Add PIN attempt limiting and key stretching

[kwsantiago]

No protection against PIN brute force attacks.

• Store attempt counter in separate flash region
• Implement exponential backoff after failed attempts
• Add device lockout after N failures (configurable, e.g. 21)
• Use PBKDF2 or Argon2 for PIN-derived encryption key
• Target ~2-4 second verification time to slow brute force

[kwsantiago]

Production Hardware Wallet Patterns

Secure Element Rate Limiting

Production wallets store attempt counters in the secure element (SE), not flash:

// SE-based attempt tracking (if #81 implemented)
typedef struct {
    uint8_t attempts;           // Current failed attempts
    uint8_t max_attempts;       // Lockout threshold (e.g., 13)
    uint32_t delay_until;       // Timestamp when next attempt allowed
} se_pin_state_t;

int se_record_failed_attempt(void) {
    // SE atomically increments counter
    // Returns delay before next attempt allowed
}

int se_verify_pin_allowed(void) {
    // Check if delay has elapsed
    // Return error if device is bricked
}

Why SE, not flash:

• Flash can be re-imaged to reset counter
• SE counter survives firmware replacement
• Hardware rate limiting can't be bypassed

Progressive Delay Schedule

Production pattern uses escalating delays:

Attempts	Delay
1-3	None
4-6	15 seconds
7-9	1 minute
10-12	15 minutes
13+	Device bricked

uint32_t get_attempt_delay_ms(uint8_t attempts) {
    if (attempts <= 3) return 0;
    if (attempts <= 6) return 15 * 1000;
    if (attempts <= 9) return 60 * 1000;
    if (attempts <= 12) return 15 * 60 * 1000;
    return UINT32_MAX;  // Bricked
}

HMAC-Protected PIN Structure

Production wallets wrap PIN attempts in HMAC to detect tampering:

typedef struct {
    uint8_t magic[4];           // "PIN\0"
    uint8_t pin_hash[32];       // SHA256(PIN || salt)
    uint32_t timestamp;         // When attempt was made
    uint8_t hmac[32];           // HMAC over above fields
} pin_attempt_t;

// Bootloader verifies HMAC before processing
// Prevents replay of old PIN attempts

Key Stretching Recommendations

For PBKDF2:

#define PBKDF2_ITERATIONS 100000  // ~2 seconds on ESP32-S3
#define PBKDF2_SALT_LEN 16
#define PBKDF2_KEY_LEN 32

int derive_storage_key(const char *pin, size_t pin_len,
                       const uint8_t *salt,
                       uint8_t *key_out) {
    return mbedtls_pkcs5_pbkdf2_hmac(
        MBEDTLS_MD_SHA256,
        (uint8_t *)pin, pin_len,
        salt, PBKDF2_SALT_LEN,
        PBKDF2_ITERATIONS,
        PBKDF2_KEY_LEN, key_out);
}

Bricking Behavior

When max attempts exceeded:

1. Wipe all secrets from storage
2. Wipe SE slots (if Secure Element Phase 1: Mock Mode Implementation #81 implemented)
3. Set brick flag in bootloader region
4. Device only responds to DFU mode for reflash
5. All data unrecoverable (by design)