Friday Hack Chat: Energy Harvesting

Think about an Internet-connected device that never needs charging, never plugs into an outlet, and will never run out of power. With just a small solar cell, an Internet of Thing module can run for decades. This is the promise of energy harvesting, and it opens the doors to a lot of interesting questions.

Joining us for this week’s Hack Chat will be [John Tillema], CTO and co-founder of TWTG. They’re working on removing batteries completely from the IoT equation. They have a small device that operates on just 200 lux — the same amount of light that can be found on a desktop. That’s a device that can connect to the Internet without batteries, wall warts, or the black magic wizardry of RF harvesting. How do you design a device that will run for a century? Are caps even rated for that? Are you really going to download firmware updates several decades down the line?

For this week’s Hack Chat, we’ll be discussing what energy harvesting actually is, what TWTG’s ‘light energy’ technology is all about, and the capabilities of this technology. Going further, we’ll be discussing how to design a circuit for low-power usage, how to select components that will last for decades, and how to measure and test the entire system so it lives up to the promise of being always on, forever, without needing a new battery.

This is a community Hack Chat, so of course we’ll be taking questions from the community. If you have a question, add it to the discussion sheet

join-hack-chatOur Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. This Hack Chat will be going down noon, Pacific time on Friday, October 20th. Is it always five o’clock somewhere? Yes, so here’s a time zone converter!

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Posted in energy harvesting, Hack Chat, Hackaday Columns, RF, solar | Leave a comment

About That Giant Robot Battle Last Night

Two years ago we wrote about a giant robot battle between the USA and Japan. After two years in the making, MegaBots (team USA) and Suidobashi (team Japan) were finally ready for the first giant robot fight. If you are into battle bots, you probably did not miss the fight that happened around 7:00 pm PST. If you missed it, you can watch the whole thing here.

There were two duels. First it was Iron Glory (MkII) vs. Kuratas, and after that it was Eagle Prime (MkIII) vs. Kuratas.

Be warned, spoilers ahead.

Or not that much. The first combat ended in 30 seconds or so, with the heavier Kuratas knocking Iron Glory to the ground in one punch. That was all it took, and it was a bit disappointing. The second combat had a bit more action, the robots actually got stuck in each other and, as per rules, had to be restarted. A kind of “go to the corners” as in boxing. There were some interesting surprises like Kuratas launching a drone, and Eagle Prime showing off a 4 foot, 40 hp chainsaw. In the end, Eagle Prime’s superior weight and weaponry grabbed the victory.

The heavily edited video of the fight left some viewers slightly disappointed. But if you think about it, there were actual humans inside the robots, and that alone had to limit a lot on the potential action. For example, they fired giant paint balls at each other instead of explosive rockets. Even in smaller battle bots there are limitations about weapons, and that makes sense. If you are building a giant, metallic, ground vessel to win a fight with no weapons limitations, well, it’s already built, and it is called a tank. So we’ll take paint balls and theatricality.

All in all, the robots were huge feats of engineering and are awesome to see in action. This was only the first giant robot battle, lets hope there are more to come. Here is a short version of the event with the battles included:

Posted in battlebots, mech, megabots, news, robots hacks, suidobashi | Leave a comment

Practical Public Key Cryptography

Encryption is one of the pillars of modern-day communications. You have devices that use encryption all the time, even if you are not aware of it. There are so many applications and systems using it that it’s hard to begin enumerating them. Ranging from satellite television to your mobile phone, from smart power meters to your car keys, from your wireless router to your browser, and from your Visa to your Bitcoins — the list is endless.

One of the great breakthroughs in the history of encryption was the invention of public key cryptography or asymmetrical cryptography in the 70’s. For centuries traditional cryptography methods were used, where some secret key or scheme had to be agreed and shared between the sender and the receiver of an encrypted message.

Asymmetric cryptography changed that. Today you can send an encrypted message to anyone. This is accomplished by the use of a pair of keys: one public key and one private key. The key properties are such that when something is encrypted with the public key, only the private key can decrypt it and vice-versa. In practice, this is usually implemented based on mathematical problems that admit no efficient solution like certain integer factorization, discrete logarithm and elliptic curve relationships.

But the game changer is that the public key doesn’t have to be kept secret. This allows cryptography to be used for authentication — proving who someone is — as well as for encryption, without requiring you to have previously exchanged secrets. In this article, I’ll get into the details of how to set yourself up so that anyone in the world is able to send you an e-mail that only you can read.

Public Key Cryptography in a Nutshell

But first, how does it work in theory? Let’s say that Alice wants to talk to Bob. (Yes, it’s Alice and Bob again.) Alice and Bob generate their respective pair of keys. They tell the whole world about their public keys, including one another. Alice can now use Bob’s public key to encrypt a message that only Bob can read — only Bob’s private key can decrypt the message and, as the name implies, it should be kept private and known only to Bob.

