I've been thinking for a long time about making a portable password safe device. I originally thought of using the Ben for such a purpose, but it has some properties that would be undesirable for such a role.
I wonder if there may be interest in building a small computer designed specifically for such a purpose. Besides such a project being highly Zeitgeist-compatible, I think we now also have accumulated enough skills and know-how to actually be able to make it happen. The overall concept would be a small device, maybe the size of a dumbphone, that stores account information (service name, user name, password, etc.) encrypted with (a) master password(s). To use a password, one would unlock the account record by entering the master password and could then choose between displaying the password or sending it to a PC (or equivalent). The device would have a small display, a (tiny) keyboard, USB host and USB device, and RF (802.15.4, to keep things simple and cheap). USB device would be used for a HID device to "type" things to a PC. The source of such keystrokes would be a) an account record, b) the device's keyboard, c) a keyboard connected via USB host. Instead of a USB device, the password safe could also use RF to send the (encrypted and traffic-shaped) keystrokes. USB host would in this case also be used to "pair" (set up a shared secret) RF dongles with the password safe. The password safe could be stored on a removable memory card, making the device basically dataless. Power would come from a standard battery, e.g., CR2032 or AAA. If operating as USB host with an external keyboard, one would have to supply power via the USB device port. That way, one could leave an RF dongle in PCs one uses frequently, without having to mess with cables. The USB host connector could be used as part of a "bay" to carry an RF dongle with the password safe. Compared to PC-based password safes, this one would have the following advantages: - no need to replicate the content of the password safe across the systems one is using (some of which may not even be Internet-connected), - master password(s) never reach the PC and are therefore immune to key logging, - password safe content (memory card) is easily hidden and can be quickly destroyed, - could be the basis for more sophisticated authentication schemes, e.g., an end-to-end challenge-response system that can be used also if intermediate systems are compromised. The main advantages over smartphone-based safes would be better hardware integration and a simpler and more transparent system. Disadvantages: - one more item to carry around, - one more item to get lost/stolen, - requires the PC to have a USB host interface, - lacks integration with Web browser (i.e., browser selects which account record to use based on URL visited). That system probably wouldn't run Linux or be able to. MCUs that may be suitable would be STM32F205 (Cortex M3, dual USB FS OTG), or a pair of MKL24Z64VFM4 (Freescale Kinetis KL2 series, Cortex M0, single USB FS OTG). Does that sound useful ? - Werner _______________________________________________ Qi Hardware Discussion List Mail to list (members only): [email protected] Subscribe or Unsubscribe: http://lists.en.qi-hardware.com/mailman/listinfo/discussion
