Midbar (Teensy 4.1 Version)

Advancements in cryptanalysis and hacking techniques are continuing to reduce the cost of unauthorized access to your data, making it easier and more attractive for different sides to get it.

I won't delve into the motivation of each party and the goals they're trying to achieve by obtaining your data. Instead, I would like to focus on the solution to that problem.

In my opinion, the only way to keep your data private is to raise the cost of unauthorized access to it as high as possible. The best-case scenario is to raise the costs of unauthorized access to your data so high that it would significantly outweigh any potential reward for any party.

To raise the cost of unauthorized access to your data - I've developed Midbar (which later on "evolved" into a multi-user Cipherbox, and then it kinda turned back into Midbar because I realized that a "multi-user Midbar" is superfluous and not as stable as a single-user one).

Midbar (מדבר) is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," and "desert." I had two reasons for choosing the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe this project. At first, I wanted to call it a "Password Vault," but it's more than that. So, I decided to call it Midbar.

You can also read this tutorial on Medium and Hackster.

• Teensy 4.1 x1
• 2.4 Inch TFT LCD with ILI9341 x1
• USB Keyboard x1
• USB 2.0 Port (I took it from the panel expansion bracket) x1
• Micro SD Card x1
• EC11 Rotary Encoder x1
• 4.7k resistors x7
• 100nf capacitors x2
• Buttons x2

Recently, I got my hands on the Teensy 4.1 Development Board. And after playing with it for a couple of days, I became amazed by the board's capabilities. I've discovered that Teensy 4.1 handles a USB keyboard quite well, even if a keyboard is connected via a USB hub. In addition to that, it's compatible with lots of handy libraries and boasts a powerful 600 Mhz CPU. So, as you might've already guessed, the decision to make a Teensy 4.1 version of Midbar came to me naturally. To make it a reality, I took the source code of the Midbar V5.0 and modified it to work with the USB keyboard.

Without a doubt, this is the most powerful version of Midbar so far.

The "3DES + AES + Blowfish + Serpent" encryption algorithm in cipher block chaining mode first appeared in the Midbar V2.5. And since then has been utilized by the Midbar (Raspberry Pi Pico Version), Midbar V3.0, Midbar V4.0, KhadashPay V2.0, Midbar (Raspberry Pi Pico Version) V2.0, KhadashPay V2.0 (Raspberry Pi Pico Version), Midbar V5.0, Midbar (STM32F401CCU6 Version), KhadashPay V3.0 (STM32F401CCU6 Version), KhadashPay V3.0, Midbar (STM32F401CCU6 + Arduino Uno Version), KhadashPay V3.5, and Black Swan V2.0.

Although the "3DES + AES + Blowfish + Serpent" encryption algorithm ain't exactly what I would call "a cryptographically weak encryption algorithm," operating it in a weird derivation of the ECB mode, the way it was done by the Midbar V2.0 wasn't the best idea that I had. Even though that wouldn't've allowed the attacker to produce the legitimate ciphertext by swapping the blocks within the ciphertext, an attacker could still make a legitimate ciphertext by replacing the nth block of the ciphertext N1 with the nth block of the ciphertext N2. To fix that vulnerability (instead of just notifying the user that the decrypted ciphertext might've been forged), I made the "3DES + AES + Blowfish + Serpent" encryption algorithm work in CBC mode. So, if an attacker replaces a block of ciphertext, they spoil not just that block but also the subsequent one.

I'll be honest with you, the bit-flipping attack "kinda works," but I doubt that it would ever go unnoticed because of the "HMAC-SHA256"-based integrity verification feature

And let's not forget that this encryption algorithm performs the operation called superencryption.

As defined by NIST, superencryption is an encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

Such organization of the encryption algorithms makes a combined encryption algorithm that is at least as strong as the strongest one in the cascade, has a longer key, might be more resistant to some attacks, and might produce a ciphertext with higher entropy. Anyway. It won't hurt to have an additional layer of security (or several of them).

The Midbar (Teensy 4.1 Version) is the tenth version of Midbar that verifies the integrity of the whole record. So, the legitimate ciphertexts moved between the cells aren't much of a threat to it.

