Cards, Cables, Two Chips, or a Hardware Password Manager for Special Cases

Generated by the neural network “Shedevroom”

A password manager is a convenient and sometimes irreplaceable thing, because the number of combinations that the average IT specialist has to remember does not allow him to rely only on his own memory. Such managers have long learned to generate not only passwords of the required complexity, but also to automatically enter them into standard on-screen forms. The most advanced solutions can log into an account in complex, pre-configured scenarios. But in situations where the password manager is unavailable (for example, when logging into the system locally), the password has to be entered “the old-fashioned way”. In addition, there are specific risks: if the master password is compromised (which often happens when a user's device is hacked), all user passwords are considered stolen. This is a significant risk, especially for IT administrators.

Passwords should have been a thing of the past a long time ago, but there is no suitable replacement for them. Even technologies like PassKey are not yet widely used, as their implementation requires modifications to existing applications. With biometrics, things are even more complicated: the industry is heavily regulated, which significantly limits the use cases. So we will definitely have to live with passwords for some time.

If administrator passwords cannot be stored in a software password manager, then perhaps the problem can be solved by a hardware-software device that is connected to the desired host only for the duration of use. Such a device would have the basic capabilities of regular software password managers, but would be more resistant to attacks. Enthusiasts have already created many such solutions for personal use, and it would be strange to create another one. However, they all have security problems, which I decided to try to get rid of. Especially since this technical creativity helped me while away several cold evenings 🙂 I will tell you what came of it.

P.S. Once the author of these lines needed to create a dozen of reliable administrative passwords that could not be stored even in a password manager. Needless to say, what inconveniences had to be faced with each use.

Solution concept

Let's make a reservation about the operating principle of the device being developed. In a nutshell: it emulates keyboard input. The BadUSB technique is well known among information security specialists. Its essence lies in emulating a class of USB user input devices called Human Interface Device (HID). This class includes, in particular, mice with keyboards. The computer to which such a USB device is connected usually blindly trusts the information it provides about itself (hello, Plug&Play). And in order to deceive a gullible user and force him to connect such a device, it is enough to disguise it as a recognizable USB flash drive. As soon as he connects such a “flash drive”, the device will declare itself a keyboard, launch a command shell and enter the commands laid down by the intruder. In general, do not trust unfamiliar flash drives 🙂

Fig. 1. Keyboard emulator based on ATmega32U4

Emulating a physical keyboard is only part of the story. The work of the software and hardware password manager needs to be somehow managed, and there may be nuances here. The device must perform two main functions:

generate and save new passwords in the built-in memory;
enter them in USB keyboard emulation mode.

Each password created must be assigned an identifier so that the user can specify which password he needs at the moment. It is also necessary to ensure that the saved passwords cannot be used by an intruder, even if he gains physical access to the device. There can only be one solution here: passwords must be stored encrypted, and the symmetric encryption key must be restored from several components each time the passwords are used.

Design

The software and hardware password manager was implemented on the basis of the Arduino-compatible Pro Micro board, costing about $3, built on the ATmega32U4 microcontroller. The peculiarity of this chip is the presence of a built-in USB interface, the operation of which is allowed to be controlled by the user. The board also has an SPI interface for interfacing with the necessary peripheral devices.

Fig. 2. ProMicro debug board with Micro USB connector

The first thing we need is a 4×4 matrix PIN keypad, designed to control the operating modes of the device. This is the simplest thing that will work for this task. As mentioned above, each created password must be assigned a unique identifier, determined by the user. This can be either a trivial “B2” from “Battleship” or a more intricate “8C49B” from “Star Wars”. Everything is limited only by your imagination.

If you choose a complex identifier, you will get an additional level of password protection. The attacker will not know the actual identifiers, and it will be difficult for him to guess them. Whatever identifier is entered (existing or not), the device will send a set of characters to the USB port, which can be either a real password or a pseudo-random sequence.

Additional keys * and # on the keyboard can be used to select the operating mode of the device. For example, pressing # in the standby mode will start the procedure for creating a new password. For even greater convenience, a two-line LCD screen could be connected to the Pro Micro to display the current state of the device, but the implementation would be more complicated, since the board has a limited number of soldered pins.

