In addition, even if you create and use a Signing Key, which *does* allow you
to sign externally-provided data, the TPM actually
creates and signs a tagged data structure containing that external data. So
even though some keys can be used both for quotes
and for signing arbitrary data, all you need to do to distinguish between true
and false PCR values, or TPM-created and externally-created keys, is inspect
the tag on the data
structure when verifying the signature. (You can find the exact details in the
Structures portion of the TPM specification.)
That, of course, assumes that you've previously confirmed that the key signing
the data is a genuine TPM key, probably using
CollateIdentityRequest and CertifyKey.
Ariel
________________________________________
From: Rajiv Andrade [[email protected]]
Sent: Monday, August 16, 2010 1:11 PM
To: chloé Fouquet
Cc: [email protected]
Subject: Re: [TrouSerS-users] Signature with AIK
Hi Chloé,
You can't sign arbitrary data using an AIK, only PCR values and non-migratable
keys.
Since the certificate is supposed to be provided only for requests issued by
real TPMs, when checking the signature made by a certified AIK, one can trust
that it's a TPM that is handling it, and therefore, trust its behavior of not
allowing TPM external data to be signed with such type of key.
The verifier should be certain that the Privacy CA that issued the certificate
is functioning as expected, only certifying AIKs that were generated and being
handled by real TPMs.
Thanks
---
Rajiv Andrade
Security Development
IBM Linux Technology Center
On Aug 15, 2010, at 7:12 PM, chloé Fouquet wrote:
> Hi,
> Once we have an AIK and its certificate, is it possible to sign everything we
> want with this key? What prevents us to sign false values of PCRs with this
> key ?
> How a verifier can be convinced, after having received structures as the ones
> provided by the methods CollateIdentityRequest and Quote, that the attesting
> party has signed the right PCR values of its TPM ?
>
> Thanks for looking,
>
> Chloé
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