The "HMAC-SHA256"-based integrity verification feature functions in the following way:

When you add a record to Midbar, it consolidates all the data you have entered into one string, computes a tag for that string, and then saves the newly computed tag in the encrypted form.

When Midbar decrypts your data, it also decrypts the previously saved tag and computes a new one for the decrypted data. It then compares both tags. If they don't match - Midbar notifies you that the integrity verification failed.

You need to install the Arduino IDE and Teensyduino to flash Teensy 4.1.

For more information on that, please refer to: https://www.pjrc.com/teensy/td_download.html

You can download the firmware for Midbar from one of these sources.

SourceForge: https://sourceforge.net/projects/midbar/

OSDN: https://osdn.net/projects/midbar/

GitHub: https://github.com/Northstrix/Midbar

If you just need the firmware for the device alongside the RNG, then I would advise you to download a 0.2 MB archive either from SourceForge or OSDN.

But if you need the firmware for all versions of Midbar alongside the extra code, photos, and diagrams, in that case, I would advise you to download the 181 MB archive from GitHub.

Adafruit_ILI9341: https://github.com/adafruit/Adafruit_ILI9341

Adafruit-GFX-Library: https://github.com/adafruit/Adafruit-GFX-Library

Adafruit_BusIO: https://github.com/adafruit/Adafruit_BusIO

EncButton: https://github.com/GyverLibs/EncButton

The process of unpacking libraries is typical. You can unpack the content of the archive into the folder: ...\Arduino\libraries. Or open the Arduino IDE, click to the Sketch -> Include Library -> Add .ZIP Library... and select every archive with libraries.

Other required libraries are already present in one way or another.

To make the unauthorized deciphering of your data computationally infeasible - It is crucial to generate your own keys and never reuse them

It's entirely up to you how to generate the keys. I can only offer you an option to do so.

I've modified one of my previous projects to work as a random number generator, the generated output seems "random enough" for me, but I haven't run any tests. So, I can't guarantee that it's random.

Use it at your own risk!

To generate the keys - launch gen.exe from the "Teensy 4.1 Version\V1.0\Untested RNG" folder and click the "Generate keys for Midbar" button. The background turns from dark gray to light gray when you press that button.

Open the "Firmware.ino" file from the "Teensy 4.1 Version\V1.0\Firmware" folder, and then replace my keys with those you've generated.

You can also change the number of available slots for your data by modifying the value in the "#define MAX_NUM_OF_RECS 999" line.

Upload the firmware from the "Teensy 4.1 Version\V1.0\Firmware" folder into the Teensy 4.1.

Assemble the circuit and insert a Micro SD card formatted to the FAT32 filesystem into the Teensy's built-in SD card slot. When it comes to the "BL" pin of the ILI9341 display, different versions of the display have different requirements on what to do with it. Some versions specify that it must be connected to the +3.3V, some require it to be grounded, and others allow you to leave it unconnected.

According to the PJRC official website, the digital pins of Teensy 4.1 are not 5V tolerant. Because of that, I would strongly advise you to double-check that you haven't accidentally connected anything to the "5V" pin.

As for the possible component replacements:

• You can replace 4.7k resistors with 2.2k - 10k resistors;
• And you can replace the capacitors with 22nf - 100nf capacitors.

After powering the Midbar up, you should see the word "מדבר" alongside the "Midbar Teensy 4.1" and "Press Any Key" inscriptions.

The Midbar (Teensy 4.1 Version) has only one lock screen, just like the Midbar (STM32F401CCU6 + Arduino Uno Version).

Press any key on the USB keyboard or any button connected to Teensy to get to the next tab.

*Credit for the photo of Pittsburgh:

Photo by Tyler Rutherford on Unsplash

To use the Midbar, you first need to set the master password.

You can only enter the master password using the encoder and USB keyboard.

And remember that you can't change your master password without performing the factory reset first!

Midbar won't be able to decrypt your data without your master password because the keys for the encryption algorithms are partially derived from it. Perhaps, it won't even unlock without the correct master password.

