As probably many of you, I have lots and lots of accounts for different services, shops, forums and so on. In the old times (tm) I used the classical "one password fits all" approach and then got screwed. My account details got stolen from a website, which forced me to change all other accounts as well. Nowadays I use a password manager - namely KeePass - and that works well. I can synchronize the encrypted database with DropBox and therefore access my passwords on any device I own. One problem remains: if my PC or phone gets infected with a virus, it could read out all my passwords and abuse them. So the password manager is a single point of failure, and I would like to avoid that.
Enter the USB Password Manager. Imagine a device, that securely stores all your login credentials and connects to your PC via USB. It appears as a USB keyboard, so you just have to select the right username/password combination on the device and it enters them directly to the website or program. I have been thinking about this idea for quite some time and plan on building a prototype in spring of 2013. However I'm not very proficient in writing firmware yet, so I was hoping to find some support here. If you have any suggestions or corrections for the hardware, please tell me.
The hardware will consist of the following:
- an ATmega32U4,
- a small OLED,
- a joystick,
- a SPI connected flash chip
- and a hardware random number generator.
Now for the interesting part: the random number generator (RNG). I want to be able to generate unique passwords for every website on the device. That way the password can't be manipulated by any PC side software. Using a pseudo-random number generator would be possible, but the good quality ones are computationally expensive and still need some entropy to work well. So I thought, why not use a hardware RNG to start with. The circuit I plan on using consists of two NPN transistors and some logic. You can find the circuit here http://http://web.jfet.org/hw-rng.html. The circuit is proven, but it needs a voltage in excess of 12V to work. I tried to generate this voltage with a Dickson Charge Pump (http://http://en.wikipedia.org/wiki/Voltage_multiplier#Dickson_charge_pump), but failed miserably - the charge pump was not able to deliver the necessary 520uA of current. So instead I will use a boost-converter. To reduce the BOM cost, the control circuit will be implemented in the microcontroller - and as I don't need any serious current I can use really small inductors and caps.
I plan on documenting the development process here in the forum. The level of detail will vary with how much spare time I will be able to invest in this project over the next few months.
Well, that's it so far. Now I'm eager to hear what you think about this project.