doc: fix typo
parent 5adb4421ef
commit 47528d2b7e
40
README.rst
@ -4,28 +4,28 @@ purpose
|
|||
=======
|
||||
|
||||
passkey is a USB dongle to paste credentials.
|
||||
It appears a serial port to enter the credentials, and HID keyboard to paste them.
|
||||
It appears as a serial port to enter the credentials, and HID keyboard to paste them.
|
||||
|
||||
Usage:
|
||||
|
||||
- insert the passkey dongle in the USB port, buttons facing up
|
||||
- insert the passkey dongle in the USB port, with "passkey" text facing up
|
||||
- it will appear as serial port to enter the credentials, and HID keyboard to paste them
|
||||
- the red light will blink, indicating it no credentials have been entered yet
|
||||
- connect to it using your favorite serial terminal (e.g. [putty](https://putty.org/) or [picocom](https://github.com/npat-efault/picocom)) using any baud rate
|
||||
- the red light will blink, indicating no credentials have been entered yet
|
||||
- connect to it using your favourite serial terminal (e.g. [putty](https://putty.org/) or [picocom](https://github.com/npat-efault/picocom)) using any baud rate
|
||||
- press 'c' to enter your credentials to paste (username and password)
|
||||
- the light will remain on
|
||||
- press one button of the dongle for it to just paste the password
|
||||
- press the other button to paste the username and password (tab separated)
|
||||
|
||||
You can configure it over the serial terminal:
|
||||
You can configure passkey over the serial terminal:
|
||||
|
||||
- press 'h' to list all available options
|
||||
- press 'b' to swap the button, changing which is for the password or username and password
|
||||
- press 'l' to set using keyboard layout should be used: use the same are configured in your OS, else the pasted credentials might not be exactly the ones you entered
|
||||
- press 'b' to swap the buttons, changing which is for the password or username and password
|
||||
- press 'l' to set which keyboard layout should be used: use the same are configured in your OS, else some letter in the pasted credentials might be different
|
||||
- by default the credentials will be cleared 12 hours after they have been entered. Press 'g' to change this time, up to 12 hours
|
||||
- by default the credentials will be cleared 3 hours after the last time they have been pasted. Press 'r' to change this time, up to 3 hours
|
||||
- press 'a' to authenticate the device. Enter a random word, and it will provide a corresponding result. Copy the provided text to the [homepage](https://passkey.cuvoodoo.info/). If the response is the same, the device is running the original firmware.
|
||||
- press 'k' to enter your own key, which you need to remember. You can then authenticate the device locally (without using the homepage), using any SHA256 calculator.
|
||||
- press 'a' to authenticate the device. Enter a random word, and it will provide an URL and a corresponding result. Click on the link, and if the response is the same, the device is running the original firmware.
|
||||
- press 'k' to enter your own key, which you need to remember. You can then authenticate the device locally (without using the link), using any SHA256 calculator.
|
||||
|
||||
security
|
||||
========
|
||||
|
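Review bot: The rewritten 'a' bullet ("Click on the link, and if the response is the same, the device is running the original firmware") no longer names the fixed https://passkey.cuvoodoo.info/ address that the earlier wording gave, so the reader is told to follow whatever URL the device prints, and the device is the thing being authenticated. Suggest stating the expected host in this bullet so the link can be checked before the result is trusted. This, and the orientation change from "buttons facing up" to "with "passkey" text facing up", are changes to the instructions rather than typos, so the "doc: fix typo" subject undersells them. Smaller points: the new 'l' bullet still reads "use the same are configured in your OS", "an URL" should be "a URL", and the `[putty](https://putty.org/)` style links are Markdown syntax in a file named README.rst.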
@ -43,36 +43,40 @@ You can clear the credentials by:
|
|||
|
||||
- unplugging the dongle
|
||||
- pressing both buttons at the same time
|
||||
- pressing 4 times CapsLock within 2 seconds on your keyboard
|
||||
- pressing 4 times NumLock within 2 seconds on your keyboard
|
||||
- pressing 4 times CapsLock or NumLock within 2 seconds on your keyboard
|
||||
|
||||
The credentials will be cleared up to 12 hours after they have been entered.
|
||||
The credentials will be cleared up to 3 hours after the last time they have been pasted.
|
||||
This decreases the risk of having them leaked if the device is left unattended for too long.
|
||||
This decreases the risk of having them leaked if the dongle is left unattended for too long.
|
||||
These timeouts can be configured over the serial port.
|
||||
|
||||
The dongle is locked after been programmed.
|
||||
The dongle can be locked after been programmed.
|
||||
This prevents from:
|
||||
|
||||
- using the SWD interface to attach a debugger on the test point and dump the credentials from the running system
|
||||
- using the SWD interface to attach a debugger on the test points and dump the credentials from the running system
|
||||
- using the bootloader to flash a new malicious firmware (e.g. that could store the credentials on non-volatile memory and reveal them later)
|
||||
- mass erase the device, to re-enable debugging and flashing
|
||||
|
||||
The flash memory is also write protected.
|
||||
Only the last 4 kB of flash are re-writable, as the are used to store the configuration set over serial.
|
||||
The makes it very hard from exploiting the runtime firmware and overwrite.
|
||||
The flash memory can also write protected.
|
||||
Only the last 4 kB of flash are re-writable, as they are used to store the configuration set over serial.
|
||||
This makes it very hard from exploiting the runtime firmware and overwriting it.
|
||||
|
||||
To verify if the firmware is original, use the authentication menu.
|
||||
If you get the passkey from CuVoodoo, you will also has received it's ID per email.
|
||||
This ID should the prefix of the authentication token.
|
||||
Each device has been programmed with an individual key before being locked.
|
||||
Matching the result with the website ensures the key is the same.
|
||||
To avoid using the website, you can set a user key, and perform the authentication locally using any SHA256 calculator.
|
||||
|
||||
risks
|
||||
-----
|
||||
|
||||
The [STM32F042F6P](https://www.st.com/en/microcontrollers-microprocessors/stm32f042f6.html) micro-controller does not have security certifications.
|
||||
If the device locking mechanism can be circumvented (e.g. using fault injection), a malicious firmware could be installed.
|
||||
Because of that, it is not recommended to leave the dongle unattended.
|
||||
It has a hole to pass a string through and attach it to a key-chain you keep with you.
|
||||
This string also allows to easily unplug the device from the computer.
|
||||
It is also recommend to draw on the back of the device, so it becomes unique and hard to tamper with unnoticed.
|
||||
It is also recommended to draw on the back of the device, so it becomes unique and hard to tamper with unnoticed.
|
||||
|
||||
firmware
|
||||
========
|
||||
|
|
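Review bot: In the locking paragraph, "The dongle is locked" becomes "The dongle can be locked" and "The flash memory is also write protected" becomes "The flash memory can also write protected", which turns two stated protections into options under a "fix typo" subject, while the later line "Each device has been programmed with an individual key before being locked" still reads as if locking always happens. Suggest saying when a dongle is or is not locked and write protected and how the owner can tell, and putting that wording change in its own commit. The new lines also need a grammar pass: "can also write protected" is missing "be", "after been programmed" should be "after being programmed", "very hard from exploiting" does not parse, and "you will also has received it's ID" and "This ID should the prefix" are still broken.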