FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> - PowerPoint PPT Presentation

FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium

Contents ● Who am I? ● GNU Privacy Guard ● FSIJ USB Token – PCB design – V-USB (AVR-USB) – CCID/ICCD Protocol – OpenPGP Protocol – RSA (or ECC Encryption)

Niibe with sticky 'g' gniibe ● FSIJ (2002-) National Institute of AIST, ● – Linux-M32R.ORG Japan (2000-) ● IPA, Japan – CODEblog.ORG – Google SoC (2001-2004) ● Free Software – U-20 Programing Development & Contest in Japan – GPLv3 Committee Promotion GNU Project (1989-) Linux Kernel (1993-) Debian Project (2005-)

My development history National Institute of AIST: Employee Free Software Initiative of Japan: Chairman ● 1989 GNU Emacs hacks: Mule, mlh, Eggv4 ● 1994 ICOT Free Software ● 1999 Founder of GNU/Linux on SuperH ● 2001-2003 Project Manager for Free Software Development under METI ● 2003-2005 Free Software for Japanese Gov. ● 2005-2007 CODEblog Project (in Japanese) ● 2008- Principal developer of FSIJ USB Token

GnuPG GNU Privacy Guard ● Tool for Privacy with Encryption Technology ● It started as an alternative of PGP – Export regulations were there – Free Software implementation ● Conforms to OpenPGP standard ● Usage: – Digital Signature – Encryption/Decryption ● Supports “OpenPGP card”

OpenPGP card ● Smart card to put PGP/GPG keys – Implemented by Basic Card ● Follows OpenPGP protocol standard – Version 1.1 – Newer protocol: Version 2.0 ● FSFE Membership card ● Feature of v1.1: – 1024-bit RSA – Three keys for Encryption, Sign, Auth – Access control by PIN – Key generation on the card – RSA computation on the card

Major Issue ● Where and how we put our private keys? – On the disk of our PC – Encrypted by passphrase ● Not Secure Enough – OpenPGP card ● Good (portable, secure) ● Not easily deployed

Two Problems ● Smart card is not that popular for PC – Card reader is not common device ● Software Implementation of target device should be Free Software – Development of smart card is hard – Smart card industry is not friendly to Free So ftware development

Our Failures ● We tried to contact Smart Card vendors in Japan – Possibility to build OpenPGP card compatible – Possibility to build BasicCard like card ● No, we are not their target customers ● We tried to (ab)use Japanese Resident Card (Juki-net card) – Stop by some reason

Our Challenge FSIJ USB Token ● Original purpose – USB device for GNU Privacy Guard – Store private key on USB device ● General-purpose I/O through USB – I2C, Serial I/O, LED control, etc. ● Use the USB Token for FSIJ membership ● Improve situation around USB device d evelopment for Free Software ● Began August 2008

Cautions ● FSIJ USB Token is: – NEVER SECURE than Smart card ● It is EXPERIMENTAL, NEVER USE IT – It is for development environment – It is good to develop/test new things ● New protocol enhancement ● New encryption algorithm ● ... – But it is normal micro controller device – NEVER SECURE than Smart card

Development Tasks ● Hardware parts choice ● Hardware design – USB chip: AVR (ATmega328) with AVR-USB – PCB design ● Software development – USB Protocol stack: AVR-USB – CCID/ICCD Protocol – ISO 7816 Protocol, Format – OpenPGP card protocol – RSA encryption routine ● Exptmod, Montgomery-reduction, mul&sqr

Atmel AVR CPU ● Free Software Friendly ● Good Availability, Cheap ● Easy to build ● Harvard 8-bit architecture ● GCC supports AVR very well ● C library: AVR-libc ● Simulator: Simulavr ● GDB supports Simulavr ● USBasp bootloader – Download program through USB

V-USB (AVR-USB) ● Software-only USB protocol stack ● With no special hardware required ● Only support “low-speed” ● Just works! ● It's not that superior, but enough for us

Current Status of FSIJ USB Token (1) ● “gpg –card-status” works! ● “gpg –clearsign” works! ● Parts: Got ATmega328P ● PCB: Initial design done ● Software – AVR-USB is ready – ICCD: mostly done – OpenPGP protocol: partially done – RSA: mostly done, integration remains ● Exptmod, Montgomery reduction, mul&sqr – Most of target code is hard coded for a given private key