Imagine Alice wants to send the world (or Bob) an important message, and prove that it comes from her? In the times we live in, how could we make sure the message Alice claims to have sent is not a fake? Well, Alice uses her own private key to encrypt her important message. The world just has to use Alice public key to decrypt the message, since it is the only way to decrypt it and only the person with Alice private key could have encrypted it, hence proving that it was Alice that wrote that message.

Let’s Get Alice Started

So, assuming Alice has GPG installed, she would start by creating her own public/private key pair:

 alice@wonderland ~ $ gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1 RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) Y You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Alice
Email address: alice@wonderland.xyz
Comment: Mushroom
You selected this USER-ID: "Alice (Mushroom) <alice@wonderland.xyz>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
...
public and secret key created and signed. pub 2048R/96FE8CE5 2017-10-13
Key fingerprint = B5FF 1BE3 4502 F425 A444 D6EC FBEC 78AE 96FE 8CE5
uid Alice (Mushroom) <alice@wonderland.xyz>
sub 2048R/76E5C437 2017-10-13

Depending on Alice’s needs, setting up key expiration might be a good idea. After this command, it is a good idea to export and store a copy of the keys somewhere safe, ideally with redundancy. She can, for example, store a copy in a USB drive and print a hardcopy and put it in a safe.

 alice@wonderland ~ $ gpg --export-secret-key alice@wonderland.xyz > ./alice-gpg-backup.gpg alice@wonderland ~ $ gpg --export-secret-key -a alice@wonderland.xyz
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1 lQPGBFngvxUBCADNVg9j2iNv3FuzscUOe9oZqP0xCk8p9s+ApIDTqD6vZFkXLpYs...
-----END PGP PRIVATE KEY BLOCK-----

The above commands perform a backup and outputs an ASCII version of the private key, suitable for printing. The private key implementation of OpenPGP actually contains a complete copy of the public key, so this backup file is enough to recover the key pair. Restoring the backup is done with the --import flag.

Tell The World Who You Are

Now that Alice has her key, it’s time to tell the world about it. There are several ways to do it. On the command line:

 alice@wonderland ~ $ gpg --list-public-keys
/home/alice/.gnupg/pubring.gpg
------------------------------
pub 2048R/96FE8CE5 2017-10-13
uid Alice (Mushroom) <alice@wonderland.xyz>
sub 2048R/76E5C437 2017-10-13 alice@wonderland ~ $ gpg --send-keys 96FE8CE5
gpg: sending key 96FE8CE5 to hkp server keys.gnupg.net alice@wonderland ~ $ gpg --search-keys 96FE8CE5
gpg: searching for "0x96FE8CE5" from hkp server keys.gnupg.net
(1) Alice (Mushroom) <alice@wonderland.xyz>
2048 bit RSA key 96FE8CE5, created: 2017-10-13
Keys 1-1 of 1 for "0x96FE8CE5". Enter number(s), N)ext, or Q)uit > q 

This way, Alice just published her key in a known OpenPGP Key server, accessible to anyone. (keys.gnupg.net is the default on my distro.) There are several key servers available to publish public keys, some of them are synchronized. I like to use pgp.mit.edu. Another option is to export the public key with the --export flag and sent it via email and/or manually publish it in several servers — the more the better. Now Alice can digitally sign her messages and receive encrypted messages directed to her. Lets see an example:

 alice@wonderland ~ $ echo "This is a test file" > file.txt
alice@wonderland ~ $ gpg --detach-sign file.txt You need a passphrase to unlock the secret key for
user: "Alice (Mushroom) <alice@wonderland.xyz>"
2048-bit RSA key, ID 96FE8CE5, created 2017-10-13 alice@wonderland ~ $ ls -l file*
-rw-rw-r-- 1 alice alice 37 Out 13 15:56 file.txt
-rw-rw-r-- 1 alice alice 287 Out 13 15:56 file.txt.sig alice@wonderland ~ $ gpg --verify file.txt.sig
gpg: assuming signed data in `file.txt'
gpg: Signature made Sex 13 Out 2017 15:56:23 WEST using RSA key ID 96FE8CE5
gpg: Good signature from "Alice (Mushroom) <alice@wonderland.xyz>" alice@wonderland ~ $ echo "The file contents have been tampered" > file.txt alice@wonderland ~ $ gpg --verify file.txt.sig gpg: assuming signed data in `file.txt'
gpg: Signature made 13 Out 2017 15:56:23 WEST using RSA key ID 96FE8CE5
gpg: BAD signature from "Alice (Mushroom) <alice@wonderland.xyz>"

