The KhadashPay Project

by Northstrix in Circuits > Microcontrollers

1657 Views, 9 Favorites, 0 Comments

The KhadashPay Project

IMG_20220813_134410_hdr.jpg

The KhadashPay project is an open-source payment system. I made it to provide the business owners with the opportunity to easily deploy a card payment system in their store without having to buy an expensive terminal, pay fees from each transaction, and waste time and resources dealing with the bank.

As for the customers of the store where the KhadashPay is deployed, Khadash pay doesn't keep any logs whatsoever and doesn't require a bit of your personal information to create an account.

The name KhadashPay is a combination of two words - Khadash (Hebrew: חדש - New) and Pay.

KhadashPay consists of four microcontrollers: ESP32, Arduino Uno, and two other Arduino Nano compatible MCUs.

ESP32 is the device's core. It runs SQLite, handles the input from the peripherals (via Arduinos), and stores the data about accounts.

Each of the three Arduinos is an intermediary between the ESP32 and some peripheral.


Before you continue reading this instructable, I would like to remind you that this payment system isn't connected to any existing financial institution. It works completely offline, and all the money kept in it is nothing more than just numbers entered by the operator and stored in the ESP32's built-in flash memory (in an encrypted form).

Supplies

IMG_20220814_120516_hdr.jpg
  • ESP32 x1
  • Arduino Uno x1
  • Arduino Nano/Uno/Compatible board x2
  • 2.4 Inch TFT LCD with ILI9341 x1
  • 1.77 Inch TFT LCD with ST7735 x1
  • Mifare RC522 x1
  • PS/2 Keyboard x1
  • PS/2 Port x1
  • 580 ohm resistors x4
  • LED x1
  • 4x4 Keypad x1
  • 10µF capacitor x1 *optional
  • RFID cards x4 + 1 card for each client

Data Encryption and Integrity Check

EA1.png

All data stored in the KhadashPay is encrypted or encrypted and then hashed.


This device utilizes Blowfish + AES-256 + Serpent + AES-256 encryption algorithm to encrypt and decrypt the data. The algorithm requires four keys to function: one key for Blowfish, two keys for the AES, and one key for Serpent. This algorithm takes eight characters (64 bits) and four keys as input and produces a sixty-four-character string in the hexadecimal format as an output.


I could've just used the AES to encrypt the stored data, but since I had a more sophisticated encryption algorithm from my previous project, I've decided to use that one instead (although I watered it down a bit). Since the account number and PIN are stored as hashes of the encrypted values, I needed the algorithm to always produce the same output for the same input. So I replaced the random numbers added during the encryption process with the predefined number. Even though that made the encryption algorithm vulnerable to the chosen-plaintext attack, it's still protected from the block swapping attack.


The encryption process goes as follows:

1) The algorithm takes an input block;

2) If the length of an input block isn't equal to eight, then the padding is applied;

3) Input block is encrypted using Blowfish;

4) The result of the previous step is passed to the AES alongside 64 predetermined bits;

5) AES encrypts obtained 128-bit block using the first key;

6) The result of the previous step is split into two equal 64-bit halves;

7) 64 predetermined bits are concatenated to each half;

8) Each of the 128-bit halves is encrypted using Serpent;

9) Each ciphertext from the Serpent is encrypted using AES with the second key;

10) Concatenation of two ciphertexts produced by the AES using the second key is the resulting ciphertext.


As for the "Integrity check" feature, it works as follows.

1) First 3 bytes of the RFID card are given to the HMAC-SHA256 (Hash-Based Message Authentication Code) alongside the balance;

2) HMAC-SHA256 computes a tag for the value given to it;

3) KhadashPay splits the concatenation of tag, first 3 bytes of the RFID card, and balance into 8-bit blocks, and then passes each block to the encryption algorithm (described above);

4) Encryption algorithm encrypts all of that and produces the ciphertext (that's stored in the cell for the balance);

5) When that ciphertext is decrypted, the KhadashPay extracts a tag from it and then computes the new tag for the concatenation of the first 3 bytes of the RFID card and balance;

6) It then compares tags and the first 3 bytes of the RFID card that were just decrypted with the first 3 bytes of the RFID card that were just read. If something doesn't match, the KhadashPay halts the current operations and throws an error "Integrity check failed"

Install Drivers and Configure Arduino IDE *Optional

If you've never flashed ESP32 or Arduino before, you'll need to configure Arduino IDE and install drivers to upload the firmware to the boards, you can find drivers here:

CP210x driver for ESP32: https://www.silabs.com/developers/usb-to-uart-brid...

