I'm Mikey, but I have a special reason why I have RSV-200 Big Key. Yes. And it is a title tradition for Japanese or Chinese that our presentation, I apologize for my stage. Ah, usually you guys are in US countries that present their presentation by some jokes. It's a different culture. And yes, in our culture, the 2KT considers good. And my concern, my major point is that key sizes are important culture, true. But it is a simple culture among others. And I care how I wear to put my driver. And my concern is how I can control my own recommendations. It matters a lot. And however, here we have a dilemma. Better control versus users' computing freedom. I mean that the smart card is considered better for your security. And it's better controlled with computation inside a special purpose computer, not on your general part of the computer. But the card readers tend to be proprietary. And the card itself tends to be proprietary. And the access to the technical documents for crypto-engine, crypto-accelerator, tend to require non-disclosure agreement between semiconductor chip vendors. Fortunately, the protocol itself is publicly available thanks to a team who wrote their documents. And the free implementation of the driver, the host receiver, is in place of there. So basically we have a dilemma. Should we use proprietary card readers or reading using a general purpose computer for a quick computation? So my original purpose for token is that I wanted to change the group of this station. But these days, you see, in the Debian community, basically the standard is 4,000 kb. And now we have another dilemma. Longer PNs versus better controls of private key migrations there. But my hope is that in Sengonaka, let's say, a one-year or a half year or a one-year, we won't have such those kinds of dilemmas anymore. And when we introduce Ed25519 and Curve25519, it is okay for the Debian community about their threats that we will have more. 
Better control and computing freedom and compared to Debian standard or Debian culture. That's my hope, perhaps, until Sengon in Germany. And that's the story of my executes. And let me explain in detail. I'm talking about Gnuk, which is a software implementation of OpenPGP card protocol. And the FST-01 is a reference hardware which is PCB designed under Creative Commons. Yes, and NeuG is RUNU-01 version of the presentation. And the FST-01 is a happy machine. This is another story. What is this? Is it higher? Yes. It is the Debian logo in your machine. But this is not totally related to crypto. This is just a happy machine. And the code is available at my site, or in the audience. The FST-01 is available from Chinese. It's a company. It's for something like five years old. And it only sells 10 pieces at my shop. Can you see the label? Yes. Can you see the one before? Yes. Can I see the one before? The one. Do you need medical or tutorials? Of course. Do you object to a beam string? Okay. It's available there. It's available there. It's available there. And the shambanya. So we might have a session about that. We discussed there. We discussed about the possibility of tips like that. Do you have a campaign? Yes. In this way? And it's on already? Does it work? Thank you. But see, it doesn't sell a lot. And actually, I had a campaign from November to this June. And for selling random number generator, stand-alone device. But it says 1.5 pieces per month. So I don't think... But it's just a Japanese market. So I don't know. But the Gnuk token sells better than random number generator. Yes. And here's the history. I got OpenPGP card version 1 in Germany, Karlsruhe. The conference name is Winnockstark. And I found that it is very useful. And it is secure. But unfortunately, it requires proprietary card readers. Or the implementation itself is proprietary. Yes. So I wanted to change the situation. And I tried using ATmega in 2008. 
But it takes five seconds or more for RS-810 1K key. Yes, I demonstrated it in India and in Tokyo in 2009. And I changed my controller to superior one, STM32. And ATmega is just 8-bit computer. And this is the STM32 is ARM-based 32-bit computer, which runs at 72 MHz. And it's OK for me. At that time, it requires 2.2 seconds to sign. And now it... Now it requires... It takes 1.4 seconds to sign for 2K key. Yes. I demonstrated it at FOSSASIA at Saigon. And then I joined a GnuPG development to improve the situation of the PC side, host side. Yes. At that time, GnuPG only supports 2K key for the card, even though the card itself supports 4K key. And in 2011, I discovered... Do-it-yourself way for Gnuk. How to say? Abusing existing kit. We have an educational kit. Yes, this one is educational kit for 8-bit computer. This part, we have an 8-bit computer. And this board, the prices are less than 10 US dollars. But fortunately, we have a dongle here. And it uses 32-bit computer. Yes. It's somehow funny relationship. Yes. This is main board computer with 8-bit capability. But the dongle uses 32-bit computer. We found this. And we found the way to take advantage of this part. Yes. Yes, so I wrote this document. How to use this 32-bit computer for Gnuk in 2011. And I promote this new way. How to say? This is a kind of hack against semiconductor chip vendor. And if you have some skill, it doesn't require superior skill. If you have some basic skill of electronics, I really recommend this way to produce your own Gnuk token. And basically it's simple. Here is a USB cable and cut it off. And then using this board and make it small and connect the cable. That's all. And actually here is an implementation. Yes. So since 2011, I recommend my friend this way of putting their own private key, OpenPGP key. But many other usual normal people complain. It's too hackish or... It's against semiconductor vendor, perhaps, somehow. 