When Alice wishes to shared file.txt she also shares file.txt.sig so that anyone can verify her signature. So Alice can sign but before she can send Bob a message, Bob must also have a key pair and publish his public key somewhere or sent it to Alice. Lets assume Bob already did it and Alice imported Bob’s public key into GPG, either with the --import flag or --recv-keys from a server. If Alice wants to send Bob a message she would issue the following commands:

 alice@wonderland ~ $ gpg --import bob.asc
gpg: key 81DBD5F6: public key "Robert (Nope) <bob@whatdoesthebobsay.xyz>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1) alice@wonderland ~ $ gpg --list-public-keys
/home/alice/.gnupg/pubring.gpg
------------------------------
pub 2048R/96FE8CE5 2017-10-13
uid Alice (Mushroom) <alice@wonderland.xyz>
sub 2048R/76E5C437 2017-10-13 pub 2048R/81DBD5F6 2017-10-13
uid Robert (Nope) <bob@whatdoesthebobsay.xyz>
sub 2048R/21B662BE 2017-10-13 alice@wonderland ~ $ echo "This is a secret message to Bob" > message.txt
alice@wonderland ~ $ ls -l message*
-rw-rw-r-- 1 alice alice 32 Out 13 16:25 message.txt
alice@wonderland ~ $ gpg -r bob@whatdoesthebobsay.xyz --sign --encrypt message.txt You need a passphrase to unlock the secret key for
user: "Alice (Mushroom) <alice@wonderland.xyz>"
2048-bit RSA key, ID 96FE8CE5, created 2017-10-13 gpg: gpg-agent is not available in this session
gpg: 21B662BE: There is no assurance this key belongs to the named user pub 2048R/21B662BE 2017-10-13 Robert (Nope) <bob@whatdoesthebobsay.xyz>
Primary key fingerprint: 1558 11B0 C87D 0E02 1C8B 304F 4982 D1D3 81DB D5F6
Subkey fingerprint: 6CC7 BC9C D69E 9465 78E4 53E3 A931 7A64 21B6 62BE It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes. Use this key anyway? (y/N) y
alice@wonderland ~ $ ls -l message*
-rw-rw-r-- 1 alice alice 32 Out 13 16:25 message.txt
-rw-rw-r-- 1 alice alice 678 Out 13 16:25 message.txt.gpg 

This would encrypt message.txt with Bob’s public key and sign the file using Alice private key. Now Alice can send Bob the file message.txt.gpg and not only is Bob the only person able to decrypt it, he can also verify that it came from Alice as long as he has Alice’s public key. Let’s see what Bob would have to do:

 bob@whatdoesthebobsay ~ $ gpg --import alice-public-key.asc
gpg: key 96FE8CE5: public key "Alice (Mushroom) <alice@wonderland.xyz>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1) bob@whatdoesthebobsay ~ $ gpg --decrypt message.txt.gpg You need a passphrase to unlock the secret key for
user: "Robert (Nope) <bob@whatdoesthebobsay.xyz>"
2048-bit RSA key, ID 21B662BE, created 2017-10-13 (main key ID 81DBD5F6) gpg: encrypted with 2048-bit RSA key, ID 21B662BE, created 2017-10-13 "Robert (Nope) <bob@whatdoesthebobsay.xyz>" This is a secret message to Bob gpg: Signature made Sex 13 Out 2017 16:19:51 WEST using RSA key ID 96FE8CE5
gpg: Good signature from "Alice (Mushroom) <alice@wonderland.xyz>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B5FF 1BE3 4502 F425 A444 D6EC FBEC 78AE 96FE 8CE5 

Who Can You Trust?

You might have notice the WARNING message saying that Alice key is not certified with a trusted signature and there is no indication that the signature belongs to her. If Bob knows for sure that Alice key is from Alice, he can sign it and GPG will see it as trusted.