Current Status of FSIJ USB Token (2) ● Speed for RSA 1024-bit key signing – About 5 sec. ● Code space requirement – 30KB or so (OK for Atmega328, but not for 168)

Schematic & PCB Design ● We use Eagle now ● Will use KiCad or PCB/gEDA

PCB Manufacturing ● P-ban.com ● Olimex

Host Software Structure Libgcrypt RSA computation if no card OpenPGP card protocol GnuPG ISO 7816 protocol pcscd, ccid CCID/ICCD protocol kernel USB protocol

Host Software Implementation ● GNU Privacy Guard: No change ● PC/SC Lite: No change ● CCID library: need fix for ICCD #503638 ● Need an $ gpg - - card- status A ppl i cati on I D . . . : D 276000124010101F517000000010000 V ersi on . . . . . . . . . . : 1. 1 entry M anuf acturer . . . . . : unknow n Seri al num ber . . . . : 00000001 on N am e of cardhol der: N I I B E Yutaka Language pref s . . . : j a libccid_Info Sex . . . . . . . . . . . . . . : m al e U R L of publ i c key : http: / / w w w . f si j . org/ Logi n data . . . . . . . : gni i be .plist Si gnature PI N . . . . : not f orced M ax. PI N l engths . : 0 0 0 PI N retry counter : 1 1 1 Si gnature counter : 0 Si gnature key . . . . : A B 4B 9F94 6555 EEB 7 FFE8 5261 B D 6A 9B CD 852F 7074 Encrypti on key. . . . : 7A B 2 1745 EB D 4 1D 3F 8C2C A 0F1 D 9A 9 C2F6 3A 01 5444 A uthenti cati on key: [none] G eneral key i nf o. . : pub 1024R / 852F7074 2008- 10- 27 N i i be Yutaka (Chopsti x) < gni i be@ f si j . org> sec 1024R / 3A 015444 created: 2008- 10- 27 expi res: never / 852F7074 created: 2008- 10- 27 expi res: never ssb 1024R

Device Software Implementation ● USB: Use V-USB ● ICCD/CCID: USB-ICC Version A (T=0) ● ISO7816: Mostly hard-coded ● OpenPGP protocol: Mostly hard-coded Only support signing ● RSA computation – Private key are at compile time option – 512-bit and CRT – Runs about 5 sec for signing (at 20MHz)

RSA Implementation ● References: – Tom St Denis&Greg Rose: BigNum Math – Tom St Denis: LibTomCrypt Developer Manual – Alfred J. Menezes, et al.: Handbook of Applied Cry ptography ● Reference implementation: – Tom St Denis: TomsFastMath 0.10 ● Technics: – Comba multiplication & sqr – Montgomery reduction – BigNum exptmod – Chinese Remainder Theorem

Target side interaction Start U 200: 0ad6 R ESET O n 0 U 020: 0b02 00 a4 00 0c 02 3f 00 - sel ect R O O T M F 00 a4 02 0c 02 2f 02 - sel ect 0x2f 02 EF U 000: 0947 00 b0 00 00 f e - R ead bi nary 00 b0 00 06 f e - R ead bi nary 00 a4 04 00 06 d2 76 00 01 24 01 - sel ect D F by nam e 00 ca 00 4f 00 - G et D ata 00 ca 00 c4 00 - G et D ata 00 ca 00 6e 00 - G et D ata 00 c0 00 00 3e - G ET R esponse 00 c0 00 00 1e - G ET R esponse U 000: 0947 00 ca 00 5e 00 - G et D ata 00 ca 00 65 00 - G et D ata 00 c0 00 00 10 - G ET R esponse 00 ca 5f 50 00 - G et D ata 00 ca 00 6e 00 - G et D ata

Contine Development... ● RSA computation routine for AVR has b een released (on Feb) ● Not hard-coded code, and release to public ● Should support key generation, etc. ● Longer key length, supports ECC? ● Another device other than AVR – Renesas SuperH (SH-2)? – Atmel AVR32 (with USB controller)?

Summary ● Device development for Free Software by Free Software ... is fun ● We are developing FSIJ USB Token now

Happy Hacking!