I think I understand what your saying. Thanks for explaining this. Is TPM
capable of storing keys generated by other machines? For example, if a
trusted node generated a public/private key pair and sends the public key to
a new node which is trying to verify its state, then can the new node store
that public key inside its tpm and use it to sign the pcr values. Hence only
the trsuted node can decrypt the pcr values. This will still not guarantee
that the pcr values are signed by the tpm, but for the research i am working
on this might be sufficient for now.
--Hardeep
On Fri, Nov 20, 2009 at 4:23 PM, Hal Finney <[email protected]> wrote:
> Hardeep - Your goals are the very foundation of what Trousers and
> Trusted Computing is about, the ability for computers to provide
> credible and believable proof about their state and the software they
> are running. Unfortunately this technology is, to be honest, still in
> its beginning stages. I don't believe anyone has ever fully
> accomplished what you have described.
>
> The difficulties are partly technical, in terms of the complexity of
> the data structures and the code which is needed to create and
> validate these signatures; partly infrastructure, the lack of TPM EK
> certifications and a trustworthy Privacy CA; and partly secure systems
> design, in terms of setting up a system so that the PCRs can be
> considered to reliably characterize the software which is running,
> under various threats and attacks.
>
> However I can answer your specific question and clarify how it all
> works. The reason for the AIK is due to concern about user privacy. If
> the TCG had set it up so that the EK (endorsement key) could sign
> PCRs, it would have been much simpler. But it would mean that every
> such signature would basically reveal user identity. All the
> signatures by a user would be by that same key, which would be a
> persistent identifier, harming his privacy. Intel got burned in the
> 1990s when they proposed a processor serial number, producing huge
> backlash. The lesson was learned, there must be no persistent
> identifiers used in the protocol. Therefore the EK was not only not
> used to sign, it was made impossible to sign with it.
>
> Instead, an AIK is created and this signs the PCRs. Now again it would
> have been simpler if the EK could sign the AIK, in order to prove that
> it was a TPM key. But TCG made it so the EK can't sign, so that way
> was not possible.
>
> The TCG invented the concept of a Privacy CA (Certificate Authority).
> This would be a trusted third party similar to Verisign or Thawte, who
> sign certificates for secure web sites accessed with https. The
> Privacy CA will only sign AIKs and create certificates which state
> that a given AIK is a valid TPM key. The way it works is this: the
> client system creates an AIK, and then sends a package of information
> to the PCA, including the EK public key, and a certificate on the EK
> issued by the TPM manufacturer, attesting that the EK is a real TPM
> EK. The PCA inspects all this data and decides that the EK is valid.
> It creates the certificate for the AIK, then it encrypts the
> certificate to the EK, sending that back. Remember that EK's can't
> sign, but they can decrypt. By encrypting the data to the EK, the PCA
> insures that it can only be decrypted by a valid TPM EK. The TPM
> decrypts this data with the EK, and as part of this operation the TPM
> verifies that the AIK in the certificate is a real AIK on that TPM.
> Only if this is true will the decryption succeed. If everything is OK
> the client software receives the decrypted AIK certificate, which it
> can now show as trustworthy proof that the AIK is a real TPM AIK.
>
> The result is that a TPM system can create multiple AIKs and use
> different ones with different services, so there is no harm to
> privacy, no linkable data. The AIK certificate issued by the Privacy
> CA proves that the AIKs are valid, as long as the Privacy CA does its
> job. Then the AIKs sign PCRs and so those are known to be valid as
> well. If the whole system is set up so the PCRs accurately
> characterize its state, then you get what you want.
>
> That is how it is all designed to work. I am running an experimental
> Privacy CA at privacyca.com. So in principle this can all be done. In
> practice, as I said, there are IMO too many obstacles to fully achieve
> what you have described.
>
> Hal
>
> On Fri, Nov 20, 2009 at 3:12 PM, Hardeep Uppal
> <[email protected]> wrote:
> > Hi Hal,
> >
> > Thanks for clarifying what trousers is. I guess what I am trying to
> > accomplish with TPM is to validate the state of a system to a group of
> > trusted node. For example if a new node is trying to be part of a group
> of
> > trusted nodes then the new node will send its signed PCR values to a
> trusted
> > node within the group, which will validate if the new node is configure
> as
> > accepted. Part of the validation would also be to prove that the machine
> has
> > a TPM.
> > So what is the endorsement key used for? I am still trying to understand
> how
> > TPM work and what are they capable of doing. I am hoping someone has
> figured
> > out how to create AIK and used Quote to sign PCR values.
> >
> > --Hardeep
> >
> > On Fri, Nov 20, 2009 at 2:00 PM, Hal Finney <[email protected]>
> wrote:
> >>
> >> Hi Hardeep, yes unfortunately Trousers is just the TSS API. There are
> >> a few utilities in the tpm-tools package available from the Trousers
> >> Sourceforge site. These do such things as take ownership of the TPM,
> >> create the endorsement key if it does not exist, etc. Basic TPM
> >> management utilities.
> >>
> >> The kind of thing you are asking about requires custom programming.
> >> Generally the API is very complicated and it is impossible to
> >> anticipate all the things people might want to do with the TPM, so at
> >> this point it is necessary to write programs to do things. You might
> >> look into Trusted Java, which implements a Java layer over the TSS API
> >> and might be easier to use for people familiar with that language.
> >>
> >> The specific thing you are asking for is not actually possible. The
> >> endorsement key is restricted in what it can do and it cannot sign
> >> anything. What you are supposed to do is to create a special signing
> >> key called an attestation identity key (AIK) and then use the special
> >> Quote operation to sign PCR values using the AIK. And then there is a
> >> complicated protocol to prove that the AIK is a TPM-protected key, so
> >> that people can know that the PCR values are correct. It is not as
> >> easy as one might wish, unfortunately.
> >>
> >> Hal Finney
> >>
> >> On Fri, Nov 20, 2009 at 1:29 PM, Hardeep Uppal
> >> <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I am trying to find instructions for making the tpm sign pcrs values
> >> > with
> >> > its endorsement key and also create new public/private keys. I thought
> >> > trousers was a utility that has commands that you enter in the shell
> for
> >> > doing this. But it seems like trousers is just the TSS API. Do I need
> to
> >> > write c code to get this functionality? Can someone explain what
> exactly
> >> > trousers is? Do I need to download other packages for this?
> >> >
> >> > Thanks in advance,
> >> > Hardeep
> >
> >
>
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
