Show HN: A secure, open source U2F token you can make with $4.5 worth of parts (opens in new tab)

In addition to the vendors you mention via that link, OSH Park[1] is great option for hobbyists (or very small-volume production). This is the same source listed in OP. It's a board pooling group that puts many small-run orders on the same panel to economize on setup costs. OSH Park uses high-quality US manufacturers to produce the boards (with tight tolerances, silkscreen, soldermask, gold-flashed pads, etc.) I believe they used to use Amitron outside Chicago, but I'm not sure if that's still the case. I've had probably 300 boards made by them, and they've all been great.

In open source designs you can usually spot OSH Park boards by the distinctive purple color. Seeed Studio and the other Asian budget board houses are a decent economy option if you can get away with looser tolerances. OSH Park is nice for compact designs because the gold-flashed pads are better for surface-mount parts, since they aren't raised like traditional solder-painted pads. Unlike most quickturn PCB fabs they don't bury you with options; the standard options give you everything you need (ENIG, double mask+silk screen, either 2/4 layer, etc.). The OSH Park ordering wizard is a case study in how PCB orders should be done (upload and a couple clicks, with a graphical preview), and for the quality the price can't be beat. Because orders are pooled and then separated before shipping out, it is slower.

You can use the free and open KiCad[2] software (again, what was used in OP; tutorials[3,4]) to do schematic capture and board layout, have it generate some gerber and drill files, and then order the boards for a few bucks from OSH Park. KiCad won't do simulations like Altium or some of the other commercial packages, but if you just want to take a schematic and make a board it works fine. Definitely learn its hotkeys.

1. https://oshpark.com/

2. http://kicad-pcb.org/

3. http://teholabs.com/knowledge/kicad.html

4. http://store.curiousinventor.com/guides/kicad/

A lot of amateur radio HF range projects use what is known as the "manhattan style" construction where, a copper clad board is used as a ground plane, so to speak and then tiny round pads are glued to it, which act as islands. The pads can be made using paper punch of appropriate grade. I have used cheap punch used for cutting paper and have made pads in the past. The parts are then soldered directly to these island pads.

Not sure if these can be applied to digital circuits, perhaps not very easily, since a lot of components are SMD these days, at least in the high speed digital domain.

Two-layer boards are now absurdly cheap, even in small quantities. The boards available from DirtyPCBs or Elecrow are perfectly satisfactory for most hobby projects. Four-layer boards with ENIG and fine pitch are now well within the realms of affordability, particularly small boards from OSHPark.

The most economical stencils are avaliable from OSH Stencils. They offer mylar stencils for $0.64/square inch, with a minimum charge of $5. Mylar stencils are perfectly satisfactory for prototyping or even short production runs.

https://www.oshstencils.com/

Yeah, PCB manufacturing really has opened up and become highly available.

On that note, the title neglects the price of the board, which will add to the total cost for building this. From OSH Park it's $4.60 for three copies of the board, bringing the total per token to $4.50 + $1.53 = ~$6.

That's a very interesting microcontroller by the way, I always think it's mildly amusing with 8-bit CPU cores sitting on a hardware USB peripheral. Looks like a nice chip, plenty of I/O, 5 V-capable, built-in 3.3 V regulator and USB firmware, and stuff. Thanks OP for sharing this!

My father made a simple PCB himself a few years ago. He designed the PCB with http://www.geda-project.org/ (I think?), printed out a negative of the PCB on a (printer-safe!) transparent page, and used an old overhead projector as the light source for the etching.

That being said, I suspect that methodology doesn't scale down to such small features, multiple layers etc. that you see in the link you posted, so at some point you have to give up on DIY etching.

At least in the fablab in my university you can make PCBs yourself (cheap, you have the result instantaneously). You can also get them done locally (expensive, relatively fast) or in China (cheap, takes long to ship).

Stencils aren't really needed, they're only really useful when using a reflow oven, and even then, I honestly think it's easier to hand solder for a single board than to pick and place and reflow.

I've gotten great results with dirtyPCBs for $14, I've made about five batches with them so far.

>>> I’m currently looking for work in the U.S. government.

A crypto work in the goverment not related with surveilance - directly or not- seems difficult to find.

Or am I missing something ?

It's "weakening".

Those are pretty low security keys, just picking the lock might be easier than going to trouble of making them from the picture..

The keys used for the picture are not used. But yes it is not a good practice to post pictures of door keys.