 bob@whatdoesthebobsay ~ $ gpg --edit-key alice@wonderland.xyz sign pub 2048R/96FE8CE5 created: 2017-10-13 expires: never usage: SC
trust: undefined validity: unknown
sub 2048R/76E5C437 created: 2017-10-13 expires: never usage: E
[ unknown] (1). Alice (Mushroom) <alice@wonderland.xyz> pub 2048R/96FE8CE5 created: 2017-10-13 expires: never usage: SC
trust: undefined validity: unknown
Primary key fingerprint: B5FF 1BE3 4502 F425 A444 D6EC FBEC 78AE 96FE 8CE5 Alice (Mushroom) <alice@wonderland.xyz> Are you sure that you want to sign this key with your
key "Robert (Nope) <bob@whatdoesthebobsay.xyz>" (81DBD5F6) Really sign? (y/N) y You need a passphrase to unlock the secret key for
user: "Robert (Nope) <bob@whatdoesthebobsay.xyz>"
2048-bit RSA key, ID 81DBD5F6, created 2017-10-13 gpg> save
bob@whatdoesthebobsay ~ $ gpg --decrypt message.txt.gpg You need a passphrase to unlock the secret key for
user: "Robert (Nope) <bob@whatdoesthebobsay.xyz>"
2048-bit RSA key, ID 21B662BE, created 2017-10-13 (main key ID 81DBD5F6) gpg: encrypted with 2048-bit RSA key, ID 21B662BE, created 2017-10-13 "Robert (Nope) <bob@whatdoesthebobsay.xyz>"
This is a secret message to Bob
gpg: Signature made Sex 13 Out 2017 16:19:51 WEST using RSA key ID 96FE8CE5
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 8 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 8u
gpg: depth: 1 valid: 2 signed: 0 trust: 1-, 1q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2019-03-19
gpg: Good signature from "Alice (Mushroom) <alice@wonderland.xyz>" 

The warning will disappear. But why was there a warning? So far, someone sent an email claiming to have Alice’s public key, but how does Bob know it is the Alice that he knows? Or that the initial public key exchange was not intercepted? Even though public key cryptography eliminated the need to distribute secret keys, public keys have to be distributed to others with whom they want to communicate, and if the encryption is also used for authentication, the provenance of the public keys is important.

So what are Bob’s options? Bob can meet Alice face to face where she guarantees him that her key (or her key fingerprint) is correct, and Bob can mark it as trusted by signing it as in the above example. Sometimes it is impossible to meet face to face or you are talking with someone you don’t actually know. Bob can alternately choose to trust a particular key server, which is usually quite secure. If Bob does not want to choose to trust any key server, there is another way.

The Web of Trust

GnuPG addresses this problem with a mechanism known as the web of trust. In the web of trust model, responsibility for validating public keys is delegated to people you trust. This is different from normal public key infrastructure (PKI) approach since PKI permits each certificate to be signed only by a single party: a certificate authority (CA). By contrast, OpenPGP identity certificates (which include public key(s) and owner information) can be digitally signed by other users who, by signing, acknowledge the association of that public key with the person listed in the certificate.

There are even events, known as key signing parties, where users gather with their keys and identity documents and sign each other keys. Basically, as more people sign a key, the more sure you can be that the key is from who it claims to be.

I Take It All Back

On a last note, it might be a good idea for Alice to create a revocation certificate. A revocation certificate can be used if and when Alice looses her key or she believes the key was compromised. It is published to notify others that the public key should no longer be used. A revoked public key can still be used to verify signatures made by Alice in the past, but it cannot be used to encrypt future messages to Alice. It also does not affect the ability to decrypt messages sent to Alice in the past if she still has the key.

 alice@wonderland ~ $ gpg -a --gen-revoke alice@wonderland.xyz sec 2048R/96FE8CE5 2017-10-13 Alice (Mushroom) <alice@wonderland.xyz> Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> revoke!
>
Reason for revocation: No reason specified
revoke!
Is this okay? (y/N) y You need a passphrase to unlock the secret key for
user: "Alice (Mushroom) <alice@wonderland.xyz>"
2048-bit RSA key, ID 96FE8CE5, created 2017-10-13 Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
As with the private key, it is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: the print system of
your machine might store the data and make it available to others! -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
Comment: A revocation certificate should follow iQEmBCABAgAQBQJZ5N6XCR0AcmV2b2tlIQAKCRD77Hiulv6M5XnuB/41jjJCVx/S
...
-----END PGP PUBLIC KEY BLOCK----- 

The above code demonstrates how to generate a revocation certificate.

“This is too confusing!”

I get that. I do. Users don’t want to be encrypting stuff via the command line and worry about certificates and trust models. It might seem a bit overwhelming at first but luckily there are easy to use software solutions available to the end-user that solve your basic public key cryptography needs. It’s an extensive list and I’m pretty sure our readers have plenty of suggestions depending on your internet use and operating system. Let’s hear them in the comments!

For example, to secure emails, there are several options. If you use Thunderbird, you can install Enigmail. It should work on Linux, Windows, Mac and SunOS/Solaris. For Outlook users, look for gpg4o or gpg4win. Apple Mail has GPGTools. Android has K9 and R2Mail2 while iOS has iPGMail. If you don’t use a specific email client but use webmail instead, you are not left out, you can try Mailvelope. Mailvelope is an extension for Chrome and Firefox that implements OpenPGP and works over your regular webmail client.

Regarding email encryption, you can see that there is a lot to choose from. There is probably a OpenPGP implementation available to your email client of choice, it’s a matter of choosing a solution for a software that you are already accustomed and start from there. So if you don’t use encryption yet, what is your excuse now?

