Key material
- The Master PIN (4–16 digits) is zero-padded or truncated to 16 bytes.
- Before use, it passes through a single round of SHA-256; the first 16 bytes become the AES key.
- The derived key never leaves SRAM and is cleared immediately after authentication.
CBC chaining
- The firmware loads the persistent Initialization Vector (IV) from EEPROM.
- Each 32-byte field (site, username, password, TOTP) is split into two 16-byte blocks.
- Blocks are XORed with the previous ciphertext (or IV for the first block) and encrypted.
- The resulting ciphertext is written back to EEPROM with a CRC-16 checksum.
AES implementation
- Based on the open-source tiny-AES-c library, optimized for minimal RAM usage.
- Uses precomputed S-box tables stored in flash.
- Encrypt/decrypt routines are constant-time with respect to plaintext values.
- All 16-byte buffers are allocated on the stack to reduce persistent traces in memory.
Handling padding
- Plaintext shorter than 32 bytes is padded with null bytes prior to encryption.
- During decryption, trailing nulls are stripped but preserved internally so auto-typing retains the original length.
- The firmware rejects UTF-8 sequences that would overflow the 32-byte limit to avoid partial block writes.
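The key derivation, CBC chaining and padding steps described above can be modelled on a host as follows. This is an added example, not the firmware's own code: the function names are hypothetical, the 0x00 right-padding of the PIN is an assumption, and the AES-128 block function is supplied by the caller rather than implemented here.

```python
import hashlib

BLOCK = 16   # AES block and key size in bytes
FIELD = 32   # one stored field = two blocks

def derive_key(pin: str) -> bytes:
    """PIN -> 16-byte buffer -> single SHA-256 -> first 16 bytes."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 16):
        raise ValueError("Master PIN must be 4-16 digits")
    # Assumption: the pad is 0x00 bytes on the right; the page does not
    # say whether it is 0x00 or ASCII '0', or which side it goes on.
    buf = pin.encode("ascii")[:BLOCK].ljust(BLOCK, b"\x00")
    return hashlib.sha256(buf).digest()[:BLOCK]

def pad_field(text: str) -> bytes:
    """Null-pad a field to 32 bytes, rejecting anything that overflows."""
    raw = text.encode("utf-8")
    # The limit counts encoded bytes, not characters: multi-byte UTF-8
    # can exceed 32 bytes with far fewer than 32 characters.
    if len(raw) > FIELD:
        raise ValueError(f"field is {len(raw)} bytes, limit is {FIELD}")
    return raw.ljust(FIELD, b"\x00")

def unpad_field(data: bytes) -> str:
    """Strip trailing null padding from a decrypted 32-byte field."""
    return data.rstrip(b"\x00").decode("utf-8")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(field: bytes, iv: bytes, encrypt_block) -> bytes:
    """XOR each block with the previous ciphertext (IV first), then encrypt."""
    prev, out = iv, b""
    for i in range(0, FIELD, BLOCK):
        prev = encrypt_block(_xor(field[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(ct: bytes, iv: bytes, decrypt_block) -> bytes:
    """Inverse of cbc_encrypt: decrypt, then XOR with the previous ciphertext."""
    prev, out = iv, b""
    for i in range(0, FIELD, BLOCK):
        out += _xor(decrypt_block(ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out
```

To use it, pass an AES-128 single-block encrypt/decrypt pair keyed with `derive_key(pin)` as `encrypt_block` and `decrypt_block`.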
Security considerations
- Because the Master PIN is the key, changing the PIN re-encrypts every slot with the new key.
- A factory reset erases the IV and all ciphertext, preventing offline brute-force attempts on desoldered EEPROMs.
- There is no key escrow or recovery mechanism; forgetting the PIN renders stored data unrecoverable.