Author Topic: Arduino code lock  (Read 14261 times)

0 Members and 1 Guest are viewing this topic.

Offline stj

  • Super Contributor
  • ***
  • Posts: 2153
  • Country: gb
Re: Arduino code lock
« Reply #25 on: May 29, 2017, 07:04:20 pm »
the code saved by storing as 2bytes is far less than the code needed to implement it.
using a high level language kind of masks such things, but i mostly code in assembly language.
 

Offline NivagSwerdna

  • Super Contributor
  • ***
  • Posts: 2495
  • Country: gb
Re: Arduino code lock
« Reply #26 on: May 29, 2017, 08:22:03 pm »
I would recommend doing some research on finite state machines, it can really clarify your code in situations like this.

e.g. consider the lock to start in a locked state, say state 0... red on

a specific correct button press takes you to state 1, a bad one takes to back to state 0

subsequently a correct button takes you to state 2, a bad one to state 0

etc

eventually the lock will reach the open state.

« Last Edit: May 29, 2017, 08:25:35 pm by NivagSwerdna »
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: Arduino code lock
« Reply #27 on: May 29, 2017, 09:38:25 pm »
because there's a ` before the text?
There's a '\' at the end of the previous line. This causes the two lines to be merged, so to the compiler it looks like this...

Code: [Select]
// end main loop }
...and the closing bracket is now part of the comment so the compiler ignores it.

Quote
(the code didn't work...)
Be more specific. What do you mean by "didn't work"?
 

Offline hamster_nz

  • Super Contributor
  • ***
  • Posts: 2803
  • Country: nz
Re: Arduino code lock
« Reply #28 on: May 29, 2017, 10:03:38 pm »
I would recommend doing some research on finite state machines, it can really clarify your code in situations like this.

e.g. consider the lock to start in a locked state, say state 0... red on

a specific correct button press takes you to state 1, a bad one takes to back to state 0

subsequently a correct button takes you to state 2, a bad one to state 0

etc

eventually the lock will reach the open state.

I would conjecture that processing it as a stream of button presses is a far cleaner implementation. The logic this is:
- Get the next button press
- Do the last X button presses have no more than Y seconds between presses?
- Do the last X button presses match the secret code?
- If the last two questions are true, then take the action desired for that secret code

You can then do lots of extra things you can't do cleanly with an FSM implemented solution, like have multiple different codes of different lengths
Gaze not into the abyss, lest you become recognized as an abyss domain expert, and they expect you keep gazing into the damn thing.
 

Offline Leiothrix

  • Regular Contributor
  • *
  • Posts: 104
  • Country: au
Re: Arduino code lock
« Reply #29 on: May 29, 2017, 11:49:04 pm »
You also need a count for the number of buttons pressed and a timeout to reset that counter.

You don't want someone sitting there going through all the combinations to get the correct one, so you need a way to either lockout entirely or have a delay between code attempts.
 

Offline lolimpolTopic starter

  • Contributor
  • Posts: 42
  • Country: nl
  • What level of irony are you on right now?
Re: Arduino code lock
« Reply #30 on: May 30, 2017, 06:42:33 am »
because there's a ` before the text?
There's a '\' at the end of the previous line. This causes the two lines to be merged, so to the compiler it looks like this...

Code: [Select]
// end main loop }
...and the closing bracket is now part of the comment so the compiler ignores it.

Quote
(the code didn't work...)
Be more specific. What do you mean by "didn't work"?
nothing, the red led doesn't light, neither does the green, or the onboard (all keys entered led) when I press the buttons nothing hapens either, but maybe I should say that the buttons are hooked to gnd with 10k resistors, maybe that's worng?
*Insert cool inspirational text here*
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: Arduino code lock
« Reply #31 on: May 30, 2017, 07:43:17 pm »
I should say that the buttons are hooked to gnd with 10k resistors, maybe that's worng?
The convention is to have the resistors going to +5V and buttons pulling to Ground (so button pressed = LOW), but your way also works. My test setup is attached below (I used a jumper to simulate the buttons).