It makes almost no difference in any practical scenario, because conventional pin-tumbler locks are comprehensively broken. They can be opened instantly by an unskilled person using a $5 bump key.

https://www.youtube.com/watch?v=C5fLgxqWvJQ

Impressioning from a photo only poses a meaningful threat to genuinely high-security lock systems like the Abloy Protec or the ASSA Twin.

Wow I actually never thought of the implications of doing that. Thanks!

You should not be using low security keys for home and office in the first place.

It's a good question. It's definitely not been through years of testing yet but in the past few months me and some friends have had no problems.

All of the parts have a low center of mass with respect to the PCB and are unlikely to catch on anything. Water and/or sweat won't hurt it as long as it's dry when you use it. I've tested it works fine after putting it through a washer and dryer.

However, making your own casing or 3D printing something like this [1] is always best

[1]: https://github.com/conorpp/u2f-zero/blob/master/hardware/cas...

It would absolutely not survive for very long like this (naked PCB on a key-chain). Mechanical damage from the actual keys on the same chain is what will kill it before water, sweat, washing liquid, pocket lint or ESD do.

First things to fail will be ceramic capacitors torn/cracked and leads of SSOP-20 package bent/shorted.

That said, it is trivial to protect the board from all of above - just wrap it (except USB connector) with insulating tape or better yet, cover with silicone putty, or similar.

Looks like it would do fine to me. You would want to clean it with alcohol if you ran it through the wash, to avoid corrosion, but otherwise it would be fine.

I think it would be tough to break the board, so mechanically the worry would be bending some pins such that they shorted.

I have no idea what the ESD sensitivity of the parts is, but if it's something your going to walk around with in your pocket, that's something to think about. I'd probably use some heatshrink tubing on it.

I'd be very skeptical about that claim without substantial evidence of it surviving in the field. Especially if you use ROHS solder, which is more brittle than leaded solder.

There is an ESD diode in the design but it only protects certain pathways -- a zap could come from anywhere if the thing is bare.

There is a 3d-printable case included in the repo!

https://github.com/conorpp/u2f-zero/blob/master/hardware/cas...

The tiny amount of lead involved is very unlikely to be harmful. You could probably safely eat the amount of solder used to assemble that board.

I do think think a case is necessary though, as those SOIC packages will not last long in pocket with keys before they are ripped off the PCB.

Feel free to make it with Lead Free solder. See RoHS standards: https://en.wikipedia.org/wiki/Restriction_of_Hazardous_Subst...

No it is purely a hardware peripheral that just has configuration options.

http://www.atmel.com/Images/Atmel-8923S-CryptoAuth-ATECC508A...

Thanks for the comments! I never thought of trying to do a reversible USB connection. And it's actually quite easy!

The button you point out looks like a better choice. It's about 10 cents cheaper than my current one. Currently sold out with 13 week lead time at Mouser! Must be popular.

I use this $6 one.

https://www.amazon.com/gp/product/B00OGPO3ZS

which I can confirm works with google account, github, dropbox. It is a buttonless design that activates upon insertion.

While an interesting idea, the $4.50 board + $3 in smt parts equates to a 25% cost increase vs. the cheap one above, assuming you already have the tools/programmer. Long term durability of the one I linked is still in question, I've been using it since about Jan 1.

Github login still saves 20% on Yubikey U2F, putting it at $20 (US) shipped to the U.S. and Canada.

https://www.yubico.com/github-special-offer/

For those confused, see https://github.com/conorpp/u2f-zero/commit/dd71758a

That's the idea. You don't.

Either you generate the key some other way and write it into the device (but it cannot be read again), and backup the original; or you generate it on the device and do NOT back it up - instead you make a back-up key, and authorize both keys rather than just one.

I don't know if this supports external key. YubiKey does.

You don't back up the key any more than you back up a car key. It's reliant on either the password recovery process, or having a second key prepared.

As the ATECC508A is just an I2C peripheral you still have a broad choice for microcontrollers (as you still need a U2F program and U2F).

I choose to use a EFMUB1 from silicon labs.

Yes. There is [1] which is on Yubikey OTP specifically.

And on a lot more that focus on general embedded platforms running common cryptographic algorithms. U2F uses elliptic curve cryptography (ECC) internally -- check out this source for DPA on ECC [2].

[1] http://link.springer.com/chapter/10.1007/978-3-642-41284-4_1...

[2] http://saluc.engr.uconn.edu/refs/sidechannel/

Bespoke solutions generally require bespoke attacks. If you're targeted as an individual by a state-level bespoke attack, you're going to lose regardless.

U2F defends you effectively against phishing and keyloggers, which are a widespread problem.

Addendum: See page 14 of the specs overview: https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-201...