
The Making of a Secure Open Source Password Keeper

The Making of a Secure Open Source Password Keeper from the electronics to the high-level software Mathieu Stephan Hello! I am Mathieu Stephan - Embedded systems engineer - Former writer for Hackaday - www.limpkin.fr - Mooltipass


  1. The Making of a Secure Open Source Password Keeper … from the electronics to the high-level software Mathieu Stephan

  2. Hello! I am Mathieu Stephan
     - Embedded systems engineer
     - Former writer for Hackaday
     - www.limpkin.fr
     - Mooltipass project founder

  3. What is the Mooltipass?
     - Secure credential & file storage
     - Native browser integration
     - Recognized as a keyboard
     - Multiple users
     - Cross platform
     - Open software & hardware

  4. The Internals
     [Diagram labels: Mooltipass Mini USB HID Microcontroller OLED screen Flash memory Clickable wheel PIN-locked smart card, containing the user’s AES-256 key]

  5. Usage Example

  6. Usage Example

  7. Presentation Outline
     Here’s how...
     - … this adventure started
     - … 20 people collaborated without meeting each other
     - … we produced two devices from the ground up
     - … we created the Mooltipass security model
     - … the Mooltipass hard-, firm- and software was designed
     ...and what’s next!

  8. 1. Starting The Project Getting contributors and setting up the project infrastructure

  9. Beginning The Mooltipass Adventure
     First call for contributors was in December 2013
     - First article on hackaday.com describing the concept
     - “Developed on Hackaday” but not associated with it
     - Received 30 applications!
     Work was assigned based on the applicants’...
     1) Preferences
     2) Available spare time
     3) Area of expertise

  10. Globally Distributed Contributors me

  11. The Ground Rules
      - Implement features as determined by consensus
      - Use GitHub for code versioning and source control
      - Document the produced code (doxygen)
      - Work in a dedicated file or folder
      - Follow the chosen coding convention

  12. Group Communications
      Constraint: people have different availabilities!
      - Separate general and development discussion groups
      - Direct contact via IM service (sparingly)
      Challenge: keep the momentum going!
      - Show off contributors’ progress
      - Ensure the community feels involved

  13. Management Infrastructure Trello - a free online Kanban board

  14. Management Infrastructure
      Based on the Japanese kanban process
      - Respect the roles, responsibilities and titles
      - Leadership at all levels
      - Document & encourage evolutions
      - Maintain a community atmosphere
      - Obtain & manage ETAs without contributors feeling pressured

  15. 2. The Mooltipass Hardware

  16. Functional Prototype Hand soldered and shipped to contributors

  17. Mooltipass - Case Choice Designs made by the community

  18. Mooltipass - Final Design 110% funded in Dec. 2014

  19. Mooltipass Mini 300% funded in Oct. 2016

  20. Mooltipass Mini - Tests Testing the adhesive strength

  21. Mooltipass Mini - Tests ...but some people double checked!

  22. Mooltipass Mass Production Chinese assembly lines

  23. Mooltipass Mass Production CNC shops

  24. Mooltipass Mass Production Video instructions for the assembler

  25. Mooltipass Mass Production … and a lengthy quality control document

  26. 3. The Mooltipass Firmware

  27. Firmware - AES Encryption
      - Using AVR-Cryptolib, CTR mode
      - Checked against NESSIE vector sets

  28. Firmware - Encrypted Storage
      - Dedicated flash memory used for storage
      - 2 types of data
        - Credentials
        - Encrypted blobs
      - Sorted linked list data structure

  29. Firmware - Data Structure
      [Diagram labels: Service A, Service B, ...; Login 1, Login 2, Login 3, Login 4]
      Encryption key stored inside the smart card

  30. Firmware - Smartcard Use
      - Ubiquitous form of read-protected memory
      - 16-bit PIN access (“0000” to “FFFF”)
      - Permanently locked after 4 incorrect PINs
      - Cheap (<$1) in volume

  31. Firmware - RNG
      - Uses watchdog timer’s natural jitter
      - Generate 8 bytes per second (!)

  32. Firmware - USB
      - USB composite: HID keyboard and ‘proprietary’
      - Proprietary channel for integration plugins
      - Keyboard channel for manual password recall
      - USB Keyboards are natively supported by all OSes...
      - ...but LUTs needed for different locales

  33. Firmware - LUT Generation Tool … basically bruteforcing a given layout

  34. Firmware - Graphics Library
      - Designed from the ground up
      - Optimized for speed
      - Features:
        - RLE compression for bitmaps
        - Bitmaps, fonts stored inside the external flash
        - Python scripts to generate the graphics bundle
        - Can be securely updated

  35. Firmware - Update File Format
      [Diagram labels:]
      - graphics bundle (bitmaps, fonts, strings…)
      - padding
      - new firmware version number
      - AES key update flag
      - new firmware
      - padding (new AES key, encrypted)
      - CBC MAC
      Fixed size to mitigate CBC MAC weakness

  36. Firmware - Bootloader
      - Checks signed firmware updates
      - Stored on the device:
        - One unique AES key for firmware signing
        - One unique AES key for hash generation
        - Read-protected UID for device non-tamper check

  37. Firmware - Security Model
      Relies on the fact that:
      - Physical tampering with the device leaves traces
      - Microcontroller programming first requires chip erase
      Firmware integrity is therefore checked by:
      - Reading the read-protected UID at device reception
      - Reading user card-dependent hashes

  38. Firmware - Static Analyses
      - Performed by security groups, researchers...
      - We had access to some of them...

  39. Flashing the Firmware Custom-made programming jig

  40. 4. The Mooltipass Software

  41. Python Tool - MooltiPy
      Created by one contributor:
      - Can use all Mooltipass features
      - Can be called from other apps
      - Pure command line interface
      - Store / recall small files

  42. Chrome App & Extension
      - Cross-platform
      - Unfortunately Chrome-only
      - Two-click installation:

  43. Chrome App - MooltiApp ...converted into a standalone App using Electron

  44. Cross Platform Tool - Moolticute
      [Architecture diagram labels: Chrome SSH agent Safari Moolticute App Firefox Moolticute CLI Daemon Mooltipass HW]

  45. Cross Platform Tool - Moolticute
      - Qt & C++
      - Created by a contributor

  46. Cross Platform Tool - Moolticute … and now being developed by the Mooltipass team

  47. 4. The Next Mooltipass Device!

  48. Next Generation Mini
      [Block diagram labels: Secure Domain OLED LIS2HH12TR Data Flash DB Flash Secure MCU SMARTCARD “Unsafe” MCU ATBTLC1000 UART May be disabled USB]

  49. Contributors Wanted!
      Firmware:
      - New database model implementation
      - Unicode support implementation
      - Bootloader implementation
      - User interface design
      - U2F implementation
      - < your idea[s] here >

  50. Contributors Wanted!
      - C++ & QT: frontend for the new firmware features
      - Web: implement a user space on mooltipass.com
      - Python: security implementation checks
      - GIMP: create Mooltipass graphics
      - Android & iOS: App development

  51. Thanks! Questions?
      You can find me at:
      - limpkin on freenode.net
      - mathieu@themooltipass.com
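Slides 32 and 33 say the keyboard channel needs per-locale look-up tables and that the generation tool brute-forces a layout. The sketch below is an added example, not the Mooltipass tool: it simulates the host with two constructed layout subsets (`us_layout`, `fr_layout`, both hypothetical helpers), builds a LUT by trying every keycode/modifier pair, and shows what a host receives when the wrong LUT is used.

```python
SHIFT = 0x02  # left-shift bit in the HID modifier byte

def us_layout():
    """Constructed subset of a US QWERTY host layout: (keycode, shifted) -> char."""
    keys = {}
    for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
        keys[(0x04 + i, 0)], keys[(0x04 + i, 1)] = ch, ch.upper()
    for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
        keys[(0x1E + i, 0)], keys[(0x1E + i, 1)] = lo, hi
    return keys

def fr_layout():
    """Constructed subset of a French AZERTY host layout."""
    keys = us_layout()
    for us, fr in (("a", "q"), ("q", "a"), ("w", "z"), ("z", "w")):
        code = 0x04 + ord(us) - ord("a")
        keys[(code, 0)], keys[(code, 1)] = fr, fr.upper()
    keys[(0x10, 0)], keys[(0x10, 1)] = ",", "?"   # key labelled M on US boards
    keys[(0x33, 0)], keys[(0x33, 1)] = "m", "M"   # key labelled ; on US boards
    for i, (lo, hi) in enumerate(zip("&é\"'(-è_çà", "1234567890")):
        keys[(0x1E + i, 0)], keys[(0x1E + i, 1)] = lo, hi
    return keys

def host_output(layout, keycode, modifier):
    """Character the host produces for one key press, or None if unmapped."""
    return layout.get((keycode, 1 if modifier & SHIFT else 0))

def build_lut(layout):
    """Try every keycode/modifier pair and record which character comes back."""
    lut = {}
    for keycode in range(0x04, 0x39):
        for modifier in (0, SHIFT):
            ch = host_output(layout, keycode, modifier)
            if ch is not None:
                lut.setdefault(ch, (modifier, keycode))
    return lut

def encode(text, lut):
    """Turn text into (modifier, keycode) pairs; refuse untypeable characters."""
    missing = sorted({c for c in text if c not in lut})
    if missing:
        raise ValueError(f"not typeable with this LUT: {missing}")
    return [lut[c] for c in text]

def typed(reports, layout):
    """String the host ends up with after receiving the key presses."""
    return "".join(host_output(layout, k, m) or "\ufffd" for m, k in reports)
```

With the French LUT the constructed password `Maz1` arrives intact on a French host; encoded with the US LUT it arrives as `?qw&`, which is why the device has to know the host locale before typing a credential.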
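Slide 35 notes that the update file has a fixed size to mitigate a CBC-MAC weakness. The following added example (not the Mooltipass bootloader code) shows why a verifier should reject any other length: with raw CBC-MAC, two authenticated messages can be joined into a longer one that still carries a valid tag. The block cipher is a stand-in Feistel construction because the Python standard library has no AES, and the key, bundle contents and `BUNDLE_SIZE` are constructed values.

```python
import hashlib
import hmac

BLOCK = 16        # cipher block size in bytes
BUNDLE_SIZE = 64  # constructed fixed bundle length (assumption, not the real size)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Stand-in 128-bit block cipher (4-round Feistel); the device uses AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_mac(key, message):
    """Raw CBC-MAC with a zero IV over a whole number of blocks."""
    if not message or len(message) % BLOCK:
        raise ValueError("message must be a non-empty multiple of the block size")
    state = bytes(BLOCK)
    for off in range(0, len(message), BLOCK):
        state = encrypt_block(key, xor(state, message[off:off + BLOCK]))
    return state

def verify_any_length(key, message, tag):
    return hmac.compare_digest(cbc_mac(key, message), tag)

def verify_fixed_size(key, bundle, tag):
    """Verifier that rejects anything that is not exactly BUNDLE_SIZE bytes."""
    return len(bundle) == BUNDLE_SIZE and verify_any_length(key, bundle, tag)

def splice(m1, t1, m2):
    """m1 || (first block of m2 XOR t1) || rest of m2 keeps m2's tag."""
    return m1 + xor(m2[:BLOCK], t1) + m2[BLOCK:]

def demo():
    key = b"constructed-demo-key"   # constructed sample key
    a = b"A" * BUNDLE_SIZE          # constructed signed bundle A
    b = b"B" * BUNDLE_SIZE          # constructed signed bundle B
    ta, tb = cbc_mac(key, a), cbc_mac(key, b)
    joined = splice(a, ta, b)       # 128 bytes, never signed as a whole
    return (verify_any_length(key, joined, tb),
            verify_fixed_size(key, joined, tb),
            verify_fixed_size(key, a, ta))
```

`demo()` returns `(True, False, True)`: the length-agnostic check accepts the joined message, while the fixed-size check rejects it and still accepts a genuine bundle.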
