[docs] - Mooltipass Project Repository - README.md - Fixing Minor Grammar Issues #552

Open
wants to merge 4 commits into
base: master
37 changes: 18 additions & 19 deletions README.md
Expand Up @@ -3,22 +3,21 @@ Mooltipass Project Repository
<p align="center">
<img src="https://raw.githubusercontent.com/limpkin/mooltipass/master/pictures/mini/prototypes/mini_alum_final_small_cropped.JPG" alt="Mooltipass first prototype"/>
</p>
This is the GitHub repository dedicated to the Mooltipass device family. It contains all the resources that were used and made for this community driven product line since the project was first started back in December 2013.
This is the GitHub repository dedicated to the Mooltipass device family. It contains all the resources that were used and made for this community-driven product line since the project was first started back in December 2013.
The Mooltipass Mini device is available for purchase <b><a href="https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/">on our Tindie store</a></b>.

What is the Mooltipass Project?
-------------------------------
With time, logins and passwords have become critical elements we need to remember to access the different websites and services we use daily. If we want to achieve good security, each of these credential sets should be unique.
We therefore created the Mooltipass, a physical password keeper that remembers and encrypts your credentials so you don't have to. With this device, you can generate and safely store long and complex passwords. A personal PIN locked smartcard allows the decryption of your credentials and ensures that only you have access to them. Simply visit a website and the device will ask for your confirmation to enter your credentials when login is required.
The Mooltipass is a standalone device connected through USB, is completely driver-less and is compatible with all major operating systems on PCs, Macs and Smartphones. It therefore is extremely simple to use our device:
- Plug the Mooltipass to your computer/tablet/phone, no driver installation required.
- Insert your smartcard, unlock it with your PIN. Without the PIN, the card is useless.
- Visit the website that needs a login. If using our browser plugin the Mooltipass asks your permission to send the stored name and password, or asks you to save/generate new credentials if you are logging in for the first time.
- If you are not using the browser plugin or logging in to something other than a web browser, you can manually tell MP to send the correct name and password. It will type it in for you, just like a keyboard. In this way it can be used anywhere.
The Mooltipass is a standalone device connected through USB, is completely driver-less and is compatible with all major operating systems on PCs, Macs and Smartphones. It therefore is extremely simple to use our device: - Plug the Mooltipass to your computer/tablet/phone, no driver installation required.
- Insert your smart card, unlock it with your PIN. Without the PIN, the card is useless.
- Visit the website that needs a login. If using our browser plugin the Mooltipass asks your permission to send the stored name and password or asks you to save/generate new credentials if you are logging in for the first time.
- If you are not using the browser plugin or logging in to something other than a web browser, you can manually tell MP to send the correct name and password. It will type it in for you, just like a keyboard. In this way, it can be used anywhere.

Advantages over software-based solutions
----------------------------------------
A software-based password keeper uses a passphrase to decrypt a credentials database located inside a device (computer, smartphone...). As at a given moment your passphrase and your database are stored inside your device's memory, a malicious program with access to both elements could <b><a href="http://thehackernews.com/2014/11/new-citadel-trojan-targets-your.html">compromise all your passwords at once</a></b>. In some cases, security flaws of software-based solutions can also lead to entire unencrypted databases beeing extracted by <b><a href="http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site">visiting a simple website</a></b>.
A software-based password keeper uses a passphrase to decrypt a credentials database located inside a device (computer, smartphone...). As at a given moment, your passphrase and your database are stored inside your device's memory, a malicious program with access to both elements could <b><a href="http://thehackernews.com/2014/11/new-citadel-trojan-targets-your.html">compromise all your passwords at once</a></b>. In some cases, security flaws of software-based solutions can also lead to entire unencrypted databases being extracted by <b><a href="http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site">visiting a simple website</a></b>.
We therefore offer the following advantages:
- **Stronger security**: we reduce the number of attack vectors by basically having our device type your passwords for you.
- A **non-proprietary device**: as our product is open anyone can develop new tools for it. There will never be fees for the services we offer.
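Review bot: the rewritten paragraph "It therefore is extremely simple to use our device: - Plug the Mooltipass..." pulls the first bullet onto the same line as the introductory sentence, so Markdown will no longer render the four steps as a list; keep the line break before `- Plug the Mooltipass to your computer/tablet/phone, no driver installation required.` as the original had it. Also, this hunk changes "smartcard" to "smart card" in the second bullet but leaves "PIN locked smartcard" unchanged two lines above; pick one spelling for the whole README (and "PIN locked" should be "PIN-locked" if the goal is consistent hyphenation, as with "community-driven").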
Expand All @@ -27,13 +26,13 @@ We therefore offer the following advantages:

The Platform
------------
The Mooltipass is composed of the main device shown above and a smartcard.
On the device are stored your AES-256 encrypted credentials. The smartcard is a read protected memory that needs a PIN code to unlock its contents (AES-256 key + a few websites credentials). As with your chip and pin card, too many tries will permanently lock the smart card.
The Mooltipass is composed of the main device shown above and a smart card.
On the device are stored your AES-256 encrypted credentials. The smart card is a read protected memory that needs a PIN code to unlock its contents (AES-256 key + a few websites credentials). As with your chip and pin card, too many tries will permanently lock the smart card.

The Firmware
------------
**We want the device to be as simple as possible.** Ideally, the end user shouldn't have to spend more than a few seconds to use its basic functionalities.
A browser extension runs on the user's computer and sends the current website to the Mooltipass. When the user has to login, the Mooltipass will light up and ask for confirmation to enter the credentials.
A browser extension runs on the user's computer and sends the current website to the Mooltipass. When the user has to log in, the Mooltipass will light up and ask for confirmation to enter the credentials.

Data Safety
-----------
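Review bot: on the line already being edited for "smart card", "read protected memory" should be "read-protected memory" and "a few websites credentials" should be "a few website credentials"; since the line is touched anyway, fix these too. "chip and pin card" is also inconsistent with the capitalised "PIN" earlier in the same sentence ("chip-and-PIN card").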
Expand All @@ -42,7 +41,7 @@ The smart card containing the AES key used for encrypting the passwords can be *

A Brief History of Security Flaws and Breaches
----------------------------------------------
We often think that the devices and websites we use are exempt of security flaws.
We often think that the devices and websites we use are exempt from security flaws.
You may see **if one of your accounts has already been compromised** by visiting <b><a href="https://haveibeenpwned.com/">this website</a></b>.
We also compiled a brief list of major security breaches and vulnerabilities found during the last few months:
- 01/2018 <a href="https://yro.slashdot.org/story/18/01/29/182210/lenovos-fingerprint-scanner-can-be-bypassed-via-a-hardcoded-password">
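Review bot: "exempt from" is the right correction. Consider also "a brief list of major security breaches and vulnerabilities found during the last few months": the entries that follow are dated (the first is 01/2018), so "in recent years" would not go stale the way "the last few months" does.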
Expand Down Expand Up @@ -107,7 +106,7 @@ A piece of paper contains passwords that can easily be read when you are not pay
Not at all, as the Mooltipass system is exactly like your chip and pin card: 3 false tries will permanently block the smart card and make credential decryption impossible.

**Why do I need different passwords for different websites?**
Websites are compromised on a daily basis. If you are using the same password for different websites, one attacker could use a password he discovered on all of them.
Web sites are compromised on a daily basis. If you are using the same password for different websites, one attacker could use a password he discovered on all of them.

**Why do you need an OLED screen?**
An offline password keeper needs to provide a way to prevent *impersonation*. The user has to check that the website/service he's approving the credential sending for is the same that the website/service he's currently visiting/using, as a malicious program could emit forged requests. Moreover, having a display allows the user to operate the Mooltipass without the browser plugin using our dedicated touch interface.
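Review bot: "Websites" to "Web sites" is a regression rather than a fix: "websites" is the usual single-word form and is used unchanged later in the very same sentence ("different websites") and in the next answer ("website/service"). Revert this one. In the unchanged context below, "is the same that the website/service" should be "is the same as the website/service" if this PR is collecting grammar fixes.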
Expand All @@ -116,9 +115,9 @@ An offline password keeper needs to provide a way to prevent *impersonation*. Th
There are many reasons, the main one being that it is much easier to carry a smart card around than any other object. This smart card is a secure element that contains your credentials' encryption key, it is cheap and may be cloned without compromising the system security.

**What if I lose my smartcard?**
Our device is shipped with two smartcards, so you can keep your copy somewhere safe. The Mooltipass therefore allows the user to clone his smartcard as many times as he wants, provided that the card PIN is correctly entered.
Our device is shipped with two smart cards, so you can keep your copy somewhere safe. The Mooltipass, therefore, allows the user to clone his smartcard as many times as he wants, provided that the card PIN is correctly entered.

**Can the smartcard be used with multiple Mooltipass?**
**Can the smart card be used with multiple Mooltipass?**
You can synchronize your credentials between multiple devices. This allows you to have one Mooltipass at work and one at home.

**What if I lose my Mooltipass device?**
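Review bot: the edited line changes "two smartcards" to "two smart cards" but keeps "clone his smartcard" in the next sentence; use one spelling throughout. The added commas in "The Mooltipass, therefore, allows" are optional and the original reads more naturally without them. The heading "Can the smart card be used with multiple Mooltipass?" would also read better as "multiple Mooltipass devices?". In the unchanged context, "encryption key, it is cheap" is a comma splice ("encryption key; it is cheap").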
Expand All @@ -130,7 +129,7 @@ The AES-256 used in the Mooltipass has been compared again standard Nessie test
**Can I use it on Windows/Linux/Mac?**
Yes, as no drivers are required to use the Mooltipass. It is recognized as a standard USB keyboard that will enter passwords for you.
**Can I use on my computer/laptop/phone/tablet...?**
Most (if not all) devices (including smart phones and tablet PCs) include a USB host capable port. The Mooltipass will work with all of them.
Most (if not all) devices (including smartphones and tablet PCs) include a USB host capable port. The Mooltipass will work with all of them.

**How secure is the Mooltipass?**
We are using the most secure encryption algorithms and designed our case to make physical tampering practically impossible. Our solution is therefore perfectly suited for individuals wanting to improve their credentials safety.
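Review bot: "smartphones" is fine. In the same region, "Can I use on my computer/laptop/phone/tablet...?" is missing "it" ("Can I use it on..."), "USB host capable port" should be "USB host-capable port", and the context line in the hunk header, "has been compared again standard Nessie test", should be "compared against". Since this PR is a grammar pass over the README, these are worth folding in.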
Expand All @@ -145,7 +144,7 @@ The Mooltipass is enumerated as a composite HID keyboard / HID proprietary devic
In theory yes. As mentioned in our project description the Mooltipass aims at reducing the number of attack vectors to a minimum: the device basically types your password as if you were doing it yourself. Perfect security could only be achieved by sharing dedicated secrets with every possible service and website... which is practically impossible to do.

**If I can export my encrypted credentials, does this mean someone could crack them?**
In short, no. We are using AES-256 encryption in CTR mode, bruteforcing the encrypted credentials takes more than fifty years.
In short, no. We are using AES-256 encryption in CTR mode, brute-forcing the encrypted credentials takes more than fifty years.

**If it is open source, does it mean it is less secure?**
Not at all. Having our code open source allows everyone to check our security implementation, which actually leads to a better code quality and more trust from our final users.
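Review bot: "brute-forcing" is correct, but the sentence is still a comma splice: "We are using AES-256 encryption in CTR mode, brute-forcing the encrypted credentials takes more than fifty years." Split it ("...in CTR mode; brute-forcing..." or "...in CTR mode, and brute-forcing...").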
Expand All @@ -157,13 +156,13 @@ You may contact the development team via <a href="https://groups.google.com/foru
Thanks and Acknowledgement
--------------------------
None of this would have been possible without the help of many people located all over the globe.
Here is a non exhaustive list:
Here is a nonexhaustive list:
- Darran H. (graphics, plugin, comms, general development and more) - New Zealand
- Pierre C. (GUI, encryption implementation supervision, pen testing) - France
- Bjorn W. (GUI, graphics, wise man, project advisor) - Canada
- Raoul H. (cross platform daemon, browser extensions - France
- Raoul H. (cross-platform daemon, browser extensions - France
- Henryk P. (encryption implementation supervision) - Unknown
- Olivier G. (mecanics, project advisor) - Switzerland
- Olivier G. (mechanics, project advisor) - Switzerland
- Josh W. (mechanics, plugin, fw supervision) - USA
- Eric E. (schematics & layout verification) - USA
- Mike N. (flash storage, node management) - USA
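Review bot: "nonexhaustive" is less common than "non-exhaustive", and the hyphenated form matches the "cross-platform" and "community-driven" hyphenations this PR introduces elsewhere. The line "Raoul H. (cross-platform daemon, browser extensions - France" is still missing its closing parenthesis after "browser extensions"; since that line is being edited anyway, add it. The heading "Thanks and Acknowledgement" is normally "Thanks and Acknowledgements".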