TwoKey — Password Manager� with a Physical Access Token

Under supervision of: Dr. Karim Emara � TA. Abdulrahman Ali�

Team Members:

• Ahmed Yasser Abdullah
• Danya Rizk Hamouda
• Omar Hesham Fathy
• Nouran Khaled Ibrahim
• Ahmed Wael Elmayyah

Table of Content

• Introduction & Problem Definition
• Existing Solutions
• TwoKey’s Objective
• System Architecture
• Demo
• System Design and Implementation
• System Analysis
• Tools Used
• Conclusion and Future Work

Introduction & Problem Definition

The Problems: Passwords

01

​

03

Image credit: tekmanagement.com, hackingarticles.in

How many unique passwords do you have?

How many of you got this email before?

Existing Solutions

Existing Solutions: Password Managers

Old, local solutions

​

Newer, cloud-based solutions

​

KeePass

KeePassX

KeePassXC

GNOME-Keyring

Existing Solutions: 2FA - The Factors of Authentication

Something you are

Something you have

Something you know

*There are also 2 � other factors: �- Somewhere you are �- Something you do

Existing Solutions: 2FA

Image credit: zukotech.com

The Problems of Existing Solutions

Research credit: https://www.ise.io/casestudies/password-manager-hacking/

​

TwoKey’s Objective

Project Objective: Secure Programming

• TwoKey sanitises and scrubs memory.
• No artifacts(allocations) are left behind in memory.
• TwoKey is secure from programming attacks (buffer overflows, ROP, etc..)

Project Objective: Secure Communication

• Only encrypted data is transmitted between the modules.
• No decryption keys are transmitted between the modules of the project.

Project Objective: Strong Passwords

• Users are able to generate random strong passwords.
• TwoKey warns the user if a weak password is being saved.
• Users can add, edit, and remove passwords from the server.

Project Objective: Protection from 2FA/SMS Attacks

• Using a unique(per user) physical USB hardware token as the 2FA.
• This verifies that the owner of the account is the one logging in.

Project Objective: Trust

• All of TwoKey’s code is licensed under GPLv3, and available as free, open source software at github.com/satharus/TwoKey.

Image credit: publicdomainvectors.org

Target Consumer

Convenience

Security

Introducing: TwoKey

A minimal, cloud-based, secure password manager with a physical hardware-based 2FA.

​

​

​

​

System Architecture

TwoKey: System Architecture

• The desktop app acts as the middle-man between token, the server, and the extension.

​

​

Modules from Security Standpoint

Demo

TwoKey: Demo - Registration

System Design and Implementation

Modules of TwoKey

• Desktop App
• Hardware Token
• Browser Extension/Plugin
• Server Backend and Deployment

Modules: Desktop App

TwoKey: Desktop App - UI/UX

• Using the Qt Application Framework, the UI was designed

TwoKey: Desktop App - UI/UX

• Dynamic scalable UI
• Tray icon for a more intuitive and convenient UX
• Consistent on all platforms

TwoKey: Desktop App - Password Generation

• Password strength is assessed based on four factors:
• At least 11 characters long.
• A mix of lowercase [a-z] and uppercase [A-Z] characters
• At least one special character: !@#$%^&*
• At least one numeric character [0-9]

TwoKey: Desktop App - Data Encryption

• Decrypts the received credentials in memory, and cleans them after finishing what is required (ex: login).
• Derives the encryption key from the entered master password.

Key Derivation Function�PBKDF2HMAC

Master Password

Salt�(added bytes)

Number of Iterations�(10,000)

New Derived Key

TwoKey: Desktop App - Secure Programming

TwoKey: Desktop App - Hardware Communication

• Auto detecting if the token was plugged in or out.
• Sending a sequence of bytes to the token.
• Receiving a sequence of bytes from the token.

TwoKey: Desktop App - Hardware Comm. (Windows)

• USB Device Notifications
• QAbstractEventFilter

QAbstractEventFilter

Sources: https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-registerdevicenotificationw

https://doc.qt.io/qt-5/qabstractnativeeventfilter.html

​

​

USBEventHandler

TwoKey: Desktop App - Hardware Comm. (Linux)

• libudev and libusb
• QTimer

Sources: https://www.freedesktop.org/software/systemd/man/libudev.html

https://libusb.info/

​

​

​

TwoKey: Desktop App - Hardware Communication

TwoKey: Desktop App - Hardware Communication

TwoKey: Desktop App - Browser Extension Comm.

• Send data from the browser extension to the desktop app.
• Receive data from the desktop app.
• Do so without slowing down or halting the UI.

Sources: https://doc.qt.io/qt-5/qabstractnativeeventfilter.html

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging�

​

​

​

TwoKey: Desktop App - Browser Extension Comm.

• Using QThread and a minimal web server, the communication worked.

TwoKey Main Thread [0]

HTTP Server Thread [1]

Event Handlers in Thread 0

Sources: https://doc.qt.io/qt-5/qthread.html

https://github.com/rxi/sandbird

​

​

TwoKey: Desktop App - Server Communication

• Using QNetworkRequest and QNetworkAccessManager, encrypted traffic is transferred between the desktop app and the server.

Sources: https://doc.qt.io/qt-5/qnetworkrequest.html

https://doc.qt.io/qt-5/qnetworkaccessmanager.html

�

​

​

​

Modules: Hardware Token

TwoKey: Hardware Token - Hardware Communication

• Communicates with the desktop app using a USB port (Arduino Nano).

