Simple Data Encrypter With HMAC

In this tutorial, I'll show you how to build a simple data encrypter that doesn't require any external components.

ESP8266, ESP32, Raspberry Pi Pico, or any compatible microcontroller.

The encryption algorithm implemented in this firmware uses HMAC-SHA256 (Hash-Based Message Authentication Code) to verify the integrity of the encrypted data and a combination of AES, Blowfish, and Serpent to encrypt and decrypt your data.

If you've never flashed ESP8266, ESP32 or Raspberry Pi Pico before you'll need to configure Arduino IDE and install drivers to upload the firmware into the boards. You can find drivers here:

CP210x driver for ESP32: https://www.silabs.com/developers/usb-to-uart-brid...

CH340 driver for Arduino: https://sparks.gogo.co.nz/ch340.html

In case you don't have Arduino IDE, you can download it here: https://www.arduino.cc/en/software

Configuring IDE isn't a part of this tutorial, you can read about it here:

ESP32: https://randomnerdtutorials.com/installing-the-esp...

ESP8266: https://randomnerdtutorials.com/how-to-install-esp...

Raspberry Pi Pico: https://www.tomshardware.com/how-to/program-raspberry-pi-pico-with-arduino-ide

You can download firmware here https://github.com/Northstrix/AES_Blowfish_Serpent_for_MCUs

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them.

The best way to generate the keys is to throw 20-sided dice.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.

There's also an easier option.

I modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk.

To generate the keys - launch gen.exe from the "Untested RNG" folder, and then click the "Gen. keys for AES + Blowfish + Serpent" button. The background turns from black to blue when you press that button.

Open the file "AES_Blowfish_Serpent_hmac_key_der.ino" and replace my keys with those you've generated.

Upload the modified firmware into your board:

*FOR ESP32 ONLY:

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured IDE correctly, installed drivers, selected the corresponding port, and still keep getting this error: A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header. Connect a 10µF capacitor to the board while flashing.

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

Before you do anything, open the Serial Monitor ("Tools" -> "Serial Monitor") and set the baud rate to "115200."

To ensure that an attacker won't be able to decrypt your data by simply obtaining physical access to the board, you need to enter your password every time you power up the board. After you enter the password, press the "Send" button.

You should get the verification number for your password. It must always be the same for the same password.

I got the verification number "2698" for the password "1234567890-=qwertyuiop[]asdfghjkl;'zxcvbnm,./LKJHGFDSA?><MNBVCXZ+_(*&^%$#@!"

To encrypt the string, enter "1" to the Serial Monitor, press the "Send" button, enter the string you want to encrypt, and then press the "Send" button.

I was able to successfully encrypt and then decrypt strings on the following boards with the following lengths:

• ESP8266: 700 chars;
• ESP32: 1900 chars;
• Raspberry Pi Pico: 16 000 chars.

Plaintext:
The encryption algorithm implemented in this firmware uses HMAC-SHA256 (Hash-Based Message Authentication Code) to verify the integrity of the encrypted data and a combination of AES, Blowfish, and Serpent to encrypt and decrypt your data.

Ciphertext:
58DC3E7FBF4BC28236DE05B37556080B053FCEB2D949ED818E0EF4BF0E3491DE5F10744B66A853D078F14C517043FC7987D492C7C6A5E9B631806C18110BB0CEE4F060ACD50B94BBF7B8AE4CB759EBBB44A863E7C807E6E20EE8991CC523D97BB8EBEFE773C2D0420B708F97D4A5E46CB0A9BA3E8A66A5E9B6C16057D6FB7E56CF8F1E66AD12B1F42C6E72F56EA099B807E846CF553E33EBAED45C063437037BD07E36AF8E88398FB193B22290FA25C9E7AC05E51D608E4A5ECDFFBA2A246393B55196FEE2B2A514CCA5C150845D340FBD694039A85762FBA47DBFAD5C3C9028365C786D188770A798AAF4C882BA9FC2A4DF3AD6E1C400FB8657580EC3A51ED95F4250C7715D12C83F4B6719EA129247

To decrypt the string, enter "2" to the Serial Monitor, press the "Send" button, paste the string you want to decrypt, and then press the "Send" button.

When the string is decrypted, the HMAC-SHA256 computes a tag for it. After that, the board compares the attached tag (the first 64 characters of the ciphertext) with the computed one. If these tags don't match, you gonna see the "!!!Integrity verification failed!!!" inscription.

Ciphertext:
58DC3E7FBF4BC28236DE05B37556080B053FCEB2D949ED818E0EF4BF0E3491DE5F10744B66A853D078F14C517043FC7987D492C7C6A5E9B631806C18110BB0CEE4F060ACD50B94BBF7B8AE4CB759EBBB44A863E7C807E6E20EE8991CC523D97BB8EBEFE773C2D0420B708F97D4A5E46CB0A9BA3E8A66A5E9B6C16057D6FB7E56CF8F1E66AD12B1F42C6E72F56EA099B807E846CF553E33EBAED45C063437037BD07E36AF8E88398FB193B22290FA25C9E7AC05E51D608E4A5ECDFFBA2A246393B55196FEE2B2A514CCA5C150845D340FBD694039A85762FBA47DBFAD5C3C9028365C786D188770A798AAF4C882BA9FC2A4DF3AD6E1C400FB8657580EC3A51ED95F4250C7715D12C83F4B6719EA129247

Plaintext:
The encryption algorithm implemented in this firmware uses HMAC-SHA256 (Hash-Based Message Authentication Code) to verify the integrity of the encrypted data and a combination of AES, Blowfish, and Serpent to encrypt and decrypt your data.