Re: [strongSwan] Strongswan and TPM

2017-09-07 Thread John Brown
Hi Andreas,

Sorry for the delay.
Yes, this is very useful information! Now I know I have to try with
TPM 2.0 only. Thank you very much.

Can you also confirm that for use with keys stored in the TPM I have to use
swanctl.conf instead of ipsec.conf?

Best regards,
John

2017-08-31 12:46 GMT+02:00 Andreas Steffen:

> Hi John,
>
> currently strongSwan supports signature keys residing in the NVRAM
> of the TPM 2.0, only. These can be accessed using the object handle
> range 0x8101. Private keys stored in the NVRAM of the TPM 2.0
> have the big advantage that you can wipe the hard disk or SSD
> without irretrievably losing the keys.
>
> But, as you correctly mention, in principle an unlimited number of
> keys can be stored in encrypted form outside the TPM. With the TPM 2.0
> you have to load them into NVRAM first, before you can do any
> signature operations. strongSwan does not support external keys, though.
>
> strongSwan does not offer any signature key support for the TPM 1.2.
> The TPM 1.2 can be used for attestation only (implemented by the
> Attestation IMC dynamic library), where the TPM 1.2 loads an external
> attestation key blob and generates a Quote signature over a certain
> number of PCR registers.
>
> Hope this helps.
>
> Andreas
>
> On 31.08.2017 10:46, John Brown wrote:
> > Hi Tobias/Hi all,
> > After some reading I have come to the conclusion that TPM 2.0 can only
> > be used with strongswan 5.5.2 or newer.
> > The example that the strongswan wiki provides shows storing the keys
> > inside the tpm (as far as I understand the example correctly). But all
> > the tpm sources I've read state that the keys can also be stored
> > externally, but in encrypted form by the tpm. Is this a general rule that
> > can also be used with strongswan?
> > Additionally, an example shows usage with swanctl.conf. Can ipsec.conf
> > also be used?
> >
> > What about TPM 1.2? I've found that it is mentioned in TNC. But can I
> > use TPM 1.2 only for key storage in strongswan? If yes, which version of
> > strongswan is the oldest that can be used for this?
> >
> > Best regards,
> > John
> >
> >
> > 2017-07-18 12:46 GMT+02:00 John Brown:
> >
> > Hi Tobias,
> > Thank you for your answer. I'm on the first stage of learning TPM,
> > but as far as I understand the general rule the private key should
> > not be accessible, and that was the reason that the aforementioned log
> > message drew my attention. Is this wiki page I've read the only way
> > I can learn how TPM and strongswan cooperate, or are there some more
> > detailed explanations somewhere of how the process works?
> >
> > Best regards,
> > John
> >
> >
> > 2017-07-18 12:05 GMT+02:00 Tobias Brunner:
> >
> > Hi John,
> >
> > > and I conclude from this example, that a private key stored in the
> > > TPM is loaded to program memory the same way as if it was stored in a
> > > file (log message: "...charon-systemd[21165]: loaded RSA private key
> > > from token").
> > > Am I correct?
> >
> > No, that's only the generic log message that you'll see for any
> > private key loaded by the configuration backend, whether that private
> > key is actually loaded into memory or it's just a reference to a key
> > (as is the case here).  Private keys on PKCS#11 tokens or in a TPM can't be
> > accessed directly, so they never end up in memory.
> >
> > Regards,
> > Tobias
> >
> >
> >
>
> --
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)


Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread Andreas Steffen
Hi John,

currently strongSwan supports signature keys residing in the NVRAM
of the TPM 2.0, only. These can be accessed using the object handle
range 0x8101. Private keys stored in the NVRAM of the TPM 2.0
have the big advantage that you can wipe the hard disk or SSD
without irretrievably losing the keys.

But, as you correctly mention, in principle an unlimited number of
keys can be stored in encrypted form outside the TPM. With the TPM 2.0
you have to load them into NVRAM first, before you can do any
signature operations. strongSwan does not support external keys, though.

strongSwan does not offer any signature key support for the TPM 1.2.
The TPM 1.2 can be used for attestation only (implemented by the
Attestation IMC dynamic library), where the TPM 1.2 loads an external
attestation key blob and generates a Quote signature over a certain
number of PCR registers.

Hope this helps.

Andreas

On 31.08.2017 10:46, John Brown wrote:
> Hi Tobias/Hi all,
> After some reading I have come to the conclusion that TPM 2.0 can only
> be used with strongswan 5.5.2 or newer.
> The example that the strongswan wiki provides shows storing the keys
> inside the tpm (as far as I understand the example correctly). But all
> the tpm sources I've read state that the keys can also be stored
> externally, but in encrypted form by the tpm. Is this a general rule that
> can also be used with strongswan?
> Additionally, an example shows usage with swanctl.conf. Can ipsec.conf
> also be used?
> 
> What about TPM 1.2? I've found that it is mentioned in TNC. But can I
> use TPM 1.2 only for key storage in strongswan? If yes, which version of
> strongswan is the oldest that can be used for this?
> 
> Best regards,
> John
> 
> 
> 2017-07-18 12:46 GMT+02:00 John Brown:
> 
> Hi Tobias,
> Thank you for your answer. I'm on the first stage of learning TPM,
> but as far as I understand the general rule the private key should
> not be accessible, and that was the reason that the aforementioned log
> message drew my attention. Is this wiki page I've read the only way
> I can learn how TPM and strongswan cooperate, or are there some more
> detailed explanations somewhere of how the process works?
> 
> Best regards,
> John
> 
> 
> 2017-07-18 12:05 GMT+02:00 Tobias Brunner:
> 
> Hi John,
> 
> > and I conclude from this example, that a private key stored in the TPM is
> > loaded to program memory the same way as if it was stored in a file
> > (log message: "...charon-systemd[21165]: loaded RSA private key from
> > token").
> > Am I correct?
> 
> No, that's only the generic log message that you'll see for any
> private key loaded by the configuration backend, whether that private
> key is actually loaded into memory or it's just a reference to a key
> (as is the case here).  Private keys on PKCS#11 tokens or in a TPM can't be
> accessed directly, so they never end up in memory.
> 
> Regards,
> Tobias
> 
> 
> 

-- 
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

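As an added illustration of the point in Andreas's message (this fragment is not from any mail in the thread nor from the strongSwan wiki), a swanctl.conf `secrets` entry that refers to a signature key already resident in TPM 2.0 NVRAM by its persistent handle instead of loading key material from a file. The `token<suffix>`/`handle` syntax follows the swanctl.conf documentation as I know it; the handle value, section suffix and certificate file name are illustrative assumptions.

```conf
# Added example, not part of the thread: a key that lives in TPM 2.0 NVRAM.
# Nothing here is private key material; charon's tpm plugin hands the signing
# request to the TPM, which matches Tobias's note that such keys never end up
# in process memory. Wiping the disk does not lose the key, only this file.
secrets {
   # Section name must start with "token"; the "-tpm" suffix is an assumption.
   token-tpm {
      # Persistent object handle in the 0x8101xxxx range Andreas mentions.
      # 0x81010002 is an illustrative value, not taken from the thread.
      handle = 0x81010002
   }
}

connections {
   tpm-host {
      local {
         auth = pubkey
         # Certificate matching the TPM-resident key (assumed file name),
         # placed in swanctl's x509 directory as for any other pubkey peer.
         certs = tpmCert.pem
      }
      # remote and children sections follow the usual swanctl layout
   }
}
```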

Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread John Brown
Hi Tobias/Hi all,
After some reading I have come to the conclusion that TPM 2.0 can only be
used with strongswan 5.5.2 or newer.
The example that the strongswan wiki provides shows storing the keys inside
the tpm (as far as I understand the example correctly). But all the tpm
sources I've read state that the keys can also be stored externally, but in
encrypted form by the tpm. Is this a general rule that can also be used
with strongswan?
Additionally, an example shows usage with swanctl.conf. Can ipsec.conf
also be used?

What about TPM 1.2? I've found that it is mentioned in TNC. But can I use
TPM 1.2 only for key storage in strongswan? If yes, which version of
strongswan is the oldest that can be used for this?

Best regards,
John


2017-07-18 12:46 GMT+02:00 John Brown:

> Hi Tobias,
> Thank you for your answer. I'm on the first stage of learning TPM, but as
> far as I understand the general rule the private key should not be
> accessible, and that was the reason that the aforementioned log message drew
> my attention. Is this wiki page I've read the only way I can learn how TPM
> and strongswan cooperate, or are there some more detailed explanations
> somewhere of how the process works?
>
> Best regards,
> John
>
>
> 2017-07-18 12:05 GMT+02:00 Tobias Brunner:
>
>> Hi John,
>>
>> > and I conclude from this example, that a private key stored in the TPM is
>> > loaded to program memory the same way as if it was stored in a file (log
>> > message: "...charon-systemd[21165]: loaded RSA private key from token").
>> > Am I correct?
>>
>> No, that's only the generic log message that you'll see for any private
>> key loaded by the configuration backend, whether that private key is
>> actually loaded into memory or it's just a reference to a key (as is the
>> case here).  Private keys on PKCS#11 tokens or in a TPM can't be
>> accessed directly, so they never end up in memory.
>>
>> Regards,
>> Tobias
>>
>
>


Re: [strongSwan] Strongswan and TPM

2017-07-18 Thread John Brown
Hi Tobias,
Thank you for your answer. I'm on the first stage of learning TPM, but as
far as I understand the general rule the private key should not be
accessible, and that was the reason that the aforementioned log message drew
my attention. Is this wiki page I've read the only way I can learn how TPM
and strongswan cooperate, or are there some more detailed explanations
somewhere of how the process works?

Best regards,
John

2017-07-18 12:05 GMT+02:00 Tobias Brunner:

> Hi John,
>
> > and I conclude from this example, that a private key stored in the TPM is
> > loaded to program memory the same way as if it was stored in a file (log
> > message: "...charon-systemd[21165]: loaded RSA private key from token").
> > Am I correct?
>
> No, that's only the generic log message that you'll see for any private
> key loaded by the configuration backend, whether that private key is
> actually loaded into memory or it's just a reference to a key (as is the
> case here).  Private keys on PKCS#11 tokens or in a TPM can't be
> accessed directly, so they never end up in memory.
>
> Regards,
> Tobias
>


Re: [strongSwan] Strongswan and TPM

2017-07-18 Thread Tobias Brunner
Hi John,

> and I conclude from this example, that a private key stored in the TPM is
> loaded to program memory the same way as if it was stored in a file (log
> message: "...charon-systemd[21165]: loaded RSA private key from token").
> Am I correct?

No, that's only the generic log message that you'll see for any private
key loaded by the configuration backend, whether that private key is
actually loaded into memory or it's just a reference to a key (as is the
case here).  Private keys on PKCS#11 tokens or in a TPM can't be
accessed directly, so they never end up in memory.

Regards,
Tobias


[strongSwan] Strongswan and TPM

2017-07-18 Thread John Brown
Hello all,

I'm currently looking for some information on how strongswan can utilize TPM
chips. I've read

https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin

and I conclude from this example, that a private key stored in the TPM is
loaded to program memory the same way as if it was stored in a file (log
message: "...charon-systemd[21165]: loaded RSA private key from token"). Am I
correct?


Best regards,

John