When you're done entering your master password, either quad-click the encoder button or press the "Enter" on the USB keyboard.

After you've unlocked the vault and got to the main menu:

• Either turn the rotary encoder to the right or press the "↓" (DOWNWARDS ARROW) key on the USB keyboard to go down the menu.
• Either turn the rotary encoder to the left or press the "↑" (UPWARDS ARROW) key on the USB keyboard to go up the menu.
• Press either the "A" button or the "Enter" key on the USB keyboard to open the selected menu.
• While in the submenu, press either the "B" button or the "Esc" key on the USB keyboard to return to the main menu.

While entering a text in a tab:

• Either quad-click the encoder button four or press "Enter" on the USB keyboard to continue;
• Either quintuple-click the encoder button (click it five times in quick succession) or press the "Esc" button on the USB keyboard to cancel the current operation.

*If the hex value decreases when you rotate the encoder to the right, I would advise you to swap the wires connected to the "37" and "38" pins.

The Midbar (Teensy 4.1 Version) utilizes the 3DES + AES + Blowfish + Serpent encryption algorithm in CBC mode with an integrity verification feature alongside the Micro SD card to keep your data safe and organized.

To add a login from the encoder and USB keyboard:

1. Select the "Logins" line in the main menu;
2. Press either the "A" button or the "Enter" key on the USB keyboard;
3. Select the "Add" line;
4. Press either the "A" button or the "Enter" key on the USB keyboard;
5. Choose the slot you want to put the login to either by rotating the encoder or by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the USB keyboard;
6. Press either the "A" button or the "Enter" key on the USB keyboard;
7. Select the "Encoder + Keyboard" line;
8. Press either the "A" button or the "Enter" key on the USB keyboard;
9. Enter the title;
10. Either quad-click the encoder button or press "Enter" on the USB keyboard;
11. Enter the username;
12. Either quad-click the encoder button or press "Enter" on the USB keyboard;
13. Enter the password;
14. Either quad-click the encoder button or press "Enter" on the USB keyboard;
15. Enter the website;
16. Either quad-click the encoder button or press "Enter" on the USB keyboard.

Based on the tests I've conducted, the Teensy 4.1 is capable of encrypting and decrypting a string of 10 000 characters using the 3DES + AES + Blowfish + Serpent encryption algorithm in CBC mode. Technically, you can put 10 000 characters into a field of a record.

*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

To view a login:

1. Select the "Logins" line in the main menu;
2. Press either the "A" button or the "Enter" key on the USB keyboard;
3. Select the "View" line;
4. Press either the "A" button or the "Enter" key on the USB keyboard;
5. Choose the slot you want to view login from either by rotating the encoder or by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the USB keyboard;
6. Press either the "A" button or the "Enter" key on the USB keyboard;
7. Press either the "↑" (Upwards Arrow) key on the USB keyboard or the encoder button to print the record to the serial terminal.

*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

To edit a login:

1. Select the "Logins" line in the main menu;
2. Press either the "A" button or the "Enter" key on the USB keyboard;
3. Select the "Edit" line;
4. Press either the "A" button or the "Enter" key on the USB keyboard;
5. Select the login you would like to edit either by rotating the encoder or by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the USB keyboard;
6. Press either the "A" button or the "Enter" key on the USB keyboard;
7. Select the input source;
8. Press either the "A" button or the "Enter" key on the USB keyboard;
9. Depending on the chosen input source, either enter the new password you'd like to set on the encoder and USB keyboard or paste it to the Serial Terminal;
10. Depending on the chosen input source, either quad-click the encoder button (or press "Enter") or press the "Send" button in the Serial Terminal.

*All credentials demonstrated here are entirely fictitious. Any similarity to actual credentials is purely coincidental.

To delete a login:

1. Select the "Logins" line;
2. Press either the "A" button or the "Enter" key on the USB keyboard;
3. Select the "Delete" line;
4. Press either the "A" button or the "Enter" key on the USB keyboard;
5. Select the login you would like to delete either by rotating the encoder or by pressing the "←" (Leftwards Arrow) and "→" (Rightwards Arrow) keys on the USB keyboard;
6. Press either the "A" button or the "Enter" key on the USB keyboard.

