HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Brisk4t

6 karmajoined 4 mesi fa

Submissions

Show HN: I built an encrypted BLE dongle for pasting stuff to air-gapped devices

github.com
5 points·by Brisk4t·8 giorni fa·6 comments

comments

Brisk4t
·7 giorni fa·discuss
Glad you liked it!

I haven't really set up a way to commercialize it yet but setting one up for yourself is pretty easy - you just need an ESP32-S3 from amazon / aliexpress or somewhere similar, the website handles the firmware flashing for you (follow the quick start guide on github).

If I do see some more interest I might set up a way for people to but the custom version, definitely a first for me though.
Brisk4t
·7 giorni fa·discuss
Thanks for the detailed feedback! Glad you liked the idea.

A lot of these are me not updating the Readme often enough :p I'll be updating it based on your feedback but I'll also address the points here.

1. It used to be the AES key but I switched to storing the pubkey and local private key, its encrypted with a hardcoded credential even in "passwordless" mode and uses the same encryption scheme as 2.

2. Yup its salted. I'll look into Argon2id, should be a trivial change.

3. Pasted strings are sent as a bulk packet (200 chars at a time + overhead), the gif demo is me typing + pasting so it isn't very obvious. I do agree that typed passwords are still susceptible to the length check, sending noise like you mentioned sounds like a good plan.

4,5. Yeah another readme thing, it is indeed AES-256-GCM. I've considered replay protection but for now I think the tradeoff for managing senders easily just based on pubkey is worth because of the next point

6. Readme moment pt.3 :p, the key is generated from the stored ECDH credentials each time along with a session-specific salt (so replay attacks are only possible within the same session).

Let me know if you have any more ideas though, I'm currently working on the FIDO support but I'll definitely work on your suggestions!
Brisk4t
·mese scorso·discuss
I'm rooting for them HARD but they've been quiet since their last (and only) blog. X and LinkedIn are empty too. I really hope it wasn't a pipe dream.