Hi,

On 13/01/21 17:20, Илья Шипицин wrote:
> Hello,
>
> If a user saves the password, it might be stolen from a well-known location (there are popular password stealers).
>
> In theory, is it possible to keep the password in a TPM? Will it prevent the password from being stolen?

In theory, yes, but as always, it depends on the circumstances.

With TPM 1.2 you can only store a very limited amount of data in the TPM chip; the (open source) implementations I have seen (tss, trousers) store a key in the TPM to scramble other data with; thus, you can encrypt a private key or password with a key stored on the TPM, and only if you have the TPM will you be able to decrypt it. I've never been particularly impressed with the security of this setup, however, as trousers seems to suggest storing the actual decryption key in an environment variable...

With TPM 2.0 you can store more data in the chip, including a full private key. This makes it behave more like a regular PKCS#11 device, where you store the private key, not the user password, on it. Of course, it will/should also be possible to store a user password on it.

cheers,

JJK
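As an added example (not part of the thread and not OpenVPN's own code), here is what the TPM 2.0 route looks like in practice with tpm2-tools: the OpenVPN auth-user-pass password is sealed to the TPM under a policy bound to PCRs 0 and 7, so the blob on disk is worthless on another machine or under another OS, and it is unsealed only at connect time into a 0600 file on tmpfs that is removed when openvpn exits. Everything below is an assumption of this example rather than something the thread states: tpm2-tools 5.x command syntax, the in-kernel resource manager at /dev/tpmrm0, an empty owner-hierarchy auth, the PCR selection, and all file names and defaults.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN itself: seal an
# OpenVPN auth-user-pass password into a TPM 2.0 with tpm2-tools, bind it to
# the boot measurements in PCRs 0 and 7, and unseal it only at connect time.
# Assumed (not from the thread): tpm2-tools 5.x syntax, /dev/tpmrm0, an empty
# owner-hierarchy auth, and all file names and defaults below.
set -eu

STORE="${STORE:-/var/lib/openvpn/tpm}"   # sealed blob; useless without this TPM
PCRS="${PCRS:-sha256:0,7}"               # firmware code + Secure Boot state
VPN_USER="${VPN_USER:-vpnuser}"
OVPN_CONF="${OVPN_CONF:-/etc/openvpn/client.conf}"
SECRET_TMP="${SECRET_TMP:-/dev/shm}"     # tmpfs, so the unsealed copy is RAM only

# Validate a PCR selection such as sha256:0,7 before handing it to the tools.
pcr_selection_ok() {
    printf '%s' "$1" | grep -Eq '^sha(1|256|384|512):[0-9]+(,[0-9]+)*$'
}

# True only when a TPM 2.0 device and the tpm2-tools binaries are present.
have_tpm() {
    [ -c /dev/tpmrm0 ] && command -v tpm2_unseal >/dev/null 2>&1
}

# Enrolment (run once, as root): read the password from stdin and seal it.
seal_password() {
    have_tpm || { echo "no TPM 2.0 device or tpm2-tools found" >&2; return 2; }
    pcr_selection_ok "$PCRS" || { echo "bad PCR selection: $PCRS" >&2; return 2; }
    (
        umask 077 && mkdir -p "$STORE" && cd "$STORE"
        # The primary key is derived from the TPM's owner seed and this
        # template, so it can be recreated identically at unseal time.
        tpm2_createprimary -C o -G ecc -c primary.ctx >/dev/null
        tpm2_createpolicy --policy-pcr -l "$PCRS" -L pcr.policy >/dev/null
        # No userwithauth attribute: satisfying the PCR policy is the only
        # way to unseal, so a password auth cannot bypass the boot-state check.
        tpm2_create -C primary.ctx -a 'fixedtpm|fixedparent' -L pcr.policy \
            -i - -u seal.pub -r seal.priv >/dev/null
        rm -f primary.ctx
    )
}

# Connect time: recreate the primary, load the sealed object and unseal it to
# stdout. Fails if the PCRs no longer match the values it was sealed under.
unseal_password() {
    have_tpm || return 2
    (
        cd "$STORE"
        tpm2_createprimary -C o -G ecc -c primary.ctx >/dev/null
        tpm2_load -C primary.ctx -u seal.pub -r seal.priv -c seal.ctx >/dev/null
        tpm2_unseal -c seal.ctx -p "pcr:$PCRS"
        rm -f primary.ctx seal.ctx
    )
}

# openvpn reads "user\npassword\n" from --auth-user-pass at startup; the file
# lives in a fresh 0700 tmpfs directory that is removed when openvpn exits.
connect() {
    local dir pw
    dir=$(mktemp -d "$SECRET_TMP/ovpn.XXXXXX")
    trap 'rm -rf "$dir"' EXIT INT TERM
    pw=$(unseal_password) || { echo "unseal failed (PCRs changed?)" >&2; return 1; }
    (umask 077 && printf '%s\n%s\n' "$VPN_USER" "$pw" > "$dir/auth")
    openvpn --config "$OVPN_CONF" --auth-user-pass "$dir/auth"
}

case "${1:-}" in
    seal)    seal_password ;;   # password on stdin, never as an argument
    connect) connect ;;
    *)       echo "usage: $0 seal|connect" >&2 ;;
esac
```

Enrol once with `seal` and the password on stdin (from a `read -s` prompt or `systemd-ask-password`, not a command-line argument that lands in shell history), then start the tunnel with `connect`. This is where "it depends on the circumstances" bites: a stealer that copies `seal.priv` off the disk, or boots another OS on the same machine, gets nothing, because PCRs 0 and 7 will not match; a stealer running as the same user while the VPN is up can still read the password from the tmpfs file or from openvpn's memory, since openvpn must hold the plaintext to authenticate. A firmware update or a Secure Boot change alters PCR 0/7, after which the blob must be re-sealed.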

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel