Cipherpod has built-in security measures, including checking for a compromised onboard key, RFID reader validation and RFID token validation. Diagnostic Mode can be accessed by pressing **## (star-star-pound-pound) on the keypad.
How to use Diagnostic Mode:
- Open Notepad (or any text editor) on your computer, smartphone or tablet
- Connect your Cipherpod and wait until it has finished its onboard diagnostics
- If it flashes red, contact us for support
- Press **## (star-star-pound-pound) on the keypad; the LEDs will start flashing
- Pass any RFID-enabled device (token, smartcard, even an old credit card) underneath the Cipherpod to let it read the card.
How to read the diagnostic output:
After performing the above steps, the Cipherpod will output something like:
FW Alpha6 v083 PN532 0x32010607 UID 28E994046191D8 Type UNK_0044_20_M27 Standard
RFID META 38 bytes (metadata) Chi-sq 37 POOR Sec METADATA
- FW Alpha6 v083
  - This is the firmware version. All versions after Alpha6 are ready for production use.
- PN532 0x32010607
  - This shows the onboard RFID reader chipset and its firmware
  - This also confirms that the device is able to access the RFID reader and can read this information from its chipset, ensuring it can read RFID tokens properly
- UID 28E994046191D8
  - The RFID serial number is displayed here, indicating a good RFID read
- Type UNK_0044_20_M27
  - This shows the RFID token type, such as MiFare 1K or MiFare Ultralight. In this case, it is an unknown type but is still readable
- Standard
  - Indicates the Cipherpod is type Standard, as opposed to Black
  - Cipherpod Standards are replaceable; Black units are uniquely keyed and cannot be reproduced under any circumstance
- RFID META
  - Indicates the contents of the RFID token that was swiped, either PROG / ENH (Programmed Enhanced) or META (Metadata)
  - PROG/ENH RFID tokens such as the ones shipped with your Cipherpod have onboard 256-bit entropy
  - META indicates the metadata of the RFID token would be used to generate credentials. This is unaugmented data and is formed by stripping all available information (model number, manufacturer information, etc.) from the token to facilitate the best password generation possible
- 38 bytes (metadata)
  - The amount of information that could be stripped from the RFID token presented was 38 bytes
- Chi-sq 37 POOR
  - The Chi Square rating (“kye-square”) of the bytes that were read from the RFID device presented has a score of 37 = POOR.
  - Chi Square is a measure of randomness across a distribution. The more predictable the numeric sequence, the less appropriate the contents are for password generation. The higher the number the worse the score: for example 10 or 15 is EXCELLENT, but anything higher than about 35 is POOR
  - All zeros or 01010101 (for example) is POOR and will produce a low Chi Square rating
  - When relying upon an RFID token that was not provided with your Cipherpod, such as a hotel room key, old credit card or a building access token for work, the Cipherpod will rely upon this rating for key generation
  - Use this diagnostic feature to help decide what RFID token you want to use for a given environment (home/work/full drive encryption). We do not advise using any token with a Chi Square rating of less than GOOD in high security environments.
- Sec METADATA
  - METADATA as opposed to POOR, GOOD, or EXCELLENT
  - Metadata indicates that the Cipherpod will rely upon the Chi Square figure for its security, and that the token is otherwise an unprogrammed, standard RFID token. This is okay for general use as long as the Chi Square rating is GOOD or higher.
  - When the Sec reading is GOOD or EXCELLENT, the RFID token presented has programmed information, and that information has enough entropy (randomness) to provide a strong foundation for password generation.
  - RFID tokens provided with your Cipherpod have 256 bits of entropy encoded onboard, and this entropy is guaranteed to be absolutely unlike any other Cipherpod user’s token in the world! It will always read EXCELLENT.
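To make the Chi Square idea concrete, the following added example (not Cipherpod firmware code) scores a few constructed 38-byte buffers. It assumes a Pearson chi-square over 16 nibble bins, since this page does not say how the device bins the bytes it reads, so the numbers are not on the Cipherpod's own scale.

```python
import hashlib
from collections import Counter


def chi_square(data):
    """Pearson chi-square of the 4-bit values in `data` against a uniform
    spread over 16 bins. Nibble binning is an assumption made for this
    example, so the result is not on the Cipherpod's own scale."""
    nibbles = [n for b in data for n in (b >> 4, b & 0x0F)]
    if not nibbles:
        raise ValueError("no data to score")
    expected = len(nibbles) / 16
    counts = Counter(nibbles)
    return sum((counts[v] - expected) ** 2 / expected for v in range(16))


# Constructed 38-byte buffers (the size of the metadata read shown above).
SAMPLES = {
    "all zeros": bytes(38),
    "01010101 repeated": b"\x55" * 38,
    "zero-padded serial": bytes.fromhex("28E994046191D8") + bytes(31),
    "hash output": hashlib.sha512(b"constructed sample").digest()[:38],
}


def rank_samples():
    """Return sample names ordered from lowest (best) to highest score."""
    return sorted(SAMPLES, key=lambda name: chi_square(SAMPLES[name]))


if __name__ == "__main__":
    for name in rank_samples():
        print(f"{name:20s} {chi_square(SAMPLES[name]):8.1f}")
```

Buffers that put every nibble in one bin reach the maximum score for their length, which is why repetitive or zero-filled token contents rate POOR.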
If the Chi Square of an RFID token is POOR but the SEC rating is EXCELLENT, this is okay as the Cipherpod will read the EXCELLENT entropy data pool and always use that for password generation. For example:
FW Alpha6 v083 PN532 0x32010607 UID 7585B5D2DE5100 Type MIFARE_UL_NXP Standard
RFID PROG 87 bytes (48 prog) Chi-sq 34 POOR Sec EXCELLENT
In this sample token, the Cipherpod was able to extract 87 bytes of entropy with some programmed data, and that data isn’t very random (manufacturer and serial numbers often contain many zeroes), but the programmed Security pool has Excellent entropy, so this RFID token is safe to use with Cipherpod.
Note that these 87 bytes include a unique serial number, manufacturer identifiers, lot number and other data about this RFID token. This is still very, very hard to duplicate and such cards are often used for building access. Such an RFID token would, for example, let an employee in the doors of one office building, but no other office buildings in all of Downtown Denver! There might be one other office building you could get into with that card in all of Colorado.
- POOR means the RFID card will work for your office building and one other in all of Colorado
- GOOD means the RFID card might open two doors in the United States
- EXCELLENT means the RFID card will open only one door in the universe. Not kidding, this is not exaggeration or hyperbole – this is how powerful 256-bit keys are!
So for general home use, POOR is still surprisingly strong when combined with your PIN and a Cipherpod. An RFID token rated as POOR that generates a password from a PIN of 12345678 will generate a password like:
dO+^kr&FHwrXi*em++9JeV9IIA*JDVN*RdBw0mpjYCj
As you can see, that is a pretty brutal password! This is the Cipherpod’s job – take easy entropy and turn it into a password that’s impossible to guess. This raises the question, “Well then what’s the point of all this?!” The answer is how much it would cost to break your password: if you’re dealing with a nation-state attacker who will spend millions of dollars to try to brute-force your password, it’s not impossible they’ll guess the above password if your RFID token has a rating of POOR. If your RFID token has a rating of GOOD they’ll have to spend hundreds of millions to try to guess it, but if it has a rating of EXCELLENT then it’s impossible to guess no matter how much they spend.
If your adversary is your next door neighbor or even a coworker, an RFID rating of POOR is nothing to worry about. If you’re a human rights lawyer traveling across countries being targeted by a nation state, you need a token rated at EXCELLENT.
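The diagnostic output pasted into a text editor can be checked mechanically. This added example (not Cipherpod's own tooling) parses the two sample reads shown on this page and applies the rule described above: the Sec rating counts for a programmed token, and the Chi-sq rating counts when Sec reads METADATA. The field pattern is inferred from those two samples only, and the function names are made up for this example.

```python
import re

# Field layout inferred from the two sample outputs on this page; real
# firmware may emit variants this pattern does not cover (assumption).
DIAG_RE = re.compile(
    r"FW (?P<fw>\S+ \S+) "
    r"(?P<reader>\S+) (?P<reader_fw>0x[0-9A-Fa-f]+) "
    r"UID (?P<uid>[0-9A-Fa-f]+) "
    r"Type (?P<type>\S+) (?P<model>\S+) "
    r"RFID (?P<contents>\S+) (?P<bytes>\d+) bytes \((?P<detail>[^)]*)\) "
    r"Chi-sq (?P<chi>\d+) (?P<chi_rating>\S+) "
    r"Sec (?P<sec>\S+)"
)
RANK = {"POOR": 0, "GOOD": 1, "EXCELLENT": 2}

def parse_diag(text):
    """Parse one diagnostic read (pasted as one or two lines) into a dict."""
    m = DIAG_RE.search(" ".join(text.split()))
    if m is None:
        raise ValueError("not a recognised diagnostic output")
    rec = m.groupdict()
    rec["bytes"], rec["chi"] = int(rec["bytes"]), int(rec["chi"])
    return rec

def effective_rating(rec):
    """Rating that key generation rests on: Sec for a programmed token,
    the Chi-sq rating when Sec reads METADATA."""
    rating = rec["chi_rating"] if rec["sec"] == "METADATA" else rec["sec"]
    if rating not in RANK:
        raise ValueError(f"unknown rating {rating!r}")
    return rating

def meets(rec, required):
    """True if the token's effective rating is at least `required`."""
    return RANK[effective_rating(rec)] >= RANK[required]

# The two sample outputs shown on this page.
SAMPLE_META = ("FW Alpha6 v083 PN532 0x32010607 UID 28E994046191D8 "
               "Type UNK_0044_20_M27 Standard\n"
               "RFID META 38 bytes (metadata) Chi-sq 37 POOR Sec METADATA")
SAMPLE_PROG = ("FW Alpha6 v083 PN532 0x32010607 UID 7585B5D2DE5100 "
               "Type MIFARE_UL_NXP Standard\n"
               "RFID PROG 87 bytes (48 prog) Chi-sq 34 POOR Sec EXCELLENT")

if __name__ == "__main__":
    for rec in map(parse_diag, (SAMPLE_META, SAMPLE_PROG)):
        print(rec["uid"], rec["type"], effective_rating(rec), meets(rec, "GOOD"))
```

Pass the rating your environment requires to `meets`, for example `"EXCELLENT"` for the high-risk case described above.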