Go and create your key pair, share it with the world! And do it now, before the next revolution in cryptography, quantum computing, kills it all.

Posted in encryption, Featured, gpg, Interest, openpgp, pki, private key, public key encryption, security hacks | Leave a comment

Rescuing An Antique Saw Set

Who doesn’t like old tools? Even if they aren’t practical to use for production, plenty of old tools still have a life to offer the hobbyist or home worker.  Some tools might seem a bit too far gone – due to age, rust, or practicality, to use. That’s where [Hand Tool Rescue] comes in. [HTR] finds rusty, dirty old tools, and brings them back to life. Sometimes they’re practical tools, other times, they’re a bit out there. In a recent video, he restored a BeMaCo automatic saw set from the 1940’s. Saw sets are tools which bend each tooth of a saw blade slightly. Typically they are pliers-like devices.

The slight bend of each tooth on the blade widens the saw’s kerf and prevents binding. Typically these tools are pliers-like devices. The BeMaCo set is something else — it pulls the blade through tooth by tooth, while a spring-loaded head pecks away, bending each tooth. It’s something Rube Goldberg would have loved.

[HTR’s] filming style borrows a lot from [Jimmy DiResta], who we’ve covered here before. There are no words, and most of the video is sped up. Even with the fast video, [HTR] probably has many hours of footage to pare down to a 20-minute video.

The restoration begins with tearing the saw set apart. Every nut and bolt is removed. All the parts are cleaned, chemically de-rusted, and wire-wheeled. Even the motor is torn down, cleaned, and wired up. Then come the re-assembly. [HTR] gets every piece back in its proper place. We’re wondering how many times he had to refer to the teardown video to get everything right. Finally, the saw is complete — ready for another 70 years of work.

Posted in hand tool rescue, restoration, rust, Saw Set, tool, tool hacks | Leave a comment

Testing Brushless Motors with a Scope (or a Meter)

Brushless motors have a lot of advantages over traditional brushed motors. However, testing them can be a bit of a pain. Because the resistance of the motor’s coils is usually very low, a standard resistance check isn’t likely to be useful. Some people use LC meters, but those aren’t as common as a multimeter or oscilloscope. [Nils Rohwer] put out two videos — one two years ago and one recently — showing how to test a brushless motor with a multimeter or scope. Oh, you do need one other thing: a drill.

You don’t have to drill into the motor, instead you use the drill to spin the motor’s shaft. Since a motor and a generator are about the same thing, you can read the voltages produced by the spinning motor and determine if it is good or not. The first video shows the technique and the second, more recent video shows a scope reading a bad motor. You can see both videos, below.

In the second video, you’ll see that a pair of coils have shorted — probably due to a failure of the insulation, perhaps due to heat — and are putting out about 1/10 of the voltage a good coil produces. In the end, he opened the faulty motor and looks at the suspect coils, even though there wasn’t much to see visually.

We’ve seen working brushless motors used as encoders. You can even build your own brushless motor demonstration, or opt for a more practical design.

Posted in brushless motor, motor, motor testing, tool hacks | Leave a comment

Bad RSA Library Leaves Millions of Keys Vulnerable

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows for an attacker, via a Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. Major vendors including Microsoft, Google, HP, Lenovo, and Fujitsu already released software updates and guidelines for mitigation.

The researchers found and analysed vulnerable keys in various domains including electronic citizen documents (750,000 Estonian identity cards), authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but could be up to two to three orders of magnitude higher.

Devices dating back to at least 2012 are affected, despite being NIST FIPS 140-2 and CC EAL 5+ certified.. The vulnerable chips were not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.

The difficulty of the factorization attack is not the same for all key lengths and is NOT strictly increasing (some longer keys may take less time to factorize than other shorter ones). The following key length ranges are now considered practically factorizable (time complexity between hours to 1000 CPU years at maximum): 512 to 704 bits, 992 to 1216 bits and 1984 to 2144 bits. Note that 4096-bit RSA key is not practically factorizable now, but may become so, if the attack is improved.

The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):

Keep in mind that these benchmarks are for a single CPU. For certain three-letter agencies one must assume the attacks take trivial time to complete. Then again, they probably already have your keys (citation needed).

