Gnuk 1.2

Niibe Yutaka



Köln, 2016-09-09

Introduction

About Me - Niibe with 'g'

  • GNU Project
    • 90s: GNU Emacs, Guile, glibc, GCC
    • 00s: GPLv3
    • 10s: www.gnu.org (Japanese), GnuPG
  • GNU/Linux on SuperH around 2000
  • FSIJ since 2002
  • Debian since 2005

My use case of Gnuk Token

At work
Home
On the Go

What's Gnuk?

  • Free Software Project of FSIJ

  • Free Software implementation of Cryptographic Token
  • Supports OpenPGP card Protocol (v2, v3)
  • Runs on STM32F103 MCU (Cortex-M3)
  • Supports RSA-2048 (and ECC in 1.2)

Its name: Gnuk

  • Gnuk as GNU + K (K for Key, city like Köln or Kyoto)

  • Gnuk as G + NUK

Actually, it's named after NUK(R)

  • My son used to be with his NUK(R), always, everywhere
  • I wish Gnuk Token can be a soother for GnuPG users
  • NUK(R) is a registered trademark owned by MAPA GmbH

Gnuk Token

  • Gnuk is software implementation
  • gniibe also makes hardware design: FST-01
  • We call a device Gnuk Token when it runs Gnuk

Basics

Cryptographic Token

  • Holds your secret
  • Performs security operations on the device
    • Digital signature
    • Decryption
    • Authentication
  • No direct access to secret materials

OpenPGP card Protocol Specification

  • Features of v2.0:
    • RSA 1024-bit, 2048-bit, 3072-bit, 4096-bit
    • Three keys: Sign, Decrypt, Auth
    • Key generation on the card
  • Features of v3.2:
    • ECC with NIST Curves, Brainpool
  • Implementations
    • Original OpenPGP card (BasicCard)
    • JavaCard API implementations

Gnuk's Approach

  • No hardware accelerator
  • OpenPGP card protocol, not PKCS#11
    • PKCS#11 can be emulated on top of OpenPGP card protocol
  • Minimum CCID implementation
  • No other features

Technical Highlights

What's New in Gnuk 1.2?

  • New RNG: NeuG 1.0.4
  • New Algo
    • Ed25519 for signature
    • X25519 for encryption
    • Pretty fast
    • Much safer against side-channel attacks

Let's use Gnuk 1.2 with GnuPG 2.1!

  • Ed25519 and X25519 are the new algo of GnuPG
  • Why not use the good algo?
  • Bonus: keys and signatures are small in size

How fast is it?

  • Experiments in Köln with Ed25519 and X25519
  • 10sec for 100 signatures by gpg --detach-signature

    $ ./run-sig.sh
    Signing 100 times.
    Thu Sep  8 13:42:40 JST 2016
    ....................
    Thu Sep  8 13:42:50 JST 2016
    
  • 21sec for 100 decryptions by gpg --decrypt

    $ ./run-dec.sh
    Decrypt 100 times.
    Thu Sep  8 13:43:48 JST 2016
    ....................
    Thu Sep  8 13:44:09 JST 2016
    

How to use it?

Card status

  • Shows card information

    $ gpg --card-status
    
    Reader ...........: 234B:0000:FSIJ-1.2.1-87193059:0
    Application ID ...: D276000124010200FFFE871930590000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87193059
    Name of cardholder: Yutaka Niibe
    Language prefs ...: ja
    Sex ..............: male
    URL of public key : [not set]
    Login data .......: gniibe
    Signature PIN ....: not forced
    Key attributes ...: ed25519 cv25519 ed25519
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 3128
    Signature key ....: 249C B377 1750 745D 5CDD  323C E267 B052 364F 028D
          created ....: 2015-08-12 07:10:48
    Encryption key....: E228 AB42 0F73 3B1D 712D  E50C 850A F040 D619 F240
          created ....: 2015-08-12 07:10:48
    Authentication key: E63F 31E6 F203 20B5 D796  D266 5F91 0521 FAA8 05B1
          created ....: 2015-08-12 07:16:14
    General key info..: pub  ed25519/E267B052364F028D 2015-08-12 NIIBE Yutaka 
    sec>  ed25519/E267B052364F028D  created: 2015-08-12  expires: never     
    				card-no: FFFE 87193059
    ssb>  cv25519/850AF040D619F240  created: 2015-08-12  expires: never     
    				card-no: FFFE 87193059
    ssb>  ed25519/5F910521FAA805B1  created: 2015-08-12  expires: never     
    				card-no: FFFE 87193059
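
Added example (not part of the original slides): decoding the Application ID from the card status above into the version, manufacturer class and card-no that gpg reports, following the AID layout of the OpenPGP card specification. The function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: decode the 16-byte OpenPGP card Application ID (AID).
# Layout: RID + application (6 bytes) | version (2) | manufacturer (2) |
#         serial number (4) | reserved (2)

aid_field() {        # aid_field AID FIRST LAST  (1-based hex digit columns)
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | cut -c "$2-$3"
}

aid_is_openpgp() {   # true only for a 32-digit AID with the OpenPGP prefix
    [ "${#1}" -eq 32 ] && [ "$(aid_field "$1" 1 12)" = "D27600012401" ]
}

aid_version() {      # BCD major.minor: 0200 -> 2.0
    major=$(aid_field "$1" 13 14); minor=$(aid_field "$1" 15 16)
    printf '%s.%s\n' "${major#0}" "${minor#0}"
}

aid_manufacturer() { # 0000/FFFF: test cards, FF00-FFFE: unmanaged serials
    case "$(aid_field "$1" 17 20)" in
        0000|FFFF) echo "test card" ;;
        FF??)      echo "unmanaged S/N range" ;;
        *)         echo "assigned manufacturer ID" ;;
    esac
}

aid_card_no() {      # the "card-no" gpg prints next to each key stub
    printf '%s %s\n' "$(aid_field "$1" 17 20)" "$(aid_field "$1" 21 28)"
}

# Pull the AID out of `gpg --card-status` text supplied on stdin.
aid_from_status() {
    sed -n 's/^ *Application ID [.]*: *\([0-9A-Fa-f]*\).*/\1/p'
}

# Demo on two lines copied from the card status shown above.
aid=$(printf '%s\n' \
    'Reader ...........: 234B:0000:FSIJ-1.2.1-87193059:0' \
    'Application ID ...: D276000124010200FFFE871930590000' | aid_from_status)
if aid_is_openpgp "$aid"; then
    echo "version $(aid_version "$aid"), $(aid_manufacturer "$aid")," \
         "card-no $(aid_card_no "$aid")"
fi
```

The card-no derived here is the value gpg stores in each key stub, so it identifies which token a stub expects.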
    

Signing

  • Same as when private keys are on the host

    $ gpg --sign gnuk-1_2.org
    $ gpg --clearsign gnuk-1_2.org 
    $ gpg --detach-sign gnuk-1_2.org
    

Decryption

  • Same as when private keys are on the host

    $ gpg --decrypt gnuk-1_2.org.gpg
    

OpenSSH

  • Authentication key can be used for SSH

    $ ssh YOUR-SERVER
    
  • We need to configure gpg-agent as ssh-agent
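
Added example (not part of the original slides): one way to make gpg-agent act as the ssh-agent, using the `enable-ssh-support` option and the agent's SSH socket as reported by `gpgconf`. The function names are made up for this sketch, and the file must be sourced so the exported variable reaches your shell.

```shell
#!/bin/sh
# Added example: let gpg-agent answer ssh-agent requests, so that ssh
# signs with the token's authentication key.

# Idempotently add enable-ssh-support to the gpg-agent.conf given as $1,
# leaving any existing options in place.
enable_ssh_support() {
    conf=$1
    mkdir -p -m 700 "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
}

# Restart the agent with the option set and point ssh at its socket.
use_gpg_agent_for_ssh() {
    enable_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    gpgconf --kill gpg-agent                  # agent restarts on next use
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    # Tell the agent which terminal to use for the PIN prompt.
    gpg-connect-agent updatestartuptty /bye >/dev/null
    ssh-add -L    # should list the token's authentication public key
}

# Usage: source this file, call use_gpg_agent_for_ssh, then: ssh YOUR-SERVER
```

The public key printed by `ssh-add -L` is what goes into `authorized_keys` on the server; the private key never leaves the token.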

Philosophy / Discussion

Control Our Own [Crypto] Computation

  1. Access to software which controls crypto → Free Software, freedom to run, study, share modification
  2. Documentation of hardware/protocol to enable writing software
  3. Access to the development environment, too
  4. Freedom to…
    • examine the internal
    • own to run
    • study implementation detail
    • share the enhancement
  5. Reproducible by other parties

No [HIDDEN] Control by others

  • Proof of no backdoor?
  • Crypto Accelerator could be abused
  • Secure chip could be, too
  • Cheap general purpose MCU would be good

No disclosure of secret data

  • Protection mechanism
    • Gnuk Token uses flash ROM on a single chip MCU
    • Uses flash ROM protection feature
  • Protection against
    • Backdoor in the "protection mechanism" itself?
    • Intrusive physical attacks (acid, laser, microscope,…)?
  • Tamper resistance, Tamper detection

History

Early days

September 2010
Project started
February 2011
gniibe joined GnuPG development
March 2011
gniibe joined libgcrypt development
July 2011
Start NeuG, the TRNG implementation
August 2011
Start FST-01, the reference hardware design

The releases

November 2011
FST-01 1.00
July, August 2012
Gnuk 1.0 and 1.0.1
October 2012
Manufacturing FST-01, selling as Gnuk Token
November 2013
NeuG 1.0
September 2015
NeuG 1.0.4
July 2016
Gnuk 1.2.1

Implementations

Version 1.0 Implementation (1.0.4 in March 2013)

  • ChibiOS/RT
  • Crypto by PolarSSL (RSA, AES)
    • RSA-2048 only
  • Implements:
    • CCID/ICCD Protocol
    • OpenPGP card protocol / ISO 7816
    • Flash ROM management

Version 1.2 Implementation (1.2.1 in July 2016)

  • Change to: Chopstx
  • New algo: EdDSA with Ed25519 / ECDH with X25519
  • New algo: ECDSA with NIST P-256, secp256k1
  • Added RSA-4096 (slow)

Other information

Other supported hardware by Gnuk

  • Multiple boards of STM32F103
    • STM32 Nucleo F103
    • Olimex STM32-H103

Attacks on hardware?

  • Chip level
    • hardware virus?: attack on design, foundry
    • ⇔ from lower-level design (cryptech.is)
    • → Cheap enough, general purpose MCU
  • PCB design
    • hidden parts?
    • → w/ reproducibility
  • PCB Assembly
    • fake parts?
  • programming firmware
    • attack on manufacturing process
    • → BBG-SWD

Other products / projects

Future Works

  • Hardware
    • Slower Hardware
    • Enclosure
  • Software
    • Removal of RSA
    • Factory Reset
    • KDF mostly on Host
  • Wireless + Battery ?

Availability

  • NeuG 1.0.4 on FST-01
    • ?: shop.fsf.org USD50
    • 5: EUR30
  • Gnuk 1.2.1 on FST-01
    • 10: EUR30
  • Gnuk 1.0.1 on FST-01
    • 20?: seeestudio.com

Thanks

  • GUUG
  • Werner Koch
  • Achim Petig
  • Daniel Kahn Gillmor
  • Kaz Kojima
  • Seeed Technology and SZDIY folks
  • All users and developers

Happy Hacking!

Created by gniibe.