Signet password manager

Let's Get Physical

Lead Image © Anja Kaiser,

Lead Image © Anja Kaiser,

Article from Issue 206/2018

At the intersection of free software and crowdfunding, a USB password manager offers an innovation in security.

Small, crowdfunded businesses creating innovative open hardware are becoming one of the technological trends of the last few years. For instance, Keyboardio [1] is shipping its first ergonomic, customizable keyboard, while Purism [2] is gaining a reputation for its high-end laptops and is currently building the security-conscious Librem 5 phone. More recently, after a successful fundraising campaign [3], a two-person startup called Nth Dimension [4] is releasing Signet, a USB device for managing passwords that brings a few new twists to security.

Neils Nesse, the founder of Nth Dimension, writes that, "I have been a user and advocate of free and open source software for my entire adult life, although I haven't made many contributions so far outside of a few bug fixes and releasing some small graphics-related libraries on GitHub [5]. I started developing Signet soon after I made a DIY hardware password manager using some instructions online. It worked okay, but the user experience had a lot of pain points, and the device had limited portability. I didn't find any other open source offline hardware password manager options that I liked, so I resolved to create my own. In the long term, I plan to produce other consumer electronic devices, particularly devices where security and privacy are desirable."

Introducing Physical Security

Signet consists of a USB device (Figure 1) and a software client for Android, GNU/Linux, OS X, or Windows (Figure 2). Like any setup designed for security, Signet is based on encryption – specifically, the AES-256 standard [6] with cipher blockchaining [7] for authentication and encryption of the database. The encryption for each database entry is encrypted as a blockchain with unique initial blocks, which eliminates the possibility that similar blocks might be used for more than one entry and makes cracking more difficult.

Figure 1: The first part of Signet is an external USB device, which must be present for a login to work.
Figure 2: The second part of Signet is a software client.

However, the use of an external device and the exchange of information between the device and the client allows for a number of unique security features (Figure 3). Placing the password manager on a USB thumb drive provides elements of physical security – an aspect of security that is so simple that it is often overlooked. Unless the Signet device is plugged into the system, access to the information it manages – such as logins, bookmarks, contacts, and credit card numbers – is inaccessible. That means that a system can be secured simply by removing the device and carrying it around with you.

Figure 3: Both the Signet USB device and the software client are required to log in to protected data.

Even when Signet is available, the information it manages can only be accessed by pressing the device's button. When the device receives any command that is "sensitive" – that is, any command that reveals private information or is destructive – the button flashes, and the command is suppressed until either the button is pressed or the time to press the button expires and the command is rejected. This arrangement means that cracking Signet's database is of no use by itself. Moreover, Nesse says, "if there is any malicious software on the system you are using, it can only intercept data when you request it, rather than it being potentially able to get a complete copy all at once."

The main potential vulnerability occurs only if you back up Signet's database to the USB device. Even then, the database is encrypted. However, even this vulnerability can be avoided by backing up the Signet database elsewhere. Nesse recommends that other "removable media backup are probably the most secure, provided you don't use the drive you select on unsecured systems."

Moreover, Signet's hardware design choices provide additional security. Information is stored inside the microcontroller's on-chip flash memory, which, according to Nesse, can only be attacked "by desoldering the memory chip and reading out the memory contents in a separate circuit." Furthermore, the microcontroller and ARM-based chip have a memory protection mode that can be enabled to prevent the chip from using its hardware debug mode and to prevent the activation of the factory boot mode.

Additionally, any firmware updates can only be applied by unlocking the device first. In theory, the data might be cracked by a brute-force attack [8], but as Nesse points out, such an effort would be "impractical." Signet uses scrypt [9], an algorithm that is so memory-intensive that each attempt at authentication takes hundreds of milliseconds. For a legitimate user who is authenticating once, this delay hardly matters. However, since a brute-force attack by definition requires multiple guesses of the password, unless an obvious password is used, the delay soon mounts up, and any attack would take too long to have much chance of success.