Concerned users can test their public keys online or, maybe a better idea, offline by cloning the following GitHub repository. If using Linux flavors with pip, you can try the following to test your known public keys:

 $ sudo pip install roca-detect $ gpg -a --export > /tmp/public && roca-detect /tmp/public
2017-10-17 14:10:33 [7869] INFO ### SUMMARY ####################
2017-10-17 14:10:33 [7869] INFO Records tested: 93
2017-10-17 14:10:33 [7869] INFO .. PEM certs: . . . 0
2017-10-17 14:10:33 [7869] INFO .. DER certs: . . . 0
2017-10-17 14:10:33 [7869] INFO .. RSA key files: . 0
2017-10-17 14:10:33 [7869] INFO .. PGP master keys: 1
2017-10-17 14:10:33 [7869] INFO .. PGP total keys: 102
2017-10-17 14:10:33 [7869] INFO .. SSH keys: . . . 0
2017-10-17 14:10:33 [7869] INFO .. APK keys: . . . 0
2017-10-17 14:10:33 [7869] INFO .. JSON keys: . . . 0
2017-10-17 14:10:33 [7869] INFO .. LDIFF certs: . . 0
2017-10-17 14:10:33 [7869] INFO .. JKS certs: . . . 0
2017-10-17 14:10:33 [7869] INFO .. PKCS7: . . . . . 0
2017-10-17 14:10:33 [7869] INFO No fingerprinted keys found (OK)
2017-10-17 14:10:33 [7869] INFO ################################ 

In this example, no vulnerable keys were found. Did you find one? If it is yours, it’s probably better to revoke and generate a new one. It seems 2017 keeps on giving us security pearls with each passing day. Yesterday we mourned the death of WPA2, but we’ve also seen SHA-1 broken, the Broadcom WiFi exploit in one billion smartphones (Broadpwn), a Bluetooth vuln that won’t be patched in around 40% of the devices, your credentials being cached in search engines, and we left several from this list.

Posted in encryption, factorization, news, ROCA, rsa, security, security hacks | Leave a comment

3D Prints and Food

We recently ran a post about a cute little 3D printed elephant that could dispense booze. The design didn’t actually have the plastic touching the liquid — there was a silicone tube carrying the shots. However, it did spark a conversation at the secret Hackaday bunker about how safe it is to use 3D printed objects for food. In particular, when I say 3D printing, I’m talking fused deposition modeling. Yes, there are other technologies, but most of us are printing using filament laid out in layers with a hot nozzle.

There’s a common idea that ABS is bad in general, but that PET and PLA are no problem because there are food-safe versions of those plastics available. However, the plastic is only a small part of the total food safety picture. Let me be clear: I am not a medical professional and although my computers have run a few plastics plants in years past, I am not really an expert on polymer chemistry, either. However, I don’t use 3D printed materials to hold or handle food and while you might not drop dead if you do, you might want to reconsider.

It is true that some plastics are not food safe. The US Food and Drug Administration (FDA) talks about “food contact substances” and has a lot of technical reading on the subject including this mostly readable introduction. There’s even a database with lots of materials (not just plastics) that are food safe.

However, even if some plastics can be food safe, that doesn’t mean that the $11 spool you bought on eBay is actually food safe. You don’t usually know who made it, how impure it is, or what’s been added to it for pigmentation or to modify other properties. However, let’s assume you locate food-grade filament from a trusted supplier. Is that the only problem? Turns out, it isn’t even the biggest problem.

Bacteria

Paradoxically, the biggest problem is microscopic. If you cook or store food much, you probably know that everything you eat is full of bacteria and other little critters. Leave some leftovers out tonight if you don’t believe that. If you make a cup using injection molding with a food-safe plastic, you shouldn’t have a problem as long as you wash the thing after each use. A 3D printed object, though, is going to have little cracks and spaces, especially where the layers make contacts. These are perfect places for germs to hide and multiply. Some foods, too, are worse than others. Raw eggs and meat, for example, are notorious for having dangerous bacterial growth.

There are two schools of thought here. If you are making something disposable, this might not be a big deal. Whatever bacteria get trapped wind up in the trash. The other thing people will do is use a food-safe sealant like polyurethane or silicone to cover the food contact surfaces. Of course, now you need to be sure the sealant is really food grade. In the case of the elephant, it wasn’t so much a sealant as just running a tube through the plastic.

There has been work on making antibacterial plastics. The video below shows one such plastic and it is even dishwasher safe.

Speaking of Cleaning

It isn’t fun to think about, but one reason dishes get clean in a dishwasher isn’t from the elbow grease, but from the hot water. Some of the best plastics for food — PLA, for example — may deform under dishwasher hot water. So even if you aren’t worried about hiding bugs, you still may not be able to get the plastic really clean. We haven’t tried it, but we hear the best practice is to use warm water and antibacterial soap.

Of course, the same thing happens if you print a PLA soup bowl and then fill it with hot soup. That would be a very bad idea. Not that you can’t find plastics with better temperature resistance, but remember things like ABS are full of nasty chemicals and are generally regarded by most people as not safe for food.

Oddly enough, though, the FDA actually lists conditions where ABS is food safe. Just like with PLA, though, there is no assurance your cheap spool of ABS meets those requirements. Note, too, that they disallow ABS coming into contact with alcohol.

