project idea: portable password safe

Werner Almesberger werner at almesberger.net
Mon Sep 9 02:11:11 EDT 2013


Paul Boddie wrote:
> https://www.bankid.no/Dette-er-BankID/BankID-in-English/This-is-how-BankID-
> works/

Hmm, seems a little odd to have the keys both at the bank and in your
device. But well, it's a possibility. If they leak somehow, this
should be fun to figure out where that happened :)

> http://ob-security.info/?p=631

Nice and simple ! There are interesting thoughts on more
advanced challenge-response modes. He (?) also mentions that
his device will see if other keyboards are changing *-lock
modifiers. Yet another interesting HID feature I didn't know
yet :-)

It's interesting to see the first comment suggest use of a
rotary encoder. After reading the article and even before
noticing the comment, I did in fact go to my box of buttons
and started to dig for these critters that I had bought a
while ago:

http://www.digikey.com/product-detail/en/EVQ-WKA001/P13381SCT-ND/822317

A design with the wheel below the PCB, a 7-segment LED and
the rest of the electronics on top should allow shrinking
the PCB from what looks like about 2 x 7 cm to little over
2 x 2 cm.

A bit more elegant and with half the force, but larger, there
would also be:

http://www.digikey.com/product-detail/en/TSWA3NCB11LFS/CKN10342-ND/2627681

> https://www.thinkgeek.com/edm/20060222.shtml

A bit more polished. I wonder at how much such a critter retails:

Let's see how they compare to what I have in mind:

Pass-Pal:
+ simplicity
+ adds interesting challenge-response modes
- can't be used without USB, e.g., you need "a PC" either as the
  endpoint of the authentication dialog, or - in the case of a
  traditional password - at least to visualize the password.
- needs easy access to PC's USB port
- needs a trusted PC for setup

Mandylion:
+ compact
- limited to traditional passwords (no challenge-response)
- no selection input from application
- user sees passwords
- password entry may be clumsy with just five buttons

The Pass-Pal got me thinking, though. If we accept the concept of
a trusted PC for setup, things get a LOT simpler. Almost
watch-level simple ;-)

Thanks,
- Werner



More information about the discussion mailing list


interactive