The Final Key


What is the Final Key
Security
Installation
Graphical User Interface
Usage
Getting help
Using accounts
Creating accounts
Macros
Listing and searching
Deleting accounts and macros
Overriding accounts and macros
Formatting the key
Changing the master password
Why what? (Q&A)
Building one
Hacking challenge
Disclaimer

What is The Final Key


The Final Key is a piece of technology that solves a problem. The Final Key is a hardware password manager with encryption and a focus on combining portability, compatibility, security and ease of use. It is a hobby project of mine and not under any commercial distribution; you are also free to build your own clones if you like the idea. The Final Key is based around a 16 MHz Atmel ATmega32U4 microprocessor and 64 KiB of EEPROM for storage.
You connect to The Final Key using any serial terminal, and "trigger" the account you want to log into. Then you focus the username/password field of the website/application you want to log into, press the button, and The Final Key acts as a keyboard and types your credentials directly into the receiving application.
The Final Key is not a commercial device, but I have made this hobby project in the spirit that it is, meaning that the device is user-friendly (enough) and that this information exists.
This page exists because I'd like to tell that I had the idea, developed the concept and implemented the solution. I will also make some keys for my friends and family and it'd be nice to have a page to refer them to.
The Final Key is a hardware password manager built around these requirements:
  1. Compatible
  2. Solid
  3. Simple
  4. Text-based (with optional GUI)
  5. Small
  6. Cheap



Security

Any action which may either compromise the data contained in The Final Key or extract this data, can only be executed by pressing the button on The Final Key itself.
Changing your password, formatting the device, creating new accounts, and of course triggering an account for login, are all impossible to complete without pressing the button on The Final Key.
There is no way of getting your login information out of The Final Key without physical access, and even then, you will need to either break AES256 or know the master-password in order to obtain the login credentials.
This also means that if you forget your master-password, your Final Key can not be unlocked and it is pretty much useless, unless you want to disassemble the device and overwrite the encrypted EEPROM with trash to trigger the First-Time setup mode.
The Arduino bootloader has been erased so that an attacker with access to your machine can not reflash the device with compromised firmware. If someone steals The Final Key and takes it apart, they may do a chip-erase and burn new firmware, thus you should consider a lost-and-found key compromised and have its firmware reflashed before use.
An attacker may dump the EEPROM contents, however as these are encrypted with a 256 bit password, it would take significant effort to break by brute-force. Each encrypted entry is written using its own unique random vector, so analytic attacks should be highly implausible.
All that said, even though AES likely protects the 'Merican nukes, I wouldn't trust The Final Key (or ANY OTHER device) with extremely critical information. If you have information which cannot see the light of day, better keep that stuff in your head, because security never really really is. Nothing is bulletproof when the enemy has an unlimited amount of time and material for breaking your defences.
But seriously, if anyone wants to take the time and effort to STEAL from me, disassemble the device and clock out the encrypted data, then brute-force a 32 byte password to get my Facebook login, I guess they've earned it.


Installation

The Final Key requires no driver installation on Linux and OSX; on Windows, however, you need to install the Arduino driver found in the Arduino package.
When you have connected The Final Key, you need to determine which serial port it is connected to.

Linux
The Linux kernel already comes with the cdc_acm driver; unless you have a custom-compiled kernel without acm, you don't have to do anything to make it work.
To make daily usage of The Final Key as convenient as possible, unplug your Final Key and run the command below:
rm -f fksetup.sh && wget --no-cache http://finalkey.net/fksetup.sh && bash fksetup.sh
You may be asked for your sudo password. When setup is complete, connect The Final Key to your computer and start using it with the command:
finalkey or finalkey gui for the GUI version.
Check finalkey --help for a list of available commands.

Windows
Use the FinalKey_USBSerial.inf file and install the driver the same way it was done in Windows 95 (open Device Manager, Properties for device, Update Driver, select from list, have disk, select FinalKey_USBSerial.inf, agree to install unsigned driver).
Once installed, you can right-click on "My Computer", go to "Properties" and "Device Manager" and see the port under "COM ports"; it is probably called COM3 or COM4.
You can then use the FinalKey GUI or open putty (or hyperterm if you're oldsk00l), choose Serial and type the COM port which your Final Key was assigned.

OSX
OSX includes the drivers needed.
The Final Key should show up in /dev/ as tty.usbmodemSOMENUMBER and you can then use The Final Key GUI or screen, minicom or CoolTerm.


Usage


Typical use is simple: You connect to The Final Key, using a terminal such as minicom, putty or screen. If you use Linux you can simply type finalkey if it is installed.
When the connection has been made, the key will prompt you to press the button by showing a hash (#).
After pressing this key, you will be asked to enter the master-password which is used to decrypt the data on the device.
The first time you use your key, you will be greeted by the "format" messages, guiding you through setting up a master-password. It is important you remember this password, as your device becomes useless without it.
The button on The Final Key is used often, and it always acts the same:
A hash (the # character) is shown on screen, and the light blinks on The Final Key. This indicates to you that the current action needs physical verification. If you proceed to press the button, the action is then executed; if you do NOT want the action to proceed, simply HOLD DOWN the button until the [abort] text appears on the screen.
> = Ready for command or account/macro number.
: = Text string and end with enter.
% = An account or macro number.
# = Press button to execute, hold button to abort.
ENT = The enter key.
TAB = The tabulator key, usually located above the caps lock key.


Getting help


space = quickhelp
h = more help

There are two help-screens on The Final Key, the first is SPACE (' '), this lists the most important and most used commands. If you are lost, press space, it's a big key, it won't get lost.
The second help-screen is displayed by pressing h, this shows less used commands.
The rest of this page is an extended explanation of the things already on the two help-pages (space and h).


Accounts

NUMBER  = Trigger username + separator + password + enter
uNUMBER = Trigger username
pNUMBER = Trigger password
sNUMBER = Show the username and password on screen instead of typing it
r = Repeat last trigger

An account is 4 things: title, username, password, separator.
The title is what is shown in the listings, the username is what is typed by The Final Key first, the separator is what is typed next, and the password is what is typed after that.
There are 3 ways of "triggering" an account. "Triggering" means that the key will blink and wait for the button to be pressed; when the button is pressed, the selected account is typed by The Final Key.
The first mode is "full login", this means that The Final Key will first type the username, then press the separator key, then type the password and then press enter.
You trigger this mode by simply typing the account number. Numbers are written in hexadecimal, without 0x. So to full-trigger the first account, type: 00 and to trigger number 10, type 0a.
The second mode is "username", this means that The Final Key will only type the username, that's it.
To trigger username-only, you press u followed by the number. For example u02 (this will be displayed as u%02 as The Final Key will add a % after u)
The third mode is "password", this means that The Final Key will only type the password, that's it, this is useful when registering a new account, or changing the password on an existing one. (most sites have a "repeat password" field, so you need to be able to provide just the password)
To trigger the password-only, you press p followed by the number. For example pa1 (which will be displayed as p%a1).
If you want to cancel a trigger (for example, because you typed the wrong number), hold the button on The Final Key until the text [abort] appears on screen.


Creating accounts

xa = New account
To create a new account you type xa.
You will be asked to press the button to continue.
After typing a title of maximum 31 characters, you are asked to type the username. After this, you will be asked which kind of password to use:
You can manually enter a password for the account, or you can have The Final Key use its high-quality random number generator to make one for you.
If you choose the automatic password generation, you need to select the desired length of the password, for example type 16 and press enter. Then you need to consider "special characters": you can choose to have The Final Key make you a password consisting of all printable characters (which may not be allowed everywhere), or you can type up to 20 special characters from which The Final Key will also choose (alongside all letters and numbers). You can also choose to have The Final Key generate a password without any specials.
After choosing the type of automatic password, or entering one of your own, you finally need to consider the "separator". This is the character which The Final Key will enter between the username and password when typing "full-login". Here you can choose between TAB (which is the most commonly used key to switch from the username to the password field; if you do not know what you need, this is likely it), ENT, which is enter (used on old-style terminals and some games and programs), and finally you can enter your own character if you need to (some strange program may use a space between username and password, who knows?).
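The three automatic password modes described above can be modelled on a PC as follows. This is an added example, not The Final Key's firmware: the function names, the use of Python's secrets module in place of the device's hardware random number generator, and the choice to leave the space character out of "all printable characters" are assumptions. It also shows how the character-set choice changes password strength, and why random bytes should be mapped to characters by rejection sampling rather than a plain modulo.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = "".join(chr(c) for c in range(33, 127))   # 94 printable ASCII, space excluded (assumption)
MAX_SPECIALS = 20                                     # limit stated on this page


def build_charset(mode, specials=""):
    """Return the alphabet for one of the three modes (mode names are hypothetical)."""
    if mode == "all":
        return PRINTABLE
    if mode == "none":
        return ALNUM
    if mode == "custom":
        if not 0 < len(specials) <= MAX_SPECIALS:
            raise ValueError("supply 1 to 20 special characters")
        bad = [c for c in specials if c not in PRINTABLE or c in ALNUM]
        if bad:
            raise ValueError(f"not usable as specials: {bad!r}")
        # Deduplicate so a repeated special does not get extra weight.
        return ALNUM + "".join(dict.fromkeys(specials))
    raise ValueError(f"unknown mode: {mode}")


def unbiased_index(n, rand_byte=lambda: secrets.token_bytes(1)[0]):
    """Map random bytes to 0..n-1 by rejection sampling.

    `byte % n` alone favours low indexes whenever 256 is not a multiple of n
    (for n = 62 the first 8 symbols would be 25% more likely than the rest).
    """
    limit = 256 - (256 % n)        # largest multiple of n that fits in a byte
    while True:
        b = rand_byte()
        if b < limit:              # bytes at or above the limit are discarded
            return b % n


def generate(length, mode, specials=""):
    """Draw `length` characters uniformly from the alphabet for `mode`."""
    charset = build_charset(mode, specials)
    return "".join(charset[unbiased_index(len(charset))] for _ in range(length))


def entropy_bits(length, mode, specials=""):
    """Bits of entropy when every symbol is drawn uniformly and independently."""
    return length * math.log2(len(build_charset(mode, specials)))


if __name__ == "__main__":
    for mode, specials in (("none", ""), ("custom", "!#-_"), ("all", "")):
        print(mode, generate(16, mode, specials), round(entropy_bits(16, mode, specials), 1))
```

A 16-character password without specials carries about 95 bits under these assumptions, and the all-printable mode about 105 bits, so the length you pick matters more than the special characters you allow.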


Macros

xm = New macro
xuNUMBER = Set macro for button

Macros are like accounts, but they consist only of 2 things: title, text.
If you want The Final Key to save and type text for you, you can use a macro.
A macro is triggered like "full login" of an account, so if entry number 01 is a macro, you simply type 01 to trigger it.
The macro will then be typed by The Final Key when you press the button.
You can also bind a macro to the button on The Final Key, so that it will be typed each time the button is pressed (unless of course an account or macro is triggered).
This can be done by xu and the macro number, so if number 1 is a macro, you type xu01 (displayed as xu%01).
You can also do this with an account number, but it is not recommended and The Final Key will warn you, but not refuse.
Creating macros is a bit different from creating accounts: since the text can have multiple lines, we need a way to tell when to "stop" recording text. This is done by entering a period (.) after the final line and pressing enter.

Listing and searching


j = previous page (go back)
k = list current page (if you don't know, just use this)
l = next page (go forward)
ENTENT = search and trigger full login for found entry
ENTu = search and trigger user for found entry
ENTp = search and trigger password for found entry
ENTs = search and trigger "Show Entry" for found entry.

Since The Final Key can contain 256 accounts and macros, it seems rather nice to be able to get them displayed, and of course you can, there are three keys for this.
The Final Key will list 44 entries per page, so there are 6 pages total, and you can use j to go to the previous page, k to list whatever page is currently selected and l to go to the next page.
The pages are circular, so if you "go back" on page 0, it jumps to page 5 and if you "go forward" on page 5, it jumps to page 0.
You can search for parts of an entry title by pressing ENTER and typing some of the text. If it finds only one entry, it will trigger that; if it finds multiple, it will list them.
For example, if I want to find the entry "Shapeways", I press ENTER, type shape and press ENTER again. I will then get a list of everything with the string "shape" in the title.
Search is the only case-insensitive function in The Final Key.


Deleting accounts and macros

xdNUMBER = Delete account or macro
Type xd and the number to delete an account or macro. For example, xd20 (displayed as xd%20) will prompt you to first press y to verify your intention and then # (the button) to really do it. This means that you can abort even after pressing y, by holding the button until [abort] appears.
Deleting an account or macro overwrites the encrypted EEPROM data with random numbers, so even if you know the master-password you can not get it back.


Overriding accounts and macros

xoNUMBER = Override account (with a new account on same number) or macro (with a new macro on same number)
If you want to update the username or password of an account, you need to create it anew.
To ensure that the account does not change its number, which you may know by heart, this functionality does both steps for you, instead of you having to go through first deleting and then creating an account.
NOTE: When you have agreed to override the account, IT IS DELETED RIGHT AWAY, even if you abort one of the creation steps, for example by typing a title which is too long.
NOTE: If you override an entry which was an account, it will automatically be an account again, and if it used to be a macro, it will be a macro again.


Formatting

xf = Format
Formatting The Final Key deletes every account and sets a new password. This is done, for example, if you no longer wish to use your Final Key and would like to give it to somebody else (who would then need to format it again, since you'd know the password). A tip for long-term storage of empty Final Keys is to put the password as the banner name so it is easy to unlock it again.


Changing the master password

xp = Change master-password.
Changing the master password requires The Final Key to decrypt (with the old password) and re-encrypt (with the new password) every account stored on it, because all data is encrypted.
This also means generating new AES256 vectors for every key, and since The Final Key uses a true random number generator, this makes each account take around 2 seconds to re-encrypt.
Therefore it is advisable to delete unwanted accounts and macros before doing this.
NOTE: It takes a long time, and if the power is lost or The Final Key is disconnected while this operation is in progress, those accounts which were not converted are lost.


QA : Questions (no one really asked) and Answers

Q: Why not make a kickstarter?
A: No kickstarter for Danes, don't know anyone in US to host it for me.
Q: Can I buy one?! (Shut up and take my money!)
A: Yes, it is for sale, but it is not a commercial product, it is a hobby! It's rough around the edges and I will not guarantee that it even works for you, or that you find it as useful as I do. Contact me at: dusted ext at g mail dot com
Q: Why is it not commercial?
A: 1) A USB vendor ID costs about 4000 dollars and I don't think Arduino would like it if I use their ID. 2) The market for this could likely be limited to unix-geeks and the like (long-haired dudes with beards who smell funny, like myself). 3) I don't want to spend the effort to figure out all the legal stuff.
Q: Why did you make it?
A: Because I wanted one, I'm using mine every day, and I'm happy with it.
Q: Backupz?
A: Yes, but right now you need to compile it yourself (the C file in the root of the GitHub project).
Q: How is the box made?
A: I made the box in Blender3D and had Shapeways print it, the quality is nice and seems very durable when filled with hot-glue.
Q: Can I have the box?
A: Yep, here you go, the cheapest and only Arduino Pro Micro Case on shapeways: Final Key - Arduino Pro Micro Case on the Shapeways shop.
Q: Hardware and tools?
A: Arduino micro pro board, soldering iron, I2C EEPROM (64 KiB), tactile switch, LED, 2x4,7kohm, 1x380 ohm, hot glue, see http://finalkey.net/building/.
Q: Software?
A: Source on GitHub, you do need to patch the Arduino libs to make it work. https://github.com/DusteDdk/Wizznic. I am happy to merge any improvements you make if I believe they will not make it less secure.
Q: Why "The Final Key"
A: The name is a homage to an extension cartridge for the Commodore 64 which I had as a kid and liked very much.
Q: Other fun things?
A: The switch connects to pins seven and nine.. </trek>



Disclaimer

The Final Key is a hobby project, it is not a commercial project, and there are no crypto-experts and also no hardware-experts checking my work, it may fry your USB-port, it may kill your cat, say bad things about your mother or even let hackers have all your candy, you know this, and you know you have a choice not to use The Final Key, you have many things, and rights, but not the right to blame me for anything that happens to you, for all you know, I could be that hacker who'll steal your passwords, NEVER TRUST ANYBODY.


Created: 2013-12-24 (YYYY-MM-DD)
Updated: 2014-08-12 (YYYY-MM-DD)