element14 Community
Smart Security and Surveillance
Identity Protocol Part 1 - Plan

arvindsa 1 day ago

In The Bourne Ultimatum, Jason Bourne accesses the access card to the Special Research Department after breaking into Noah Vosen, Director of the CIA’s Black Briar Program. In Ocean's 11, Livingston Dell is able to access the Bellagio's security camera systems because he used a stolen ID card from one of the guards. And then there are so many more movies where just an ID card theft is needed to gain access to restricted areas. I thought movies are movies and may not have any connection to reality, but lo, I was surprised that this is a place where the movies took cues from reality. I found so many places where all you need is a shiny white card with the right ID number and boom... you are in.

But these were super casual security settings. In non-critical secure facilities, access control relies on a swipe card and PIN entry at each door. This is more secure, but the problem is that authorized personnel, like guards on rounds, must swipe the card and enter the PIN each time, and this looks like a hassle. I want to make authentication a better user experience without sacrificing security.

The aim is to build a smart ID card which has a numeric keypad for typing in a PIN and will perform cryptographic authentication wirelessly as it approaches a door. Thus, unlike traditional systems that trust the card, this system requires the card to prove its identity cryptographically before every access event. If the card is stolen or forcibly removed, it automatically locks and refuses to authenticate.

To achieve this, we will use two devices:

ID Device

  • Referred to simply as the ID from now on
  • MAX32630FTHR for low-power control; the wearable PMIC should help with low-power management
  • ATECC508A for crypto
  • Membrane keypad for PIN unlock
  • IMU (inbuilt in the MAX32630FTHR) for theft detection
  • Bluetooth (inbuilt in the MAX32630FTHR) for communication
  • RGB LED (inbuilt in the MAX32630FTHR) for the status of ID card locking

Door Device

  • Referred to simply as the door from now on
  • MAX32630FTHR for authentication logic
  • ATECC508A for crypto
  • Ethernet FeatherWing for real-time logging and blacklist updates
  • Motor FeatherWing for door actuation
  • ICELED FeatherWing for visual feedback
  • Optical sensor for detecting door closure, and thus tailgating

 

Security Architecture

At the core of this system is asymmetric cryptography, a method of securing communication using a pair of mathematically linked keys: a private key and a public key. The private key is kept secret and never shared, while the public key can be distributed openly. When a device wants to prove its identity, it does not reveal any secret—instead, it uses its private key to sign a piece of data (in this case, a random challenge). Any other device with the corresponding public key can then verify that signature and confirm that it was created by the legitimate owner of the private key. This ensures that even if communication is intercepted, no attacker can impersonate the device without access to the private key. In simple terms, it allows a device to prove who it is without revealing its secret, which forms the foundation of a secure, zero-trust authentication system.

ATECC508A is an IC designed to act like a secure digital vault. Instead of storing sensitive data like encryption keys or passwords in normal memory (where they can be read or copied), the ATECC508A keeps them locked inside a protected area that cannot be accessed directly.  It can generate strong cryptographic keys, securely store them, and perform operations like signing or verifying data internally, without ever exposing the private key outside the chip. In simple terms, it doesn’t just store identity—it proves identity securely, making it extremely useful in systems like this where you want to ensure that even if the hardware is stolen, the attacker cannot extract or misuse the secret keys.

Each device will have a private and public key pair generated using the ATECC508A. The public keys of all ID cards are shared with all doors via the server and the Ethernet FeatherWing.

After being paired over Bluetooth in SPP mode (backup plan: I will use NRF24 if I can't use Bluetooth), whenever the ID card device comes close to the door:

  1. Bluetooth connects.
  2. The door device sends a challenge string via the SPP protocol. The challenge string is generated by the ATECC508A using its True Random String Generator.
  3. The ID card signs the challenge string using its own private key and sends it back via SPP.
  4. The door verifies the signature using the shared public key.

The ID will not sign the challenge if:

  • It has not been unlocked using the right PIN
  • The IMU detects a tug (signifying a theft)
  • The timeout since the last PIN entry has elapsed

If the door sensor detects that the door is not closed properly, an alert can be raised. At all times, the logs are sent to the server via Ethernet.

Django Server

The Django server will be a proof of concept that exposes a REST API to share the public keys and log events. I will run it locally on my PC.

Mechanical Parts

I will build a mock-up of a door and a frame to demonstrate the unlocking, sensor detection, etc. The electronic parts will be encased in a 3D-printed casing for basic durability.

The Plan

I will split the work into 4 phases.

Phase 1

  • Until the hardware arrives (if I am selected), I will use an STM32F103 Nucleo to interface with the ATECC508 and generate a cryptographic key pair
  • Decide on the encryption library: play with mbedTLS and micro-ecc to find out which one I'd like to use. From the looks of it, micro-ecc is the better choice because it is lightweight (ECC only)
  • Generate a cryptographic nonce using the True Random Number Generator of the ATECC508. Essentially, a nonce is a random number which is statistically guaranteed to be unique
  • Using the chosen encryption library, sign the nonce using the private key, extract the signed data over UART, and verify it using Python and the public key (I can verify it using the same device, but I wanted to make sure the library is using the standard ECC algorithm)
  • Make the Django server and API endpoints for sharing the public keys

Phase 2

  • Hardware arrives: port the code to the MAX32630FTHR and verify that it works
  • Using a protoboard, membrane keyboard, and SOIC-DIP adapter, solder an ID card device
  • Interface the keyboard and the Bluetooth Serial Port Profile (NRF24 module as backup option)
  • Using manual exchange of the public key, ensure that the nonce generated by the door can be signed by the ID and verified by the door

Phase 3

  • Interface the inbuilt IMU and RGB LED on the ID device for theft detection and status information
  • Interface the Ethernet card with the door device to fetch the public keys from the server and cache them locally. I think I need a flash chip. Also interface the ICELED FeatherWing and the motor control wing
  • Design and 3D print the card casing and door
  • Assemble the casing, the motor to lock and unlock, and the sensor for door lock detection

Phase 4

  • Battery optimization for the ID device
  • Django logging and interfacing with the door device to be completed, with each lock and unlock log sent to the Django server
  • Perform end-to-end testing under multiple scenarios: normal access, incorrect PIN, stolen device (tamper detection), blacklisted key
  • Optimize for latency, reliability, and power consumption
  • Record the final demonstration showcasing seamless and secure authentication

I will add more details in subsequent forum postings. Looking forward to the contenders announcement.