Still another aspect of physical security is that the device's encryption key is randomly generated by three different sources of random data: the hardware random number generator on the microcontrollers, random data from the host, and random data generated by measuring variation on two different oscillators in the microcontroller. These multiple sources not only help to ensure that the encryption key is truly random, but it also means that both the Signet device and its devices on the system must be present to access information.

To further add to the security, Signet also has restrictions that prevent two programs from accessing the USB device at the same time. Because of this restriction, communication between the device and the client software is not encrypted. "This might seem like an oversight," Nesse says, "but if the system you are using is compromised, then the communication link between the device and the application is hardly the only place where the data could be intercepted. A keylogger could capture the data as it's being typed into the GUI, or when the USB keyboard function of the device types some private data. Even if encryption was used, the client's key could be extracted from RAM at run time, or the client could be replaced with a hacked client. The only way to really counter [these possibilities] is by limiting the types of data you access on systems that you have less trust in."

Advantages over Local and Cloud Password Managers

As Nesse notes, both hard drive and cloud-based password managers are widely used. However, Signet has advantages over both.

"For a user who keeps their offline database only on their home systems and secures them well," Nesse says, "the physical security offered by Signet might not matter as much. However, many people have to use a number of computes and networks that they don't have much control over: both work and school systems, often with proprietary operating systems. This reality forces a choice between not logging in outside of the home, choosing duplicated or easy to remember passwords to make the password manager less essential, or making copies of their password database. Signet, on the other hand, takes away the incentive to accept these kinds of security risk factors."

Moreover, a password manager installed on the same system as the data it is protecting is only as secure as the system itself. The introduction of a secure external device makes an intrusion much more difficult. Signet reduces the risk even further by receiving only a set of metadata when databases are unlocked – not a complete copy of the database.

Similarly, while cloud storage or services are convenient for users who regularly work from more than one system, as Nesse notes, "the question is whether or not it makes sense to store all of your passwords and other identifying information outside of your physical control." Unless you use some additional security measures such as Least-Authority File Store (LAFS) [10], only one source needs to be cracked for an intruder to have complete access to your data – and you may not know what has happened until long after the fact, if ever. "It's difficult to determine the likelihood of this happening," Nesse says, "but every service I've looked into has a spotty track record."

True, as Nesse admits, Signet is also a single source for your data. However, he adds, "it's a physical one, and you can study or even modify how it works," since it is open source. Any attack "would still require the attacker to get a hold of your device or gain access to the backup of the device's data. Even if you are being personally targeted, it's a risky operation. Going after all or a significant number of Signet users would be even more difficult and impractical," because each Signet device would have to be cracked individually. By contrast, a cloud database is centralized, and the sheer number of users makes it a far better target for an intruder. Nor do users have anything beyond a vendor's assurances about a cloud database's security, especially if it uses proprietary software.

Next Steps

Nth Dimension has exceeded its fundraising goal of $2,000 by over 500 hundred percent. As a result, Nesse is currently taking a break from his day job to fulfill the campaign's stretch goals. These goals include command-line tools, which should be ready for the first shipment of Signet, and browser plugins, which Nesse expects to be ready by early 2018. Nesse also hopes eventually to add support for GPG encryption, which "would allow Signet to manage the encryption of media and communications, keeping sensitive private encryption keys off the host system."

Other enhancements Nesse hopes to add at an unspecified future date are a feature that indicates password strength and the ability to start the client automatically when the USB device is inserted. "Other than that, I'm pretty happy with the desktop experience," he says. "I've been using Signet personally in various forms almost a year, so when things happen that bother me, I fix them fast."

Whether Nth Dimension will be a success remains to be seen, although the number of backers for its fundraising campaign gives the new company a chance for at least modest success. However, whether or not Nth Dimension is a financial success, in Signet, the company has already proved itself a source of technological innovation – and one that wouldn't exist without the intersection of free software and crowdfunding.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95