FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> - - PowerPoint PPT Presentation

FSIJ USB Token for GnuPG

Niibe Yutaka <gniibe@fsij.org>

2009-10-21 Japan Linux Symposium

Contents

• Who am I?
• GNU Privacy Guard
• FSIJ USB Token

– PCB design – V-USB (AVR-USB) – CCID/ICCD Protocol – OpenPGP Protocol – RSA (or ECC Encryption)

Niibe with sticky 'g'

gniibe

• National Institute of AIST,

Japan (2000-)

• IPA, Japan

(2001-2004)

• Free Software

Development & Promotion

• FSIJ (2002-)

– Linux-M32R.ORG – CODEblog.ORG – Google SoC – U-20 Programing

Contest in Japan

– GPLv3 Committee

GNU Project (1989-) Linux Kernel (1993-) Debian Project (2005-)

My development history

National Institute of AIST: Employee Free Software Initiative of Japan: Chairman

• 1989 GNU Emacs hacks: Mule, mlh, Eggv4
• 1994 ICOT Free Software
• 1999 Founder of GNU/Linux on SuperH
• 2001-2003 Project Manager for

Free Software Development under METI

• 2003-2005 Free Software for Japanese Gov.
• 2005-2007 CODEblog Project (in Japanese)
• 2008- Principal developer of FSIJ USB Token

GnuPG

GNU Privacy Guard

• Tool for Privacy with

Encryption Technology

• It started as an alternative of PGP

– Export regulations were there – Free Software implementation

• Conforms to OpenPGP standard
• Usage:

– Digital Signature – Encryption/Decryption

• Supports “OpenPGP card”

OpenPGP card

• Smart card to put PGP/GPG keys

– Implemented by Basic Card

• Follows OpenPGP protocol standard

– Version 1.1 – Newer protocol: Version 2.0

• FSFE Membership card
• Feature of v1.1:

– 1024-bit RSA – Three keys for Encryption, Sign, Auth – Access control by PIN – Key generation on the card – RSA computation on the card

Major Issue

• Where and how we put
• ur private keys?

– On the disk of our PC – Encrypted by passphrase

• Not Secure Enough

– OpenPGP card

• Good (portable, secure)
• Not easily deployed

Two Problems

• Smart card is not that popular for PC

– Card reader is not common device

• Software Implementation of target

device should be Free Software

– Development of smart card is hard – Smart card industry is not friendly to Free So

ftware development

Our Failures

• We tried to contact Smart Card vendors

in Japan

– Possibility to build OpenPGP card compatible – Possibility to build BasicCard like card

• No, we are not their target customers
• We tried to (ab)use Japanese Resident

Card (Juki-net card)

– Stop by some reason

Our Challenge FSIJ USB Token

• Original purpose

– USB device for GNU Privacy Guard – Store private key on USB device

• General-purpose I/O through USB

– I2C, Serial I/O, LED control, etc.

• Use the USB Token for FSIJ membership
• Improve situation around USB device d

evelopment for Free Software

• Began August 2008

Cautions

• FSIJ USB Token is:

– NEVER SECURE than Smart card

• It is EXPERIMENTAL, NEVER USE IT

– It is for development environment – It is good to develop/test new things

• New protocol enhancement
• New encryption algorithm
• ...

– But it is normal micro controller device – NEVER SECURE than Smart card

Development Tasks

• Hardware parts choice
• Hardware design

– USB chip: AVR (ATmega328) with AVR-USB – PCB design

• Software development

– USB Protocol stack: AVR-USB – CCID/ICCD Protocol – ISO 7816 Protocol, Format – OpenPGP card protocol – RSA encryption routine

• Exptmod, Montgomery-reduction, mul&sqr

Atmel AVR CPU

• Free Software Friendly
• Good Availability, Cheap
• Easy to build
• Harvard 8-bit architecture
• GCC supports AVR very well
• C library: AVR-libc
• Simulator: Simulavr
• GDB supports Simulavr
• USBasp bootloader

– Download program through USB

V-USB (AVR-USB)

• Software-only USB protocol stack
• With no special hardware required
• Only support “low-speed”
• Just works!
• It's not that superior, but enough for us

Current Status of FSIJ USB Token (1)

• “gpg –card-status” works!
• “gpg –clearsign” works!
• Parts: Got ATmega328P
• PCB: Initial design done
• Software

– AVR-USB is ready – ICCD: mostly done – OpenPGP protocol: partially done – RSA: mostly done, integration remains

• Exptmod, Montgomery reduction, mul&sqr

– Most of target code is hard coded for a

given private key

Current Status of FSIJ USB Token (2)

• Speed for RSA 1024-bit key signing

– About 5 sec.