The process of working with records of other types is very similar to the process of working with logins.

The Midbar (Teensy 4.1 Version) utilizes seven encryption algorithms. You can use any of them to encrypt your data.

To encrypt string:

1. Open the Serial Terminal (because the ciphertext is printed to it);
2. Select the "Encryption Algorithms" line in the main menu;
3. Press either the "A" button or the "Enter" key on the USB keyboard;
4. Select the line with the name of the encryption algorithm you would like to use;
5. Press either the "A" button or the "Enter" key on the USB keyboard;
6. Select the "Encrypt String" line;
7. Choose the input source;
8. Press either the "A" button or the "Enter" key on the USB keyboard;
9. Depending on the chosen input source, either enter the text you'd like to encrypt on the encoder and USB keyboard or paste it to the Serial Terminal;
10. Depending on the chosen input source, either quad-click the encoder button (or press "Enter") or press the "Send" button in the Serial Terminal.

Plaintext:

Just in case you've forgotten why I called this project Midbar - Midbar is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," and "desert." I had two reasons for choosing the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe this project. At first, I wanted to call it a "Password Vault," but it's more than that. So, I decided to call it Midbar.

Ciphertext:

04cd5135786a2fcdb7eb70d4abe58cdb20226c5baafc18c4cd0e857ec2d5d43f3b8129f6e9654a5c8b61bcc45c0aa4164fa724469db2ff7c4d0fb68fa24f1f1b61d5a37e0d6370884764f927e3664ac3f641366d3930f7119bc22ed91b43ddd83ef8aa16a9df1515a82a6906f2717b772de1a1740290451f44fed99ba9a76e7f1fbd182f7b758723b2977f4cc728d362bb2aa03d420eaea3a3c3c8f9e79f64921a774584d2218cda135cc44f0f330faa9f1c6720f2a8c9e0bbc0a9c96d189a488a258956aedc351935ad462d3f5627d3b7d8156f9aaf979c9b1210301da6cee00d126764538c9ee1ee687fcc181a56e78c239b9ba472c119e42648f3ec21bc7c78dee5286e3008aab59d145c92625bfdff593e97b10b654acadee0a8263f8bb38d7cbc6eaa2068ee53435d9fcacdf22f60ab4e82262dd806aede6a4672d393ef30e9e37ae4449c0061481fd1e6802e85dfeac6c566d469a0e707872b44f6c5edd5d50d228fca6e6523377c74cb6609df65870684e244d0bb2f59e188869e816adec1ba7d7bd1f51b29bf947480a8694f43fa95d43edcf74dca42531ffcdd0a8642fafa574e736c14d6f83a4fc507a0c46a6df94bc69b08716590003d1d87f75a551608b472f320b8176fcd7828437fd1694c14f55077dea8e47e6882333766144843cdd7da72a56ec24d23b10254c0cd220588b456bf75adc4febfda856d77e1211471f5130ca634418deab12e15fcfd4bf24783500d7d3390c1d7a242bd4399c01bc41db841c06ac51b9c29c7b5c453155bd98e8a87ce566720d77e949ab6b40f03b5008a9cf14641573823845524a3252256018bc2967d211afe76e752321bc3273def4258552e5f4c9ca21ee72e4c31047a31b8e5caf1f9d86b739623aa641a17b4dd423099fd7166260081acb0961b15a3f62021ae184c49accbe21a74d4a3b1e7f7b35cd51ea2ffcb2d9a5fde67e2e8e758aab9b4f2f6b16e8c27fc21b7fa76d78a5b2fa06ec2550ef7dbeefc5febc77f1c6e77d53e520283700da4600cb2447da01d276d3c585b9d75eceebbfb3adca751885ef829106649077131b09c9ce40bfa41f5f2d209f7971ed7690a726258539d659d74e01594ad2557dbb6b7ba82fe54bc3cc10b3ca2bb81a4cd761c9a3d3c7ca7719c20b01c1d67e24f1e1552f2d188360bd62869cdacc995f14305ce6bf23f447c623f8cc9ddeca5414fceef3832693fee243460e3d8f2314a86f50502b21e44d5c745961668eb63a9731c5dedbcb701765e886fc4ca3c98e87ec41c79094510d63f5e6150e192d0b56b0b1a77d47ce7836abd0da59e9199ee615cf5eaa6908a263a3b712660be021fc2d0adda879fbdb6de6162090cbadbe339d50c7709ecab9e5d6092172aaa12a66d1c1869f9154771d7f32d2778ca80a34fe1182ca3aeb0869d1678a26a9f2f024732592ae4bbc2a5f89bd31d0fd9a9984d894241170298ae4aeefa59416e623d722c7ed68074fa29da50b52c2812a5d5c573512e9a32e072c6cce17383c2f597d2d94ca9264f74b5a2c474c15af45fff6bdbc9660f3946118ac5bc3fb257230adf7ec051917d4cdf71e95b7d52da90797061146a7c68637fa54016976b8c2cdd14236b09402824a4a7c597fd019b5867be7e

