Signet password manager
Let's Get Physical
At the intersection of free software and crowdfunding, a USB password manager offers an innovation in security.
Small, crowdfunded businesses creating innovative open hardware are becoming one of the technological trends of the last few years. For instance, Keyboardio [1] is shipping its first ergonomic, customizable keyboard, while Purism [2] is gaining a reputation for its high-end laptops and is currently building the security-conscious Librem 5 phone. More recently, after a successful fundraising campaign [3], a two-person startup called Nth Dimension [4] is releasing Signet, a USB device for managing passwords that brings a few new twists to security.
Neils Nesse, the founder of Nth Dimension, writes that, "I have been a user and advocate of free and open source software for my entire adult life, although I haven't made many contributions so far outside of a few bug fixes and releasing some small graphics-related libraries on GitHub [5]. I started developing Signet soon after I made a DIY hardware password manager using some instructions online. It worked okay, but the user experience had a lot of pain points, and the device had limited portability. I didn't find any other open source offline hardware password manager options that I liked, so I resolved to create my own. In the long term, I plan to produce other consumer electronic devices, particularly devices where security and privacy are desirable."
Introducing Physical Security
Signet consists of a USB device (Figure 1) and a software client for Android, GNU/Linux, OS X, or Windows (Figure 2). Like any setup designed for security, Signet is based on encryption – specifically, the AES-256 standard [6] with cipher blockchaining [7] for authentication and encryption of the database. The encryption for each database entry is encrypted as a blockchain with unique initial blocks, which eliminates the possibility that similar blocks might be used for more than one entry and makes cracking more difficult.
However, the use of an external device and the exchange of information between the device and the client allows for a number of unique security features (Figure 3). Placing the password manager on a USB thumb drive provides elements of physical security – an aspect of security that is so simple that it is often overlooked. Unless the Signet device is plugged into the system, access to the information it manages – such as logins, bookmarks, contacts, and credit card numbers – is inaccessible. That means that a system can be secured simply by removing the device and carrying it around with you.
Even when Signet is available, the information it manages can only be accessed by pressing the device's button. When the device receives any command that is "sensitive" – that is, any command that reveals private information or is destructive – the button flashes, and the command is suppressed until either the button is pressed or the time to press the button expires and the command is rejected. This arrangement means that cracking Signet's database is of no use by itself. Moreover, Nesse says, "if there is any malicious software on the system you are using, it can only intercept data when you request it, rather than it being potentially able to get a complete copy all at once."
The main potential vulnerability occurs only if you back up Signet's database to the USB device. Even then, the database is encrypted. However, even this vulnerability can be avoided by backing up the Signet database elsewhere. Nesse recommends that other "removable media backup are probably the most secure, provided you don't use the drive you select on unsecured systems."
Moreover, Signet's hardware design choices provide additional security. Information is stored inside the microcontroller's on-chip flash memory, which, according to Nesse, can only be attacked "by desoldering the memory chip and reading out the memory contents in a separate circuit." Furthermore, the microcontroller and ARM-based chip have a memory protection mode that can be enabled to prevent the chip from using its hardware debug mode and to prevent the activation of the factory boot mode.
Additionally, any firmware updates can only be applied by unlocking the device first. In theory, the data might be cracked by a brute-force attack [8], but as Nesse points out, such an effort would be "impractical." Signet uses scrypt [9], an algorithm that is so memory-intensive that each attempt at authentication takes hundreds of milliseconds. For a legitimate user who is authenticating once, this delay hardly matters. However, since a brute-force attack by definition requires multiple guesses of the password, unless an obvious password is used, the delay soon mounts up, and any attack would take too long to have much chance of success.
Still another aspect of physical security is that the device's encryption key is randomly generated by three different sources of random data: the hardware random number generator on the microcontrollers, random data from the host, and random data generated by measuring variation on two different oscillators in the microcontroller. These multiple sources not only help to ensure that the encryption key is truly random, but it also means that both the Signet device and its devices on the system must be present to access information.