The second device connected to Pro Micro is a contactless reader for MIFARE-compatible cards based on the PN532 chip. Attaching the card to the device is necessary to identify the user who wants to use the saved passwords. The approach is as close as possible to a traditional ACS, where a key card must be presented to gain access. In order for the user not to forget the card and not to leave it anywhere, it is best if it is valuable to him (for example, as a bank card). A special feature of the PN532 is the support of various data transfer protocols operating on top of the ISO 14443 standard. This will allow using almost any card with an NFC or RFID tag. It is important that all these cards have a unique identifier – UID, which is “flashed” at the factory. Although the UID is not secret (it can be easily read from the card's memory and even written to another), this is enough to identify the user, because this is not the only level of protection. To access the password, an attacker must not only take possession of the user's bank card, but also enter a valid password identifier, which is not so easy.

Despite the compact size of the peripherals connected to the Pro Micro, they can be further compacted by placing them in a portable case printed on a 3D printer. The total cost of the “body kit” for the Pro Micro was $5.

Implementation nuances

So, the smart card acts as a master key required for any operation with passwords. Although you can use any ISO14443-compatible card, it will be more convenient to choose a bank card for these purposes, because everyone has one. But using smartphones that support Host-based Card Emulation (HCE) technology, alas, will not work. The UID tag will be generated differently each time it is read, hinting that smartphone manufacturers consider this technology unsafe.

Whenever a contactless card is tapped onto an NFC reader, Pro Micro scans its UID and concatenates the password ID entered by the user via the PIN pad. The resulting hash of the resulting value is converted into a cryptographic key, which is used to encrypt or decrypt a specific password. This approach means that each stored password is encrypted with its own key. This makes it difficult to recover passwords even if an attacker copies the contents of Pro Micro's non-volatile memory.

Even if an attacker gets hold of the user's card and enters a random identifier, he will not know whether he has restored the correct password. Whatever card he applies, whatever password identifier he enters, the device will send a sequence of characters to the USB port, which can be anything. Security through obscurity.

Moving on to the nuances of software implementation, we cannot help but touch upon several other aspects of security. Random number generation, which is necessary for the formation of complex symbolic sequences, requires a reliable source of entropy. Due to its low cost, the ATmega32U4 chip does not have a random number generator, so one cannot count on the proposed mechanisms for generating pseudo-random numbers. For example, the manufacturer suggests using the analog pins of the chip routed on the board as a source of entropy: the read values of atmospheric noise should, in theory, be random. Research has shown that they are highly predictable.

As it often happens, the developer community found another solution: ATmega32U4, like most microcontrollers of this class, has a Watchdog Timer (WDT). WDT is a hardware counter that must be periodically reset by the controlled system. If the reset does not occur, then the system itself has hung and needs a hard reset. According to the results of several studies, it turned out that the read values of timers with certain tricks can be considered highly random. The size of the entropy pool formed by the data from the counters is small. However, the generation of random numbers is a rare operation for a password manager.

The Entropy library used in the project made it possible to apply the non-standard method described above for filling the entropy pool, which is necessary for generating random numbers.

Since different systems and applications understand passwords of varying complexity, their classification was introduced: from legacy level (without support for special characters) to complex (without restrictions on length and use of special characters). The choice of password complexity category was assigned to keys from “A” to “D” of the matrix keyboard.

To protect the Pro Micro memory from unauthorized copying, its contents were randomized, with a random sequence of bytes written into each memory cell allocated for storing passwords. When decrypted with an incorrect key, this would produce a random password phrase every time.

All cryptographic methods, including symmetric encryption and hashing, were implemented using the third-party Spritz library. It also helped generate complex passwords, supplement the entropy pool, and clear memory.

And as a conclusion

It should be noted that, in addition to obvious problems with practicality (password identifiers still have to be remembered) and fault tolerance (it is advisable to have a backup copy of saved passwords), software and hardware password managers do not eliminate some security problems. For example, if the host to which such a device is connected is compromised, the attacker will be able to intercept the entered passwords using a keylogger.

The key card used to identify the user must guarantee that it cannot be used without authorization, including copying. To do this, it is necessary to switch from reading UID tags to working according to the EMV standard, which will allow offline authentication of the card, as is the case with payment cards when paying for purchases. A nice bonus of this step would be the ability to use a smartphone instead of a physical card.

At the same time, trying to keep password authentication technology viable is like bailing out a sinking ship. The outcome is inevitable, so the best direction to apply efforts lies in the area of distributing passwordless authentication methods, such as FIDO2. The modern software stack is already prepared for this.