Anelok: OTF proposal

Werner Almesberger werner at almesberger.net
Tue Sep 1 21:53:19 UTC 2015


Paul Boddie wrote:
> [...] the Open Technology Fund [2].
[...]
> [2] https://www.opentechfund.org/

This looks interesting indeed. During the last days, Dave and I
have prepared a proposal and I've submitted it just now.

I hope the submission went through - the deadline said tonight
just before midnight, but the status changed to "Closed" before
that. The system accepted the submission anyway, so there's
hope that I made it in time.

Below is the submitted material.

Thanks a lot !

- Werner

---------------------------------- Cut here -----------------------------------

Project name: Anelok
Duration: 7 months
Contact name: Werner Almesberger
Contact email: werner at almesberger.net [1]

Descriptors:
    Status: It Exists! (Alpha/Beta)
    Focus: Awareness of privacy and security threats, Security from danger or
threat online
    Objective(s): Technology development, Deploying technology, Software or
hardware development, Training
    Beneficiaries: General public
    Addressed problems: Other
    Technology attributes: Browser plugin, Cryptography, Sensitive data,
Wireless Communication, Hardware/Embedded device(s)
    Region: Global

Project description:
Passwords are a daily necessity in modern life. We use them to protect our
own secrets and these of those who confide in us. We use them to ensure no
unwanted actions are performed on our behalf, and that the powers entrusted
to us are not abused.

Passwords are so successful and essential as a concept that we meet them
everywhere and are constantly required to generate and remember new ones as
we go through our digital lives.

This ultimately causes users to experience frustration (cheerfully called
“password fatigue”, “password chaos”, etc.) and to adopt unsafe
practices when choosing and handling passwords potentially resulting in risks
to their privacy and freedoms.

The Anelok project aims to build a small device, the size of a cigarette
lighter, that acts as a portable password safe. Anelok stores accounts and
passwords, and protects this information from unauthorized access.

Anelok is designed to work in many different scenarios, ranging from
displaying account information with the user entering it manually (this does
not only work with the logins usually required on a PC or smartphone, but
also with ATMs, door locks, etc.), to automatic account selection and
communication over an encrypted channel.

Anelok displays information on its display, it can act as USB device when
connected to a PC, and it has a radio (BTLE) interface to communicate with
smartphones. Encrypted account information is stored on a removable memory
card, and corresponding secret keys are secured inside the microcontroller -
never leaving the Anelok device.

Anelok’s encrypted password database can be backed-up and additional
devices, Anelok or other, can be granted access to the database. This way,
the loss of an Anelok device doesn’t imply (catastrophic) loss of the
passwords stored on it.

We also envision the addition of authentication schemes that complement or go
beyond passwords, such as 2nd-factor key generation or
challenge-response protocols.

The project follows an “open everything” approach, with source code,
hardware design, artwork, development process, and the tools we use being
openly available.

This ensures that every part of the project and every step of its evolution
can be reviewed, it offers a low barrier of entry for
developers who wish to contribute improvements, and it ensures that nobody,
not even its creators, can force the project in a direction the community
strongly disagrees with.

We also encourage use of Anelok as a platform for enhancements or product
variants, to better meet the needs and preferences of specific groups
of users.

Anelok is intended for the general public, but we also recognize that proper
security is not achieved with technology alone. We
therefore expect to maintain close contact with the Anelok user community,
and to produce educational material providing guidance on and motivation for
proper operational security when using Anelok.

Project how:
The project has already produced a number of prototypes and verified several
of the key components. This has been largely a one man effort so far.

The next steps will be a final major design revision and the production of a
number of developer kits. With the latter, we expect to be able to attract
wider interest and evolve the current group of excited spectators into a
community of developers and knowledgeable supporters.

This will be followed by a phase with a stronger focus on software
development, with the goal of implementing sufficient functionality that the
product will be useful for end users. We also expect some remaining hardware
issues to surface in this phase, especially where outside-the-lab usability
is concerned.

Finally, the design will be readied for manufacturing, and we then anticipate
an initial production run from a crowdfunding campaign. That campaign will
have two main deliverables: somewhat rough devices for early adopters who
will also act as beta testers, and finally “polished” devices for the
general public.

The funds we apply for are required to complete our R&D, and progress the
project as far as that crowdfunding. Our “open everything” approach
positions us well to benefit from community involvement, and we intend to
capitalize on this. Certain core activities are unlikely to be met purely by
community contributions, and we expect that we will need to cover these with
remunerated roles - enabling them to commit the effort required for delivery
of the project.

Project who:
Anelok will benefit end users of all kinds by allowing them to better manage
their passwords, and achieve effective protection of their digital lives. We
aim to supplement Anelok with educational material to assist them in
effectively incorporating this tool in their daily practices such that their
security needs are indeed met.

Project why:
Passwords and related authentication methods are a key element in
establishing privacy and security in the digital world. Privacy and security
in turn enable us to function meaningfully as individuals in modern society.

Technology is getting more pervasive all the time but password management has
not kept up with user needs and things are likely to get worse.

The project aims to help users to find a pragmatic solution for their present
password management needs, and its open nature ensures that this solution can
also adapt to future challenges.

Availability of a trustworthy password safe touches on most of the high-level
problems listed below in the questionnaire (and several others), although in
many cases its benefit is indirect - by assisting users in proper password
security, we support their
effective use of other security and privacy tools. Many of those tools are
only as strong as the (often weak) passwords users choose.

Other information:
This project is the brainchild of Werner Almesberger, who has been
responsible for driving progress to date. Werner is being joined by Dave Ball
in setting up a UK Ltd to support Anelok’s development and fostering a
global community. Werner and Dave have long been members of the Qi-Hardware
hackers community and have collectively previously worked on open-hardware
projects such as the Openmoko phone, it’s successors, Ben NanoNote and the
Ben-WPAN fully-open wireless network devices.

Further details, including links to technical information can be found at the
project’s main Web site at https://www.anelok.com/



More information about the discussion mailing list


interactive