Midbar (ESP8266 Version)

by Northstrix in Circuits > Microcontrollers

A while ago, I made the ESP32 version of Midbar which later evolved into a multi-user Cipherbox. While developing the Cipherbox, I realized that even the Lite version of it might be too expensive and too redundant for some people, so I "resurrected" the single-user Midbar project and made an ESP8266 version of it.

The purpose of Midbar is to significantly increase the cost of unauthorized access to its user's personal data.

The ESP8266 version of Midbar utilizes the 3DES + AES + Blowfish + Serpent encryption algorithm alongside the ESP8266's built-in memory to store eight passwords and four credit cards in encrypted form. It also utilizes HMAC SHA-256 to verify the integrity of the stored logins, which means that if at least one bit of an encrypted login gets flipped, Midbar will inform you about it by displaying the following alert: "Integrity Verification Failed!!!"

In case you've missed the original Midbar or just want to know why I called it Midbar in the first place - Midbar (מדבר) is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," "desert." I had two reasons for choosing the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe that project. At first, I wanted to call it a "Password Vault," but then I realized that it's more than just a password vault. So, I just called it Midbar!

Supplies

  • ESP8266 x1
  • 0.96 Inch OLED SSD1306 Display x1
  • EC11 Rotary Encoder x1
  • 4.7k resistors x7
  • 22nf capacitors x2
  • 330 Ohm resistor x1
  • Buttons x2

Encryption Algorithms

The ESP8266 version of Midbar utilizes three encryption algorithms:

  • 3DES + AES + Blowfish + Serpent;
  • Serpent;
  • 3DES.

Let me briefly describe the implementation of each algorithm:

  • 3DES + AES + Blowfish + Serpent is the strongest encryption algorithm utilized by this device. It's a combined encryption algorithm that's composed of four cryptographically strong encryption algorithms. It splits its input into 80-bit long blocks and then encrypts each block separately, infusing 48 random bits into each block. Each block produces a 128-bit (16-byte) long output. That encryption algorithm performs superencryption;
  • Serpent is an encryption algorithm that competed in the Advanced Encryption Standard contest against Rijndael (now AES) and other algorithms. It takes a 64-bit long input, adds 64 random bits, and produces a 128-bit long output;
  • 3DES is an outdated encryption algorithm. You can still use it to encrypt your data, but if I were you, I wouldn't be using it for anything important. It takes a 32-bit long input, adds 32 random bits, and produces a 64-bit long output.

Integrity Verification

Integrity verification is an essential feature absent in the previous version of Midbar, leaving it vulnerable to the block-swapping attack.


Before I get to the description of the integrity verification feature, I would like to clarify where it's present and where it's absent.

It's present in:

  • Logins;
  • 3DES + AES + Blowfish + Serpent encryption algorithm;
  • Serpent encryption algorithm.

It's absent in:

  • Credit Cards;
  • 3DES encryption algorithm.


The backbone of the integrity verification feature is the Hash-based Message Authentication Code constructed from the SHA-256.

For the sake of convenience, I've truncated the output of the HMAC SHA-256 for the 3DES + AES + Blowfish + Serpent encryption algorithm to 240 bits because that algorithm takes 80-bit long blocks as input.

As for logins, HMAC SHA-256 takes a concatenation of title, login, password, and website alongside the key as an input and produces a 256-bit output. That 256-bit long output of HMAC is then truncated to 240 bits and encrypted with 3DES + AES + Blowfish + Serpent.

When Midbar decrypts the record, it also decrypts the tag. It then computes a new tag for the decrypted credentials and compares the new tag with the decrypted tag. If these two don't match, Midbar displays the following alert: "Integrity Verification Failed!!!"
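
The tag check described above, and why it catches both a flipped bit and a block swap, shown as an added Python example (not Midbar's firmware code). The key is constructed, the four-cipher encryption itself is not modelled, and the size calculation assumes the tag travels as three extra 80-bit blocks, which is consistent with the 256-hex-character sample ciphertext in the "Encrypt String" step.

```python
import hashlib
import hmac

BLOCK = 10      # bytes per plaintext block (80 bits, per the page)
TAG_LEN = 30    # HMAC-SHA-256 truncated to 240 bits = three 80-bit blocks
OUT_BLOCK = 16  # bytes of ciphertext per block (128 bits, per the page)

def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 over the plaintext, truncated to 240 bits."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag over the decrypted data; compare in constant time."""
    return hmac.compare_digest(make_tag(key, data), tag)

def login_tag(key: bytes, title: str, login: str, password: str, website: str) -> bytes:
    """Tag for a login record: HMAC over the concatenated fields."""
    return make_tag(key, (title + login + password + website).encode())

def swap_blocks(data: bytes, i: int, j: int) -> bytes:
    """Model a block-swapping attack: blocks are encrypted independently,
    so reordered ciphertext blocks decrypt to reordered plaintext blocks."""
    blocks = [data[k:k + BLOCK] for k in range(0, len(data), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with a single bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def ciphertext_len(plaintext_len: int) -> int:
    """Assumed layout: ceil(n/10) data blocks plus 3 tag blocks, 16 bytes each."""
    data_blocks = -(-plaintext_len // BLOCK)
    return (data_blocks + TAG_LEN // BLOCK) * OUT_BLOCK

if __name__ == "__main__":
    key = b"constructed-demo-hmac-key"  # constructed value, not a Midbar key
    msg = b"Midbar is more than just a password vault"
    tag = make_tag(key, msg)
    print("intact       :", verify(key, msg, tag))
    print("blocks 0<->1 :", verify(key, swap_blocks(msg, 0, 1), tag))
    print("one bit flip :", verify(key, flip_bit(msg, 0), tag))
    print("ciphertext   :", ciphertext_len(len(msg)), "bytes")
```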

Cell Mapping (Memory Allocation)

Since ESP8266 only has 4 KB of memory available for the user data, I had to remap it several times to fit as many records as possible.

Eventually, I came up with these results:

  • The value stored in the first cell indicates whether the master password is set or not;
  • Cells 1 - 48 store the encrypted hash of the master password;
  • Cells 49 - 3952 store the encrypted logins and credit cards.

Install Drivers and Configure Arduino IDE (Optional)

If you've never flashed an ESP8266 before, you'll need to configure the Arduino IDE and install drivers to upload the firmware to the board. You can find the drivers here:

CH340 driver: https://sparks.gogo.co.nz/ch340.html

CP210x driver: https://www.silabs.com/developers/usb-to-uart-brid...

In case you don't have Arduino IDE, you can download it here:

https://www.arduino.cc/en/software/

Configuring the IDE isn't a part of this tutorial; you can read about it here:

https://randomnerdtutorials.com/how-to-install-esp...

Download Firmware

You can download the firmware for Midbar from one of these sources.

SourceForge: https://sourceforge.net/projects/midbar/

OSDN: https://osdn.net/projects/midbar/

GitHub: https://github.com/Northstrix/Midbar

If you just need the firmware for the device alongside the RNG, then I would advise you to download a 0.15 MB archive either from SourceForge or OSDN.

But if you need the firmware for all versions of Midbar alongside the extra code, photos, and diagrams, in that case, I would advise you to download the 34.9 MB archive from GitHub.

Download and Install the Libraries

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_SSD1306: https://github.com/adafruit/Adafruit_SSD1306

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

EncButton: https://github.com/GyverLibs/EncButton

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click Sketch -> Include Library -> Add .ZIP Library... and select every archive with the library.

Clear EEPROM

To ensure that Midbar will work as intended, you must clear the EEPROM before uploading the firmware.

To clear the EEPROM, upload the sketch from the "Clear_EEPROM" folder into the ESP8266, and then reboot the board.

Generate Keys

To make the unauthorized deciphering of your data computationally infeasible, it is crucial to generate your own keys and never reuse them.

The best way to generate the keys is to throw a 20-sided die.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.
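
The dice procedure above is rejection sampling: 16 of the 20 faces are accepted and each hex digit belongs to exactly one face, so every digit is equally likely. The following added Python example (not part of the Midbar project) turns a written-down list of throws into a hex string; the function names and the sample rolls are constructed for illustration.

```python
# Faces of a 20-sided die mapped to hex digits, as in the steps above.
FACE_TO_HEX = {face: "%X" % face for face in range(1, 16)}  # 1-9 and A-F
FACE_TO_HEX[20] = "0"                                       # 20 -> 0
# Faces 16-19 are absent on purpose: they mean "throw again".

def face_to_hex(face: int):
    """Return the hex digit for one throw, or None if it must be re-thrown."""
    if not 1 <= face <= 20:
        raise ValueError("not a d20 face: %r" % (face,))
    return FACE_TO_HEX.get(face)

def rolls_to_hex(rolls, n_digits: int) -> str:
    """Convert recorded throws to n_digits hex digits, skipping rejected faces."""
    digits = []
    for face in rolls:
        digit = face_to_hex(face)
        if digit is not None:
            digits.append(digit)
    if len(digits) < n_digits:
        missing = n_digits - len(digits)
        raise ValueError("need %d more accepted throws" % missing)
    return "".join(digits[:n_digits])

def mapping_is_uniform() -> bool:
    """True if each of the 16 hex digits is produced by exactly one face."""
    return sorted(FACE_TO_HEX.values()) == sorted("0123456789ABCDEF")

def expected_rolls(n_digits: int) -> float:
    """Average number of throws needed, since 4 of 20 faces are rejected."""
    return n_digits * 20 / 16

if __name__ == "__main__":
    recorded = [7, 18, 12, 20, 3, 16, 15, 1]   # constructed sample throws
    print(rolls_to_hex(recorded, 6))
    print(mapping_is_uniform(), expected_rolls(64))
```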


There's also an easier option.

I modified one of my previous projects to work as a random number generator. The generated output seems "random enough" for me, but I haven't run any tests, so I can't guarantee that it's random.

Use it at your own risk.

To generate the keys, launch gen.exe from the "Untested RNG" folder and then click the "Generate keys for Midbar" button. The background turns blue when you press that button.

Modify the Firmware

Open the file "Firmware.ino", scroll down a bit, and then replace my values of the kderalgs, numofkincr, hmackey, des_key, AES_key, Blwfsh_key, serp_key with yours.

Flash the ESP8266

Upload the firmware from the "Firmware" folder into the ESP8266.

Assemble Midbar

Assembling the Midbar shouldn't be hard. In my opinion, the hardest part of the process is to connect the encoder.

As for the possible component replacements:

  • You can replace the 330-Ohm resistor with a 220-Ohm - 1k resistor;
  • You can replace 4.7k resistors with 4.7k - 10k resistors;
  • And you can replace the capacitors with 22nf - 100nf capacitors.

Set Your Password

To use the Midbar, you first need to set the password (or should I call it the "Master Password"?).

To do so:

  • Power up Midbar;
  • Quad-click the encoder button;
  • Enter the password that you would like to use to unlock the Midbar. You can't change your password. And Midbar won't be able to decrypt your data without your password because the keys for the encryption algorithms are partially derived from your password. Perhaps, it won't even unlock without the correct password. Beware of it;
  • Quad-click the encoder button.


After you've unlocked the Midbar and got the main menu:

  • Turn the rotary encoder to the right to go down the menu.
  • Turn the rotary encoder to the left to go up the menu.
  • Press the "A" button to open the selected menu.
  • While in the submenu, press the "B" button to return to the main menu.


While entering a text in a tab:

  • Click the encoder button four times to continue;
  • Click the encoder button five times to cancel the current operation.


*If the hex value decreases when you rotate the encoder to the right, I would advise you to swap the wires connected to the D5 and D6 pins.

Add Login

As I've mentioned in the introduction, this version of Midbar can store eight passwords and four credit cards in encrypted form.

To add a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "A" button;
  3. Select the "Add" line;
  4. Press the "A" button;
  5. Choose the slot you want to put the login to by rotating the encoder;
  6. Press the "A" button;
  7. Enter title;
  8. Quad-Click the encoder button;
  9. Enter login;
  10. Quad-Click the encoder button;
  11. Enter password;
  12. Quad-Click the encoder button;
  13. Enter website;
  14. Quad-Click the encoder button.

View Login

To view a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "A" button;
  3. Select the "View" line;
  4. Press the "A" button;
  5. Choose the login you want to view by rotating the encoder;
  6. Press the "A" button;
  7. Press any button to view the next field.

Delete Login

To delete a login:

  1. Select the "Logins" line in the main menu;
  2. Press the "A" button;
  3. Select the "Delete" line;
  4. Press the "A" button;
  5. Choose the login you want to delete by rotating the encoder;
  6. Press the "A" button.

Encrypt String

As I've mentioned earlier, the Midbar utilizes three encryption algorithms.

You can use any of them to encrypt a string.

To encrypt a string:

  1. Open the Serial Monitor because the ciphertext is printed to it;
  2. Select the "Encryption Algs" line in the main menu;
  3. Press the "A" button;
  4. Select the encryption algorithm you would like to use;
  5. Press the "A" button;
  6. Select the "Encrypt" line;
  7. Press the "A" button;
  8. Enter the string you would like to encrypt;
  9. Quad-Click the encoder button.


Plaintext:

Midbar is more than just a password vault


Ciphertext:

4a1e1bb3212cc224c201a6a335385db79cadb2b8691972b138b20e76144226b7c1b517f57fd224dc9d5df9367275e2131a240e7619bf9e8a1f738f8d57577807da047dd18c1af7dca6155cb0bb1729444d9468799ef4b96664bb1ccd29723b31d3c1db139d0cdb7756fc9af9e66ed36b987e7a675217b342e122b15ee573ad16

Decrypt String

To decrypt a string:

  1. Open the Serial Monitor because you'll need to paste the ciphertext to it;
  2. Select the "Encryption Algs" line in the main menu;
  3. Press the "A" button;
  4. Select the line with the name of the encryption algorithm you've used to encrypt the string;
  5. Press the "A" button;
  6. Select the "Decrypt" line;
  7. Press the "A" button;
  8. Paste the ciphertext to the Serial Monitor;
  9. Press the "Send" button on the Serial monitor.


Ciphertext:

4a1e1bb3212cc224c201a6a335385db79cadb2b8691972b138b20e76144226b7c1b517f57fd224dc9d5df9367275e2131a240e7619bf9e8a1f738f8d57577807da047dd18c1af7dca6155cb0bb1729444d9468799ef4b96664bb1ccd29723b31d3c1db139d0cdb7756fc9af9e66ed36b987e7a675217b342e122b15ee573ad16


Plaintext:

Midbar is more than just a password vault

Hash String

Midbar can hash your data using either SHA-256 or SHA-512.

If you're not familiar with the hash functions, let me give you a simple explanation of what the hash function is.

The hash function is an algorithm that takes your input (in that case, it's a string) and gives you a fixed-length output derived from that input. One of the most important properties of the hash function is that it always produces the same output for the same input. That allows you to use the hash function to verify the data integrity.

To hash a string:

  1. Select the "Hash Functions" line in the main menu;
  2. Press the "A" button;
  3. Select the hash function you would like to use;
  4. Press the "A" button;
  5. Enter the string you would like to hash;
  6. Quad-Click the encoder button;
  7. Press any button to return to the main menu.



String:

Midbar


Hash:

0415af21a07eb50be9ce02417f73c1d6b8c30631a5a4240b662ff89e3531fcfa02dfe06a808acacf81b523066f81495dc3004e375f08e71943cad0589807b160

Find a Good Use for Midbar

I put a lot of effort into making this version of Midbar as secure, easy-to-use, and as affordable as I could. From the technical point of view, it utilizes an unnecessarily strong encryption algorithm alongside the fairly sophisticated Hash-based Message Authentication Code constructed from the SHA-256.

Even though Midbar is "somewhat resembling" a cryptographic fortress, that "fortress" can't and won't give you a 100% guarantee that your personal data would stay untouchable to everyone. And it's not about giving you a 100% guarantee. It's about raising the cost of unauthorized access to your data as high as possible.

And by the way, if you want to make your own version of the Midbar, please do so! It would be interesting to observe how many forks will be available on GitHub and how each fork will evolve. Don't forget that there's always room for improvement, even if it seems that there's none. And you can be the one who makes that improvement.

That's it for this tutorial.

If you like this tutorial, please share it.

Thank you for reading this tutorial.