---
keywords:
- IT
- Security
- Hardware token
---
## gpg usage
```bash
# add to gpg.conf:
#   keyserver hkps://keys.openpgp.org
gpg --refresh-keys
```
### IMHO
I think this is more or less dead. GnuPG has a bad standing because of its bad implementation (Debian tries to omit it, git(hub) allows signing with an SSH key instead of gpg). It is a dinosaur: familiar, powerful, but ancient. Like IPsec, it is based on the security understanding of the 90s.
PGP is the idea that a person has a digital identity to protect their personal data. At that time the smartcard was the safest place.

However, it is allowed for VS-NfD and it is the successor to Chiasmus, so it will live longer. (https://gnupg.com/gnupg-desktop.de.html)
With the rise of WireGuard, with its simplicity and therefore some missing comforts, it is clear that we should limit security solutions to a proper yet simple cipher suite. There is no option to weaken or disable the suite; it is just on or off.

The hardware itself is not safe at all. It is just a microcontroller which cannot even successfully protect the no-readout flag. If you lose your GNUK you need to revoke the key, which is a pain.
- the user interaction button is not easy to implement across the different 'blue pill' schematics, STM32 clones and unclear firmware code
- the enclosure of STLinkV2 clones is acceptable
- due to fake STM32s, firmware updates fail
- the original one costs about 50€
- https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator
- https://www.gniibe.org/memo/development/fst-01/distributing-fst-01sz.html
- https://www.gniibe.org/memo/development/fst-01/fst-01-revision-sz.html
- https://www.gniibe.org/memo/development/read-out-protection/flash-rop.html
- https://blog.thestaticturtle.fr/lets-make-a-diy-gpg-usb-key/

You could, however, use a master key deployment, which adds overhead to your key handling.
- secure storage place for the decrypted OS
- a proper hardware system to keep it locked away
- a proper air-gap OS update process
- multiple hardware tokens
- mostly terminal-based work to renew all of that
- currently no UIX that respects KISS

Alternatives are:
- File encryption: https://github.com/FiloSottile/age https://github.com/FiloSottile/age/discussions/432
- File signing: https://github.com/jedisct1/minisign/
- Mail encryption: as an intermediate solution p≡p, and as a workaround https://de.wikipedia.org/wiki/Autocrypt and DKIM by the mail provider
- git commit signing: https://github.com/git/git/pull/1041
- Linux login: pam-poldi --> pam-u2f
- Full disk encryption with LUKS2: --> TPM2 + PIN (for device-bundled storage) or FIDO2-based
- SSH: FIDO2, native OpenSSH support
## Gnuk
Official repo: https://salsa.debian.org/gnuk-team

The GNUK is an STM32-based hardware token which implements the OpenPGP specification. The reference hardware is the FST-01, which is no longer sold.
It is possible to buy suitable hardware; common hardware is the STLink V2 adapter or the 'blue pill' development board. For the German market it is easier to use the Nitrokey Start:
https://github.com/Nitrokey/nitrokey-start-firmware
https://github.com/Nitrokey/nitrokey-start-hardware

GNUK is based on Chopstx (µC OS), which is related to NeuG (STM32 ADC RNG).

Passport-opensc: [https://javacardos.com/tools/passport](https://javacardos.com/tools/passport)
Black pill pin: https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png


https://hackaday.io/project/162597/logs
The page mentions a single free PA pin, PA5. All other pins seem to be PBs.
However, Chopstx defines the boards and the ack button. That leads to two places where things need to be patched. Within the board definition there is a comment segment, followed by some kind of pin definition.

Black Pill change for LED, maybe backport to gnuk
[https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987](https://hackaday.io/project/162597/logs)
schematics
https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca
[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79

----------mailgroup questions----------------
Get more than 32 bytes of random data from Gnuk?
https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
https://github.com/vletoux/OpenPGP-CSP/issues
https://incenp.org/dvlpt/scdtools.html

```
echo scd random 32 | gpg-connect-agent | xxd
```
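The `xxd` dump of the command above shows the agent's Assuan framing rather than bare random bytes: the payload arrives on `D ` lines with `%`, CR and LF percent-escaped. The following is an added example, not part of the original notes: it decodes that framing and joins several responses into one buffer. The sample responses are constructed, and `token_chunks` assumes `gpg-connect-agent` is installed and a token is attached.

```python
import re
import subprocess

_ESC = re.compile(rb"%([0-9A-Fa-f]{2})")

def decode_assuan(raw: bytes) -> bytes:
    """Return the payload of one response as printed by gpg-connect-agent.

    Data lines start with b"D "; '%', CR and LF inside the payload are sent
    as %25, %0D and %0A, so splitting on LF never cuts through payload bytes.
    """
    payload = bytearray()
    for line in raw.split(b"\n"):
        if line.startswith(b"D "):
            payload += _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), line[2:])
        elif line.startswith(b"ERR"):
            raise RuntimeError(line.decode("ascii", "replace"))
    return bytes(payload)

def gather(responses, want: int) -> bytes:
    """Concatenate decoded chunks until `want` bytes are available."""
    out = bytearray()
    for raw in responses:
        out += decode_assuan(raw)
        if len(out) >= want:
            return bytes(out[:want])
    raise ValueError(f"only {len(out)} of {want} bytes received")

def token_chunks(chunk: int = 32):
    """Yield raw responses from the token, one `scd random` call each."""
    while True:
        yield subprocess.run(
            ["gpg-connect-agent", f"scd random {chunk}", "/bye"],
            check=True, capture_output=True).stdout

# Constructed sample responses (not real token output): 4 payload bytes each,
# the first containing '%' and LF, which arrive escaped on the wire.
SAMPLE = [b"D \x01%25%0A\x02\nOK\n", b"D \xaa\xbb\xcc\xdd\nOK\n"]

if __name__ == "__main__":
    print(gather(SAMPLE, 6).hex())        # offline, constructed input
    # print(gather(token_chunks(), 64).hex())  # with a token attached
```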
--------------
### best practice
User PIN only with certificate
admin-less mode with a PIN of more than 8 characters; user PIN at least 6 characters
#### regnual firmware upgrade
```bash
koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password:
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b

Device:
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
  main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end 20003b00
Run flash upgrade program...
Waiting for device to appear:
Wait 1 second...
Wait 1 second...
Wait 1 second...
Wait 1 second...
Wait 1 second...
Device:
08001000:0bfffc00
Downloading the program
start 08001000
end 0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished

koelner ~/src/gnuk/tool $./usb_strings.py
Vendor: Free Software Initiative of Japan
Product: Gnuk Token
Serial: FSIJ-1.2.13-87123119
Revision: release/1.2.13-1-g3d06051-modified
Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
Sys: 3.0
```
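A post-flash check built on the `usb_strings.py` output above, as an added example that is not part of the Gnuk tools: it parses the `Config:` string and reports deviations from an assumed local policy (`dfu=no`, `debug=no`, expected target). It also assumes that the `-modified` revision suffix marks a build from a source tree with local changes.

```python
# Constructed input: the usb_strings.py output shown above, reused as sample text.
SAMPLE = """\
Vendor: Free Software Initiative of Japan
Product: Gnuk Token
Serial: FSIJ-1.2.13-87123119
Revision: release/1.2.13-1-g3d06051-modified
Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
Sys: 3.0
"""

# Assumed local policy, not a Gnuk requirement: options a production token must report.
REQUIRED = {"dfu": "no", "debug": "no"}

def parse_usb_strings(text):
    """Split 'Key: value' lines and expand Config into a target and an option dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    target, *opts = info.get("Config", "").split(":")
    info["target"] = target
    info["options"] = dict(o.split("=", 1) for o in opts if "=" in o)
    return info

def audit(text, expected_target, required=REQUIRED):
    """Return a list of findings; an empty list means the token matches the policy."""
    info = parse_usb_strings(text)
    findings = []
    if info["target"] != expected_target:
        findings.append(f"target is {info['target']!r}, expected {expected_target!r}")
    for opt, want in required.items():
        got = info["options"].get(opt)
        if got != want:
            findings.append(f"{opt}={got}, expected {want}")
    # Assumption: the suffix marks a build from a tree with uncommitted changes.
    if info.get("Revision", "").endswith("-modified"):
        findings.append("firmware built from a modified source tree")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "ST_DONGLE"):
        print("FINDING:", finding)
```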
#### openocd firmware flash
```
Make Gnuk
cm@system-legacy:~/src/gnuk/src$ ./configure --vidpid=234b:0000 --target=BLUE_PILL --enable-factory-reset --enable-certdo
./configure --vidpid=234b:0000 --target=ST_DONGLE --enable-factory-reset --enable-certdo --disable-sys1-compat
cm@system-legacy:~/src/gnuk/src$ make -j4
cm@system-legacy:~/src/gnuk/src$ make build/gnuk-vidpid.elf


Flash Gnuk
0. build it as described in the official documentation.
1. connect STLink and then the blue pill itself (GND, 3.3V, SWDCLK, SWDIO)
2. use openocd

$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x_stlink.cfg
-OR-
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg

3. telnet to openocd server
cm@system-legacy:~/src$ telnet 127.0.0.1 4444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> stm32f1x unlock 0
device id = 0x20036410
flash size = 64kbytes
Target not halted
> reset halt
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> stm32f1x unlock 0
target halted due to breakpoint, current mode: Thread
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
> reset halt
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
flash write algorithm aborted by target
flash write failed at address 0x8000002
flash memory not erased before writing
error writing to flash at address 0x08000000 at offset 0x00000000
> stm32f1x mass_erase 0
stm32f1x mass erase complete
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
target halted due to breakpoint, current mode: Thread
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
wrote 114688 bytes from file /home/cm/src/gnuk/src/build/gnuk-vidpid.bin to flash bank 0 at offset 0x00000000 in 3.447206s (32.490 KiB/s)
> reset halt
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08003264 msp: 0x20005000
> stm32f1x lock 0
target halted due to breakpoint, current mode: Thread
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x locked
> reset
> shutdown
shutdown command invoked
Connection closed by foreign host.
```
One-liner:
```
openocd -f interface/stlink.cfg \
  -c 'transport select hla_swd' \
  -f target/stm32f1x.cfg \
  -c 'adapter_speed 400' \
  -c init \
  -c 'reset halt' \
  -c 'stm32f1x unlock 0' \
  -c 'reset halt' \
  -c 'stm32f1x mass_erase 0' \
  -c 'flash write_bank 0 /home/koelner/Downloads/gnuk.bin 0' \
  -c 'stm32f1x lock 0' \
  -c reset \
  -c shutdown
```
#### links
- https://github.com/gl-sergei/u2f-token
- https://riseup.net/en/security/message-security/openpgp/best-practices
- https://blog.josefsson.org/tag/openpgp/
## gnuk root key station

rpi zero WH 1.1, CPU cooler, USB-A mod, USB hub HAT, 1.44 LCD with buttons
Optional hardware: NeuG as TRNG, keyboard, RTC

OS: DietPi
additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]

activate timedatectl 4
register i2c-rtc and usb-serial, login with dietpi:dietpi
```
root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
# Read the DS3231 RTC temperature (millidegrees Celsius) and print it in degrees.
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"
```
```
root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
# Variant piping into bc (integer result); the converted value is stored before printing.
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(echo "$rtctemp / 1000" | bc)
echo "RTC temp = $rtctemp"
```
First run

- Check for RNG pool
- create encrypted storage for the gpg folder [on a removable device]
  - with long passphrase
  - with the master key and PIN (afterwards)
- init gpg settings
- create master key
  - export as QR code for printing (on an SD card, USB stick)
  - copy it to GNUK token
  - N-of-M sharing
  - USB stick
- create hash over gpg folder and sign it
- remount as read-only

On a regular basis

- Unmount encrypted storage before update
- update only via terminal/(ssh)
--------------
[GUI] Main tasks are:

- unlock encrypted storage
- copy revocation certificate to unencrypted storage
- renew the sub key
- copy subkey to GNUK
- lock encrypted storage
- renew disable date

[GUI DEBUG]

- upgrade GNUK firmware
- git update
- git verify
- configure
- make
- upgrade via public key
- reinit GNUK token with saved openpgp data