So I designed my own hardware, reference implementation. It was in summer in 2011. Yes. And I claim that here we have a free design. Please use this PCB design to build your own token. But people still complain. You see that it is impossible for us to manufacture the Gnuk token, even if the hardware design is free hardware design. So I asked manufacturing in the Chinese factory to manufacture, I mean in production, many mass production in 2012. At that time I expected that the people who complain should buy my product. But it turns out the people who complain is basically complain. I figure out. Yes. So now we have a free software implementation for token, cryptographic computation, as well as we have a free design for reference implementation. And then at that time we had no good random number generator. So at that time Gnuk didn't have a feature of key generation by the device itself. We always have to put our key from generated on our PC, and we register, we upload our key into the device. That was our way. Fortunately RSA doesn't require any entropy when we sign the key. Yes. I have to, around 2012 I was trying to implement ECDSA for better security, but ECDSA requires some entropy even for signing, not only key generation but also for signing. Thank you. So I implement NeuG. NeuG is an implementation of a true random number generator. And I had a campaign in Japan for the better entropy. Yes. That's a history. And let me explain the Gnuk more. Sometimes people expect one-time password token when we say token, or cryptographic token, but it's not one-time password token, but a token for OpenPGP. And it is, yes, this is my statement. It's by free software, it's for free software, and it's free software. Gnuk itself is free software, and we don't require its developers. No proprietary software is, we don't require, we require no proprietary software such that development environment. 
And in version 1.0, we use ChibiOS/RT for thread library, and PolarSSL for AES and RSA, and we use the SHA-2 implementation by Brian Gladman. And in 1.1, I use my own thread library, and I wrote the implementation of Ed25519 and Curve25519. Yes. And let me introduce NeuG. NeuG is the name of a set of routines for true RNG. It is used in Gnuk, and as well as I use NeuG for NeuG standalone device. It's written in C, and it's for STM32F103 only, specifically. But perhaps it could be, it could run on other STM32 process microcontrollers. And it uses output of AD converter as a source of entropy. If you have some experience using AD converter, the LSB has always unstable. The least significant bit of AD converter output is always unstable. So it is considered, we can take some entropy from AD converter. And we use built-in temperature sensor and built-in voltage reference and unconnected analog inputs as a source of analog inputs. Yes, putting those analog values together into conditioning components of SHA-256, we generate random number sequence. Yes, and here is the reference. Sometimes people don't like this organization, but the document itself is very good. Yes, usually we used to have a good document by German standard, German information technology standard agency or something like that. Speaking about the true RNG, the German standard is very difficult to implement into such a small computer. They require higher standard, basically they require examining the bit by bit, how to say. The examining and evaluate the random number sequences heavily and it requires more CPU power. Yes, so generating would be easier than examining the random number sequences and the German standard is very difficult to implement onto the smaller device. On the other hand, this standard, its status is just a draft but it doesn't require much testing in runtime testing. So it is okay. It is in practice easily implemented onto the smaller device. 
Yes, and generally I tested generated sequences on PC using the Dieharder or traditional STS test-free and we have a TestU01 and another one at SourceForge called named PractRand. PractRand is not that popular but this one is very good. Testing suite. Yes, and the standalone device just use CDC, I mean communication device class, so it's plain byte-stream. Yes, so no special driver is required using NeuG standalone device. Yes, and by changing the TTY deciphering, we can select raw ADC data or after CRC32 filter or SHA-256 filter. We can select. Yes, and that is basically my explanation. I want to demonstrate somehow. Yes, I already demonstrated the UI. Usually I always bring my key. Yes, and this is the one. I use the cover of eraser, so it's a kind of camouflage. Yes, please. I was wondering if you have any of these for sale here. Yes, but I am afraid that it's against the code of conduct or something. Is it okay to sell here? Yeah. I am afraid that the university has some code. This conference is not for commercial activities. Is that okay? Something between you and anyone? Just between individuals, that's okay. I'm not trying to turn into a sales talk. I'm just curious to know if you have. I have, I have. How much? That's 35 US dollars. Actually, we have two, the NeuG standalone device, NeuG standalone device and the Gnuk token. Yes, but here we have an issue. I have to explain that the GPL version 3 requires when you distribute code, binary code, say, I have to distribute the GPL version 3 itself together. So actually, if you have a computer, you can try this one. I put GPL 3 together with NeuG. And when you insert that one, the standard mass storage device pops up and it includes GPL version 3 to conform GPL version 3. After that, you can use the NeuG standalone device. So it's somehow complicated and it is introduced after NeuG and I have to say that Gnuk token doesn't have that feature. So I need to comply with GPL version 3. 
I need to output GPL version 3 in paper and I have to give you GPL version 3 together with Gnuk token when I sell. That's somehow the practice. So I should explain another term. It's in the transparent tube. I sell FST-01 in three ways. One is bareboard and another is the one in the transparent tube. And another one is with enclosure, but it is open. So it's transparent and open. That's my point. Yes. And I should demonstrate online. Yes. Where is my eraser? Yes, my eraser. Yes. I don't say this is my key. This is my eraser. So I just put my eraser into this computer and here is the output of card status. And it's only 2KT. And here is my fingerprint. Yes. This is the card number. Card number is defined by ISO standard. And this number is for our organization, FSIJ. So I asked my number, F517. It looks like FSI and J. Yes. Similar. And then I'm using this token for SSH access too. Actually, I'm using this portal box and it takes 1.4 seconds to sign. I input my passphrase and it takes 1.4 seconds. And I can access the SSH server by SSH. So see, it is acceptable. It doesn't take so long time. Yes. So the signing is similar. See, I made this yesterday. Yes, let's try. Yes. Sign it again. No, no. It takes about 1.4 seconds. Yes. So I think that it is okay to use. Yes. But it is only using RSA 2KT. Yes. And I also demonstrated the NeuG standalone device. You tried to measure the time for 4KT. Yes. I measured 4KT not for full stack, but just I measured the time for using debugger. For the RSA computation routine only. And it takes more than 5 seconds. More than 5 seconds. Yes. So that's maybe too slow. But for me, it's not my option. Perhaps for signing, it would be okay. But for using SSH access, it's not my option. 5 seconds are considered too long for me. Yes. So let me show you the NeuG standalone device. Standalone device. Okay. Yes. How many keys can you put on the card? Three. The question was how many keys can you put on the card? It is OpenPGP card compatible. 
OpenPGP card can handle three keys. The primary key, key for decryption and key for authentication. So we can put three private keys onto this card. Yes. So it seems like that might make it difficult to do key rotation, in particular if you wanted to have a second encryption key that you started to use as you were fading out your old one. You still wanted to be able to decrypt your old messages. That's a very good question. Yes. People sometimes use such a practice for keys on PC. But OpenPGP has... It's the scenario of OpenPGP card is limited to just three keys. So you can change the encryption key on the... The three key registered on the card can be changed one by one. But the only three key can be possible to store. Okay. Is there any thought about changing that to permit... In theory, it isn't that hard to change the capability. Say supporting more keys is basically not that hard in terms of Gnuk implementation. But we need to change the specification of the OpenPGP card. And we need to somehow standardize the way to handle keys on the OpenPGP card. Okay. And would the discussion for that take place on gnupg-devel? No. Where does this standardization discussion happen? Between me and Werner Koch and Achim. Okay. These three discussed. And our consensus is that it would be better to use gpg-agent protocol itself directly by USB. Currently we use the card protocol. Yes. But it would be better to just implement gpg-agent protocol directly by USB. Yes. That's our consensus now. I like that. And then that would permit you to put arbitrary numbers of keys on the card. Yes. Yes. It will be transparent. The hardware or the specific hardware or the storage on general purpose PC, it will be transparent. Okay. Thanks. Yes. A question. I wonder if you plan to support 4,000 keys. Yes. Because right now, for example, I have a Crypto Stick from Germany. And it's okay, but right now it's out of stock. I wonder if there are other alternatives to the device? 
