It makes sense that keys are not stored in the tpm since you don't want to
be restricted to create new keys because of the size of data that can be
stored in the tpm. So the AIK gets created inside the TPM and then gets
encrypted by public key of SRK and stored in the TSS database. I'll take a
look at testsuit.
Thanks for explaining this.
--Hardeep
On Thu, Dec 3, 2009 at 6:56 PM, Hal Finney <[email protected]> wrote:
> Hi Hardeep -
>
> On Thu, Dec 3, 2009 at 2:24 AM, Hardeep Uppal
> <[email protected]> wrote:
> > Hi Hal,
> >
> > I looked at privacyca.com and used the sample code to create an AIK. I
> have
> > some questions about the code.
> >
> > 1. The code is creating an AIK inside the TPM and is using a privacyCA to
> > certify that the AIK is from a valid tpm right?
>
> Right, the only thiing is that the AIK does not stay in the TPM. It
> gets unloaded from the TPM and stored in a Trousers database (on the
> disk) at the position you specify, position 1 in this case.
>
> > 2. When i execute ./identity 1 aik1 cert1 the cert1 file contains the
> signed
> > certificate b y the privacyCA. So according to your previous reply the
> > privacyCA uses the public part of EK to sign the certificate. Is this
> still
> > true when executing identity.c? Is the code looking up pubek and sending
> it
> > to the privacyCA with the AIK?
>
> Rather, PrivacyCA uses the public part of EK to ENCRYPT the
> certificate, not to sign it. The identity.c code does do what you
> said, looks up the pubek and sends it to PrivacyCA with the AIK.
>
> > 3. Also could who explain what exactly is your privacyCA doing. Do I need
> to
> > decrypt the certificate inorder to use the AIK for signing of PCR's?
>
> Well, it does a bunch of checks, creates a certificate on the AIK
> formatted according to the TCG specs, encrypts it to pubek and sends
> it back. You don't really need to do anything with the cert. You can
> use the AIK to sign PCRs using the Quote operation.
>
> > 3. Once the AIK is created and stored in the TPM, how can we check if the
> > AIK is there?
>
> As I said above, the AIK is not stored in the TPM. Generally keys are
> not stored in the TPM, they are stored elsewhere and then loaded into
> the TPM when they need to be used. The identity.c program stores the
> key in the TSS database maintained by Trousers, allowing you to use
> the LoadKeyByUuid function to load it into the TPM when you want to
> use it.
>
> >
> > For my research I have a set of controlled nodes. Therefore certification
> of
> > AIK from privacyCA is not required at the current movement. All I want to
> do
> > with the AIK is sign the PCR's in the TPM.
>
> Right. identity.c is probably not the best place for you to start. If
> you download the testsuite from the Trousers sourceforge site, it has
> sample code in the tpm directory, file Tspi_TPM_Quote01.c, that does
> the Quote operation to sign a PCR, using a newly created identity key.
> That might be a better starting point for you.
>
> Hal
>
>
> >
> > Thanks,
> > Hardeep
> >
> > On Fri, Nov 20, 2009 at 4:23 PM, Hal Finney <[email protected]>
> wrote:
> >>
> >> Hardeep - Your goals are the very foundation of what Trousers and
> >> Trusted Computing is about, the ability for computers to provide
> >> credible and believable proof about their state and the software they
> >> are running. Unfortunately this technology is, to be honest, still in
> >> its beginning stages. I don't believe anyone has ever fully
> >> accomplished what you have described.
> >>
> >> The difficulties are partly technical, in terms of the complexity of
> >> the data structures and the code which is needed to create and
> >> validate these signatures; partly infrastructure, the lack of TPM EK
> >> certifications and a trustworthy Privacy CA; and partly secure systems
> >> design, in terms of setting up a system so that the PCRs can be
> >> considered to reliably characterize the software which is running,
> >> under various threats and attacks.
> >>
> >> However I can answer your specific question and clarify how it all
> >> works. The reason for the AIK is due to concern about user privacy. If
> >> the TCG had set it up so that the EK (endorsement key) could sign
> >> PCRs, it would have been much simpler. But it would mean that every
> >> such signature would basically reveal user identity. All the
> >> signatures by a user would be by that same key, which would be a
> >> persistent identifier, harming his privacy. Intel got burned in the
> >> 1990s when they proposed a processor serial number, producing huge
> >> backlash. The lesson was learned, there must be no persistent
> >> identifiers used in the protocol. Therefore the EK was not only not
> >> used to sign, it was made impossible to sign with it.
> >>
> >> Instead, an AIK is created and this signs the PCRs. Now again it would
> >> have been simpler if the EK could sign the AIK, in order to prove that
> >> it was a TPM key. But TCG made it so the EK can't sign, so that way
> >> was not possible.
> >>
> >> The TCG invented the concept of a Privacy CA (Certificate Authority).
