needed when modifying the firmware.

Two things to check at this stage. The Web API Key identifies your Firebase project; it is not a secret and does not restrict access, so the Realtime Database rules are what actually gate reads and writes. A database created in "test mode" starts with rules that let anyone who knows the URL read and write it (for 30 days by default), which is enough to delete or replace your encrypted records, so tighten the rules before storing anything real there.

Generate Keys

gen_keys.png

To make unauthorized deciphering of your data computationally infeasible, it is crucial to generate your own keys and never reuse them. The keys that ship in the downloadable firmware are public, so the firmware must not be flashed with them left in place.

It's entirely up to you how to generate the keys. I can only offer you an option to do so.

I've modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk!

To generate the keys - launch gen.exe from the "V1.0\Untested RNG" folder and click the "Generate keys for Midbar" button. The background turns from dark gray to light gray when you press that button.
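If you would rather not depend on an untested generator, the added script below (mine, not part of the Midbar repository and not the page's gen.exe) draws every key from the operating-system CSPRNG and prints it as C byte arrays ready to paste into the sketch. The variable names and key lengths in KEY_LAYOUT are assumptions; check them against the declarations in Firmware.ino, which this page does not list.

```python
"""Generate fresh keys for the firmware from the operating-system CSPRNG.

Added example, not part of the Midbar repository and not the page's gen.exe.
The key names and lengths in KEY_LAYOUT are assumptions: match every array to
the corresponding declaration in Firmware.ino before pasting it in.
secrets.token_bytes() reads the OS CSPRNG (os.urandom), which is the right
source for key material.
"""
import re
import secrets

# Assumed layout: one independent key per cipher in the cascade plus the HMAC key.
KEY_LAYOUT = {
    "des3_key": 24,      # 3DES: three 8-byte DES keys (DES ignores each byte's parity bit)
    "aes_key": 32,       # AES-256
    "blowfish_key": 32,  # Blowfish accepts 4..56 key bytes
    "serpent_key": 32,   # Serpent-256
    "hmac_key": 32,      # HMAC-SHA256 key for the integrity tag
}


def generate_keys(layout: dict = KEY_LAYOUT) -> dict:
    """One fresh random key per entry; never derive them from one another."""
    return {name: secrets.token_bytes(length) for name, length in layout.items()}


def to_c_array(name: str, key: bytes, per_line: int = 8) -> str:
    """Format a key as a C byte-array definition for pasting into the sketch."""
    hexes = [f"0x{b:02x}" for b in key]
    rows = [", ".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    header = f"const uint8_t {name}[{len(key)}] = {{"
    return header + "\n  " + ",\n  ".join(rows) + "\n};"


def parse_c_array(text: str) -> bytes:
    """Read the bytes back out of a C array literal (round-trip sanity check)."""
    body = text.split("{", 1)[1]
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", body))


def render_all(keys: dict) -> str:
    return "\n\n".join(to_c_array(name, key) for name, key in keys.items())


if __name__ == "__main__":
    print(render_all(generate_keys()))
```

Run it once per device set, paste the output over the corresponding arrays in Firmware.ino, and then treat that file as secret material: it now contains the keys.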

Modify the Firmware

mod_cred.png
mod_keys.png

Open the "Firmware.ino" file from the "V1.0\Firmware" folder and put your values to the following variables:

WIFI_SSID

WIFI_PASSWORD

API_KEY

DATABASE_URL

After that, replace my keys with yours.

Switch the Partition Scheme to the "Huge APP (3MB No OTA/1MB SPIFFS)"

change part.png

You have to switch the partition scheme to the "Huge APP (3MB No OTA/1MB SPIFFS)" before you flash ESP32 because the firmware is too big for the default partition.

Flash ESP32

flash esp32.png

Upload the firmware from the "V1.0\Firmware" folder into the ESP32. Don't forget to hold the "BOOT" button when the firmware upload starts.

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you have configured the IDE correctly, installed the driver, selected the right port, and still keep getting the error "A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header", connect a 10µF capacitor to the board while flashing:

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Assemble Midbar

Midbar Circuit Diagram.png

It shouldn't be hard to assemble.

Just compare it with Midbar (STM32F401CCU6 + Arduino Uno Version) or Midbar (RTL8720DN + Arduino Uno Version), and you'll understand what I mean.

Power the Midbar Up

lock_screens.png

Power the Midbar up and wait until it connects to your access point (Wi-Fi), initializes Firebase, and displays a random lock screen.

That version of Midbar has 18 lock screens.


*Credit for the used photos:

  • Atlanta: Photo by Joey Kyber on Unsplash
  • Be'er Sheva: Photo by Levi Meir Clancy on Unsplash
  • Dallas: Photo by Braden Egli on Unsplash
  • Dallas: Photo by Talena Reese on Pexels
  • Frankfurt: Photo by Igor Flek on Unsplash
  • Kansas City: Image by Cloud11 from Pixabay
  • Los Angeles: Image by herdzmedia from Pixabay
  • Minneapolis: Photo by Daniel McCullough on Unsplash
  • Nashville: Image by Paul Brennan from Pixabay
  • Netanya: Photo by Shai Pal on Unsplash
  • New Orleans: Photo by Morgan Petroski on Unsplash
  • Pittsburgh: Photo by Yuhan Du on Unsplash
  • Salt Lake City: Image by RobinSaville from Pixabay
  • Santiago: Photo by Jeffrey Eisen on Unsplash
  • Tel Aviv: Image by ran from Pixabay
  • Tel Aviv: Photo by Micah Camper on Unsplash
  • Tel Aviv: Photo by Shai Pal on Unsplash
  • Toronto: Photo by Nadine Shaabana on Unsplash

Set Master Password

IMG_20231015_140042.jpg
IMG_20231015_140201.jpg
IMG_20231015_140206.jpg

To use the Midbar, you first need to set the master password.

You can't change your master password without performing the factory reset first!

Midbar won't be able to decrypt your data without your master password because the keys for the encryption algorithms are partially derived from it. Perhaps it won't even unlock without the correct master password.

When you're done entering your master password, press either the "Enter" or the "ESC" key on the PS/2 keyboard.


After you've unlocked the vault and got to the main menu:

  • Press the "↓" (Downwards Arrow) key on the PS/2 keyboard to go down the menu.
  • Press the "↑" (Upwards Arrow) key on the PS/2 keyboard to go up the menu.
  • Press the "Enter" key on the PS/2 keyboard to open the selected menu.
  • While in the submenu, press either the "Esc" or the "Backspace" key on the PS/2 keyboard to return to the main menu.


While entering a text in a tab:

  • Press "Enter" on the PS/2 keyboard to continue.
  • Press the "Esc" button on the PS/2 keyboard to cancel the current operation.

Add Login

IMG_20231015_140215.jpg
IMG_20231015_140223.jpg
IMG_20231015_140242.jpg
IMG_20231015_140257.jpg
IMG_20231015_140313.jpg
IMG_20231015_140329.jpg
IMG_20231015_140409.jpg
IMG_20231015_140515.jpg
IMG_20231015_140520.jpg
Firebase state after adding the record.png

That version of Midbar allows you to store records of four types: login credentials, credit card information, notes, and phone numbers.

Since working with records of other types is basically the same as working with logins, I'll only provide instructions on how to work with logins.


To add a login (from PS/2 keyboard):

  1. Select the "Logins" line in the main menu;
  2. Press the "Enter" key on the PS/2 keyboard;
  3. Select the "Add" line;
  4. Press the "Enter" key on the PS/2 keyboard;
  5. Choose the slot you want to put the login to by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  6. Press the "Enter" key on the PS/2 keyboard;
  7. Select the "PS/2 Keyboard" line;
  8. Press the "Enter" key on the PS/2 keyboard;
  9. Enter the title;
  10. Press the "Enter" key on the PS/2 keyboard;
  11. Enter the username;
  12. Press the "Enter" key on the PS/2 keyboard;
  13. Enter the password;
  14. Press the "Enter" key on the PS/2 keyboard;
  15. Enter the website;
  16. Press the "Enter" key on the PS/2 keyboard.


*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

View Login

IMG_20231015_140529.jpg
IMG_20231015_140536.jpg
IMG_20231015_140549.jpg
IMG_20231015_140605.jpg
IMG_20231015_140611.jpg
Login printed to the Serial Terminal.png

To view login:

  1. Select the "Logins" line in the main menu;
  2. Press the "Enter" key on the PS/2 keyboard;
  3. Select the "View" line;
  4. Press the "Enter" key on the PS/2 keyboard;
  5. Choose the slot you want to view the login from by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  6. Press the "Enter" key on the PS/2 keyboard;
  7. Press the "↑" (Upwards Arrow) key on the PS/2 keyboard to print the record to the serial terminal.


*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

Edit Login

IMG_20231015_140906.jpg
IMG_20231015_140912.jpg
IMG_20231015_140927.jpg
IMG_20231015_140947.jpg
IMG_20231015_141022.jpg
IMG_20231015_141028.jpg
IMG_20231015_141052.jpg
IMG_20231015_141058.jpg
Firebase state after editing the record.png

To edit a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "Enter" key on the PS/2 keyboard;
  3. Select the "Edit" line;
  4. Press the "Enter" key on the PS/2 keyboard;
  5. Select the login you would like to edit by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  6. Press the "Enter" key on the PS/2 keyboard;
  7. Enter the new password;
  8. Press "Enter" on the PS/2 keyboard.


*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

Delete Login

IMG_20231015_141201.jpg
IMG_20231015_141208.jpg
IMG_20231015_141217.jpg
IMG_20231015_141223.jpg
Firebase state after deleting the record.png

To delete a login:

  1. Select the "Logins" line;
  2. Press the "Enter" key on the PS/2 keyboard;
  3. Select the "Delete" line;
  4. Press the "Enter" key on the PS/2 keyboard;
  5. Select the login you would like to delete by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the PS/2 keyboard;
  6. Press the "Enter" key on the PS/2 keyboard.

Find a Good Use for Midbar

IMG_20231013_140004.jpg

Despite some flaws and inconveniences and the requirement for Internet access to operate, the current version of Midbar also has its upsides. One of them is the ability to (almost) effortlessly replace a broken Midbar with a new one without losing access to your valuable data. To do this, you only need to upload the same firmware (with the same keys in it) and use the same master password on the new device. The flip side is that the modified firmware holds your keys, so the Firmware.ino you edited and any binary compiled from it must be kept as secret as the master password.

And while Midbar is no guarantee of world peace or social harmony, I do believe that it's an important contribution to the protection of your data from unauthorized access.

I think it's also worth mentioning that Midbar's source code is distributed under the MIT license. That grants you the freedom to customize, adapt, and modify Midbar according to your needs and preferences. In other words, you can create your own version of Midbar or use it as a starting point for building new projects without the need for external permission.

If you found this tutorial to be useful, please consider sharing it.

Thank you for reading this tutorial.