Contamination

Well, you’ve found your food grade filament and you’ve perfected your process so you will wind up with a cleanable surface, but you still aren’t in the clear. Your filament is going to pass through an extruder and a hot end. Are any of those parts going to leave an unpleasant residue? Brass nozzles, for example, often contain lead. Your gear or hobbed bolt that bites into the filament to move it may have some bad things, too.

There is some thinking that an all-metal hot end is safer than the traditional PEEK/PTFE hot end. However, a lot of cheap “metal” hot ends have some plastic internal components. Again, you have to think of all the things that the plastic can touch. Probably would be a good idea if all those surfaces were cleanable, too.

Keep in mind, too, that your nozzle probably has remains from all the plastic you’ve printed with it before. So that implies you ought to have a machine just for food-safe printing. Well, at least the parts of the printer that touch the filament.

Studies show that 3D printing generates ultrafine particles. There isn’t a clear consensus about the health risks of breathing and ingesting these nanoparticles. You get the same thing from laser printers, but — honestly — you probably aren’t eating anything off a laser printed surface.

You can face a variation on this same problem if you print with food. For example, a printer that extrudes chocolate or icing shouldn’t allow the food to contact bad things on the way to the print. Cleaning the food path, in that case, is super critical. There are certified printers for food like the Chef Jet in the video below.

Is Food Safe Filament Available?

If you are not worried about all the other problems, you might be looking for food-safe filament. There are a few out there, including some PET filaments. However, you can be sure if the filament is really food grade, the vendor is going to say so. For instance, there’s a safe PLA made by KeyTech (and probably others). You’ll still want to get the material safety data sheet (MSDS) and make sure. But if the vendor isn’t saying anything about food safety, it is a good bet the filament is not recognized as food safe.

What about PLA? There’s a lot of street wisdom that it is safe. After all, it is made from corn. If you have PLA with no pigment or other additives and has been made in a way to minimize unsafe contaminants, maybe it is acceptable. There was a study in 1995 that tested PLA with things that ought to leach out chemicals like booze — we don’t know if they used an elephant or not — and other solvents found in edible materials. They did find a small amount of lactic acid can leach into the food, but it wasn’t a serious concern.

To Eat or Not to Eat?

Lead solder is dangerous too, but I use enough of that. However, I’m not motivated to print food-safe plastics. I think allowing other people to use my 3D printed bowls and cups would be even worse since they would not likely understand the risk. We’ve heard people say that a plastic knife or cookie cutter doesn’t contact the food long enough to be dangerous. I don’t buy that, but I am not an expert. If you must do the cookie cutters, you might try putting plastic wrap between the food and the cutter.

I know of people who follow the tradition of drinking a shot from a shot glass printed on a new 3D printer. Even though the science says you shouldn’t put alcohol in ABS, I haven’t known anyone to die from that practice. However, the body is a complex system and long-term and cumulative effects may be happening that I don’t know about.

I warned you I’m not a doctor or a chemist. I’m also not a lawyer, but I really think selling 3D printed food carriers would be a dangerous undertaking. Of course, you could clearly mark it, or there are US laws about permanently marking items “Not for Food Use,” so that might be a loophole.

In the end, only you can decide how to proceed. But at least be sure you are doing enough research about the plastic and your printing apparatus to minimize your risk. Have you consumed food from 3D prints? Would you? Or will you continue to do so? Share your opinion in the comments.

Oh, one more thing. We certainly are not eating the bacon filament.

Posted in 3d Printer hacks, 3d printing, cooking hacks, fda, Featured, filament, food safe, Interest | Leave a comment

Stripping 3D Printed Gears for Science

While 3D printing is now well on its way to becoming “boring” in the same way that a table saw or lathe is, there was a time when the media and even some early adopters would have told you that the average desktop 3D printer was perhaps only a few decades behind the kind of replicator technology we saw on the Enterprise. But as the availability of these machines increased and more people got to see one up close, reality sunk in pretty quickly.

Many have dismissed the technology as little more than a novelty, and even within the 3D printing community itself there’s a feeling that most printers are used for little more than producing “dust collectors”. Some would see this attitude as disheartening, but the hackers over at [Gear Down For What?] see it as a challenge. They’ve made it their mission to push printed parts to increasingly ridiculous heights to show just what the technology is capable of, and in their latest entry, set out to push a pair of 3D printed gearboxes to failure.

The video starts out with a head to head challenge between two of their self-designed gearboxes. As they were spun up with battery powered drills, the smaller of the two quickly gave up the ghost, stripping out at 228 lbs. The victor of the first round then went on to pull a static load, only to eventually max out the scale at an impressive 680 lbs.

