Gnuk version 0.12
NIIBE Yutaka
gniibe at fsij.org
Fri May 13 05:15:51 CEST 2011
Hi,
Gnuk version 0.12 is out.
Gnuk is software implementation of a USB token for GNU Privacy Guard.
Gnuk supports OpenPGP card protocol version 2, and it runs on STM32
processor.
Highlights are (in gnuk-0.12/NEWS):
* Admin-less mode is supported
The OpenPGP card specification assumes existence of a security
officer (admin), who has privilege to manage the card. On the other
hand, many use cases of Gnuk are admin == user.
Thus, Gnuk now supports "admin-less" mode. In this mode, user can
get privilege with the password of PW1.
At the initialization of the card, Gnuk becomes compatible mode by
setting PW3. Without setting PW3, it becomes "admin-less" mode
by setting PW1.
* tool/gnuk_put_binary.py now uses pyscard
Instead of PyUSB, it uses Python binding of PC/SC. PyUSB version is
still available as tool/gnuk_put_binary_libusb.py.
* Logo for Gnuk is updated
* Gnuk Sticker SVG is available
And we have FAQ now (in gnuk-0.12/README):
Q0: How Gnuk USB Token is superior than other solutions (OpenPGP
card 2.0, GPF Crypto Stick, etc) ?
http://www.g10code.de/p-card.html
http://www.privacyfoundation.de/crypto_stick/
A0: IMRHO, not quite. There is no ready-to-use out-of-box product.
(It is welcome for me that some vendor will manufacture Gnuk USB
Token. Even I can help design of hardware, if needed.)
Good points are:
* If you have skill of electronics and like DIY, you can build
Gnuk Token cheaper (see Q8-A8).
* You can study Gnuk to modify and to enhance. For example, you
can implement your own authentication method with some sensor
such as acceleration sensor.
* It is "of Free Software"; Gnuk is distributed under GPLv3+,
"by Free Software"; Gnuk development requires only Free Software
(GNU Toolchain, Python, etc.),
"for Free Software"; Gnuk supports GnuPG.
Q1: What's kind of key algorithm is supported?
A1: Gnuk only supports 2048-bit RSA.
Q2: How long does it take for digital signing?
A2: It takes two seconds or so.
Q3: What's your recommendation for target board?
A3: Orthodox choice is Olimex STM32-H103.
If you have skill of electronics and like DIY, STM32 part of STM8S
Discovery Kit might be the best choice.
Q4: What's version of GnuPG are you using?
A4: In Debian GNU/Linux system, I use gnupg 1.4.11-3 and gnupg-agent
2.0.14-2 (in sid). With older versions, you can only sign with SHA1.
See: http://www.fsij.org/gnuk/gnupg2-fixes-needed
Q5: What's version of pcscd and libccid are you using?
A5: In Debian GNU/Linux system, I use pcscd 1.5.5-4 and libccid 1.3.11-2,
which is in squeeze. Note that you need to edit /etc/libccid_Info.plist
when using libccid (< 1.4.1).
Q6: What kinds of hardware is required for development?
A6: You need a target board plus a JTAG debugger. If you just want to
test Gnuk for target boards with DfuSe, JTAG debugger is not
the requirement. Note that for real use, you need JTAG debugger
to enable flash ROM protection.
Q7: How much does it cost?
A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so.
Q8: How much does it cost for DIY version?
A8: STM8S Discovery Kit costs 750 JPY (< $10 USD) only. You can build
your own JTAG debugger using FTDI2232 module (1450 JPY), see:
http://www.fsij.org/gnuk/jtag_dongle_ftdi2232
Q9: I got an error like "gpg: selecting openpgp failed: ec=6.108", what's up?
A9: GnuPG's SCDaemon has problems for handling insertion/removal of
card/reader (problems are fixed in trunk). When your newly
inserted token is not found by GnuPG, try killing scdaemon and let
it to be invoked again. I do:
$ killall -9 scdaemon
and confirm scdaemon doesn't exist, then,
$ gpg-connect-agent learn /bye
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: </pipermail/attachments/20110513/c1ce65b3/attachment.pgp>
More information about the Gnupg-devel
mailing list