Yes if the attacker have to believe you maybe use the full password and not just enter for example 2 times a long 6element key, etc. in, you come to a quite awesome number of possible key combinations like 1.3e+81. The fact that the key just have elements with 7 possible states dosnt make that number smaller, a key is like a character, normal passwords have lengths of 8-12 characters or so, and using for examples letters a-z, A-Z, 0-9 and 10 special symbols or so, so lets say 80 differenct characters.
SAS using 16 keys with 18750 states (6x5x5x5x5x5), so its quite an improvement of password safety but can be rememberd easily the same time.
And about brute forcing it, the problem as you said is you dont know if you guess the right password before you try and fully uncrypted the content with it.
We are talking round about 100000 operations needed to try out one key.
If u use CUDA and your graphic card and running 2500 cuda cores with I dont know lets say 2gigahertz (i know its quite more complex to see how many operations can be done by per single gpu tact but in that case a round about will be enough) we can try out 2500x2000000000/100000 possible keywords of SAS every second. Thats 50,000,000 keys per second, 100,000,000 with a dual gpu like im using for BLENDER renderings at home.
Thats just 5,00E+07. If you try to crack only a week key with 2E+30 or so you will need… just 1,29E+15 years to brute force it or lets say you can hack a key in one year with a combination ammount of arround 1,56E+15 and we are never going to use that week keys.
And yes the problem using the port as only access was the reason to define never use it again after installing SAS. Best not only using only power chargers via usb instead of computers or only power connecting usb cables, best you destroy the usb port somehow lol just let the power connections functional. So even if somebody take your wallet and your device, he cannot connect it easily.
And one more thing, just by reading the rom out dosnt help the attacker because he just get the crypted code, code you can also share open because it should be save if your password is. Just this password you have to keep save. It should be deleted and automaticly deletes after arround 10 minutes if you forget to turn the device off in menue.
By the way its maybe a quite awesome idea to give that gadget loaded on laser engraved and SEALED arduboys ( to open the device and the USB data ability too).By the way I the laser engraving I already did hope you like it.
Oh and one more thing, it should be even same or close same impossible to get the key even if you know both the crypted AND uncrypted text! Thought about it?
The way the content and the key works together in a complex way I guess you have to try out the same way as you want to find the key.
About the improvements you suggest, your fully right, And about
the licence, I have had and still have no actually plan how to go forward with that, if just open source, and how to publish. I was writing with Kevin here from the Arduboy guys, he was quite friendly and interested, it seems to be a bit complicated how to run such compains like he did with arduventure in themes about licences, when and if to open source it and so on. I believe we can do without any problems, but the code was not finished at that state and now after some weeks I finished it and write him but dosnt get any feedback for some time now. Maybe hes in holiday, I still wait for response.
And I want to see what people thinks about it and specialy if they can help me figure out about how save the algorithm works. So I decided to start it here at the board.
The topic open source licences seems also to be quite big, I only did one project that way as I remember, juming snake a small Arduboy game.
If you like Pharap I have absolutly nothing against it if you like to help to polish the programming style of that code. At the moment I only do changes relevant to this post, but I can stop and change nothing as long as you work on it if you like to improve some style things as the improvements you was suggesting before. And I will upload it again. I just hope we not have to change the algorithm of encryption itself because I already test running the application, if the algorithm gets modified I have to enter the content im testing right now again again
Cheers and a big thank you to all for all that Feedback!