• Code space requirement

– 30KB or so (OK for Atmega328, but not for

168)

Schematic & PCB Design

• We use

Eagle now

• Will use

KiCad

• r

PCB/gEDA

PCB Manufacturing

• P-ban.com
• Olimex

Host Software Structure

GnuPG

pcscd, ccid kernel

OpenPGP card protocol CCID/ICCD protocol USB protocol ISO 7816 protocol RSA computation

Libgcrypt if no card

Host Software Implementation

• GNU Privacy Guard: No change
• PC/SC Lite: No change
• CCID library: need fix for ICCD #503638
• Need an

entry

• n

libccid_Info .plist

$ gpg - - card- status A ppl i cati on I D . . . : D 276000124010101F517000000010000 V ersi on . . . . . . . . . . : 1. 1 M anuf acturer . . . . . : unknow n Seri al num ber . . . . : 00000001 N am e of cardhol der: N I I B E Yutaka Language pref s . . . : j a Sex . . . . . . . . . . . . . . : m al e U R L of publ i c key : http: / / w w w . f si j . org/ Logi n data . . . . . . . : gni i be Si gnature PI N . . . . : not f orced M

• ax. PI N

l engths . : 0 0 0 PI N retry counter : 1 1 1 Si gnature counter : 0 Si gnature key . . . . : A B 4B 9F94 6555 EEB 7 FFE8 5261 B D 6A 9B CD 852F 7074 Encrypti on key. . . . : 7A B 2 1745 EB D 4 1D 3F 8C2C A 0F1 D 9A 9 C2F6 3A 01 5444 A uthenti cati on key: [none] G eneral key i nf o. . : pub 1024R / 852F7074 2008- 10- 27 N i i be Yutaka (Chopsti x) < gni i be@ f si j . org> sec 1024R / 3A 015444 created: 2008- 10- 27 expi res: never ssb 1024R / 852F7074 created: 2008- 10- 27 expi res: never

Device Software Implementation

• USB: Use V-USB
• ICCD/CCID: USB-ICC Version A (T=0)
• ISO7816: Mostly hard-coded
• OpenPGP protocol: Mostly hard-coded

Only support signing

• RSA computation

– Private key are at compile time option – 512-bit and CRT – Runs about 5 sec for signing (at 20MHz)

RSA Implementation

• References:

– Tom St Denis&Greg Rose: BigNum Math – Tom St Denis: LibTomCrypt Developer Manual – Alfred J. Menezes, et al.: Handbook of Applied Cry

ptography

• Reference implementation:

– Tom St Denis: TomsFastMath 0.10

• Technics:

– Comba multiplication & sqr – Montgomery reduction – BigNum exptmod – Chinese Remainder Theorem

Target side interaction

Start U 200: 0ad6 R ESET O n 0 U 020: 0b02 00 a4 00 0c 02 3f 00 - sel ect R O O T M F 00 a4 02 0c 02 2f 02 - sel ect 0x2f 02 EF U 000: 0947 00 b0 00 00 f e - R ead bi nary 00 b0 00 06 f e - R ead bi nary 00 a4 04 00 06 d2 76 00 01 24 01 - sel ect D F by nam e 00 ca 00 4f 00 - G et D ata 00 ca 00 c4 00 - G et D ata 00 ca 00 6e 00 - G et D ata 00 c0 00 00 3e - G ET R esponse 00 c0 00 00 1e - G ET R esponse U 000: 0947 00 ca 00 5e 00 - G et D ata 00 ca 00 65 00 - G et D ata 00 c0 00 00 10 - G ET R esponse 00 ca 5f 50 00 - G et D ata 00 ca 00 6e 00 - G et D ata

Contine Development...

• RSA computation routine for AVR has b

een released (on Feb)

• Not hard-coded code,

and release to public

• Should support key generation, etc.
• Longer key length, supports ECC?
• Another device other than AVR

– Renesas SuperH (SH-2)? – Atmel AVR32 (with USB controller)?

Summary

• Device development for Free Software

by Free Software ... is fun

• We are developing FSIJ USB Token now

Happy Hacking!