To further add to the security, Signet also has restrictions that prevent two programs from accessing the USB device at the same time. Because of this restriction, communication between the device and the client software is not encrypted. "This might seem like an oversight," Nesse says, "but if the system you are using is compromised, then the communication link between the device and the application is hardly the only place where the data could be intercepted. A keylogger could capture the data as it's being typed into the GUI, or when the USB keyboard function of the device types some private data. Even if encryption was used, the client's key could be extracted from RAM at run time, or the client could be replaced with a hacked client. The only way to really counter [these possibilities] is by limiting the types of data you access on systems that you have less trust in."
Advantages over Local and Cloud Password Managers
As Nesse notes, both hard drive and cloud-based password managers are widely used. However, Signet has advantages over both.
"For a user who keeps their offline database only on their home systems and secures them well," Nesse says, "the physical security offered by Signet might not matter as much. However, many people have to use a number of computes and networks that they don't have much control over: both work and school systems, often with proprietary operating systems. This reality forces a choice between not logging in outside of the home, choosing duplicated or easy to remember passwords to make the password manager less essential, or making copies of their password database. Signet, on the other hand, takes away the incentive to accept these kinds of security risk factors."
Moreover, a password manager installed on the same system as the data it is protecting is only as secure as the system itself. The introduction of a secure external device makes an intrusion much more difficult. Signet reduces the risk even further by receiving only a set of metadata when databases are unlocked – not a complete copy of the database.
Similarly, while cloud storage or services are convenient for users who regularly work from more than one system, as Nesse notes, "the question is whether or not it makes sense to store all of your passwords and other identifying information outside of your physical control." Unless you use some additional security measures such as Least-Authority File Store (LAFS) [10], only one source needs to be cracked for an intruder to have complete access to your data – and you may not know what has happened until long after the fact, if ever. "It's difficult to determine the likelihood of this happening," Nesse says, "but every service I've looked into has a spotty track record."
True, as Nesse admits, Signet is also a single source for your data. However, he adds, "it's a physical one, and you can study or even modify how it works," since it is open source. Any attack "would still require the attacker to get a hold of your device or gain access to the backup of the device's data. Even if you are being personally targeted, it's a risky operation. Going after all or a significant number of Signet users would be even more difficult and impractical," because each Signet device would have to be cracked individually. By contrast, a cloud database is centralized, and the sheer number of users makes it a far better target for an intruder. Nor do users have anything beyond a vendor's assurances about a cloud database's security, especially if it uses proprietary software.
Next Steps
Nth Dimension has exceeded its fundraising goal of $2,000 by over 500 hundred percent. As a result, Nesse is currently taking a break from his day job to fulfill the campaign's stretch goals. These goals include command-line tools, which should be ready for the first shipment of Signet, and browser plugins, which Nesse expects to be ready by early 2018. Nesse also hopes eventually to add support for GPG encryption, which "would allow Signet to manage the encryption of media and communications, keeping sensitive private encryption keys off the host system."
Other enhancements Nesse hopes to add at an unspecified future date are a feature that indicates password strength and the ability to start the client automatically when the USB device is inserted. "Other than that, I'm pretty happy with the desktop experience," he says. "I've been using Signet personally in various forms almost a year, so when things happen that bother me, I fix them fast."
Whether Nth Dimension will be a success remains to be seen, although the number of backers for its fundraising campaign gives the new company a chance for at least modest success. However, whether or not Nth Dimension is a financial success, in Signet, the company has already proved itself a source of technological innovation – and one that wouldn't exist without the intersection of free software and crowdfunding.
Infos
- Keyboardio: https://shop.keyboard.io/
- Purism: https://puri.sm/
- Crowdfunding campaign: https://www.crowdsupply.com/nth-dimension/signet
- Nth Dimension: http://nthdimtech.com/
- GitHub repositories: https://github.com/nthdimtech
- AES-256: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
- Cipher block chaining: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC
- Brute-force attacks: https://en.wikipedia.org/wiki/Brute-force_attack
- LAFS: https://en.wikipedia.org/wiki/Scrypt
- scrypt: https://tahoe-lafs.org/trac/tahoe-lafs
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome Fans Everywhere Rejoice for the Latest Release
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.