CH340 driver for Arduino: https://sparks.gogo.co.nz/ch340.html

In case you don't have Arduino IDE, you can download it here: https://www.arduino.cc/en/software

Configuring IDE isn't a part of this tutorial, you can read about it here https://randomnerdtutorials.com/installing-the-esp...

Download the Firmware From GitHub (or From SourceForge)

FQSR9KYL6URSHDU.png

You can download firmware here https://github.com/Northstrix/KhadashPay

*Updated: If you don't want to download a 54mb archive from GitHub, you can download a 0.1mb archive that contains the same firmware from the SourceForge: https://sourceforge.net/projects/khadashpay/

Download and Install the Libraries

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_ILI9341: https://github.com/adafruit/Adafruit_ILI9341

Adafruit-ST7735-Library: https://github.com/adafruit/Adafruit-ST7735-Library

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

PS2Keyboard: https://github.com/PaulStoffregen/PS2Keyboard

esp32_arduino_sqlite3_lib: https://github.com/siara-cc/esp32_arduino_sqlite3_lib

espsoftwareserial: https://github.com/plerup/espsoftwareserial/

rfid: https://github.com/miguelbalboa/rfid

Keypad: https://github.com/Chris--A/Keypad

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click to the Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

Install ESP32 Filesystem Uploader

FT3L6X4L626VO97.png

The primary purpose of the ESP32 Filesystem Uploader is to let you upload files into ESP's filesystem. In this tutorial, the purpose of this tool is to upload an empty SPIFFS image into ESP.

Download the "ESP32FS-1.0.zip" file here https://github.com/me-no-dev/arduino-esp32fs-plugin/releases/

And then extract the content of that archive into the "...\Arduino\Tools\" folder.

After that, restart the Arduino IDE.

Format ESP32'S Built-In Flash Memory

e.png

Click Tools -> ESP32 Sketch Data Upload. Then click Yes in the pop-up window. The program is going format the built-in flash memory.

Some boards will flash without any problems.

Unfortunately, that's not the case for all boards. If you configured IDE correctly, installed drivers, selected the corresponding port, and still keep getting this error: A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header. Connect a 10µF capacitor to the board while flashing.

Connect the positive lead of the capacitor to the EN pin of the ESP32;

Connect the negative lead of the capacitor (usually indicated by the gray stripe) to the GND pin of the ESP32.

Don't forget to disconnect the capacitor after the board flashes.

Generate Keys

k.png

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them.

The best way to generate the keys is to throw 20-sided dice.

If you get a number from 1 to 9, write it down.

If you get a number from 10 to 15, write down a letter corresponding to that number.

10 = A;

11 = B;

12 = C;

13 = D;

14 = E;

15 = F.

If you get 20, write down 0.

If you get something else, don't write anything and throw the dice again.


There's also an easier option.

I modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk.

To generate the keys - launch gen.exe from the "KhadashPay-main\V1.0\Untested RNG" folder, and then click the "Generate keys for KhadashPay" button. The background turns from black to blue when you press that button.

Modify the Firmware

m.png

Open the file "Firmware_for_ESP32.ino" from the folder "KhadashPay-main\V1.0\Firmware_for_ESP32" and then replace my keys with those you've generated.

You can change the currency in the line:

String space_and_currency = " USD"; // Space + Currency name

Flash the ESP32

esp32.png

Upload the firmware from the folder "KhadashPay-main\V1.0\Firmware_for_ESP32" into the ESP32.

Flash the PS/2 Keyboard Driver

ps2.png

Upload the firmware from the folder "KhadashPay-main\V1.0\Firmware_for_PS2_Keyboard_driver" into the Arduino Nano or any compatible board.

Flash the Card Reader Driver

cr.png

Upload the firmware from the folder "KhadashPay-main\V1.0\Firmware_for_Card_reader_driver" into the Arduino Uno.

Flash the 4x4 Keypad Driver

4x4.png

Upload the firmware from the folder "KhadashPay-main\V1.0\Firmware_for_4x4_Keypad_driver" into the Arduino Nano or any compatible board.

Assemble the Device

IMG_20220813_134021_hdr.jpg

Well, the most important thing here is not to get confused because there are lots of wires and a PS/2 port that you should probably map before connecting.

Circuit Diagram

Circuit diagram 1.png

Power Up the KhadashPay and Approximate Four RFID Cards

ezgif-3-29b9ec0e6e.gif

Ok, it's time to unlock the KhadashPay. Power the device up and consequently approximate four RFID cards to the RFID card reader. You need to approximate cards in exactly the same order every time you unlock the KhadashPay. Otherwise, the KhadashPay won't be able to properly work with data encrypted with the different combinations of cards.


Important thing: If you want to reboot ESP32, reboot all boards. And if the keyboard suddenly stops working as intended, only reboot the microcontroller that's connected to it.

