143 lines
4.3 KiB
Markdown
143 lines
4.3 KiB
Markdown
---
|
|
keywords:
|
|
- IT
|
|
- Security
|
|
---
|
|
## gpg usage
|
|
```bash
|
|
add to gpg.conf: keyserver hkps://keys.openpgp.org
|
|
gpg --refresh-keys
|
|
```
|
|
## Gnuk
|
|
Passport-opensc:[ https://javacardos.com/tools/passport]( https://javacardos.com/tools/passport)
|
|
Black pill pin : https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png
|
|
|
|
|
|
https://hackaday.io/project/162597/logs
|
|
the page mentioning a single free PA pin, the PA5. All other Pins seems to be PBs.
|
|
However, chopstx defines the boards and the ack-button. That leads to two places where to patch things. Within the boards definition where is a comments segment, afterwards somehow a pin definition.
|
|
|
|
Black Pill change for LED, maybe backport to gnuk
|
|
[https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987](https://hackaday.io/project/162597/logs)
|
|
schematics
|
|
https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca
|
|
[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79
|
|
|
|
----------mailgroup questions----------------
|
|
firmware upgrade with public RSA --> lost of all data?
|
|
upgrade manual?
|
|
get random data from gnuk more than 32byte?
|
|
https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
|
|
https://github.com/vletoux/OpenPGP-CSP/issues
|
|
https://incenp.org/dvlpt/scdtools.html
|
|
|
|
|
|
```
|
|
echo scd random 32 | gpg-connect-agent | xxd
|
|
|
|
```
|
|
-----------------
|
|
Nutzer PIN erst mit Zertifikat
|
|
adminless Modus mit PIN über 8 Zeichen, User Pin min 6 Zeichen PIN
|
|
|
|
---------UPGRADE----------—
|
|
```bash
|
|
koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
|
|
Admin password:
|
|
../regnual/regnual.bin: 4432
|
|
../src/build/gnuk.bin: 111616
|
|
CRC32: b548ca7b
|
|
|
|
Device:
|
|
Configuration: 1
|
|
Interface: 0
|
|
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
|
|
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
|
|
20002a00:20005000
|
|
Downloading flash upgrade program...
|
|
start 20002a00
|
|
end 20003b00
|
|
Run flash upgrade program...
|
|
Waiting for device to appear:
|
|
Wait 1 second...
|
|
Wait 1 second...
|
|
Wait 1 second...
|
|
Wait 1 second...
|
|
Wait 1 second...
|
|
Device:
|
|
08001000:0bfffc00
|
|
Downloading the program
|
|
start 08001000
|
|
end 0801b400
|
|
Protecting device
|
|
Finish flashing
|
|
Resetting device
|
|
Update procedure finished
|
|
|
|
koelner ~/src/gnuk/tool $./usb_strings.py
|
|
Vendor: Free Software Initiative of Japan
|
|
Product: Gnuk Token
|
|
Serial: FSIJ-1.2.13-87123119
|
|
Revision: release/1.2.13-1-g3d06051-modified
|
|
Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
|
|
Sys: 3.0
|
|
```
|
|
|
|
-------
|
|
https://github.com/gl-sergei/u2f-token
|
|
https://riseup.net/en/security/message-security/openpgp/best-practices
|
|
------
|
|
gnuk root key station
|
|
|
|
rpi zero WH 1.1, CPU-Kühler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons
|
|
Optional hardware: NeuG as TRNG, keyboard, RTC
|
|
|
|
OS: DietPi
|
|
additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]
|
|
|
|
activate timedatectl 4
|
|
register i2c-rtc and usb-serial, login with dietpi:dietpi
|
|
|
|
-------------
|
|
root@gnupg-root:~# cat hwmon-ds3231.sh
|
|
#!/usr/bin/env bash
|
|
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
|
|
rtctemp=$(bc -l <<< "$rtctemp / 1000")
|
|
echo "RTC temp = $rtctemp"
|
|
-----------
|
|
|
|
First run
|
|
Check for RNG pool
|
|
create encrypted storage for the gpg folder [on a removable device]
|
|
-with long passphrase
|
|
-with the master key and PIN (afterwards)
|
|
init gpg settings
|
|
create master key
|
|
-export as QR-Code for printing (on a SDcard, USB Stick)
|
|
-copy it to GNUK token
|
|
-N-of-M sharing
|
|
-USB-Stick
|
|
create hash over gpg folder and sign it
|
|
remount as read-only
|
|
|
|
regulary base
|
|
Unmount encrypted storage before update
|
|
update only via terminal/(ssh)
|
|
|
|
|
|
--------------
|
|
[GUI] Main task are:
|
|
-unlock encrypted storage
|
|
-copy revocation certificate to unencrypted storage
|
|
-renew the sub key
|
|
-copy subkey to GNUK
|
|
-lock encrypted storage
|
|
-renew disable date
|
|
[GUI DEBUG]
|
|
-upgrade GNUK firmware
|
|
-git update
|
|
-git verify
|
|
-configure
|
|
-make
|
|
-upgrade via publickey
|
|
-reinit GNUK token with saved openpgp data |