name: inverse
layout: true
class: center, middle, inverse

---

# SmartCard, OpenPGP and Security

.right[\---- _by Hatter Jiang_]

---
layout: false

# Agenda

* SmartCard
  * Java Card
* OpenPGP
  * PGP
  * GnuPG
  * OpenPGP Card
* Security
  * Email
  * SSH
  * 2FA
  * U2F
  * Git
* SE in Web Application
  * Cross-Platform
  * Trusted Services

---

# SmartCard

Smart card: the general term for a plastic card, usually credit-card sized, with an embedded microchip. Some smart cards carry a microelectronic chip, and the card exchanges data with the host through a card reader. A smart card has its own CPU, RAM and I/O, so it can process a fair amount of data by itself without interrupting the host CPU; it can also filter out bad data to lighten the host CPU's load, which suits settings with many ports and a need for fast communication.

The integrated circuit on the card contains a central processing unit (CPU), programmable read-only memory (EEPROM), random-access memory (RAM) and a Chip Operating System (COS) fixed in read-only memory (ROM). The data on the card is divided into a part that can be read externally and a part that is processed internally.

---

# SmartCard Sample
---

# Java Card

Java Card technology lets smart cards and similar devices run small Java applets in a security-protected manner; it is also widely used in SIM cards and bank cards. The Java Card Virtual Machine (Java Card VM, or JCVM) is a subset of the standard Java virtual machine; it interprets and executes the Java applet and returns the result, so its footprint must be small enough to fit inside a smart card.

Java Card technology was designed from the outset to protect the private, sensitive data stored on the card. Chip applications in both telecommunications and finance now rely on Java Card technology to protect the information they store.

---

# PGP

PGP (Pretty Good Privacy) is an email encryption program based on the RSA public-key cryptosystem. It can encrypt mail so that unauthorized parties cannot read it, and it can add a digital signature so that the recipient can confirm who sent the mail and that it was not tampered with.

Pretty Good Privacy, or PGP, was written by Phil Zimmermann in 1991 and released to the Internet community as free software. This made him the target of a three-year criminal investigation: once the free release of PGP had spread around the world, the US government held that the encryption software violated export controls.

---

# OpenPGP

OpenPGP is a non-proprietary protocol for encrypting email with PKI. The OpenPGP protocol defines standard formats for encrypted messages, signatures, private keys and the certificates used to exchange public keys. It is based on the PGP originally developed by Phil Zimmermann.

## Reference: [OpenPGP Message Format](https://tools.ietf.org/html/rfc4880)

---

# OpenPGP cont.
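Every OpenPGP message or signature sent by mail travels inside the ASCII armor defined in RFC 4880 section 6 (the Email slides later in this deck show two such blocks), and the armor ends in a CRC-24 trailer that lets a receiver detect a block damaged in transit. As an added example, not code from these slides, this parser splits an armored block into its type, headers and decoded payload and rejects one whose CRC-24 does not match; the `armor()` builder exists only to construct test input.

```python
"""Parse an OpenPGP ASCII-armored block (RFC 4880 section 6) and check its
CRC-24 trailer.  Added example; this is not code from the slides."""
import base64
import re

CRC24_INIT = 0xB704CE      # initial value, RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB     # generator polynomial, RFC 4880 section 6.1


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(kind: str, headers: dict, payload: bytes) -> str:
    """Build an armored block; used below only to construct test input."""
    body = base64.b64encode(payload).decode()
    lines = [f"-----BEGIN PGP {kind}-----"]
    lines += [f"{k}: {v}" for k, v in headers.items()] + [""]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    lines.append(f"-----END PGP {kind}-----")
    return "\n".join(lines) + "\n"


def parse_armor(text: str) -> dict:
    """Return type, headers and payload; raise ValueError on damage.  For a
    clear-signed message the search lands on the inner PGP SIGNATURE block."""
    pat = (r"-----BEGIN PGP ([A-Z ]+)-----\n((?:[^\n]+\n)*)\n(.*?)"
           r"-----END PGP \1-----")
    m = re.search(pat, text.replace("\r\n", "\n"), re.S)
    if not m:
        raise ValueError("no armored block found")
    headers = dict(ln.partition(": ")[::2] for ln in m.group(2).splitlines())
    body = [ln.strip() for ln in m.group(3).splitlines() if ln.strip()]
    if not body or not body[-1].startswith("="):      # "=XXXX" CRC-24 trailer
        raise ValueError("missing CRC-24 line")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: armor is corrupted")
    return {"type": m.group(1), "headers": headers, "payload": payload}
```

A single altered base64 character changes at most one payload byte, which a CRC of this length always detects; a real client still verifies the signature or decrypts afterwards, the CRC only catches transport damage.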
---

# GnuPG (GPG)

GNU Privacy Guard (GnuPG or GPG) is encryption software, a GPL-licensed replacement for the PGP encryption software. GnuPG follows the OpenPGP standard defined by the IETF and is used for encryption, digital signatures and generating asymmetric key pairs.

GnuPG was originally developed by Werner Koch.

For Mac OS: <https://gpgtools.org/>

---

# OpenPGP Card

<http://g10code.com/p-card.html>

The OpenPGP Card is a specification of an ISO 7816-4,-8 compatible smartcard and also an actually available implementation of this specification as a standard sized card.
---

# Email - Encrypt

```
-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org

hQIMA8N6kJ6vG/sAARAApCXzcbJeLEYe9/2ANavdQNMkVZGySiSxqGEmPq7JY8Ih
nuXCSUj6DnMlLX88MZ966DETe5MA9lnReWcVrO61EwNxlwAy+zfnkZNowO8qjxp/
AD4GPVkWV+q1vWVwfjUE6kinSsNhbLgMVoG6ObcKsJbFSo6Sv7BclkrZZXB2N3uO
fN+GPCHP0gaxhei8D8dv0gQXH3UgkaDiXMoAbPowa7u7ixB5SMzxvEWAHU/QgFL9
RElqo1vNJfTDxQvBAQocFTRxu5xq4YUTHAQTS/cRLqBw2KzhJbuOjjTNv9fNlwnj
8cVhM4We3IkzK9iSQ6yIEL/Cn9d8tVtBQUvNu7lCMRVh8Cc1bIRRn5Z/Oz1EWleU
fwdJBG9+gTwk0GuBddxJ1ugXfLRBJvwPXxsyzjubmbNVHEkqYA2hbYN2ZKWlGiuD
eqLpRGX91BKcDJtJW0McSTYYtVxBS4oUcs9YnKEKMPc5erfIe6fqQ6uQLt5QamWP
KXblJTlIgRZ7dJqBz2UVqEt8/mGYeOwBAq/oh3Wk+EC6TNlfJrztT5kNMNKzgvqk
wuReAAZx7g0QhWzKjRnCV6jL9OrMcM0OyKuNYbb/wRGpoi/k5ZRCXyeu5g32fgHw
QIJ6K8bZypKT6k84McTA3oihQVrYFfM009LwAuffi751yq54vpRCC2rucjR8OUfS
RgEUyYaChNY7oiI+5i7QgYbU2M9/0WT7whKuepNvsljCuP3+Ka1QRr5TFXVRhGCj
KxjBvxYF9XoBc2OGBhK8uBRGTEOyvoE=
=Gqp+
-----END PGP MESSAGE-----
```

---

# Email - Sign

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello World
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJXFRsQAAoJEMeUsWRqiGzWwbEP/1YTnl3FZvtMW0TTw4zswBKZ
cbAYTGEfU9YU4vhUnHxUkXmzfoddQ1q1VGNQf61czkrEH2se7aGKxO8R76lBALNj
DoV4U7xvEmkaCrMS0djv4fxcAkrfTHYHsXoMQC6iqXYttGWf1viTAnvAd7gnPIMP
bjJa8vu8NPRfvio8U+Wtk+uQs2wWn1BCpQg7kDjWibb/CkPUb9iemh8c18Wq9q/n
xcxxl/ZsvpO4GzVdoH6C62s1Uc1siacENk+Z1NLVF0j7mqoEyzqnJtcV/Xvsc5Ab
WzQqB7v4ZDeXDkoFZeVOevysmvrWAbWVhgLNWibrjnrGHBqEnAgB/gVAv/EHWQ0d
MPaoJsdZd/2q8WsCKu+rZLaeCjmkxzl7FH9/Qtn7j5bxey05qQHnvIQjImjlkJyB
grj+7dyYoAN+7I+Ts9GMztLnWS1UVK6I9gzC+6HpiKNCnugECQCBaIzP1npxd6AV
AC/6I4lAqkWZR5cZMsp02qpNbLj/mj0VTz5cg060G/0Y/zJEIxYlHKLFnWUbP74s
NADFtvJPF6tbCd59N4DpHaDsXsy7gCdaIcO45/Hy/fSOuGTT3hFOqGJpwPOiLcS8
/xPbe8EQy/GKnunyby9gsNa9uo6yVQ5PDYB0mo+WqgFHBWwK+lsXnpwcV5yQ78j8
HfoLM1E7b1a3FdZ8Y0KF
=mwnu
-----END PGP SIGNATURE-----
```

---

# 2FA
---

# 2FA - cont.

---

# U2F
.footer[<https://fidoalliance.org/>]

---

# SSH

```
$ ssh root@x.hatter.zj.cn
Last login: Fri Apr 8 23:00:00 2016 from 36.23.32.*
Welcome to aliyun Elastic Compute Service!
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[root@ixxxxxxxxx ~]#
```
---

# SSH - cont.

```
$ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
$ pkill gpg-agent
$ export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
$ gpgkey2ssh XXXXXXXX
-OR-
$ ssh-add -L
```

Add the string printed by `gpgkey2ssh` or `ssh-add -L` to the `~/.ssh/authorized_keys` file on the target server.

---

# Git
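For the SSH slides above: the line that `ssh-add -L` or `gpgkey2ssh` prints is what ends up in `authorized_keys`, so it is worth checking, before pasting it, that the type label matches the key blob and that an RSA key is large enough. Added example, not code from the deck; the 2048-bit minimum is a policy assumption, and `make_rsa_line` builds a constructed test key that is not a usable key pair.

```python
"""Check an OpenSSH public-key line (as printed by `ssh-add -L` or `gpgkey2ssh`)
before trusting it in authorized_keys.  Added example, not code from the deck."""
import base64

MIN_RSA_BITS = 2048                     # policy assumption made for this example


def _ssh_strings(blob: bytes) -> list:
    """Split a key blob into its SSH wire-format strings (uint32 length + bytes)."""
    fields, pos = [], 0
    while pos < len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields


def inspect_pubkey_line(line: str) -> dict:
    """Parse "type base64 [comment]" and cross-check the label against the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    fields = _ssh_strings(base64.b64decode(parts[1], validate=True))
    if not fields or fields[0].decode(errors="replace") != key_type:
        raise ValueError(f"label {key_type} does not match the key blob")
    info = {"type": key_type, "comment": parts[2] if len(parts) > 2 else ""}
    if key_type == "ssh-rsa":           # blob = string "ssh-rsa", mpint e, mpint n
        if len(fields) != 3:
            raise ValueError("malformed ssh-rsa blob")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
        if info["bits"] < MIN_RSA_BITS:
            raise ValueError(f"RSA key too small: {info['bits']} bits")
    return info


def make_rsa_line(e: int, n: int, comment: str) -> str:
    """Build a constructed ssh-rsa line for the test; NOT a usable key pair."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b

    def mpint(v: int) -> bytes:         # extra leading 0x00 keeps the mpint positive
        return field(v.to_bytes((v.bit_length() + 8) // 8, "big"))

    blob = field(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```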
---

# Git - cont.

```
$ git config commit.gpgsign true
```

```
$ git commit -m 'your commit message' --gpg-sign=6A886CD6
```

```
$ git log --show-signature
commit 0aaace886512c94d4377fd2ef64cf90a2efb224f
gpg: Signature made Fri Apr 8 22:47:55 2016 CST using RSA key ID 6A886CD6
gpg: Good signature from "Hatter Jiang (Hatter's 4096 PGP/C) " [ultimate]
Author: Hatter Jiang
Date: Fri Apr 8 22:47:55 2016 +0800

    first commit message with sign
```

.footnote[<https://help.github.com/articles/signing-commits-using-gpg/> <https://ariejan.net/2014/06/04/gpg-sign-your-git-commits/>]

---
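# Git - cont.

Signing commits only pays off if something checks them. As an added example, not code from these slides, this policy check runs over `git log --format='%H%x09%G?%x09%GK%x09%s'` output and flags unsigned commits, bad or unverifiable signatures, and signatures made with keys outside an allowlist. The key id `6A886CD6` and the first commit hash come from the slide; the other hashes and key ids in `SAMPLE_LOG` are constructed.

```python
"""Enforce a signed-commit policy over `git log` output: the check to run in CI
once commits are signed as on these slides.  Added example, not the deck's code."""
import subprocess

# %G? status letters as documented in git-log(1)
WARN = {"U"}                        # good signature, signer's key validity unknown
BAD = {"B", "X", "Y", "R", "E"}     # bad sig, expired sig, expired key, revoked, no key

SAMPLE_LOG = [  # constructed sample: first line mirrors the slide, the rest are made up
    "0aaace886512c94d4377fd2ef64cf90a2efb224f\tG\t6A886CD6\tfirst commit message with sign",
    "1111111111111111111111111111111111111111\tN\t\tunsigned change",
    "2222222222222222222222222222222222222222\tB\tDEADBEEF\tbad signature",
    "3333333333333333333333333333333333333333\tU\t6A886CD6\tsigner validity unknown",
    "4444444444444444444444444444444444444444\tG\tCAFEBABE\tsigned by another key",
]


def git_log_lines(rev_range: str) -> list:
    """Ask git for tab-separated lines: hash, %G? status, signing key id, subject."""
    fmt = "--format=%H%x09%G?%x09%GK%x09%s"
    proc = subprocess.run(["git", "log", fmt, rev_range], check=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def check_signatures(lines, allowed_keys, allow_unknown_validity=False):
    """Return (commit, reason) pairs for every commit that fails the policy.
    allowed_keys must hold key ids in the exact form %GK prints on your git."""
    allowed = {k.upper() for k in allowed_keys}
    violations = []
    for raw in lines:
        if not raw.strip():
            continue
        parts = raw.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            violations.append((raw, "unparseable log line"))
            continue
        commit, status, key, _subject = parts
        if status == "N":
            violations.append((commit, "unsigned commit"))
        elif status in BAD:
            violations.append((commit, f"signature status {status}"))
        elif status in WARN and not allow_unknown_validity:
            violations.append((commit, "signer key validity unknown"))
        elif key.upper() not in allowed:
            violations.append((commit, f"signed by non-allowlisted key {key}"))
    return violations
```

`check_signatures(git_log_lines("origin/master..HEAD"), {"6A886CD6"})` is the call a CI job would make; any non-empty result should fail the build.

---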
.footer[<https://www.w3.org/community/hb-secure-services/>]

---
---

# Resource & Reference

* <http://openpgp.org/>
* <http://www.pgpi.org/>
* <https://gnupg.org/>
* <https://www.gpg4win.org/download.html>
* <https://gpgtools.org/>
* <https://tools.ietf.org/html/rfc4880>
* <http://www.philzimmermann.com/>
* <http://g10code.com/p-card.html>
* <https://github.com/Yubico/ykneo-openpgp>
* <https://smartcard.cloudbook.wiki/resources/W3C_hb_secure_services_gemalto.pptx>

---
name: last-page
template: inverse

# .large[_Thanks!_]

_Learn more from ☞ [SmartCard.CloudBook.wiki](https://smartcard.cloudbook.wiki/) & [OpenPGPCard.org](https://openpgpcard.cloudbook.wiki/)_