To decrypt string:

1. Open the Serial Terminal (because you'll need to paste the ciphertext to it);
2. Select the "Encryption Algorithms" line in the main menu;
3. Press either the "A" button or the "Enter" key on the USB keyboard;
4. Select the line with the name of the encryption algorithm you've used to encrypt the text;
5. Press either the "A" button or the "Enter" key on the USB keyboard;
6. Select the "Decrypt String" line;
7. Choose where to display the decrypted string;
8. Press either the "A" button or the "Enter" key on the USB keyboard;
9. Paste the ciphertext to the Serial Terminal;
10. Press the "Send" button in the Serial Terminal.

Ciphertext:

04cd5135786a2fcdb7eb70d4abe58cdb20226c5baafc18c4cd0e857ec2d5d43f3b8129f6e9654a5c8b61bcc45c0aa4164fa724469db2ff7c4d0fb68fa24f1f1b61d5a37e0d6370884764f927e3664ac3f641366d3930f7119bc22ed91b43ddd83ef8aa16a9df1515a82a6906f2717b772de1a1740290451f44fed99ba9a76e7f1fbd182f7b758723b2977f4cc728d362bb2aa03d420eaea3a3c3c8f9e79f64921a774584d2218cda135cc44f0f330faa9f1c6720f2a8c9e0bbc0a9c96d189a488a258956aedc351935ad462d3f5627d3b7d8156f9aaf979c9b1210301da6cee00d126764538c9ee1ee687fcc181a56e78c239b9ba472c119e42648f3ec21bc7c78dee5286e3008aab59d145c92625bfdff593e97b10b654acadee0a8263f8bb38d7cbc6eaa2068ee53435d9fcacdf22f60ab4e82262dd806aede6a4672d393ef30e9e37ae4449c0061481fd1e6802e85dfeac6c566d469a0e707872b44f6c5edd5d50d228fca6e6523377c74cb6609df65870684e244d0bb2f59e188869e816adec1ba7d7bd1f51b29bf947480a8694f43fa95d43edcf74dca42531ffcdd0a8642fafa574e736c14d6f83a4fc507a0c46a6df94bc69b08716590003d1d87f75a551608b472f320b8176fcd7828437fd1694c14f55077dea8e47e6882333766144843cdd7da72a56ec24d23b10254c0cd220588b456bf75adc4febfda856d77e1211471f5130ca634418deab12e15fcfd4bf24783500d7d3390c1d7a242bd4399c01bc41db841c06ac51b9c29c7b5c453155bd98e8a87ce566720d77e949ab6b40f03b5008a9cf14641573823845524a3252256018bc2967d211afe76e752321bc3273def4258552e5f4c9ca21ee72e4c31047a31b8e5caf1f9d86b739623aa641a17b4dd423099fd7166260081acb0961b15a3f62021ae184c49accbe21a74d4a3b1e7f7b35cd51ea2ffcb2d9a5fde67e2e8e758aab9b4f2f6b16e8c27fc21b7fa76d78a5b2fa06ec2550ef7dbeefc5febc77f1c6e77d53e520283700da4600cb2447da01d276d3c585b9d75eceebbfb3adca751885ef829106649077131b09c9ce40bfa41f5f2d209f7971ed7690a726258539d659d74e01594ad2557dbb6b7ba82fe54bc3cc10b3ca2bb81a4cd761c9a3d3c7ca7719c20b01c1d67e24f1e1552f2d188360bd62869cdacc995f14305ce6bf23f447c623f8cc9ddeca5414fceef3832693fee243460e3d8f2314a86f50502b21e44d5c745961668eb63a9731c5dedbcb701765e886fc4ca3c98e87ec41c79094510d63f5e6150e192d0b56b0b1a77d47ce7836abd0da59e9199ee615cf5eaa6908a263a3b712660be021fc2d0adda879fbdb6de6162090cbadbe339d50c7709ecab9e5d6092172aaa12a66d1c1869f9154771d7f32d2778ca80a34fe1182ca3aeb0869d1678a26a9f2f024732592ae4bbc2a5f89bd31d0fd9a9984d894241170298ae4aeefa59416e623d722c7ed68074fa29da50b52c2812a5d5c573512e9a32e072c6cce17383c2f597d2d94ca9264f74b5a2c474c15af45fff6bdbc9660f3946118ac5bc3fb257230adf7ec051917d4cdf71e95b7d52da90797061146a7c68637fa54016976b8c2cdd14236b09402824a4a7c597fd019b5867be7e

