Cryptoucan™ on Windows

Written by Dominik Joe Pantůček on 2018-12-13


Apart from electrical and mechanical testing, we have been working heavily on ensuring seamless integration with the very uncommon Windows platform. Read on to get an idea of what it looks like when you come from the world where things just work to the world of Windows.


Of course, our primary platform is GNU/Linux[1][2] right now and our engineers are using Ubuntu[3], Fedora[4], Debian[5] and CentOS[6] as their development platform of choice. And although we would like to see people using Cryptoucan™ on Tails[7] or Qubes[8], we understand that the majority of users would be using Windows[9].

Let's put aside the security-related problems one can immediately see and look into what we have achieved so far.

There is pretty decent OpenPGP[10] support for Windows using the gpg4win[11] package. There are, however, two things that do not work out of the box yet. The first is user access to USB devices using the libusb/WinUSB[12] stack. The second is proper PIN entry handling.

For the former feature, we make our own builds of GnuPG from gpg4win - without the unnecessary parts like Kleopatra or GPA. Just the main binary, agent and the card supporting service (scdaemon). On our CD platform[13] we test and build every revision we create and we have a distribution system of the installer executables in place.

For the second feature, it somehow feels as if nobody has worked with Class 2 CCID readers for more than 20 years, and making any software handle PIN entry on an external PIN pad is tedious work. But with the right tools and the right people on the task, it is possible, and we have successfully tested full Cryptoucan™ operation with Outlook 2016 on both Windows 10 and Windows 7 without any problems.

That is good news: when the users get their first devices, they will be able to start using them immediately without any complex setup. Just install the latest gpg4win and place our patches on top of it.

Of course, we are working with upstream to ensure our changes get integrated into the master branch of GnuPG. Safe - yet sane - external PIN pad handling is something everyone could benefit from.

Actually, when it comes to PIN entry caching, there is some work needed even for GNU/Linux systems, and right now we are working on APT (maybe PPA) and YUM repositories with our builds to address these issues. On the other hand, the future is in handling Class 2 readers properly by the upstream packages, and we are happy to help improve the whole ecosystem here.

Thank you for staying with us so long (and for reading a rather boring report today - because that is what it was). See you next week with some more interesting stuff again!


References

  1. https://www.gnu.org/

  2. https://www.kernel.org/

  3. https://www.ubuntu.com/

  4. https://getfedora.org/

  5. https://www.debian.org/

  6. https://www.centos.org/

  7. https://tails.boum.org/

  8. https://www.qubes-os.org/

  9. Wikipedia contributors. (2018, November 28). Microsoft Windows. In Wikipedia, The Free Encyclopedia. Retrieved 07:01, December 13, 2018, from https://en.wikipedia.org/w/index.php?title=Microsoft_Windows&oldid=871023288

  10. https://www.openpgp.org/

  11. https://www.gpg4win.org/

  12. https://github.com/libusb/libusb/wiki/Windows

  13. https://trustica.cz/en/2018/11/08/cryptoucan-firmware-cd/