If you have a multimeter then measure the voltage on each input pin while pressing the button (should go from 0V to +5V). If you don't have a meter then wire an LED (with current-limiting resistor in series) across the 10k resistor. The LED should light when you press the button.   

The program sends the currently entered code to the serial port each time you press a button. Open the serial monitor in Arduino IDE (menu item 'tools/serial monitor') and you should see the numbers.   
 
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2153
  • Country: gb
Re: Arduino code lock
« Reply #32 on: May 30, 2017, 08:27:57 pm »
keep in mind, this is a school project.
it must be simple, clear, and easy for others to understand.
 

Offline janekm

  • Supporter
  • ****
  • Posts: 515
  • Country: gb
Re: Arduino code lock
« Reply #33 on: May 31, 2017, 12:48:03 am »
As an extra credit question, why shouldn't you use strcmp in this case (assuming it's a lock on something worth protecting)?   ;D

You can get by with just two bytes of state if you really want to secure it. At least you can then truly verify/audit all the code (if it is really worth protecting)... ;D

That would also be a good reason. What i was getting at is that strcmp will stop the comparison as soon as it sees a non-matching character, so it will take less time to execute than with a valid character, allowing for a timing attack on the lock (as explained in Dave's video on the electronic lock box).
 

Offline hamster_nz

  • Super Contributor
  • ***
  • Posts: 2803
  • Country: nz
Re: Arduino code lock
« Reply #34 on: May 31, 2017, 12:52:43 am »
As an extra credit question, why shouldn't you use strcmp in this case (assuming it's a lock on something worth protecting)?   ;D

You can get by with just two bytes of state if you really want to secure it. At least you can then truly verify/audit all the code (if it is really worth protecting)... ;D

That would also be a good reason. What i was getting at is that strcmp will stop the comparison as soon as it sees a non-matching character, so it will take less time to execute than with a valid character, allowing for a timing attack on the lock (as explained in Dave's video on the electronic lock box).
Good point!

I though you were hinting at a beginner not null terminating the non-constant string, or declaring as a four element array and not five, causing nice security issue and/or a subtle bug.

I was worried that you were going to rattle the "use the more secure strncmp()" cage.  ;D
Gaze not into the abyss, lest you become recognized as an abyss domain expert, and they expect you keep gazing into the damn thing.
 

Offline daveshah

  • Supporter
  • ****
  • Posts: 356
  • Country: at
    • Projects
Re: Arduino code lock
« Reply #35 on: May 31, 2017, 02:31:17 pm »
I was worried that you were going to rattle the "use the more secure strncmp()" cage.  ;D

On that note (slightly OT but interesting)

http://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/, about halfway down
 
The following users thanked this post: hamster_nz

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: Arduino code lock
« Reply #36 on: May 31, 2017, 09:21:48 pm »
Code: [Select]
if(strncmp(computed_response, user_response, response_length))
   deny_access();
 
Quote
Unfortunately, response_length is calculated from user_response, so if an empty string is supplied, the length is zero, no bytes are checked, no bytes are therefore different, and – as expected – strncmp() returns zero, indicating success, and access is granted. Thus, an empty response string slips through as valid when it's actually invalid.

Here we are worrying about some theoretical vulnerability in a device that will never be subject to sophisticated attacks, while the biggest chip manufacturer in the world makes a blunder so basic a 5 year old could hack their products.   

But hey, Intel made $59.4 Billion last year - so you can trust them.  ::)
 
 
The following users thanked this post: hamster_nz

Offline janekm

  • Supporter
  • ****
  • Posts: 515
  • Country: gb
Re: Arduino code lock
« Reply #37 on: June 02, 2017, 02:52:29 am »
(snip)

Here we are worrying about some theoretical vulnerability in a device that will never be subject to sophisticated attacks, while the biggest chip manufacturer in the world makes a blunder so basic a 5 year old could hack their products.   