Plaintext:

Just in case you've forgotten why I called this project Midbar - Midbar is a Hebrew word that means "pasture," "uninhabited land," "wilderness," "large tracts of wilderness (around cities)," and "desert." I had two reasons for choosing the word Midbar as the name of this project. First - while working on my previous projects, I noticed that the so-called "device that keeps your personal data secure in an encrypted form" market is pretty much a "desert around the oasis of the password manager market." Second - I couldn't find a better word to describe this project. At first, I wanted to call it a "Password Vault," but it's more than that. So, I decided to call it Midbar.

The Midbar utilizes two hash functions: SHA-256 and SHA-512.

If you're not familiar with the hash functions, let me give you a simple explanation of what the hash function is.

A hash function is a mathematical function that takes some data as an input and produces a fixed-size, unique output value, known as a hash. The hash function always produces the same output given the same input.

To hash a string:

1. Select the "Hash Functions" line in the main menu;
2. Press either the "A" button or the "Enter" key on the USB keyboard;
3. Select the "SHA-256" or "SHA-512" line depending on the hash function you'd like to use;
4. Press either the "A" button or the "Enter" key on the USB keyboard;
5. Enter the string you'd like to hash;
6. Either quad-click the encoder button or press "Enter" on the USB keyboard.

Input data:

Midbar Teensy 4.1 Version

Hash:

a1a6b50189479bede22fe67633d88ee1a6cb2d206995990ab13e97ceeb5c5bdad8db3f3a97cdf321ea9648f9a6f5510c01c7ebfb8eb1cef8d44ae30ec4993c67

The Midbar (Teensy 4.1 Version) is the first version of Midbar that allows you to interact with it using a USB keyboard. Besides that, it enables you to easily back your data up since it's all stored on the Micro SD card. And judging by the CPU clock speed and the CoreMark benchmark performance, this is the most powerful version of Midbar (so far). More than that, the Midbar (Teensy 4.1 Version) can easily encrypt and decrypt a string of 10 000 characters without any problems whatsoever.

And although I wouldn't call the Midbar (Teensy 4.1 Version) perfect in any possible way, I would still claim that as flawed as it may be, it is, in my opinion, a kind of cryptographic fortress that can significantly increase the cost of unauthorized access to your data.

It's also worth mentioning that Midbar's source code is distributed under the MIT license. That grants you the freedom to customize and modify Midbar according to your preferences. So if you want to make your own version of Midbar or use it as a base for your own project, don't wait for anyone else to do it for you. Take the initiative into your own hands and do it.

If you found this tutorial to be useful, please consider sharing it.

Thank you for reading this tutorial.