Gnuk - OpenPGP USB Token implementation

Formal Metadata

Title
Gnuk - OpenPGP USB Token implementation
Number of Parts
84
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Production Year
2012

Content Metadata

Abstract
FOSDEM (Free and Open Source Development European Meeting) is a European event centered around Free and Open Source software development. It is aimed at developers and all interested in the Free and Open Source news in the world. Its goals are to enable developers to meet and to promote the awareness and use of free and open source software.
Transcript: English (auto-generated)
So, this is my presentation about Gnuk; it is an OpenPGP USB token implementation. Usually, I think that in Western culture you guys start your presentation with a joke or some humor, but because I am Japanese, it is our culture to begin the presentation with some apologies. Perhaps my selection of devroom was a mistake. Because I am a Debian developer and saw the announcement about FOSDEM, I just joined this development room. But there is another hardware security development room or something, but this is my first visit, my first time joining FOSDEM, so please forgive my choice.

If I understand correctly, the distribution guys have much interest in the integrity of the distribution, and usually the developers of any distribution should have their GPG key to make sure that the distribution of the packages or any binary can be checked by users. So, today's presentation is about the USB hardware token, and let me explain about myself.
I am a GNU project contributor, say, for more than 20 years. When I was a university student, I joined the GNU Emacs development for internationalization. And I also did GNU guide development, glibc testing, and the GNU 2.0 development for embedded systems. And five years ago, six years ago, I was one member of the GNU GPL version 3 international committee to have an international symposium, an international conference. And at that time, we had four or five conferences around the world for GNU GPL version 3. And we had one in Tokyo. And recently, I am a contributor to GNU Privacy Guard for the pinentry feature. And this month, I became the Japanese translation team coordinator for www.gnu.org. Those are the things I have done or I am doing for the GNU project.

And I am also a contributor to the Linux kernel. I maintained the PLIP network driver in 1995. And I have also ported the Linux kernel to a Japanese embedded processor, 10 years ago. These days, those CPUs, SuperH or M.2, are not that common. The Japanese semiconductor companies are basically losers in the market these days. Everybody uses ARM these days. And yes, I am a Debian developer. For example, I maintain 30 or 40 packages, 30 to 40 packages. But these days, I only actively maintain Golly. Golly is a Conway's Game of Life implementation. And I am also the chairman of FSIJ, the Free Software Initiative of Japan, which kindly sent me to this conference. Yes?
Well, as I said already, distribution developers should care about the integrity of distributions. And usually, GnuPG is your friend. But we have an issue. Where to put my GPG keys? Usually, with no hardware support, we put GPG keys under the .gnupg directory. Yes, it is protected by the password. But it is not considered secure enough, because people who steal your computer can do a brute force attack to break your password and steal your identity. So the people who really care about such problems are using the OpenPGP card. And if I understand correctly, the Free Software Foundation Europe distributes the OpenPGP card as a member's card. Yes. And yes, it is great. But for me, the card reader, possibly large and bulky, is not my friend. It is difficult to bring a large card reader. Yes, these days we have very small card readers, but they are somewhat expensive. And yes, we have another implementation called Crypto Stick by the German Privacy Foundation. And it is a very great thing that it combines the small OpenPGP card and a microprocessor so that it is a hardware token. And I think it is cheap enough, about 50 euro or so.
And Gnuk is my development, which is a Free Software implementation of a cryptographic token. Perhaps you usually think that a one-time password token is much more popular than a cryptographic token, because some banks distribute one-time password tokens to their customers for their network banking systems. But today I am explaining my development of a cryptographic token, which stores our secret keys. Gnuk supports OpenPGP card protocol version 2. And it runs on a general purpose processor. And I selected the STM32 processor by STMicroelectronics. And it supports RSA 2048-bit. And this is FSIJ's official development project. And as I explained about NUK, NUK is famous also in Japan. It is a soother for babies. Two or three years ago, when I developed this project, my son was one year old or so. And my son used to be with his NUK everywhere, always. And so I put a G in front and named my project Gnuk, so that the Gnuk token can be a soother for GnuPG users.
Let me explain about the cryptographic token. It stores your secret keys. It performs security operations on the device, such as digital signature computation, authentication, and encryption. And users or anyone have no direct access to the secret keys. And how is it used? We can bring secret keys securely. And on the go, you can make a digital signature, authenticate yourself, or read encrypted mail without bringing your notebook computer. And you know, the OpenPGP card is a tool for privacy. It conforms to the OpenPGP card standard. And we do the encryption operations. And GnuPG supports the OpenPGP card.

And I think that the OpenPGP card is popular in Europe. It is a smart card to put GnuPG keys in. And the feature of version 2.0 is that it supports 1024-bit keys to 3072-bit keys. And it has an RSA accelerator on the chip. And users can use the OpenPGP card with GnuPG as well as with OpenSSH through the GnuPG agent. And we can also use the card for client authentication for TLS or SSL. Yes, we have an application called Scute. It is an NSS module for Thunderbird or Firefox. And we also have a PAM module using the OpenPGP card.
And I started the Gnuk project in September 2010. And I focus on the software implementation. And the CPU choice is the Cortex-M3 based STM32F1, F103, yes. And currently the target board is the Olimex evaluation board. And this is kind of hackish, but we can use the STM32 part of the STM8S Discovery kit. And I also developed my own board named FST-01. For the second board, I should explain more. The STM8S Discovery kit is a kind of educational kit. It is very cheap, like less than 10 US dollars, but its purpose by STM is education for the STM8S, an 8-bit chip. But we are very lucky that it has a gadget, how to say, it is a kind of dongle to control the STM8S processor from the PC. The dongle uses an STM32. So we take advantage of that part of the kit so that we can install Gnuk on that processor, not on the main STM8S processor of the original intention. So if there are some employees from STM, I should say sorry about that. But anyway, you can sell more boards to your customers, you see. So Gnuk's approach is that I focus on the software and I keep the software as simple as possible.
Our approach is to implement the OpenPGP card protocol, not PKCS #11 directly, because Public Key Cryptography Standard #11 can be emulated on top of the OpenPGP card protocol. A good example is the OpenSC project. I keep the implementation minimal for CCID communication. And recently, I changed to support only short APDU level exchange. Until version 0.16, I implemented short and extended APDU level exchange. But to be conservative with existing software, I concluded that supporting only short APDU level exchange would be better. And the implementation contains: I use the ChibiOS/RT kernel, and I also use crypto routines from PolarSSL. I use the RSA routines and the AES routines and the SHA-1 routines. And it implements the CCID protocol and the OpenPGP card protocol and implements flash ROM management.
So basically, we use the main flash ROM embedded in the chip. We don't use an external chip, but only use the internal flash ROM. And according to the manual, we can protect flash ROM access against the JTAG debugger. And once it is locked, there is no way to read it out by JTAG debugger or anything. So if there is no bug for attackers to read out the data of the secret keys, we can consider it secure somehow. Yes, it is not secure enough. If we compare with smart card implementations, I don't think a general purpose embedded chip is more secure. I don't think so. Smart cards are considered to be safer than general purpose processors. But for my purpose, I think that it could be okay. And as of Gnuk 0.17, it has about 9,000 lines of C code.
And it is distributed under the GNU GPL version 3 or later. And for a 2048-bit key, it takes 1.48 seconds for digital signing. I think I can stand that. And it means that to sign, say, as I am a Debian developer, I sign my packages, or I sign my board, or I use Gnuk for OpenSSH authentication, and when I log into the server, when I push my code to another Git repository, it takes 1.48 seconds to authenticate. For me, it is okay. But that is because I use a general purpose processor with no RSA accelerator. I think that this performance is okay for general purpose use. And it is already useful for GnuPG users as well as OpenSSH users. And here this slide explains the limitations of Gnuk.
I use a normal general purpose embedded processor. It means that it is not that tamper resistant. The tamper resistance feature of a general purpose processor is not that great if we compare with smart cards or other special purpose processors. And it really depends on its flash read protection feature. Yes. And it doesn't have an RSA accelerator, and it means that it is not that fast. And technically, we have a limitation of up to 2048-bit keys. Many Debian developers these days have 4096-bit keys, so their keys cannot be imported to the Gnuk token, unfortunately.

And here are the good points of Gnuk. The first good point is that it is a free software implementation. This is a very good feature. Yes, there is the OpenPGP card, but we don't have the source code of its firmware, unfortunately. But for Gnuk, we have the source code so that you can examine or enhance the firmware as you like. And another feature is that we can develop or test new things. For example, we can change or improve the USB communication. Actually, I am currently trying to support ECC, elliptic curve cryptography, for the next version of GnuPG. And I am also testing a new pinentry for authentication.
For the device, we need to authenticate ourselves to the device. Usually, we input the passphrase to open the feature of digital signing and authentication or decryption. But usually, we use the keyboard of the personal computer, which is easily monitored by malicious software. So some people care and use card readers with a pinpad. Currently, I am testing a Gnuk implementation so that people can input the PIN or passphrase locally, not by the PC, but through the device directly.
And here, I explain the current status. For GnuPG, it works well. And for OpenSSH, it works well through the GnuPG agent. And for Firefox, using Scute, we can use client authentication using the Gnuk token. And I created my client certificate using csr.org and tested against that site. But currently, here is the current status, not supported yet. I don't support the secure messaging protocol yet. And I don't have an idea to support this. So we have a risk. If your computer is attacked and intruded by some malicious users, and when he monitors the USB traffic by some kind of USB sniffer, your passphrase could be stolen, because the USB transmission is not encrypted at all. But we can work around this by supporting PIN entry locally. Currently, the Gnuk token doesn't support key generation on the device. All that we can do is generate the keys on the PC host side and import those keys from the host side. Currently, we cannot overwrite keys on the device. So to overwrite keys, we have to remove the keys first. This is a limitation, a current limitation. And this is a known problem.
Yes, after I implemented Gnuk, and after I used Gnuk extensively, I figured out eventually that the OpenPGP card is not a portable .gnupg. I mean that all the information the device has is only the secret keys. But under the .gnupg directory, we have more than secret keys. We have secret keys, the secret keyring, as well as public keys, the public keyring, and the trust DB. The secret key has your secret information, but we also have public key information and the trust DB under the .gnupg directory. And it means that just bringing the Gnuk token means that you can do digital signing or authentication or decryption with your secret key, but you will perhaps not have the public keyring on the go. So if you really want to do more operations on the go, we should have that information on the device. But if I understand correctly, the OpenPGP card specification is for smart cards, and the smart card doesn't have enough storage, storage for things like public keyrings. For example, the Debian project has a keyring, and it's more than, I think, 10 megabytes or so. So we cannot put such a large storage on the smart card.
But for a token, we can do that. This slide explains the supported boards more, and I skip it. And here is the URL for Gnuk development. The web page is at fsij.org/gnuk, and we have a Git repository under gnuib.org, because we don't have a Git repository on fsij.org yet.

These are the Gnuk development requirements. We need a GNU toolchain for ARM, and I am currently using the script named summon-arm-toolchain. And we also need Python and the Python modules called PyUSB and pyscard, and we also use OpenOCD and Git. And here are the host requirements. Basically, we tested against Debian and Gentoo. And if you have a fairly new GnuPG and pcscd and libccid, you can use the Gnuk token with no problem. And I also tested on Windows only a bit.

And here I explain the steps for building the Gnuk token. Get the source code from gnuib.org and prepare a GNU toolchain for ARM, I mean the cross development environment. And then you can build gnuk.elf and write gnuk.elf to the STM32 using OpenOCD. And this is an optional step: you can configure the Gnuk token with your specified serial number. When you don't configure a serial number, it uses its own chip ID for the serial number. And then you can personalize the Gnuk token and import keys to the Gnuk token. The last two steps are the same as for the OpenPGP card.
And here I explain using the Gnuk token for secure shell authentication. Before the development of the Gnuk token, I didn't know the way of using a GPG key for OpenSSH authentication. It is not that common, but we can do it. And when we use the Gnuk token or OpenPGP card, it is considered very, very convenient, because we only have a GPG key and we can bring the secret keys somewhere. But the configuration or settings of SSH using GnuPG is somewhat difficult, because there are many applications which have their own SSH agent. So to use GPG agent as the SSH agent, we need to stop seahorse or the original ssh-agent and gnome-keyring. In the usual distribution, these three plus GPG agent each have their own SSH agent. So when we use GPG agent as the SSH agent, we should only run GPG agent and not run the seahorse SSH agent and gnome-keyring. This is a key point. And then we configure GPG using use-agent and enable-ssh-support.
This is the setting for using GPG agent as the SSH agent.

And here I explain the STM8S Discovery kit. As I said, it is an educational purpose kit by STMicroelectronics and it is very cheap. We can buy it for 750 JPY. It means less than 8 euro. Yes. And if you have enough technology for do-it-yourself electronics, you can make a Gnuk token easily. Here is the STM8S Discovery kit. And here is the STM32 part. And this is my do-it-yourself JTAG debugger connecting to the STM32 or STM8S Discovery kit. Here is another embedded board. And this is mine today. I bring some examples. Yes, this one is somewhat bigger, but I built this. It costs only 10 US dollars or so. And this one is somewhat smaller. I use help in case. And I also did the PCB design using KiCad. And it is open hardware.
And here is the result. And here is the future work. As I described already, I am currently supporting, trying to support elliptic curve cryptography, NIST P-256 curve support. It is quite fast. It takes only 0.08 seconds to make a digital signature. And configure-time USB vendor ID and product ID setup. Currently, we use FSIJ's USB vendor ID. Yes. And currently, I am considering supporting data other than secret keys for a portable .gnupg environment. Here is the acknowledgment: Bernacoff, Akim and Giovanni and Japanese guys as testers. So, this is the appendix. So, shall I have a question from you? Yes? Any questions?
Yes. Ah, yes. For audio recording, you should use this. This is a switch.

So, you mentioned a way to enter the PIN directly into the token. So, you want to add a small keyboard to the token, or what's the idea?

About PIN entry? Yes. There are two kinds of experimental implementations. One is using a consumer infrared controller. Yes, as used for TV controllers or audio controllers. If it is close enough, you can use it. But you know that people can monitor the signal very easily. So that's, it is not considered very safe. But somehow, you can use a very convenient device. Yes. And another implementation I use, I am using the file, how to say, the file manager of the host side PC. I mean that it pretends as if it is a USB memory. And when the user drags and drops folders, it considers that a key input. So, when malicious users monitor the USB traffic, in theory, he can decode the PIN input key sequence. But it is very difficult in practice, because the file folder movement becomes USB mass storage class traffic. Yes. Currently, we have such experimental implementations for PIN entry. Yes.

These are nice ideas. Another question is about generating the key directly in the device. You mentioned it's not supported at the moment. Is it because of a lack of enough entropy?

Yes, you are right. Yes. At the beginning, I considered it like that. But we need enough entropy for ECC. For RSA, we don't need a true random generator for the computation of digital signing or decryption or anything. But it is needed for key generation. So, at first, I didn't support key generation. But for ECC support, we need a true random generator. So, last year, I implemented my own method for a true random generator. I am using the quantum error of the ADC, the analog-digital converter, the last bit of the analog-digital converter. We can use the noise source of the ADC. And I experimented against the random number generation. I forgot the package name. But there is a very good test suite for true random number generation. And I confirmed that the entropy from the ADC is considered enough. And currently, we have an enough entropy source on the device. So, in theory, we can support key generation on Gnuk. But as history, we didn't support it. Yes.

Cool. That's nice to hear, because I was experimenting with a similar topic. And this is the same solution I was able to create, to just read the last bit of the ADC. But I wasn't sure if it's enough. But if you say that you did some measurements and it's okay. And also, some more expensive ARM boards have a hardware generator on board.

Yes. Yes.

If you are able to, or once the prices of these boards are lower, then you might consider using that as well.

Yes, you're right. Thank you. Thank you. Another question? No, I am running out of my time. So, I finished my presentation. Thank you for your time.
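Editorial note: the answer above describes using the least significant bit of successive ADC conversions as the token's noise source and checking the result with a randomness test suite. The following is an added example, written for this page; it is not code from the talk or from Gnuk. It shows the one step a practitioner should expect between "raw ADC LSBs" and "bits fit for key generation": the raw LSB stream of a real ADC is usually biased, so the example adds a von Neumann extractor (pairs (0,1) -> 0, (1,0) -> 1, equal pairs discarded), which yields unbiased output if the raw bits are independent. The extractor and the sample readings are this example's assumptions; the talk does not say how Gnuk conditions the raw bits. The 12-bit width is the STM32F1 ADC's resolution, but only the LSB matters here.

```c
/* Added example (editorial, not Gnuk's code): ADC LSB noise -> debiased bits.
 * Assumptions: 12-bit ADC samples, LSB is the noise bit, samples independent.
 * The von Neumann extractor is this example's addition. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 12-bit ADC readings, hand-written for the example, not
 * measurements. Their LSBs are 1,0,1,1,0,0,1,0,0,1,1,0,1,1,0,1. */
static const uint16_t SAMPLE_ADC[16] = {
    0x7FF, 0x800, 0x801, 0x801, 0x7FE, 0x7FE, 0x7FF, 0x800,
    0x802, 0x803, 0x7FD, 0x7FC, 0x7FF, 0x7FF, 0x800, 0x801,
};
#define SAMPLE_ADC_LEN (sizeof SAMPLE_ADC / sizeof SAMPLE_ADC[0])

/* The noise bit: least significant bit of one ADC conversion. */
static inline int adc_lsb(uint16_t sample)
{
    return sample & 1;
}

/* Crude bias check on the raw LSB stream: number of ones among n samples.
 * An unbiased source gives a count close to n / 2. */
size_t raw_lsb_ones(const uint16_t *samples, size_t n)
{
    size_t ones = 0;
    for (size_t i = 0; i < n; i++)
        ones += (size_t)adc_lsb(samples[i]);
    return ones;
}

/* Von Neumann extractor over the LSB stream.
 * Consumes samples two at a time: (0,1) emits 0, (1,0) emits 1, (0,0) and
 * (1,1) emit nothing. Output bits are packed MSB-first into out[0..outcap-1]
 * (zero-filled first). Returns the number of bits produced; once the buffer
 * is full the remaining samples are ignored, so the caller must compare the
 * return value with 8 * outcap rather than assume the buffer was filled. */
size_t vn_extract(const uint16_t *samples, size_t n,
                  uint8_t *out, size_t outcap)
{
    size_t nbits = 0;
    for (size_t i = 0; i < outcap; i++)
        out[i] = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        int a = adc_lsb(samples[i]);
        int b = adc_lsb(samples[i + 1]);
        if (a == b)
            continue;           /* equal pair carries no information */
        if (nbits / 8 >= outcap)
            break;              /* output buffer full */
        if (a == 1)             /* (1,0) -> 1; (0,1) -> 0 */
            out[nbits / 8] |= (uint8_t)(0x80u >> (nbits % 8));
        nbits++;
    }
    return nbits;
}

int main(void)
{
    uint8_t buf[2];
    size_t n = vn_extract(SAMPLE_ADC, SAMPLE_ADC_LEN, buf, sizeof buf);
    printf("raw LSB ones: %zu of %zu\n",
           raw_lsb_ones(SAMPLE_ADC, SAMPLE_ADC_LEN), (size_t)SAMPLE_ADC_LEN);
    printf("debiased bits: %zu, first byte 0x%02X\n", n, buf[0]);
    return 0;
}
```

On the constructed input the raw stream has 9 ones in 16 samples, and the extractor keeps only 5 bits (1,1,0,1,0, packed as 0xD0): the price of debiasing is throwing away at least half of the raw bits, which is why a token needs many ADC conversions per output byte. Two caveats the example makes visible: the extractor only removes bias, not correlation, so ADC noise that is correlated between adjacent conversions (for example from a slowly drifting reference) would still leak structure into the output; and a bias count like raw_lsb_ones is a sanity check, not a substitute for the kind of test suite the speaker says he ran on the output.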