On 8/23/10 12:18 PM, "chloé Fouquet" <[email protected]> wrote:
> Hi,
> Rajiv, you told me that it is possible to sign non-migratable keys with an
> AIK, but I can't find the method in the TSS Specifications that allows that.
You're looking for CertifyKey. (Tspi_Key_CertifyKey)
>
> Is it possible to decrypt external data using the endorsement key or an AIK?
> If yes, how can we do that?
The AIK is a signing key; it certainly can't be used to decrypt data.
The EK can, but within some very limited circumstances: the EK will only
decrypt data as part of the AIC issuance protocol, so you will need to
structure your data accordingly. (If you're not familiar with this protocol,
the CA signing the AIC will encrypt it with a symmetric key, and then
encrypt that symmetric key along with some information about the enclosed
AIC to the EK. The EK will then verify that the AIC is associated with a
local, loaded AIK and decrypt the symmetric key. The TPM doesn't do any
verification of the symmetrically encrypted contents, so you could
theoretically replace the payload with anything you liked.)
> I'm doing an attestation of a platform between an attesting system and a
> verifier. I use CollateId and ActivateId to have a credential for my new AIK,
> but how can the verifier be sure that this AIK comes from the TPM? Is it
> because it sends back a credential partially encrypted with the public
> endorsement key of the attesting system and that the latter will verify that
> the key suggested in the ActivateId method is a good AIK before decrypting the
> credential?
Yes. Only the TPM with the Endorsement Key you trust will be able to decrypt
the symmetric key and therefore the encrypted certificate, and a TPM will
only provide the decrypted symmetric key to the software if the certified
key is an AIK loaded in that TPM.
> After that I use Quote to send my PCR values to the verifier. But then I would
> like the verifier to be able to send data to the attesting system and be sure
> that it will only be opened by the TPM of the attesting system; how is that
> possible? Do I need to create a migratable key and send the public part to
> the verifier? The problem is that the verifier only trusts the AIK of the
> attesting system for the moment... and I would like something like a session
> key that will encrypt data, whose private key will be stored in the TPM and
> that can prove it to the verifier.
You can use the AIK to certify other keys using that same Tspi_CertifyKey
command we discussed earlier. In particular, the TPM allows you to create
and certify binding keys that you can use with the Tspi_Data_Bind and
Tspi_Data_Unbind commands, which will allow you to send encrypted data
produced on another machine to be decrypted by that binding key.
> Last thing, Ariel, you told me that a tag is present in the data structure when
> we verify a signature but I can't find it in the Structures specifications;
> could you be a bit more precise, please?
In most of the relevant structures (TPM_SIGN_INFO, TPM_QUOTE2_INFO are
primary ones) you'll see either a "TPM_STRUCTURE_TAG" or a BYTE fixed[4] (or
sometimes both). (Quote has the second: it's the second parameter, and
you'll see that its description is "This SHALL always be the string
'QUOT'.") Verifying that these tags are correct as part of your quote or
signed data verification will confirm that the data was produced by the
correct command.
I'm afraid I don't have any insights into why the tagging infrastructure
isn't consistent. Sorry.
Ariel
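Ariel's point about checking the 'QUOT' tag, as an added example that is not from this thread or from TrouSerS: a verifier-side parser for the TPM 1.2 TPM_QUOTE_INFO blob that TPM_Quote signs with the AIK, checking the fixed tag, the structure version, the verifier's nonce and the PCR composite hash. The 48-byte layout and the TPM_PCR_COMPOSITE serialization follow the TPM 1.2 structures specification; the sample PCR values and nonce are constructed, and the RSA signature over the blob is assumed to be checked separately with the certified AIK public key.

```python
import hashlib
import struct

# TPM 1.2 TPM_QUOTE_INFO (48 bytes): TPM_STRUCT_VER version (4),
# BYTE fixed[4] == "QUOT", TPM_COMPOSITE_HASH digestValue (20),
# TPM_NONCE externalData (20). The 'fixed' field is the tag Ariel mentions.
QUOTE_INFO_LEN = 48
QUOTE_FIXED = b"QUOT"
STRUCT_VER_1_1 = bytes([1, 1, 0, 0])
SHA1_LEN = 20


def pcr_composite_hash(pcr_select: bytes, pcr_values: list) -> bytes:
    """SHA-1 over a serialized TPM_PCR_COMPOSITE: TPM_PCR_SELECTION
    (UINT16 sizeOfSelect + bitmap) || UINT32 valueSize || pcrValue[]."""
    composite = struct.pack(">H", len(pcr_select)) + pcr_select
    composite += struct.pack(">I", SHA1_LEN * len(pcr_values))
    composite += b"".join(pcr_values)
    return hashlib.sha1(composite).digest()


def parse_quote_info(blob: bytes) -> dict:
    """Split a TPM_QUOTE_INFO blob into fields; reject a wrong tag/version
    so a signature produced by another TPM command is not accepted as a quote."""
    if len(blob) != QUOTE_INFO_LEN:
        raise ValueError("TPM_QUOTE_INFO must be %d bytes" % QUOTE_INFO_LEN)
    version, fixed = blob[:4], blob[4:8]
    digest, nonce = blob[8:28], blob[28:48]
    if fixed != QUOTE_FIXED:
        raise ValueError("fixed field is %r, expected b'QUOT'" % fixed)
    if version != STRUCT_VER_1_1:
        raise ValueError("unexpected TPM_STRUCT_VER %r" % version)
    return {"digest": digest, "nonce": nonce}


def verify_quote_info(blob, expected_nonce, pcr_select, pcr_values) -> bool:
    """Verifier-side content check: tag, version, freshness nonce and
    the PCR composite hash recomputed from the reported PCR values."""
    try:
        info = parse_quote_info(blob)
    except ValueError:
        return False
    if info["nonce"] != expected_nonce:
        return False  # stale or replayed quote: nonce is not our challenge
    return info["digest"] == pcr_composite_hash(pcr_select, pcr_values)


def build_quote_info(nonce, pcr_select, pcr_values) -> bytes:
    """Constructed stand-in for the blob a TPM signs in TPM_Quote (test aid)."""
    return (STRUCT_VER_1_1 + QUOTE_FIXED
            + pcr_composite_hash(pcr_select, pcr_values) + nonce)
```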
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users