> >> This would be a trusted third party similar to Verisign or Thawte, who
> >> sign certificates for secure web sites accessed with https. The
> >> Privacy CA will only sign AIKs and create certificates which state
> >> that a given AIK is a valid TPM key. The way it works is this: the
> >> client system creates an AIK, and then sends a package of information
> >> to the PCA, including the EK public key, and a certificate on the EK
> >> issued by the TPM manufacturer, attesting that the EK is a real TPM
> >> EK. The PCA inspects all this data and decides that the EK is valid.
> >> It creates the certificate for the AIK, then it encrypts the
> >> certificate to the EK, sending that back. Remember that EK's can't
> >> sign, but they can decrypt. By encrypting the data to the EK, the PCA
> >> insures that it can only be decrypted by a valid TPM EK. The TPM
> >> decrypts this data with the EK, and as part of this operation the TPM
> >> verifies that the AIK in the certificate is a real AIK on that TPM.
> >> Only if this is true will the decryption succeed. If everything is OK
> >> the client software receives the decrypted AIK certificate, which it
> >> can now show as trustworthy proof that the AIK is a real TPM AIK.
> >>
> >> The result is that a TPM system can create multiple AIKs and use
> >> different ones with different services, so there is no harm to
> >> privacy, no linkable data. The AIK certificate issued by the Privacy
> >> CA proves that the AIKs are valid, as long as the Privacy CA does its
> >> job. Then the AIKs sign PCRs and so those are known to be valid as
> >> well. If the whole system is set up so the PCRs accurately
> >> characterize its state, then you get what you want.
> >>
> >> That is how it is all designed to work. I am running an experimental
> >> Privacy CA at privacyca.com. So in principle this can all be done. In
> >> practice, as I said, there are IMO too many obstacles to fully achieve
> >> what you have described.
> >>
> >> Hal
> >>
> >> On Fri, Nov 20, 2009 at 3:12 PM, Hardeep Uppal
> >> <[email protected]> wrote:
> >> > Hi Hal,
> >> >
> >> > Thanks for clarifying what trousers is. I guess what I am trying to
> >> > accomplish with TPM is to validate the state of a system to a group of
> >> > trusted node. For example if a new node is trying to be part of a
> group
> >> > of
> >> > trusted nodes then the new node will send its signed PCR values to a
> >> > trusted
> >> > node within the group, which will validate if the new node is
> configure
> >> > as
> >> > accepted. Part of the validation would also be to prove that the
> machine
> >> > has
> >> > a TPM.
> >> > So what is the endorsement key used for? I am still trying to
> understand
> >> > how
> >> > TPM work and what are they capable of doing. I am hoping someone has
> >> > figured
> >> > out how to create AIK and used Quote to sign PCR values.
> >> >
> >> > --Hardeep
> >> >
> >> > On Fri, Nov 20, 2009 at 2:00 PM, Hal Finney <[email protected]>
> >> > wrote:
> >> >>
> >> >> Hi Hardeep, yes unfortunately Trousers is just the TSS API. There are
> >> >> a few utilities in the tpm-tools package available from the Trousers
> >> >> Sourceforge site. These do such things as take ownership of the TPM,
> >> >> create the endorsement key if it does not exist, etc. Basic TPM
> >> >> management utilities.
> >> >>
> >> >> The kind of thing you are asking about requires custom programming.
> >> >> Generally the API is very complicated and it is impossible to
> >> >> anticipate all the things people might want to do with the TPM, so at
> >> >> this point it is necessary to write programs to do things. You might
> >> >> look into Trusted Java, which implements a Java layer over the TSS
> API
> >> >> and might be easier to use for people familiar with that language.
> >> >>
> >> >> The specific thing you are asking for is not actually possible. The
> >> >> endorsement key is restricted in what it can do and it cannot sign
> >> >> anything. What you are supposed to do is to create a special signing
> >> >> key called an attestation identity key (AIK) and then use the special
> >> >> Quote operation to sign PCR values using the AIK. And then there is a
> >> >> complicated protocol to prove that the AIK is a TPM-protected key, so
> >> >> that people can know that the PCR values are correct. It is not as
> >> >> easy as one might wish, unfortunately.
> >> >>
> >> >> Hal Finney
> >> >>
> >> >> On Fri, Nov 20, 2009 at 1:29 PM, Hardeep Uppal
> >> >> <[email protected]> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I am trying to find instructions for making the tpm sign pcrs
> values
> >> >> > with
> >> >> > its endorsement key and also create new public/private keys. I
> >> >> > thought
> >> >> > trousers was a utility that has commands that you enter in the
> shell
> >> >> > for
> >> >> > doing this. But it seems like trousers is just the TSS API. Do I
> need
> >> >> > to
> >> >> > write c code to get this functionality? Can someone explain what
> >> >> > exactly
> >> >> > trousers is? Do I need to download other packages for this?
> >> >> >
> >> >> > Thanks in advance,
> >> >> > Hardeep
> >> >
> >> >
> >
> >
>
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
