I'm about to put #Signet devices on #sale. Actually no, not sale, I'm just going to lower the price on my store, where people pay in #bitcoin. #Fiat prices will remain the same.

https://hax0rbana.org/signet to buy, but might as well wait until tomorrow when the price drops.

#security #infosec #cyber #cybersec #cybersecurity #OpenSource #hardware #privacy


Discussion

Has this hardware/software solution been audited? How does it work? Is there a secure element chip inside?

It works by storing your passwords and any other data you put in there encrypted (aes256-cbc) on the persistent storage. The device does not contain the secret key and there is no secure element, by design.

The device password is used to generate the key to decrypt the storage. https://gitlab.hax0rbana.org/signet/signet-base/-/blob/trunk/firmware/commands.c#L411

The password is hashed by scrypt to generate the key. https://gitlab.hax0rbana.org/signet/signet-client/-/blob/trunk/client/signetapplication.cpp#L213

As for whether it has been audited, well, yes and no. If your definition of an audit is that someone who did not write the code reviewed it for security, and this reviewer was experienced in cryptographic audits, then yes. If you mean, were they paid for their work, and did they write up a report, then no.

Also, I am the person who did the audit, because I wasn't going to trust the device without doing a code review first. So there's some bias here in me saying it's audited, but I didn't design or implement the code. I'm merely the maintainer of all software and firmware and the builder of hardware.

By not having a secure element that stores some secret, it means there's no secure element that needs to be audited (which is good because they're difficult to audit and nearly impossible to get access to in order to do the audit). It also makes it easier to back up & restore the device. The trade-off here is that it means offline attacks are possible. If you choose a weak password, it'd be possible to brute force it if someone got a backup of your device. So, yeah, a 6-digit PIN isn't going to cut it here.

Thank you for that complete answer. I appreciate you taking the time. Is there a way to backup all stored credentials so that if the hardware fails it's possible to restore the stored data to a new replacement device?


For people who have NOT joined the #Signet project, nor bought a device. I want to hear from you.

Too expensive ($45)?

Don't feel it's more secure than pure software?

Don't feel you can trust it?

Don't use a password database?

Not enough time to help (provide feedback, report bugs, contribute code, etc.)?

What's holding you back and how can we fix it?

nostr:nevent1qqsghrl3tzvevjv0sm443knqaunr4xzxlv0laqm3yxl9mteqvqddxvqpzpmhxue69uhkummnw3ezumt0d5hsygxnp65cafj7j5ler2un76esafg7kv79qmu86j0kqzsnnthsp254zypsgqqqqqqs03jlt9

OK, price drop as promised for #bitcoin users

https://hax0rbana.org/signet/store.html?pubkey=028fe8dff97df9480d37bd7fbdd300c7aab1e77e3f77647f41ae27fa69d401da26&relays=%5B%22wss://relay.damus.io%22,%22wss://nostr-pub.wellorder.net%22,%22wss://nostr.bolt.fun%22%5D

This is as low as I can go. It's the cost of the components and the average shipping price.

No compensation for the hour I spend building, testing and reworking each board or the hundreds of hours working on the software or firmware. But if it helps encourage more people to pay and accept bitcoin, it'll be worth it. Besides, if bitcoin goes up by 50%, I'll have made minimum wage. 🤣 It's all good, it's a labor of love. 🫂


I can't get to your site... Maybe I'm out of data.

Also, this is my first time hearing about it. Does it work in Linux?