Hi Adrian - If I understand your question, yes, Seal has a data auth value. Seal/Unseal is a rather unusual operation that is different from Encrypt/Decrypt. With Seal, in addition to specifying the auth value for the key you are sealing to, you specify a separate auth value that is specific to that Seal operation. Then to Unseal, you have to specify the same auth value that was used for the Seal (in addition to the key auth value).
One thing this allows you to do is to securely Seal to the SRK even though its auth value is usually well-known (often 20 bytes of zeros). You can do the Seal using a password as the auth value, and then the same password must be given for the Unseal. You don't have to create a key in order to do secure encryption operations with the TPM, you can use the pre-existing SRK. Hal On Tue, Dec 1, 2009 at 6:59 PM, adrian golding <[email protected]> wrote: > hi, > this post helped me a > lot: http://sourceforge.net/mailarchive/[email protected] > i am trying to write an unseal very much alike what the authors in the above > post had done, and i need to obtain all the 13 parameters to send as part of > TPM_Unseal and i'm down to the last one, which is the dataAuth parameter > (TPM_AUTHDATA) that is the authorization digest for the sealed blob. for > easy reference, i cut and pasted a portion of the referenced post here: > " >> Unseal requires two auth sessions, one for the key and one for the >> data blob. So you make two calls to OSAP or OIAP before doing >> TPM_Unseal. Then you compute a second HMAC over the parameters labeled >> 2H2, 3H2, and 4H2. As before, the 1st HMAC parameter is the >> inParamDigest, the SHA-1 of the parameters labeled 1S and 2S. The HMAC >> key is either the shared secret if an OSAP session was used, or the >> data auth value if it was an OIAP session. Then the output of this >> HMAC is the dataAuth parameter. > " > since i am using OIAP sessions to calculate the HMACs, my question is on how > to get the "auth value" (which is stated as entity.usageAuth) for the data > blob, so i can use it as the key to the HMAC. is this 20-byte value passed > in as a parameter during the seal operation? Since this is a sealed blob > instead of a key object, does it even have an auth value? > thank you - adrian ------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
