KhadashPay V3.0 (STM32F401CCU6 Version)

by Northstrix in Circuits > Microcontrollers

Recently, I released the KhadashPay V2.0 and KhadashPay V2.0 (Raspberry Pi Pico Version). Although (in my opinion) both projects were already sufficient, they had a very noticeable flaw: they utilized their built-in memory to store the client data. So, I've decided to rid the KhadashPay of this flaw by making it store the client data on an external SD card.

I made KhadashPay because I wanted to provide business owners with the opportunity to easily deploy a card payment system in their store without having to buy an expensive terminal, pay fees for each transaction, and waste time and resources dealing with the bank.

As for the customers of the store where the KhadashPay is deployed, KhadashPay doesn't keep any logs whatsoever and doesn't require a bit of your personal information to create an account.

The name KhadashPay is a combination of two words: Khadash (Hebrew: חדש - New) and Pay.


Before you continue reading this instructable, I would like to remind you that this payment system isn't connected to any existing financial institution. It works completely offline, and all the money kept in it is nothing more than just numbers entered by the operator and stored on the SD card (in an encrypted form).


*In this tutorial, I've reused some photos from the tutorial for the KhadashPay V2.0 because the GUI is basically the same, and I don't think there's a need to take shots of the same tabs twice.

Supplies

  • STM32F401CCU6 x1
  • 240x320 TFT LCD with ST7789 (with slot for SD card) x1
  • SD Card x1
  • Mifare RC522 RFID Reader x1
  • 4x4 Keypad x1
  • RFID cards x4

3DES + AES + Blowfish + Serpent Encryption Algorithm in CBC Mode

The "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode first appeared in the Midbar V2.5. Since then, it has been utilized by the Midbar (Raspberry Pi Pico Version), Midbar V3.0, Midbar V4.0, KhadashPay V2.0, Midbar (Raspberry Pi Pico Version) V2.0, KhadashPay V2.0 (Raspberry Pi Pico Version), Midbar V5.0, and Midbar (STM32F401CCU6 Version).

Although the "3DES + AES + Blowfish + Serpent" encryption algorithm ain't exactly what I would call "a cryptographically weak encryption algorithm," operating it in a weird derivation of the ECB mode, the way it was done by the Midbar V2.0, wasn't the best idea that I had. Even though that wouldn't have allowed the attacker to produce a legitimate ciphertext by swapping the blocks within the ciphertext, an attacker could still make a legitimate ciphertext by replacing the nth block of the ciphertext N1 with the nth block of the ciphertext N2. To fix that vulnerability (instead of just notifying the user that the decrypted ciphertext might've been forged), I made the "3DES + AES + Blowfish + Serpent" encryption algorithm work in CBC mode. So, if an attacker replaces a block of ciphertext, they spoil not just that block but also the subsequent one.

I'll be honest with you, the bit-flipping attack "kinda works," but I doubt that it would ever go unnoticed because of the "HMAC-SHA256"-based integrity verification feature.

And let's not forget that this encryption algorithm performs the operation called superencryption.

As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

Such organization of the encryption algorithms makes a combined encryption algorithm that is at least as strong as the strongest one in the cascade, has a longer key, might be more resistant to some attacks, and might produce a ciphertext with higher entropy. Anyway, it won't hurt to have an additional layer of security (or several of them).

Integrity Verification

Another cool feature provided to you by KhadashPay is the "HMAC-SHA256"-based integrity verification.

Before encrypting the user data, KhadashPay computes the tag for that data and encrypts the tag as well.

Later on, when KhadashPay decrypts your data, it also decrypts the previously calculated tag and computes a new tag for the newly decrypted data. It then compares both tags, and if they don't match, KhadashPay notifies you that the integrity verification failed.
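
The block-replacement and bit-flipping cases from the CBC section, together with the tag check described above, as an added Python sketch (it is not KhadashPay's firmware). A toy Feistel cipher stands in for the "3DES + AES + Blowfish + Serpent" cascade, and the tag || record layout, the keys, IVs, records and all function names are assumptions constructed for the illustration:

```python
import hashlib, hmac

BLOCK = 16  # block size in bytes for this sketch

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # keyed round function of the stand-in cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def feistel(key, blk, rounds):
    # Toy 4-round Feistel permutation, NOT the 3DES+AES+Blowfish+Serpent cascade
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l  # final swap: reversed round order decrypts

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out, prev = out + _xor(feistel(key, blk, range(3, -1, -1)), prev), blk
        else:
            prev = feistel(key, _xor(blk, prev), range(4))
            out += prev
    return out

def seal(ek, mk, iv, record):
    # Tag the plaintext first, then encrypt tag || record together (assumed layout)
    tag = hmac.new(mk, record, hashlib.sha256).digest()
    return cbc(ek, iv, tag + record)

def open_record(ek, mk, iv, ct):
    pt = cbc(ek, iv, ct, decrypt=True)
    tag, record = pt[:32], pt[32:]
    fresh = hmac.new(mk, record, hashlib.sha256).digest()
    return record, hmac.compare_digest(tag, fresh)  # constant-time comparison

# Constructed keys, IVs and records (32 bytes each, so no padding is needed)
EK, MK, IV1, IV2 = b"E" * 32, b"M" * 32, b"\x01" * 16, b"\x02" * 16
REC1 = b"card=AAAA balance=10.00".ljust(32)
REC2 = b"card=BBBB balance=99999.00".ljust(32)

def tamper_demo():
    c1, c2 = seal(EK, MK, IV1, REC1), seal(EK, MK, IV2, REC2)
    swapped = c1[:32] + c2[32:48] + c1[48:]            # block 2 replaced from c2
    flipped = c1[:16] + bytes([c1[16] ^ 1]) + c1[17:]  # one bit flipped in block 1
    return [open_record(EK, MK, IV1, c) for c in (c1, swapped, flipped)]
```

In the flipped case the record comes back with its first byte changed from `c` to `b`, which is the targeted change that CBC bit-flipping allows, and the tag comparison is what rejects it.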

"Belonging Check"

Even though KhadashPay can't decrypt user data without the user's card, I still decided to add an additional check, just in case. 

The so-called "Belonging Check" (didn't really know what else to call it) is a feature that allows the KhadashPay to verify whether the record with the balance belongs to the card that is tapped on the RFID reader or not.

Prepare the Software

Before flashing STM32 Black Pill, you need to install STM32CubeProg and set the Arduino IDE up. You can read about all of it here: https://www.sgbotic.com/index.php?dispatch=pages.view&page_id=49

Download Firmware

You can download the firmware for KhadashPay from one of these sources.

SourceForge: https://sourceforge.net/projects/khadashpay/

OSDN: https://osdn.net/projects/khadashpay/

GitHub: https://github.com/Northstrix/KhadashPay

If you just need the firmware for the device alongside the RNG, then I would advise you to download a 0.2 MB archive either from SourceForge or OSDN.

But if you need the firmware for all versions of KhadashPay alongside the extra code, photos, and diagrams, in that case, I would advise you to download the 97.2 MB archive from GitHub.

Download and Install the Libraries

SdFat: https://github.com/adafruit/SdFat

rfid: https://github.com/miguelbalboa/rfid

Keypad: https://github.com/Chris--A/Keypad

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Library *It's not a mistake. This library is needed to interact with the ST7789-based LCD.

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click "Sketch" -> "Include Library" -> "Add .ZIP Library..." and select every archive with libraries.


Generate Keys

To make the unauthorized deciphering of your data computationally infeasible, it is crucial to generate your own keys and never reuse them.

It's entirely up to you how to generate the keys. I can only offer you an option to do so.

I've modified one of my previous projects to work as a random number generator. The generated output seems "random enough" for me, but I haven't run any tests, so I can't guarantee that it's random.

Use it at your own risk!

To generate the keys, launch gen.exe from the "V3.0\STM32F401CCU6_Version\Untested RNG" folder and click the "Generate keys for KhadashPay V3.0" button. The background turns from dark gray to light gray when you press that button.

Modify the Firmware

Open the "Firmware.ino" file from the "V3.0\STM32F401CCU6_Version\Firmware" folder and replace my keys with those you've generated.

Flash STM32F401CCU6

Set the STM32 Black Pill into the bootloader mode by doing the following:

  • Hold the BOOT0 button;
  • Press the NRST button;
  • Release the BOOT0 button.


Make sure that the settings in the "Tools" tab match those on the screen, especially the following settings:

Board: "Generic STM32F4 series"

Board part number: "BlackPill F401CC"

U(S)ART support: "Enabled (generic 'Serial')"

Upload method: "STM32CubeProgrammer (DFU)"


And then, upload the firmware from the "V3.0\STM32F401CCU6_Version\Firmware" folder into the STM32.


You don't need to select the COM port to flash STM32 Black Pill.

Assemble the Device

Assembling the KhadashPay V3.0 (STM32F401CCU6 Version) should be easier than KhadashPay V2.0 (Raspberry Pi Pico Version) and KhadashPay V2.0.

Power the KhadashPay Up and Tap Four RFID Cards on the RFID Reader

After being powered up, the KhadashPay displays the "KhadashPay STM32F401CCU6" and "Tap RFID card N1" inscriptions alongside the lock screen.

Tap four RFID cards on the RFID reader one after another. The most important thing here is to tap the cards in the same order every time you unlock the KhadashPay. Otherwise, it just won't unlock.

If you don't have four cards, you can tap one card four times.

And by the way, the first card you tap on the RFID reader becomes the "operator card" right after you set the master password. You'll need this information later in this tutorial. For now, just remember it.


*Credit for the photo of Tel Aviv:

Photo by Micah Camper on Unsplash

Set the Master Password

To use the KhadashPay, you first need to set the master password.

While entering the master password on the 4x4 keypad, note that the '*' key serves as a backspace, and the 'A' key serves as a decimal point.

And remember, you can't change the master password without losing the ability to decrypt all user data stored on the SD card!

KhadashPay won't be able to decrypt the user data without the master password because the keys for the encryption algorithms are partially derived from it. Perhaps, it won't even unlock without the correct master password.

When you're done entering the master password, press either the '#' or 'C' key on the keypad to finish the input and set the master password.


After you've unlocked the KhadashPay and got to the menu:

  • Press the "0" key on the 4x4 keypad to go down the menu;
  • Press the "8" key on the 4x4 keypad to go up the menu;
  • Press the "#" key on the 4x4 keypad to perform the selected action;
  • Press the 'D' key on the 4x4 keypad to show the lock screen. After that, press any key to return to the menu.

Create an Account

Ok, let's start with the facts about the KhadashPay account.

  • Each account is bound to the RFID card and PIN;
  • The PIN can have a length from 1 to 8 characters;
  • The PIN can have the following characters: '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'D';
  • A client can create several accounts using the same card as long as the PINs are different;
  • The maximum amount of money stored in the account is only limited by the double variable type (don't worry about that, the KhadashPay can still store a 15-digit number without any problems);
  • Not even the owner of the KhadashPay can see your balance without your card.


To create an account on KhadashPay V3.0:

Operator:

  • Select the "New Account" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Set your PIN;
  • Press the '#' key on the 4x4 keypad;
  • Enter the PIN that you've set again;
  • Press the '#' key on the 4x4 keypad.

Put Money Into the Account

To put money into the account:

Operator:

  • Select the "Put Money In" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Enter the amount of money to be put into the client's account;
  • Press the '#' key on the 4x4 keypad;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Enter your PIN;
  • Press the '#' key on the 4x4 keypad.

Make a Sale

To make a sale:

Operator:

  • Select the "Make A Sale" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Enter the sale amount;
  • Press the '#' key on the 4x4 keypad;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Enter your PIN;
  • Press the '#' key on the 4x4 keypad.

View Balance

To view balance:

Operator:

  • Select the "View Balance" line in the menu;
  • Press the '#' key on the 4x4 keypad;
  • Tap the operator RFID card on the RFID reader;
  • Press the '#' key on the 4x4 keypad and give the device to the client.

Client:

  • Tap your RFID card on the RFID reader;
  • Enter your PIN;
  • Press the '#' key on the 4x4 keypad.

Find a Good Use for KhadashPay

Even though this version of the KhadashPay is very stable and unrestrained by the amount of the MCU's built-in memory, it's not as flawless as it seems, and of course, it's nowhere near being "perfect."

First and foremost, in terms of the user experience, it's slow: not to the point of unusability, but to the point where it still might be a bit annoying to work with (especially if you try to erase something).

Also, I hadn't figured out how to use the STM32F401CCU6's random number generator in the Arduino IDE and used the Arduino's "random()" function to generate the random numbers. So, use the KhadashPay V3.0 (STM32F401CCU6 Version) and any other version of KhadashPay at your own risk. 


And by the way, KhadashPay's source code is distributed under the MIT license, so if you want to make your own version of the KhadashPay or change something in it, don't wait for anyone else to do it for you. Take the initiative into your own hands and do it! Don't forget that there's always room for improvement, even if it seems that there's none.

If you like this tutorial, please share it.

Thank you for reading this tutorial.