But hey, Intel made $59.4 Billion last year - so you can trust them.  ::)
 

I would argue we are exposing a beginner to the kind of thinking that may one day help them from stumbling into that kind of blunder.
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2153
  • Country: gb
Re: Arduino code lock
« Reply #38 on: June 02, 2017, 03:22:11 am »
the only blunder was getting found out.

it takes some planning to get an arm-core cpu running on standby power 24/7 with access to ram, drive interfaces and ethernet (that also has standby power)

wait till the public finds out about the built-in wireless access port running over the 3g network!!!
 

Offline hamster_nz

  • Super Contributor
  • ***
  • Posts: 2803
  • Country: nz
Re: Arduino code lock
« Reply #39 on: June 02, 2017, 03:46:52 am »
the only blunder was getting found out.

it takes some planning to get an arm-core cpu running on standby power 24/7 with access to ram, drive interfaces and ethernet (that also has standby power)

wait till the public finds out about the built-in wireless access port running over the 3g network!!!

The hard bit is making it look like a stupid mistake, not a deliberate feature that was designed in....
Gaze not into the abyss, lest you become recognized as an abyss domain expert, and they expect you keep gazing into the damn thing.
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: Arduino code lock
« Reply #40 on: June 02, 2017, 06:39:05 am »
The hard bit is making it look like a stupid mistake, not a deliberate feature that was designed in....
Then they failed!

In order for us to believe that is was just a stupid mistake, we would have to accept that a) a multi-billion dollar company would let any bozo code critical parts of their products, b) they did no security testing, and c) they didn't think such incompetence would get them into trouble.

In today's environment this is totally unthinkable, therefore the only logical conclusion is that it was done deliberately. Though I don't think Intel itself was to blame, I think they are the victim of a sophisticated hack by an insider. That guy had better hope we don't find out who he is!


 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2153
  • Country: gb
Re: Arduino code lock
« Reply #41 on: June 02, 2017, 09:06:58 am »
they dont need to be hacked, they just need to be told by the government to do it and keep their mouths shut, or go to prison for ever.
they can do that under "national security" laws.
 

Offline David Chamberlain

  • Regular Contributor
  • *
  • Posts: 249
Re: Arduino code lock
« Reply #42 on: June 02, 2017, 10:54:40 am »
Here's mine, what a fun game  :)
Code: [Select]
uint16_t input = 0xFFFF; // any invalid init.
uint16_t code = (1 << 12) | (2 << 8) | (3 << 4) | (4 << 0); // code 1234

// keypress returns one when four numbers codes are provided.
// key_code can be number 0 to 9 or ascii code '0' to '9' it's all the same.
uint8_t keypress(uint8_t key_code)
{
input <<= 4;
input |= (key_code & 0x0F);
if(input==code) return 1;
return 0;
}

[EDIT] Yeah, basically what @mariush said
« Last Edit: June 02, 2017, 11:10:12 am by David Chamberlain »
 

Offline Bruce Abbott

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: nz
    • Bruce Abbott's R/C Models and Electronics
Re: Arduino code lock
« Reply #43 on: June 02, 2017, 09:30:26 pm »
they dont need to be hacked, they just need to be told by the government to do it and keep their mouths shut, or go to prison for ever.
they can do that under "national security" laws.
So they put in a back door that a 5 year old could find in 2 seconds? Still going to prison forever!
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2153
  • Country: gb
Re: Arduino code lock
« Reply #44 on: June 02, 2017, 10:09:28 pm »
if they put in a backdoor with a password they couldnt deny it if it got found out.
 

Offline hamster_nz

  • Super Contributor
  • ***
  • Posts: 2803
  • Country: nz
Re: Arduino code lock
« Reply #45 on: June 03, 2017, 02:15:08 am »
Not that it is Arduino, but it is a combination lock.

A few months ago I built a "enter four digits to light the LED" project for an FPGA development board. So if anybody is interested how this sort of project can be implemented in VHDL I've uploaded the source at http://hamsterworks.co.nz/mediawiki/index.php/Combination_Lock

Here's a short video of it in action:
https://youtu.be/1kWDc_u6D_s
Gaze not into the abyss, lest you become recognized as an abyss domain expert, and they expect you keep gazing into the damn thing.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf