[Cryptography] How to use FST-01?

ianG iang at iang.org
Sat Jan 18 03:30:08 EST 2014


On 17/01/14 23:49 PM, Paul Elliott wrote:
> 
> Over the Holidays I received a Flying Stone Technology 01.
> 
> 
> It is apparently a very small computer connected to a usb port.
> 
> It apparently has 2 applications and both have relevance to
> crypto.
> 
> 1 Gnuk, Cryptographic USB Token
> 
> 
> 2 NeuG, a True Random Number Generator Implementation
> 
> 
> All of the published software is GPLed.
> 
> I have a number of questions:


Why don't you try all of these things and let us know the results?  I
suspect that would be easier.

When it comes to the combination of two exotic pieces of hardware,
you're not likely to find someone expert in both...

iang



ps; reminds me of what the hardware guys used to say:  suck it and
see.  A sadly lost art...


> How do I set up the FST-01 to be a hardware RNG? How do I use?
> 
> Will it work with my Raspberry PI?

> If my Raspberry PI has a 1 amp power supply, can I plug the 
> FST-directly into it or do I need to use a powered usb hub?
> 
> Raspberry PI are notoriously finicky about their power, a small 
> voltage drop causes the PI to fail. There are many usb devices that
> can not be directly plugged into a PI. Is the FST-01 one of these?
> 
> 
> What is the reason for GnuK? What is the use case?


A cryptographic (hardware) token is designed to carry your GPG (or
similar) high level signing keys on it.  When you plug it in, the hope
is that your email program will then be able to ask for signatures and
get decryptions of incoming mail done.  When you take it away, your
email program won't be able to do that.

So your host machine is now no longer solely responsible for
protecting all your keys.  If your computer is stolen, then as long as
you have your USB token in your pocket you are still 'secure'.

Sticking the keys on an external device gives a small measure of
security.  As we know, most host platforms are subject to all sorts of
malware, so we can expect most users' machines to be easily scanned
for keys.  Unfortunately it isn't much more security, because the
malware can simply sit there and wait until the USB stick is plugged
in and then ask for all the sigs/decrypts it wants.  It maybe can't
get the keys, but it can act as if it is in control of the keys.

( The old rule is that a key controller has to also have a keypad and
a display so that it can show what it is being asked to do to the
human, and it can wait for the OK button to be pressed.  That's called
transaction authorisation, and a variant is typically used by advanced
(European) banks with mobile phones to defeat MITB. )


> What is a Cryptographic USB Token?
> 
> Can I setup my FST-01 to be either a GNUK or a NEUG depending on
> the desire of the moment?
> 
> Thank You for considering these questions.