TwoKey: Hardware Token - Hardware Communication

• Trying to use an ATtiny failed, as it doesn’t support USB Serial and has a very small ROM which couldn’t handle the AES code in the .text section.

TwoKey: Hardware Token - Security

• Keys never leave the token itself.
• The token uses 128-Bit AES encryption with a unique key and serial number per user.

Modules: Browser Extension

TwoKey: Browser Extension - Architecture

TwoKey: Browser Extension - Autofill

• Auto filling the credentials in websites.
• Allowing the user to choose alternate credentials for the same website.
• Was a huge challenge due to poor documentation and deprecated APIs.

TwoKey: Browser Extension - UI

• The user can log in from the extension itself and it will handle the communication with the desktop app.

Modules: Server Side

TwoKey: Server-Side - Registration

• Link serial number of the device with the encryption key

​

​

Serial no.

Physical ID

TwoKey: Server-Side - Login/2FA

​

• Username enumeration prevention
• Save login attempts in database (JWT)

​

TwoKey: Server-Side - Authentication

​

• Token-Based Authentication (JWT)

TwoKey: Server-Side - Secure Communication

• How does it work ?

​

TwoKey: Server-Side - Web Hosting

• Using Digital Ocean

​

TwoKey: Server-Side - Secure Communication

• Applying SSL/TLS and DDoS Mitigation using Cloudflare

​

TwoKey: Server-Side - Secure Communication

• Qualys SSL Labs Test Results

​

TwoKey: Server-Side - Secure Communication

​

• HTTPS - Secure Communication

​

TwoKey: Server-Side - Multiple Concurrent Connections

• Deploy uWSGI/Flask with Nginx

​

Desktop App

​

​

​

​

​

​

​

​

​

​

Invoke the callable object

Unix socket

Unix socket

Request from client

Request from response

Reverse Proxy

TwoKey: Server-Side Functionalities - Database

• The user’s data is stored encrypted in the database�Before:������After:

​

System Analysis

TwoKey: System Analysis - User Features

TwoKey: System Analysis - Session Initialisation

Stored/Spec:

- 2FA Key

- Master Password Hash

- Encrypted Credentials

- Can generate random� challenges

- Can encrypted any� generated challenge

Stored/Spec:

- 2FA Key

- Can encrypt the given

challenge with a unique key

TwoKey: System Analysis - Session Initialisation

TwoKey: System Analysis - Credentials Retrieval

Knows:

- Master Password

User

⓹ Extension autofills the form

TwoKey: System Analysis - Desktop Class Diagram

Tools Used

Used Tools and Frameworks

• Desktop App
• Qt Application Framework (qt.io)
• C++11 (isocpp.org/wiki/faq/cpp11)
• Win32 APIs (Ex: docs.microsoft.com/en-gb/windows/win32/devio/registering-for-device-notification)
• Sandbird (Embeddable HTTP Server) by rxi (github.com/rxi/sandbird)
• libudev (freedesktop.org/software/systemd/man/libudev.html)
• libusb (libusb.info)
• OpenSSL (openssl.org)
• Hardware Token
• AESLib (github.com/DavyLandman/AESLib)
• Arduino Nano (store.arduino.cc/usa/arduino-nano)
• Arduino IDE (arduino.cc/en/guide/windows)

Cont.: Used Tools and Frameworks

• Browser Extension
• WebExtension Javascript APIs (developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API)
• Browser Extension APIs (developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions)
• Javascript, HTML, CSS (w3schools.com)
• Server Backend
• Python 3 (python.org)
• Python Flask (pypi.org/project/Flask)
• pyaes (pypi.org/project/pyaes)
• MongoDB (mongodb.com)
• CloudFlare DDoS Protection and SSL (digitalocean.com)
• Digital Ocean Cloud Hosting (cloudflare.com/en-gb)
• .tech domain name (get.tech)
• Nginx (nginx.org/en)

Conclusion and Future Work

TwoKey: The Big Picture

Hardware Token

�[0]�TwoKey(GUI)�

[0]�USBCommunicator*��USBEventHandler

[1]�BrowserExtensionCommunicator

[0] - Main thread , [1] - Secondary Thread�*Creates a thread for each event handling.

�[0]�BackendClient�

On tab update or login

TwoKey: Future Work

• Auto filling credentials in native apps
• Integration with data breach notification services such as havibeenpwned.com
• The use of hardware-base securing of application data (e.g. Intel® SGX)
• Physical tamper protection
• Adding NFC to the token to support mobile phones
• Adding Biometrics as a third factor of authentication

Image credit: fierceelectronics.com

TwoKey: Desktop Application

• Auto Filling Credentials in Native apps
• Reminding users to change their passwords
• Integration with service for checking whether personal data has been compromised by data breaches (such as havibeenpwned.com)
• Employing the use of hardware-based features for securing application data and binaries (like Intel® SGX)

Image credit: fierceelectronics.com

TwoKey: Hardware Token

• Adding a elegant cover and a suitable casing for a modern look and physical tamper protection support
• Improving AES 128bit to be AES 256bit
• Integrating a physical HSM
• Adding NFC to the token to support mobile phones

Image credit: fierceelectronics.com

TwoKey: Browser Extension

• UI Enhancement
• Website Certificate Check
• Unlock with Biometrics
• Launch a website from history

TwoKey: Server Side and Infrastructure

• Adding multiple servers for load balancing and backup
• Applying system administration such as regular backups

TwoKey: Additional Modules

• Enabling TwoKey’s hardware token as an option of 2FA without having to use TwoKey’s software itself by creating an API for service vendors

Thank you!