Hi Ken,
Ken Goldman wrote:
> The TPM has a key __hierarchy__ under the SRK. When you create another
> key, it never remains on the TPM. It always comes off chip, encrypted
> with (wrapped by) its parent storage key.
>
> The TPM has a key cache, which can hold perhaps 5-10 keys. The number
> is TPM vendor specific and might also depend on the key size and other
> parameters. Middleware such as Trousers swaps keys between disk and TPM
> as needed.
>
> So, you can create as many keys as like. You can back them up like any
> other disk file.
>
> However, if the TPM fails, you lose the SRK and thus all child keys.
> You also lose all keys by clearing the TPM owner - a feature. To back
> up keys, use the TPM key migration facilities.
>
>
thanks for the response. I want to use the TPM as a PKCS#11 device; the
instructions on the trousers site state that the SRK password needs to
be empty for that. It indeed does work witn an empty SRK password .
However, how does this safeguard me when my laptop is stolen? if the SRK
password always needs to be empty for pkcs#11 use then it's effectively
a non-password. The thief would need to break my pkcs#11 password, but
{s}he basically can do a brute-force attack, as the SRK password is known.
The openssl_tpm_engine does seem to allow different \SRK passwords, so
that's one step closer, but ideally I would like the key to be in the
chip itself - it also would safeguard me from hard disk crashes (and bad
backup policies).
What I'd like best is to use one of the (three) free slots on the TPM to
store my RSA key; that way I am certain that when my laptop is stolen
that the key information is "safe" inside the TPM chip itself (which
does have dictionary attack counter measures).
Do you have any idea how to achieve this?
thanks,
JJK
> On 3/14/2013 6:23 AM, Jan Just Keijser wrote:
>
>> hi all,
>>
>> I've managed to set up my Dell Latitude E4310 with Broadcom TPM chip as
>> a PKCS#11 device running CentOS 6.3 (the SRK password needing to be
>> empty was the stumbling block - more on that later). I can import
>> certificates into the cryptoki pkcs11 device, even generate keys but my
>> question is: where are the keys actually stored? I'm used to hardware
>> security tokens, such as Safenet eToken, Feitian ePass and others and in
>> that case the keys reside on the chip/card. Is this also true for TPM
>> devices? If so, how many 2048bit RSA keys can you store in a TPM chip? I
>> managed to generated at least 16 "onboard" 2048bit RSA keys and still no
>> error - how can I find out what the capacity of a TPM is?
>> Also, how can one list the contents of the keys stored on the TPM?
>> let's say the harddisk in my laptop dies at an unfortunate moment - what
>> procedure can I follow to restore the keys (and cryptoki tpm dir
>> structure) ?
>>
>> Finally: my dual-boot laptop runs CentOS 6 and Windows 7; the win7
>> tpm.msc does not like an empty SRK password - it even complains that the
>> TPM is unusable. Where is this empty password located in the
>> tpm/trousers code? I just want to redefine to something wellknown so
>> that I can use the TPM chip under both CentOS 6 and Windows 7.
>>
>>
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
