
Mooltipass

From ArchWiki

The Mooltipass is an open hardware, open software password keeper: a standalone device in which users store the credentials they use to authenticate against web applications, PAM sessions, and password-protected applications.

The device can be used with any USB-capable system that supports HID-class devices.

As a day-to-day user, you can interact with the device directly through its clickable scroll wheel, or use any of the available browser extensions/applications.

Introduction

The team behind Mooltipass faced the considerable complexity of password-based authentication, which demands a strict policy, including

  • a unique password for each use;
  • a hard-to-guess password;

To combine the security of such a policy with usability, software password managers such as KeePass have been proposed. Unfortunately, that kind of solution means all credentials end up in the computer's memory, where they can ultimately be stolen by malware.

The Mooltipass is an external device on which credentials are stored encrypted with AES-CTR, using a 256-bit key that is kept on a PIN-locked smartcard. When plugged in, the Mooltipass enumerates as a USB HID device and acts like a keyboard to type your credentials into the target application. Because a credential is only sent after it has been approved on the device, an attacker who manages to sniff the communication between the device and the host at some point sees only what was sent in that session; they are unlikely to be able to gather all stored credentials or to inject their own data.

Password storage

The smartcard introduced above identifies the user. Note that different users must have different smartcards, but they can share the same Mooltipass.

Credentials are stored in the device's flash memory with the following fields: domain, username, password, comments.

Note: Of all these fields, only the password is stored encrypted (and salted).

Storage capacity is limited as follows:

  • the flash memory is 8MB;
  • a password can be at most 32 characters long.

Warning: Entering a wrong PIN 4 times will block and destroy the smartcard.

Firmware upgrade

Firmware is upgraded through signed bundles. Each device has a dedicated AES key burned onto the board by the main developer.

Additional features

The Mooltipass also takes advantage of the ATMega32u4 to expose a custom random number generator, which is used to generate random passwords.

udev rules

mooltipass-udevAUR provides udev rules that let every regular user access the device from a session or through libusb.

Usage

The Mooltipass has been designed to be easy to use for everyone. The main way of interacting with it is through a browser application and/or extension.

Chromium

Chromium was the first target for Mooltipass: the team created an extension (available from the Web Store) that detects login forms on web pages and selects the right credential for you on the device. The user only has to check on the Mooltipass screen that the request is legitimate and approve or deny it with the hardware scroll wheel.

See Chromium/Tips and tricks#U2F authentication for WebAuthn support.

Firefox

As with Chromium, Firefox users can install a Mooltipass extension for easy interaction between websites and the credentials stored on the device.

Note: WebAuthn is currently not supported with Firefox [1].

Moolticute

moolticuteAUR is an effort to build a cross-platform application that can interact with the Mooltipass outside of a browser. The application is written in C++/Qt and provides both a daemon (moolticuted) that handles every operation with the device and a GUI application that can replace the Chrome app.

Note: The daemon exposes a WebSocket interface, so anyone can build tools for their own needs.
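The following is an added example of such a tool, not code from moolticute, mc-cli or the Mooltipass project. It is a minimal Python client that asks moolticuted for one credential over the WebSocket interface. Everything about the protocol here is an assumption to be checked against the moolticute source before you rely on it: that the daemon listens on ws://127.0.0.1:30035, that every message is a JSON object of the form {"msg": <name>, "data": <object>}, that a "get_credential" request carrying {"service": ..., "login": ...} is answered (once the user approves it on the device) by a message with the same "msg" whose "data" holds the entry, and that a refused lookup answers with "failed": true and an "error_message" in "data". The client also assumes the third-party websocket-client package (import websocket) is installed; the request-building and reply-parsing helpers need nothing beyond the standard library.

```python
"""Minimal moolticuted WebSocket client (added example, not moolticute's own code).

Assumptions, to be verified against the moolticute source:
  - moolticuted listens on ws://127.0.0.1:30035;
  - every message is a JSON object {"msg": <name>, "data": <object>};
  - "get_credential" with data {"service": ..., "login": ...} is answered,
    after the user approves it on the device, by a message with the same
    "msg" whose "data" carries the entry; a refused/failed lookup carries
    "failed": true and an "error_message" in "data";
  - the third-party websocket-client package (import websocket) is installed.
"""
import json

MOOLTICUTE_URL = "ws://127.0.0.1:30035"  # assumed default listening address


class MoolticuteError(Exception):
    """Raised when the daemon reports that a request failed."""


def build_request(msg, data=None):
    """Serialise a request in the assumed {"msg": ..., "data": ...} envelope."""
    return json.dumps({"msg": msg, "data": data if data is not None else {}})


def parse_reply(text, expected_msg):
    """Decode one message received from the daemon.

    Returns the "data" object when the message answers expected_msg, None when
    it is an unrelated notification (the daemon also pushes status changes on
    the same socket), and raises MoolticuteError when the daemon reports a
    failure for the request.
    """
    reply = json.loads(text)
    if not isinstance(reply, dict) or reply.get("msg") != expected_msg:
        return None
    data = reply.get("data")
    if isinstance(data, dict) and data.get("failed"):
        raise MoolticuteError(data.get("error_message", "request failed"))
    return data


def get_credential(service, login, url=MOOLTICUTE_URL, max_messages=50):
    """Ask moolticuted for one credential and return its "data" object.

    The user still has to approve the request on the Mooltipass; the daemon
    answers only after that, so unrelated notifications received in the
    meantime are skipped.
    """
    import websocket  # third-party websocket-client, imported lazily

    ws = websocket.create_connection(url)
    try:
        ws.send(build_request("get_credential",
                              {"service": service, "login": login}))
        for _ in range(max_messages):
            data = parse_reply(ws.recv(), "get_credential")
            if data is not None:
                return data
        raise MoolticuteError(
            "no answer to get_credential after %d messages" % max_messages)
    finally:
        ws.close()


if __name__ == "__main__":
    import sys

    # usage: python mc_get.py example.com alice
    entry = get_credential(sys.argv[1], sys.argv[2])
    # The password is now in this process's memory and on its stdout; unlike
    # the keyboard-emulation path it is exposed to whatever reads either.
    print(entry.get("password", ""))
```

Note the trade-off this path reintroduces: a credential fetched through the daemon lands in the memory of the requesting process (and here on its stdout), so the caveat given above for software password managers applies to any tool built on the WebSocket interface, whereas the keyboard-emulation path only ever exposes what is typed into the approved application.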

mc-cli

For scripting purposes there is mc-cliAUR, which lets one interact with the Mooltipass through moolticuted from the command line.

mc-agent

mc-agentAUR takes advantage of the Mooltipass filesystem support, so users can store their (unencrypted) SSH keys on the device. mc-agent implements an SSH agent that loads the keys from the device.

Mooltipy

The last client implementation is mooltipy, which provides both some CLI tools and a Python module that can be used for scripting.

See also