Log in to the KhadashPay

IMG_20220813_140040_hdr.jpg
IMG_20220813_140130_hdr.jpg
IMG_20220813_140203_hdr.jpg

You can enter any password you want, just make sure to keep it secret. When you're done, press "Enter" to log into the vault.

I got the verification number "3839" for the password "Whatever it can be"

The verification number must always be the same for the same combination of cards and the same password.

After logging in and getting to the (main) menu.

Press  (Down Arrow) to go down the menu.

Press  (Up Arrow) to go up the menu.

Create an Account

IMG_20220813_140528_hdr.jpg
IMG_20220813_140826_hdr.jpg
IMG_20220813_141157_hdr.jpg
IMG_20220813_141334_hdr.jpg
IMG_20220813_141522_hdr.jpg
IMG_20220813_141552_hdr.jpg
IMG_20220813_142249_hdr.jpg

Let's start with the facts about the KhadashPay account.


  • Each account is bound to the RFID card and PIN;
  • The PIN can have a length from 0 to 8 characters;
  • PIN can have the following characters: '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D';
  • A client can create several accounts using the same card as long as the pins are different;
  • The maximum amount of money stored in the account is only limited by the double variable type (don't worry about that, the KhadashPay can still store a 15-digit number without any problems);
  • Not even the owner of the KhadashPay can see your balance without your card and your PIN.


To create an account, select the "New account" line in the menu, press "Enter," and wait until the client approximates their RFID card to the card reader and sets the PIN. If you wish to cancel the operation, press "Esc."

When the account is created - you should see the inscriptions "Opened db successfully" and "Oper. done successfully."


Put Money Into the Account

IMG_20220813_140300_hdr.jpg
IMG_20220813_142646_hdr.jpg
IMG_20220813_142805_hdr.jpg
IMG_20220813_142946_hdr.jpg
IMG_20220813_143546_hdr.jpg

To put money into the account, select the "Put money in" line in the menu, press "Enter," and enter the amount of money to be put into the account. After that, press "Enter" and wait until the client approximates their RFID card to the card reader and enters the PIN. If you wish to cancel the operation, press "Esc."


When the money is in the account, you should see the inscriptions "Opened db successfully" and "Oper. done successfully."

View Balance

IMG_20220813_140548_hdr.jpg
IMG_20220813_141831_hdr.jpg
IMG_20220813_142217_hdr.jpg
IMG_20220813_143241_hdr.jpg

To view the balance, select the "View balance" line in the menu, press "Enter," and wait until the client approximates their RFID card to the card reader and enters the PIN. If you wish to cancel the operation, press "Esc."


The balance is shown on both displays.

Make a Sale

IMG_20220813_140244_hdr.jpg
IMG_20220813_143353_hdr.jpg
IMG_20220813_143424_hdr.jpg
IMG_20220813_143522_hdr.jpg
IMG_20220813_143546_hdr.jpg
IMG_20220813_143639_hdr.jpg
IMG_20220813_143715_hdr.jpg

To make a sale, select the "Make a sale" line in the menu, press "Enter," and enter the amount of money to be withdrawn from the account. After that, press "Enter" and wait until the client approximates their RFID card to the card reader and enters the PIN. If you wish to cancel the operation, press "Esc."


When the money is withdrawn from the account, you should see the inscriptions "Opened db successfully" and "Oper. done successfully."


If there's not enough money in the account to complete the transaction - you will see the corresponding error.

Find a Good Use for the KhadashPay

IMG_20220813_134410_hdr.jpg
IMG_20220813_145303_hdr.jpg
IMG_20220813_145545_hdr.jpg
IMG_20220813_135145_hdr.jpg
IMG_20220813_141413_hdr.jpg
IMG_20220813_141937_hdr.jpg
IMG_20220813_145001_hdr.jpg
IMG_20220813_145208_hdr.jpg

Although I put all my effort into the making of the KhadashPay, I didn't make it perfect in any possible way. Most of the time, it works as intended, but sometimes you might encounter the following bags:

  • It seems like the use of the "Backspace" button during login affects the generated keys without affecting the verification number;
  • One or several peripherals can suddenly stop working correctly;
  • The client display can suddenly stop working until the ESP32 is rebooted.

Hopefully, I'll have enough time and resources to continue improving this project. And even if I won't, the project's source code is available on GitHub under the MIT License. So, If you want to make your own version of the KhadashPay, please make it! It would be interesting to observe how many forks will be available on GitHub and how each fork will evolve (that is to say that there will be any forks). On that note, I would like to finish this tutorial.

I hope you will find a good use for this device.

If you like this tutorial, please share it.

If you have any questions about this project, don't hesitate to ask them down in the comment section.

Thank you for reading this tutorial.