doc: fix typo
parent
5adb4421ef
commit
47528d2b7e
40
README.rst
|
@ -4,28 +4,28 @@ purpose
|
||||||
=======
|
=======
|
||||||
|
|
||||||
passkey is a USB dongle to paste credentials.
|
passkey is a USB dongle to paste credentials.
|
||||||
It appears a serial port to enter the credentials, and HID keyboard to paste them.
|
It appears as a serial port to enter the credentials, and HID keyboard to paste them.
|
||||||
|
|
||||||
Usage:
|
Usage:
|
||||||
|
|
||||||
- insert the passkey dongle in the USB port, buttons facing up
|
- insert the passkey dongle in the USB port, with "passkey" text facing up
|
||||||
- it will appear as serial port to enter the credentials, and HID keyboard to paste them
|
- it will appear as serial port to enter the credentials, and HID keyboard to paste them
|
||||||
- the red light will blink, indicating it no credentials have been entered yet
|
- the red light will blink, indicating no credentials have been entered yet
|
||||||
- connect to it using your favorite serial terminal (e.g. [putty](https://putty.org/) or [picocom](https://github.com/npat-efault/picocom)) using any baud rate
|
- connect to it using your favourite serial terminal (e.g. [putty](https://putty.org/) or [picocom](https://github.com/npat-efault/picocom)) using any baud rate
|
||||||
- press 'c' to enter your credentials to paste (username and password)
|
- press 'c' to enter your credentials to paste (username and password)
|
||||||
- the light will remain on
|
- the light will remain on
|
||||||
- press one button of the dongle for it to just paste the password
|
- press one button of the dongle for it to just paste the password
|
||||||
- press the other button to paste the username and password (tab separated)
|
- press the other button to paste the username and password (tab separated)
|
||||||
|
|
||||||
You can configure it over the serial terminal:
|
You can configure passkey over the serial terminal:
|
||||||
|
|
||||||
- press 'h' to list all available options
|
- press 'h' to list all available options
|
||||||
- press 'b' to swap the button, changing which is for the password or username and password
|
- press 'b' to swap the buttons, changing which is for the password or username and password
|
||||||
- press 'l' to set using keyboard layout should be used: use the same are configured in your OS, else the pasted credentials might not be exactly the ones you entered
|
- press 'l' to set which keyboard layout should be used: use the same are configured in your OS, else some letter in the pasted credentials might be different
|
||||||
- by default the credentials will be cleared 12 hours after they have been entered. Press 'g' to change this time, up to 12 hours
|
- by default the credentials will be cleared 12 hours after they have been entered. Press 'g' to change this time, up to 12 hours
|
||||||
- by default the credentials will be cleared 3 hours after the last time they have been pasted. Press 'r' to change this time, up to 3 hours
|
- by default the credentials will be cleared 3 hours after the last time they have been pasted. Press 'r' to change this time, up to 3 hours
|
||||||
- press 'a' to authenticate the device. Enter a random word, and it will provide a corresponding result. Copy the provided text to the [homepage](https://passkey.cuvoodoo.info/). If the response is the same, the device is running the original firmware.
|
- press 'a' to authenticate the device. Enter a random word, and it will provide an URL and a corresponding result. Click on the link, and if the response is the same, the device is running the original firmware.
|
||||||
- press 'k' to enter your own key, which you need to remember. You can then authenticate the device locally (without using the homepage), using any SHA256 calculator.
|
- press 'k' to enter your own key, which you need to remember. You can then authenticate the device locally (without using the link), using any SHA256 calculator.
|
||||||
|
|
||||||
security
|
security
|
||||||
========
|
========
|
||||||
|
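Review bot: In the 'a' (authenticate) bullet, the new wording has the user click a link that the dongle itself prints, where the old wording sent them to the fixed homepage https://passkey.cuvoodoo.info/, so the README no longer tells the reader which site the link is supposed to lead to. Since this step exists to detect non-original firmware, suggest naming the expected host in the sentence so the reader can compare it with the printed URL before trusting the response. Smaller points in the same hunk: "an URL" should be "a URL", the 'l' bullet still reads "use the same are configured in your OS" and "some letter" should be plural, and "favorite" to "favourite" is a spelling-variant change rather than a typo fix.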
@ -43,36 +43,40 @@ You can clear the credentials by:
|
||||||
|
|
||||||
- unplugging the dongle
|
- unplugging the dongle
|
||||||
- pressing both buttons at the same time
|
- pressing both buttons at the same time
|
||||||
- pressing 4 times CapsLock within 2 seconds on your keyboard
|
- pressing 4 times CapsLock or NumLock within 2 seconds on your keyboard
|
||||||
- pressing 4 times NumLock within 2 seconds on your keyboard
|
|
||||||
|
|
||||||
The credentials will be cleared up to 12 hours after they have been entered.
|
The credentials will be cleared up to 12 hours after they have been entered.
|
||||||
The credentials will be cleared up to 3 hours after the last time they have been pasted.
|
The credentials will be cleared up to 3 hours after the last time they have been pasted.
|
||||||
This decreases the risk of having them leaked if the device is left unattended for too long.
|
This decreases the risk of having them leaked if the dongle is left unattended for too long.
|
||||||
These timeouts can be configured over the serial port.
|
These timeouts can be configured over the serial port.
|
||||||
|
|
||||||
The dongle is locked after been programmed.
|
The dongle can be locked after been programmed.
|
||||||
This prevents from:
|
This prevents from:
|
||||||
|
|
||||||
- using the SWD interface to attach a debugger on the test point and dump the credentials from the running system
|
- using the SWD interface to attach a debugger on the test points and dump the credentials from the running system
|
||||||
- using the bootloader to flash a new malicious firmware (e.g. that could store the credentials on non-volatile memory and reveal them later)
|
- using the bootloader to flash a new malicious firmware (e.g. that could store the credentials on non-volatile memory and reveal them later)
|
||||||
- mass erase the device, to re-enable debugging and flashing
|
- mass erase the device, to re-enable debugging and flashing
|
||||||
|
|
||||||
The flash memory is also write protected.
|
The flash memory can also write protected.
|
||||||
Only the last 4 kB of flash are re-writable, as the are used to store the configuration set over serial.
|
Only the last 4 kB of flash are re-writable, as they are used to store the configuration set over serial.
|
||||||
The makes it very hard from exploiting the runtime firmware and overwrite.
|
This makes it very hard from exploiting the runtime firmware and overwriting it.
|
||||||
|
|
||||||
To verify if the firmware is original, use the authentication menu.
|
To verify if the firmware is original, use the authentication menu.
|
||||||
|
If you get the passkey from CuVoodoo, you will also has received it's ID per email.
|
||||||
|
This ID should the prefix of the authentication token.
|
||||||
Each device has been programmed with an individual key before being locked.
|
Each device has been programmed with an individual key before being locked.
|
||||||
Matching the result with the website ensures the key is the same.
|
Matching the result with the website ensures the key is the same.
|
||||||
To avoid using the website, you can set a user key, and perform the authentication locally using any SHA256 calculator.
|
To avoid using the website, you can set a user key, and perform the authentication locally using any SHA256 calculator.
|
||||||
|
|
||||||
|
risks
|
||||||
|
-----
|
||||||
|
|
||||||
The [STM32F042F6P](https://www.st.com/en/microcontrollers-microprocessors/stm32f042f6.html) micro-controller does not have security certifications.
|
The [STM32F042F6P](https://www.st.com/en/microcontrollers-microprocessors/stm32f042f6.html) micro-controller does not have security certifications.
|
||||||
If the device locking mechanism can be circumvented (e.g. using fault injection), a malicious firmware could be installed.
|
If the device locking mechanism can be circumvented (e.g. using fault injection), a malicious firmware could be installed.
|
||||||
Because of that, it is not recommended to leave the dongle unattended.
|
Because of that, it is not recommended to leave the dongle unattended.
|
||||||
It has a hole to pass a string through and attach it to a key-chain you keep with you.
|
It has a hole to pass a string through and attach it to a key-chain you keep with you.
|
||||||
This string also allows to easily unplug the device from the computer.
|
This string also allows to easily unplug the device from the computer.
|
||||||
It is also recommend to draw on the back of the device, so it becomes unique and hard to tamper with unnoticed.
|
It is also recommended to draw on the back of the device, so it becomes unique and hard to tamper with unnoticed.
|
||||||
|
|
||||||
firmware
|
firmware
|
||||||
========
|
========
|
||||||
|
|
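Review bot: "The dongle can be locked after been programmed." and "The flash memory can also write protected." turn two stated security properties into optional ones under a commit titled as a typo fix, while the unchanged lines below still say each device was programmed with an individual key "before being locked". Suggest stating which dongles are locked and write protected (for instance whether those received from CuVoodoo are) and how a user can tell, since the listed protections against SWD dumping, bootloader flashing and mass erase only hold when locking is applied. The added lines also need a wording pass: "can also write protected" is missing "be", "after been programmed" should be "after being programmed", "you will also has received it's ID per email" should read "you will also have received its ID by email", and "This ID should the prefix" is missing "be".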