If you’ve used a corporate VPN or online banking system in the past fifteen years, chances are you’ve got a few of those little authentication fobs lying around, always showing a new codes every 30 seconds. Today, these one-time codes are usually texted to you or generated by a dedicated smartphone app, which is convenient but a bit annoying. If you are missing dedicated hardware for your login codes, we have good news for you: [Cameron Kaiser] managed to turn a Commodore SX-64 into a two-factor authenticator. Unlike a key fob, it’s a gadget you can’t lose, and any thief would probably need to spend some time figuring out how to make it work.
The SX-64, if you’re not familiar, is the portable version of the venerable Commodore 64. Weighing over 10kg, it’s not quite a MacBook Air, but it does come with a built-in color display and 5.25″ floppy drive. The processor is an 8-bit 6510 running at around 1 MHz and, as you can imagine, it was no trivial task to implement cryptographic routines on it. Working directly from the definitions in RFC 6238, [Cameron] first determined all the necessary bits: a SHA-1 hasher, an HMAC generator, and several routines for manipulating dates and times.
The SHA-1 algorithm and HMAC functions may seem complex, but in the end it boils down to performing bitwise addition, subtraction, and several logical functions on 32-bit numbers. Lots of steps if you can only work with eight bits at a time, but nothing even a 6510 can’t do in a reasonable amount of time, especially when running carefully crafted assembly code by hand.
Working with dates and times turned out to be more complicated. The few real-time clock add-ons that were available for the Commodore 64 series all return the time directly in a human-readable format: great for everyday use but not so great for calculations that require the time Unix. Converting between the two involves a lot of multiplication and division, which takes forever if you don’t have a hardware multiplier. [Cameron]The blog post is full of details on how to optimize computations on constrained hardware, and is worth reading even if you’re working with modern processors.
The end result of the exercise looks almost exactly like a typical authenticator app on your smartphone, including that annoying countdown bar. If you are looking for a slightly more compact solution, you can do the same on an ESP32. Need a refresher on two-factor authentication techniques? We have what you need.