Syncing MCU Password Vault With Desktop App Using Google Firebase

by Northstrix in Circuits > Microcontrollers



Syncing Diagram.png

For a while, I’ve been developing a data vault called Midbar. While Midbar is a fully functional device that does its job, its feature set is limited. Notably, it lacks synchronization with the desktop app. So, after a long consideration, I’ve finally decided to add that feature.

I acknowledge that syncing a version of Midbar with the desktop app poses security risks by making that particular version more prone to side-channel attacks. However, having this version available gives you one more option to choose from.

If you prioritize security over convenience and a rich feature set, check out the MCU-only version of Midbar: DIY Hardware Data Vault With Teensy 4.1 (Midbar (Teensy 4.1) V3.0).

Now, let's get to it!

This article is also available on Medium.

Supplies

Supplies for a hardware vault:

  • ESP32 x1
  • 1.77 Inch TFT LCD with ST7735 x1
  • PS/2 Keyboard x1
  • PS/2 Port x1
  • Wi-Fi Access Point x1


Supplies for a desktop app:

  • Environment that can run the Python code (the desktop app) x1

Encryption Algorithm

AES in CBC.png

By default, Midbar utilizes the 3DES + AES + Blowfish + Serpent encryption algorithm in CBC mode for data encryption. Using this algorithm for the MCU-only versions of Midbar was fine, as I already had the necessary libraries at hand. However, porting this encryption algorithm to the Python app turned out to be challenging. For starters, I couldn't even find a library with a Serpent implementation. I admit I wasn't looking hard enough and gave up too early. And since I have no intention of making a Serpent library for Python and didn't even try looking for libraries for 3DES and Blowfish, I opted for AES-256 in CBC mode for data encryption.

Note that this is not textbook CBC: this particular implementation increments the key after every block cipher call, so each block is processed under a different key. Any other implementation that needs to read the vault, the Python app included, has to reproduce that key schedule exactly; a standard fixed-key CBC decryption would only recover the first block.

Key Derivation Function

Key Derivation Algorithm.png

As the diagram shows, the master password is first hashed with SHA-512. The resulting 64-byte hash is split into two equal halves: the left half is used as the AES-256 key, while the right half is hashed again with SHA-512. That second hash is then encrypted with AES-256 in CBC mode (under the key just derived) and stored. Keep in mind that a single unsalted SHA-512 is cheap to compute, so anyone who obtains the stored, encrypted hash from the database can test master-password guesses at full hash speed; the strength of the master password is what protects the vault.

During an authentication attempt, the entered master password is hashed in the same way, the stored hash is decrypted, and the two second-stage hashes are compared. Matching hashes mean the user entered the correct master password.

Integrity Verification

Integrity verification.png

To verify record integrity, I used the integrity verification method that first appeared in Midbar V2.5 and simply replaced HMAC-SHA256 with SHA-512.

As a result, forged ciphertexts, and legitimate ciphertexts moved between cells, aren't much of a threat to this version of Midbar. What makes the check work is that the hash itself is stored encrypted under the key derived from the master password: without that key, an attacker who can only modify the database cannot produce a matching encrypted hash for an altered record.

When you add a record to Midbar, it concatenates all the data you've entered into a single string, hashes it, and stores that hash in encrypted form.

When Midbar decrypts your data, it also decrypts the previously calculated hash and recomputes the hash over the decrypted data. It then compares the two and, if they don't match, notifies you that the integrity verification failed.
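The three mechanisms above (the key-incrementing CBC variant, the SHA-512 key derivation with its encrypted verifier, and the hash-then-encrypt integrity check) are exactly what the MCU firmware and the desktop app have to agree on byte for byte. The following is an added reference implementation written for this article, not code from Midbar's firmware or Python app. It is in Go because the standard library already provides AES and SHA-512, so it runs with no extra packages and can be used to check either side. Several details the article does not pin down are assumptions and are marked as such in the code: the key is "incremented" by adding 1 to it as a 256-bit big-endian integer, PKCS#7 padding is used, record fields are joined with a separator byte before hashing, and the IV is supplied by the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// sep joins record fields before hashing (assumption: the page only says they are concatenated).
const sep = "\x1f"

// incKey returns key+1 as a 256-bit big-endian integer (assumption; copy the exact rule from the Midbar source).
func incKey(key []byte) []byte {
	out := append([]byte(nil), key...)
	for i := len(out) - 1; i >= 0; i-- {
		if out[i]++; out[i] != 0 {
			break
		}
	}
	return out
}

// cbcInc is AES-256-CBC with the key incremented after every block. Standard CBC keeps one key
// for all blocks, so the desktop app must reproduce this schedule exactly to read what the MCU
// wrote. PKCS#7 padding is an assumption; the page does not name a padding scheme.
func cbcInc(key, iv, in []byte, dec bool) ([]byte, error) {
	if !dec {
		n := aes.BlockSize - len(in)%aes.BlockSize
		in = append(append([]byte(nil), in...), bytes.Repeat([]byte{byte(n)}, n)...)
	}
	if len(key) != 32 || len(iv) != aes.BlockSize || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("need a 32-byte key, a 16-byte IV and non-empty block-aligned input")
	}
	out, prev, k := make([]byte, len(in)), iv, key
	for i := 0; i < len(in); i += aes.BlockSize {
		blk, _ := aes.NewCipher(k) // 32-byte key selects AES-256; the length was checked above
		src, dst := in[i:i+aes.BlockSize], out[i:i+aes.BlockSize]
		if dec {
			blk.Decrypt(dst, src)
			for j := range dst {
				dst[j] ^= prev[j]
			}
			prev = src
		} else {
			for j := range dst {
				dst[j] = src[j] ^ prev[j]
			}
			blk.Encrypt(dst, dst)
			prev = dst
		}
		k = incKey(k) // the non-standard step: the next block uses key+1
	}
	if !dec {
		return out, nil
	}
	n := int(out[len(out)-1]) // validate and strip the PKCS#7 padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}

// deriveKey is the page's KDF: SHA-512(master); left half = AES-256 key, SHA-512(right half) = stored verifier.
func deriveKey(master string) (key, verifier []byte) {
	h := sha512.Sum512([]byte(master))
	v := sha512.Sum512(h[32:])
	return h[:32], v[:]
}

// unlock recomputes the verifier, decrypts the stored one and compares them in constant time.
func unlock(master string, iv, stored []byte) ([]byte, bool) {
	key, v := deriveKey(master)
	dec, err := cbcInc(key, iv, stored, true)
	if err != nil || subtle.ConstantTimeCompare(dec, v) != 1 {
		return nil, false
	}
	return key, true
}

// sealRecord encrypts the joined fields and, separately, their SHA-512 (the hash "stored in encrypted form").
func sealRecord(key, iv []byte, fields []string) (ct, tag []byte, err error) {
	s := []byte(strings.Join(fields, sep))
	h := sha512.Sum512(s)
	if ct, err = cbcInc(key, iv, s, false); err == nil {
		tag, err = cbcInc(key, iv, h[:], false)
	}
	return ct, tag, err
}

// openRecord decrypts both blobs, recomputes the hash and rejects the record on any mismatch.
func openRecord(key, iv, ct, tag []byte) ([]string, error) {
	s, err1 := cbcInc(key, iv, ct, true)
	stored, err2 := cbcInc(key, iv, tag, true)
	h := sha512.Sum512(s)
	if err1 != nil || err2 != nil || subtle.ConstantTimeCompare(stored, h[:]) != 1 {
		return nil, errors.New("integrity verification failed")
	}
	return strings.Split(string(s), sep), nil
}

func main() {
	iv := bytes.Repeat([]byte{7}, aes.BlockSize) // constructed demo IV; real code should use a fresh random one
	key, v := deriveKey("correct horse battery staple")
	stored, _ := cbcInc(key, iv, v, false)
	_, ok := unlock("correct horse battery staple", iv, stored)
	ct, tag, _ := sealRecord(key, iv, []string{"GitHub", "alice", "hunter2", "github.com"})
	ct[0] ^= 1 // tamper with one ciphertext byte
	_, err := openRecord(key, iv, ct, tag)
	fmt.Println("unlock:", ok, "| tampered record:", err)
}
```

The useful property to check against the real firmware is the one the CBC section warns about: decrypting the stored verifier with ordinary fixed-key AES-CBC recovers the first 16 bytes correctly and garbage from the second block on, because only the key schedule differs. Flipping a single ciphertext byte, or pairing one record's ciphertext with another record's encrypted hash, makes openRecord return "integrity verification failed".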

MCU Vault

Hardware Vault.jpg

To make a vault that can sync with the desktop app, I took the DIY IoT Data Vault With Google Firebase (Midbar Firebase Edition V1.0), cut its functionality down to a password vault, replaced the 3DES + AES + Blowfish + Serpent encryption algorithm in CBC mode with AES-256 in CBC mode, and switched the integrity verification from HMAC-SHA256-based to SHA-512-based.

Desktop App

Unlock Desktop App.png
About Desktop App.png

The desktop app, capable of decrypting the data encrypted by the hardware MCU vault (and vice versa), is written in Python, with a GUI built on CustomTkinter. Just like the MCU vault, the desktop app connects to Google Firebase and works on the encrypted data stored there.

Setting the Whole Thing in Motion

If you want to actually make this vault and test it for yourself, follow the instructions below.

Install CP210x Driver and Configure Arduino IDE

If you’ve never flashed ESP32 before you need to configure Arduino IDE and install CP210x driver to upload the firmware into the board, you can download the CP210x driver for ESP32 here: https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers

Configuring IDE isn’t a part of this tutorial. You can read about it here: https://randomnerdtutorials.com/installing-the-esp32-board-in-arduino-ide-windows-instructions/

Download Firmware

Download and Install the Libraries

Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Library

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

PS2KeyAdvanced: https://github.com/techpaul/PS2KeyAdvanced

PS2KeyMap: https://github.com/techpaul/PS2KeyMap

Firebase-ESP32: https://github.com/mobizt/Firebase-ESP32

Unpacking the libraries is the usual process: either extract the contents of each archive into the …\Arduino\libraries folder, or open the Arduino IDE, go to Sketch -> Include Library -> Add .ZIP Library… and select each library archive.

The other libraries the firmware needs are already available.

Set Up Google Firebase

F2Q2ELELNLRHDXU.png

I would be happy to explain how to set up Google Firebase; however, I believe the article at https://medium.com/firebase-developers/getting-started-with-esp32-and-firebase-1e7f19f63401 does a better job of it. I suggest reading it up to the “Development Environment Setup” heading.

When setting up the database, save the “Realtime Database URL” and the “Web API Key”; both will be needed later. Keep in mind that the Web API key identifies the project but is not a secret, and that the Realtime Database security rules are what actually control who can read and write the vault's data, so don't leave them wide open once you are done testing.

Modify the Firmware

modf.png

Open the “Firmware.ino” file from the “V2.0\Firmware” folder and put your values into the following variables:

  • WIFI_SSID
  • WIFI_PASSWORD
  • API_KEY
  • DATABASE_URL

After that, replace my keys with yours.

Switch the Partition Scheme to the "Huge APP (3MB No OTA/1MB SPIFFS)"

switchpartsc.png

You have to switch the partition scheme to “Huge APP (3MB No OTA/1MB SPIFFS)” before flashing the ESP32, because the firmware is too big for the default partition.

Flash ESP32

flash.png

Upload the firmware from the “V2.0\Firmware” folder to the ESP32. Don't forget to hold the “BOOT” button when the upload starts so the board enters its bootloader.

Assemble the Vault

Midbar Circuit Diagram.png

It shouldn’t be hard to assemble.

Just compare it with Midbar (STM32F401CCU6 + Arduino Uno Version) or Midbar (RTL8720DN + Arduino Uno Version), and you’ll understand what I mean.

Get the Firebase Private Key

1.png
2.png
3.png
4.png

To enable the desktop app to interact with Firebase, you need to generate a service-account private key and place it in the same folder as the desktop (client) application. That key grants full administrative access to your Firebase project, so treat it like a password: keep it out of version control and off any machine that doesn't need it.

To do so:

  • Open your database;
  • Click on the “Settings” icon;
  • Click on the “Project settings” line;
  • When the next tab loads, go to the “Service accounts” tab;
  • Click the “Generate new private key” button;
  • Click the “Generate key” button in the pop-up window;
  • Save the private key to the “…\V2.0\Desktop App” folder as “firebase key.json”.


Add Database URL to the Desktop App

dburl.png

Navigate to the “…\V2.0\Desktop App” folder, open the “db_url.txt” file, replace my database URL with yours, press “Ctrl + S”, and close the file.

Power the MCU Vault Up

F4KS6YWLNN6Y611.png

Power Midbar up and wait until it connects to your access point (Wi-Fi), initializes Firebase, and displays a random lock screen.

This version of Midbar has 18 lock screens.

*Credits for the photos used on the lock screens:

Atlanta

Photo by Joey Kyber on Unsplash

Be’er Sheva

Photo by Levi Meir Clancy on Unsplash

Dallas

Photo by Braden Egli on Unsplash

Dallas

Photo by Talena Reese on Pexels

Frankfurt

Photo by Igor Flek on Unsplash

Kansas City

Image by Cloud11 from Pixabay

Los Angeles

Image by herdzmedia from Pixabay

Minneapolis

Photo by Daniel McCullough on Unsplash

Nashville

Image by Paul Brennan from Pixabay

Netanya

Photo by Shai Pal on Unsplash

New Orleans

Photo by Morgan Petroski on Unsplash

Pittsburgh

Photo by Yuhan Du on Unsplash

Salt Lake City

Image by RobinSaville from Pixabay

Santiago

Photo by Jeffrey Eisen on Unsplash

Tel Aviv

Image by ran from Pixabay

Tel Aviv

Photo by Micah Camper on Unsplash

Tel Aviv

Photo by Shai Pal on Unsplash

Toronto

Photo by Nadine Shaabana on Unsplash

Set Master Password

IMG_20231015_140042.jpg
IMG_20231015_140201.jpg
IMG_20231015_140206.jpg
setp1.png
setp2.png
fbafeter password set.png

Once you have configured the MCU password vault and the desktop app, set the master password. It can be set from either the MCU password vault or the desktop app, whichever you launch first.

Enjoy the Result

IMG_0258.JPG
Add Login.png
IMG_0266.JPG
View Login.png
fbwithlogin.png

If you made it to this point, you should have a fully functional password vault that keeps your login credentials in Google Firebase, encrypted with AES-256 in CBC mode.

And while Midbar is no guarantee of world peace or social harmony, I do believe that it’s an important contribution to the protection of your data from unauthorized access.

I think it’s also worth mentioning that Midbar’s source code is distributed under the MIT license. That grants you the freedom to customize, adapt, and modify Midbar according to your needs and preferences. In other words, you can create your own version of Midbar or use it as a starting point for building new projects without the need for external permission.

If you found this tutorial to be useful, please consider sharing it.

Thank you for reading this article.