There are some... These days we have multiple implementations for OpenPGP card. Yes. I mean the original implementation was done by Achim, by the card. And also the German guy produced a Crypto Stick. Yes. But unfortunately it's out of stock. But using Crypto Stick, you can... Although the card implementation itself is proprietary, the card reader implementation is free software implementation. Yes. And these days, Yubico, you know the company Yubico. Yubico has an implementation of the OpenPGP card protocol. They have a device for such a crypto computation by their product. And there are another implementation by Java. There are some activities around smart card using Java as a language to implement those features. And it would be possible to use some Java card implementation to use OpenPGP card protocol. Yes. But my recommendation is that Gnuk is stable enough now. And I think if I remember correctly, last month or two months ago, we introduced someone send us patch to support another HSM hardware security module for OpenPGP. So perhaps the newest version of GnuPG supports another hardware security module. So we now have multiple selections. And some of them support 4K key. Luckily. Yes. And now I open the file manager. And here we have a GPL inside the device. And the readme. And when I unmount this storage, now the CDC is available here. The NeuG True RNG. The manufacturer is Free Software Initiative of Japan. And we can access ttyACM0 for random number stream. And here is a point. Our organization FSIJ has a vendor ID. Yes. For USB. Yeah. And because I have a configuration here for udev, the script automatically runs when I insert NeuG standalone device. And here is a script to invoke RNG daemon for this device. So now this computer has enough entropy from the device. And RNG daemon watches its quality. Yes. So it's just a plug and play device for better entropy. Yes. But I'm afraid that people usually don't buy such a gadget. Yes. 
People prefer cryptographic device than entropy device, it seems. Yes. But you guys, hackers love entropy device, perhaps. Well, are there questions or suggestions or comments? Yes, please. What is the maximum key size? Of GPG. For the Gnuk. Gnuk is 2K, only support 2K. Okay. Yes. Does the Gnuk contain the random number generator at the same time? Yes. So you can buy it separately or with the Gnuk? It is possible to use random number generator on the Gnuk, but we need some special driver. The protocol is based on basically the card reader protocol. So the NeuG standalone device would be easier because it's just a stream of random byte. Yes. So if you write some driver, then you can take advantage of the Gnuk and because Gnuk includes the random number generator, you can use it. Yes. I don't know enough about the actual USB protocol. Would it not be possible to present two different endpoint devices from the Gnuk, one of which looks like... It is possible to have two different devices on the same channel. But in theory it is possible, but the current implementation doesn't do that. Okay. Yes. But it requires more... It is possible in theory, but in practice we require... We need to change the implementation and the implementation will be more complex. And my idea is that basically I want to keep the code as simple as possible. Yes. That's fair. For an important device like a cryptographic token, I can see that. Yes. The elliptic curve implementation would require different hardware from the existing Gnuk that does the RSA. The Gnuk supports multiple hardware. At the start I didn't have my own reference hardware, so I started by the general purpose evaluation board. Then I found some hackish way of using an educational board, and then after that I built my own reference implementation. So rather it is easy to port Gnuk to other evaluation board or your own board. Yes. Gnuk doesn't require special things. Yes. And the NeuG also requires special hardware. 
It uses just an AD converter, and our entropy source is not a diode, just an ADC. So it's simple to port. Yes. So I think that it's very much fun to use the code itself. Yes. So I'm running out of time, so please feel free to discuss later in person. Thank you very much.