Hardware components | ||||||
 |
| × | 1 | |||
Software apps and online services | ||||||
 |
| |||||
I have always found it difficult to remember passwords and with the increasing demands on security, passwords are becoming longer and more complicated. To aid with the entry of passwords on any system, this project has utilised a USB-with-BLE development dongle from Nordic Semiconductor to emulate a HID keyboard that relays password info from a wireless device onto the cursor prompt.
Please watch the video to see this product in action. Note that, although the keyboard was used to enter the master password used to decrypt the credentials file, it was not used to enter the password into the target login page (polaris). The terminal displays the debug logs from the dongle which shows the use of a 16-byte encrypted token authenticating the user application.
The code can be found at p-dial8891/Prism.
ConceptThe USB-Bluetooth dongle behaves as a secure link between the smartphone (or any Bluetooth computer) and the target terminal.
SetupThere are two main components
1. The user application which maintains a database of passwords in an encrypted file (AES-128) and creates a BLE link with the dongle. The BLE connection is encrypted using level 2. In the repo, there is a webpage (webapp.html) that acts as the user application. A command line (cliapp_rs) version is also under development for use on linux based distributions.
2. The dongle firmware which uses the NRF51 SDK from Nordic. To compile and download the firmware you will need the programmer from NRF Connect for Desktop to download and the GCC compiler for ARM to compile. The mingw32 arm compiler can be obtained using the MSYS2 project.
Usage- In the source code, the key used for authenticating is present. This has to be edited to a value which is kept secret and only known to the user. This same value should be updated in the webapp.html
- After updating the keys, the code should be compiled and a .hex file generated. The makefile is available and can has to be passed to GCC make. More detailed instructions will be given in the future on this page.
- The ,hex file should be programmed onto the dongle using the nrf connect for desktop programmer. To program the dongle, you need to press the reset button while the dongle is plugged in.
- Once programmed, the dongle will be detected as a USB HID keyboard. It should also be detectable as a bluetooth peripheral if a device like a smartphone was to scan for it.
- Copy the webapp.html file to any device that has a browser like Chrome (Linux support is not available but a command line tool is under development). Open the page in the browser and use the buttons to enter passwords to be stored. Three pieces of information are needed for every credential - email, username and password (in that order).
- Enter a master password and 'encrypt and save' to a file which can be stored locally or on the cloud.
- Once a file is created, load the file by entering the master password again and pressing the decrypt button. Any changes can still be made in the text box displaying the database of passwords. (It is in JSON format so it is human readable and editable).
- Press the connect button once you are ready and select the bluetooth device - 'Nordic_Blinky'.
- Press the button on the dongle. This is to verify that the user of the webapp is also the user of the dongle. Behind the scenes, there is a challenge/response mechanism which is initiated from the dongle on pressing the button.
- Type in the name of the credential and press the 'Write to BLE' button to send the password. Before doing so, ensure that the terminal on the target computer is in focus and that the cursor is on the password field.
- If the dongle is reconnected, then make sure to unpair the device from the user device and repeat from start.
Make sure to watch the video above to see an example of how it works.
DISCLAIMER: Attempts are being made to improve the security aspects of this project, but there is no warranty or guarantees as to the effectiveness of the measures taken and the use of the device is at the user's own risk.
Comments