The gearbox may have defeated the scale, but the goal of the experiment was to run it to failure. By rigging up a compound pulley arrangement, they were able to double the amount of force their scale could detect. With this increased capacity the gearbox was then run up to an astonishing 1,000 lbs before it started to slip.

But perhaps the most impressive: after they got the gearbox disassembled, it was discovered that only a single planet gear out of the ten had broken. Even then, judging by how the gear sheared, the issue was more likely due to poor layer adhesion during printing than from stress alone. No gears were stripped, and in fact no visible damage was seen anywhere in the mechanism. The team is currently unable to explain the failure, other than to say that the stresses may have been so great that the plastic deformed enough that the gears were no longer meshed tightly.

This isn’t the first time we’ve checked in with the team at [Gear Down For What?], just a few months ago they impressed us by lifting an anvil with one of their printed mechanisms. They’re also not the only ones curious to find out just how far 3D printed plastic can go.

[Thanks to Nils Hitze for the tip.]

Posted in 3d printed, 3d Printer hacks, compound gearing, gearbox | Leave a comment

TeensyStep – Fast Stepper Library for Teensy

The Teensy platform is very popular with hackers — and rightly so. Teensys are available in 8-bit and 32-bit versions, the hardware has a bread-board friendly footprint, there are a ton of Teensy libraries available, and they can also run standard Arduino libraries. Want to blink a lot of LED’s? At very fast update rates? How about MIDI? Or USB-HID devices? The Teensy can handle just about anything you throw at it. Driving motors is easy using the standard Arduino libraries such as Stepper, AccelStepper or Arduino Stepper Library.

But if you want to move multiple motors at high micro-stepping speeds, either independently or synchronously and without step loss, these standard libraries become bottlenecks. [Lutz Niggl]’s new TeensyStep fast stepper control library offers a great improvement in performance when driving steppers at high speed. It works with all of the Teensy 3.x boards, and is able to handle accelerated synchronous and independent moves of multiple motors at the high pulse rates required for micro-stepping drivers.

The library can be used to turn motors at up to 300,000 steps/sec which works out to an incredible 5625 rpm at 1/16 th micro-stepping. In the demo video below, you can see him push two motors at 160,000 steps/sec — that’s 3000 rpm — without the two arms colliding. Motors can be moved either independently or synchronously. Synchronous movement uses Bresenham’s line algorithm to plan motor movements based on start and end positions. While doing a synchronous move, it can also run other motors independently. The TeensyStep library uses two class objects. The Stepper class does not require any system resources other than 56 bytes of memory. The StepControl class requires one IntervallTimer and two channels of a FTM  (FlexTimer Module) timer. Since all supported Teensys implement four PIT timers and a FTM0 module with eight timer channels, the usage is limited to four StepControl objects existing at the same time. Check out [Lutz]’s project page for some performance figures.

As a comparison, check out Better Stepping with 8-bit Micros — this approach uses DMA channels as high-speed counters, with each count sending a pulse to the motor.

Thanks to [Paul Stoffregen] for tipping us off about this new library.

Posted in arduino, Bresenham, FlexTimer Module, IntervallTimer, Microcontrollers, motor, motor speed, pulse rate, schrittmotor, stepper, stepper driver, stepper motor, StepperMotor, Teensy | Leave a comment

Snazzy Balun Lets Ham Use Off-The-Shelf Coax

It’s a dilemma many hams face: it’s easy to find yourself with a big spool of RG-11 coax cable, usually after a big cable TV wiring project. It can be tempting to use it in antenna projects, but the characteristic impedance of RG-11 is 75 Ω, whereas the ham world is geared to 50 Ω. Not willing to waste a bounty of free coax, one ham built a custom 1:1 current balun for a 75 Ω dipole.

Converting between balanced and unbalanced signals is the job of a balun, and it’s where the device derives its name. For hams, baluns are particularly useful to connect a dipole antenna, which is naturally balanced, to an unbalanced coax feedline. The balun [NV2K] built is a bifilar 1:1 design, with two parallel wires wound onto a ferrite core. To tweak the characteristic impedance to the 75 Ω needed for his antenna and feedline, [NV2K] added short lengths of Teflon insulation to one of the conductors, which is as fussy a bit of work as we’ve seen in a while. We appreciate the careful winding of the choke and the care taken to make this both mechanically and electrically sound, and not letting that RG-11 go to waste is a plus.

With as much effort as hams put into antenna design, there’s a surprising dearth of Hackaday articles on the subject. We’ve talked a bit about the Yagi-Uda antenna, and we’ve showcased a cool magnetic loop antenna, but there’s precious little about the humble dipole.

[via r/amateurradio]

Posted in 1:1, amateur, antenna, balanced, balun, bifilar, dipole, Guanella, ham, radio hacks, unbalanced | Leave a comment