FSIJ USB Token for GnuPG

Niibe Yutaka

2009-10-21 Japan Linux Symposium

Contents

● Who am I?
● GNU Privacy Guard
● FSIJ USB Token
  – PCB design
  – V-USB (AVR-USB)
  – CCID/ICCD Protocol
  – OpenPGP Protocol
  – RSA (or ECC Encryption)

Niibe with sticky 'g' gniibe

● National Institute of AIST, Japan (2000-)
● IPA, Japan (2001-2004)
● Free Software Development & Promotion
● FSIJ (2002-)
  – Linux-M32R.ORG
  – CODEblog.ORG
  – Google SoC
  – U-20 Programming Contest in Japan
  – GPLv3 Committee

GNU Project (1989-), Linux Kernel (1993-), Debian Project (2005-)

My development history

National Institute of AIST: Employee
Free Software Initiative of Japan: Chairman

● 1989 GNU Emacs hacks: Mule, mlh, Eggv4
● 1994 ICOT Free Software
● 1999 Founder of GNU/Linux on SuperH
● 2001-2003 Project Manager for Free Software Development under METI
● 2003-2005 Free Software for Japanese Gov.
● 2005-2007 CODEblog Project (in Japanese)
● 2008- Principal developer of FSIJ USB Token

GnuPG GNU Privacy Guard

● Tool for Privacy with Encryption Technology
● It started as an alternative to PGP
  – Export regulations were there
  – Free Software implementation
● Conforms to OpenPGP standard
● Usage:
  – Digital Signature
  – Encryption/Decryption
● Supports “OpenPGP card”

OpenPGP card

● Smart card to put PGP/GPG keys
  – Implemented by Basic Card
● Follows OpenPGP protocol standard
  – Version 1.1
  – Newer protocol: Version 2.0
● FSFE Membership card
● Feature of v1.1:
  – 1024-bit RSA
  – Three keys for Encryption, Sign, Auth
  – Access control by PIN
  – Key generation on the card
  – RSA computation on the card

Major Issue

● Where and how do we put our private keys?
  – On the disk of our PC
  – Encrypted by passphrase
    ● Not Secure Enough
  – OpenPGP card
    ● Good (portable, secure)
    ● Not easily deployed

Two Problems

● Smart card is not that popular for PC
  – Card reader is not common device

● Software Implementation of target device should be Free Software
  – Development of smart card is hard
  – Smart card industry is not friendly to Free Software development

Our Failures

● We tried to contact Smart Card vendors in Japan
  – Possibility to build OpenPGP card compatible
  – Possibility to build BasicCard like card
● No, we are not their target customers

● We tried to (ab)use Japanese Resident Card (Juki-net card)
  – Stopped for some reason

Our Challenge

FSIJ USB Token

● Original purpose
  – USB device for GNU Privacy Guard
  – Store private key on USB device
● General-purpose I/O through USB
  – I2C, Serial I/O, LED control, etc.
● Use the USB Token for FSIJ membership
● Improve situation around USB device development for Free Software
● Began August 2008

Cautions

● FSIJ USB Token is:
  – NEVER AS SECURE AS a Smart card
● It is EXPERIMENTAL, NEVER USE IT
  – It is for development environment
  – It is good to develop/test new things
    ● New protocol enhancement
    ● New encryption algorithm
    ● ...
  – But it is a normal microcontroller device
  – NEVER AS SECURE AS a Smart card

Development Tasks

● Hardware parts choice
● Hardware design
  – USB chip: AVR (ATmega328) with AVR-USB
  – PCB design
● Software development
  – USB Protocol stack: AVR-USB
  – CCID/ICCD Protocol
  – ISO 7816 Protocol, Format
  – OpenPGP card protocol
  – RSA encryption routine
    ● Exptmod, Montgomery-reduction, mul&sqr

Atmel AVR CPU

● Free Software Friendly
● Good Availability, Cheap
● Easy to build
● Harvard 8-bit architecture
● GCC supports AVR very well
● library: AVR-libc
● Simulator: Simulavr
● GDB supports Simulavr
● USBasp bootloader
  – Download program through USB

V-USB (AVR-USB)

● Software-only USB protocol stack
● With no special hardware required
● Only supports “low-speed”
● Just works!
● It's not that superior, but enough for us

Current Status of FSIJ USB Token (1)

● “gpg --card-status” works!
● “gpg --clearsign” works!
● Parts: Got ATmega328P
● PCB: Initial design done
● Software
  – AVR-USB is ready
  – ICCD: mostly done
  – OpenPGP protocol: partially done
  – RSA: mostly done, integration remains
    ● Exptmod, Montgomery reduction, mul&sqr
  – Most of target code is hard coded for a given private key

Current Status of FSIJ USB Token (2)

● Speed for RSA 1024-bit key signing
  – About 5 sec.
● Code space requirement
  – 30KB or so (OK for ATmega328, but not for 168)

Schematic & PCB Design

● We use Eagle now
● Will use KiCad or PCB/gEDA

PCB Manufacturing

● P-ban.com
● Olimex

Host Software Structure

RSA computation: Libgcrypt (if no card)
OpenPGP card protocol, ISO 7816 protocol: GnuPG
CCID/ICCD protocol: pcscd, ccid
USB protocol: kernel

Host Software Implementation

● GNU Privacy Guard: No change
● PC/SC Lite: No change
● CCID library: need fix for ICCD #503638
● Need an entry on libccid_Info.plist

    $ gpg --card-status
    Application ID ...: D276000124010101F517000000010000
    Version ..........: 1.1
    Manufacturer .....: unknown
    Serial number ....: 00000001
    Name of cardholder: NIIBE Yutaka
    Language prefs ...: ja
    Sex ..............: male
    URL of public key : http://www.fsij.org/
    Login data .......: gniibe
    Signature PIN ....: not forced
    Max. PIN lengths .: 0 0 0
    PIN retry counter : 1 1 1
    Signature counter : 0
    Signature key ....: AB4B 9F94 6555 EEB7 FFE8 5261 BD6A 9BCD 852F 7074
    Encryption key....: 7AB2 1745 EBD4 1D3F 8C2C A0F1 D9A9 C2F6 3A01 5444
    Authentication key: [none]
    General key info..: pub 1024R/852F7074 2008-10-27 Niibe Yutaka (Chopstix)
    sec 1024R/3A015444 created: 2008-10-27 expires: never
    ssb 1024R/852F7074 created: 2008-10-27 expires: never

Device Software Implementation

● USB: Use V-USB
● ICCD/CCID: USB-ICC Version A (T=0)
● ISO7816: Mostly hard-coded
● OpenPGP protocol: Mostly hard-coded
  Only supports signing
● RSA computation
  – Private key is a compile-time option
  – 512-bit and CRT
  – Runs about 5 sec for signing (at 20MHz)

RSA Implementation
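
The RSA routine the slides describe (exptmod over Montgomery reduction, with two half-size exponentiations combined by CRT), shrunk to single 32-bit words so the arithmetic can be followed. This is an added example, not the token's firmware or TomsFastMath code; the key (p=61, q=53, e=17) and every function name are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* -n^-1 mod 2^32 by Newton iteration (n odd). */
static uint32_t mont_ninv(uint32_t n) {
    uint32_t x = n;                              /* n*n == 1 (mod 8): 3 correct bits */
    for (int i = 0; i < 4; i++) x *= 2 - n * x;  /* correct bits double each round */
    return 0u - x;
}

/* Montgomery reduction: T * 2^-32 mod n, for T < n * 2^32 and n < 2^31. */
static uint32_t redc(uint64_t T, uint32_t n, uint32_t ninv) {
    uint32_t m = (uint32_t)T * ninv;             /* makes T + m*n divisible by 2^32 */
    uint64_t t = (T + (uint64_t)m * n) >> 32;
    return (uint32_t)(t >= n ? t - n : t);
}

/* base^exp mod n: square-and-multiply on Montgomery residues (not constant-time). */
uint32_t exptmod(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t ninv = mont_ninv(n);
    uint32_t acc = (uint32_t)((1ULL << 32) % n);                /* 1 * R mod n */
    uint32_t b = (uint32_t)(((uint64_t)(base % n) << 32) % n);  /* base * R mod n */
    for (int i = 31; i >= 0; i--) {
        acc = redc((uint64_t)acc * acc, n, ninv);
        if ((exp >> i) & 1) acc = redc((uint64_t)acc * b, n, ninv);
    }
    return redc(acc, n, ninv);                   /* leave Montgomery form */
}

struct crt_key { uint32_t p, q, dp, dq, qinv, n, e; };
/* Constructed toy key: p=61, q=53, e=17, d=2753, dp = d mod 60, dq = d mod 52. */
static const struct crt_key toy_key = { 61, 53, 53, 49, 38, 3233, 17 };

/* CRT signing with Garner recombination. Returns 0 and stores the signature,
   or -1 if it does not verify (for example after a fault in one CRT half). */
int rsa_crt_sign(uint32_t m, const struct crt_key *k, uint32_t *sig) {
    uint32_t sp = exptmod(m, k->dp, k->p);       /* m^dp mod p */
    uint32_t sq = exptmod(m, k->dq, k->q);       /* m^dq mod q */
    uint32_t h = (uint32_t)((uint64_t)k->qinv * (sp + k->p - sq % k->p) % k->p);
    uint32_t s = sq + h * k->q;
    if (exptmod(s, k->e, k->n) != m) return -1;  /* check before releasing s */
    *sig = s; return 0;
}

int main(void) {
    uint32_t s = 0;
    int rc = rsa_crt_sign(2790, &toy_key, &s);
    printf("rc=%d sig=%u\n", rc, (unsigned)s);
    return 0;
}
```

The final check in `rsa_crt_sign` matters on a plain microcontroller: a signature computed with one faulty CRT half must not leave the device, because it can disclose a factor of the modulus.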

● References:
  – Tom St Denis & Greg Rose: BigNum Math
  – Tom St Denis: LibTomCrypt Developer Manual
  – Alfred J. Menezes, et al.: Handbook of Applied Cryptography
● Reference implementation:
  – Tom St Denis: TomsFastMath 0.10
● Techniques:
  – Comba multiplication & sqr
  – Montgomery reduction
  – BigNum exptmod
  – Chinese Remainder Theorem

Target side interaction
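
How a device could parse and length-check the T=0 command APDUs that appear in the trace on this slide, and map the GET DATA tags to OpenPGP card data objects. This is an added example, not the token's own code; all type and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum apdu_cmd { CMD_UNKNOWN, CMD_SELECT, CMD_READ_BINARY, CMD_GET_DATA, CMD_GET_RESPONSE };
struct apdu { enum apdu_cmd cmd; uint8_t p1; uint16_t tag; const uint8_t *data; size_t lc; };

/* OpenPGP card data objects requested in the trace (GET DATA tag = P1P2). */
const char *do_name(uint16_t tag) {
    switch (tag) {
    case 0x004f: return "Application ID";
    case 0x005e: return "Login data";
    case 0x0065: return "Cardholder Related Data";
    case 0x006e: return "Application Related Data";
    case 0x00c4: return "PW status bytes";
    case 0x5f50: return "URL of public key";
    default:     return "unsupported";
    }
}

/* Parse one command APDU. Returns 0 if well formed, -1 if malformed. */
int apdu_parse(const uint8_t *buf, size_t len, struct apdu *out) {
    if (len < 5 || buf[0] != 0x00) return -1;      /* T=0 header: CLA INS P1 P2 P3 */
    out->p1 = buf[2]; out->data = NULL; out->lc = 0;
    out->tag = (uint16_t)(buf[2] << 8 | buf[3]);
    switch (buf[1]) {
    case 0xa4:                                     /* SELECT: P3 is Lc, data follows */
        if ((size_t)buf[4] + 5 != len) return -1;  /* Lc must match bytes received */
        out->cmd = CMD_SELECT; out->data = buf + 5; out->lc = buf[4];
        return 0;
    case 0xb0: out->cmd = CMD_READ_BINARY; break;
    case 0xca: out->cmd = CMD_GET_DATA; break;
    case 0xc0: out->cmd = CMD_GET_RESPONSE; break;
    default:   out->cmd = CMD_UNKNOWN; break;
    }
    return len == 5 ? 0 : -1;                      /* P3 is Le, no command data */
}

int selects_openpgp(const struct apdu *a) {        /* SELECT by DF name (P1 = 04) */
    static const uint8_t aid[] = { 0xd2, 0x76, 0x00, 0x01, 0x24, 0x01 };
    return a->cmd == CMD_SELECT && a->p1 == 0x04 &&
           a->lc == sizeof aid && memcmp(a->data, aid, sizeof aid) == 0;
}

int main(void) {
    const uint8_t gd[] = { 0x00, 0xca, 0x00, 0x6e, 0x00 };  /* GET DATA from the trace */
    struct apdu a;
    if (apdu_parse(gd, sizeof gd, &a) == 0) puts(do_name(a.tag));
    return 0;
}
```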

    Start
    U200: 0ad6
    RESET
    On 0
    U020: 0b02
    00 a4 00 0c 02 3f 00 - select ROOT MF
    00 a4 02 0c 02 2f 02 - select 0x2f02 EF
    U000: 0947
    00 b0 00 00 fe - Read binary
    00 b0 00 06 fe - Read binary
    00 a4 04 00 06 d2 76 00 01 24 01 - select DF by name
    00 ca 00 4f 00 - Get Data
    00 ca 00 c4 00 - Get Data
    00 ca 00 6e 00 - Get Data
    00 c0 00 00 3e - GET Response
    00 c0 00 00 1e - GET Response
    U000: 0947
    00 ca 00 5e 00 - Get Data
    00 ca 00 65 00 - Get Data
    00 c0 00 00 10 - GET Response
    00 ca 5f 50 00 - Get Data
    00 ca 00 6e 00 - Get Data

Continue Development...

● RSA computation routine for AVR has been released (on Feb)
● Not hard-coded code, and release to public
● Should support key generation, etc.

● Longer key length, supports ECC?

● Another device other than AVR
  – Renesas SuperH (SH-2)?
  – Atmel AVR32 (with USB controller)?

Summary

● Device development for Free Software by Free Software ... is fun

● We are developing FSIJ USB Token now

Happy Hacking!