Hi Ken,
Ken Goldman wrote:
I'm answering about the TPM behavior. I don't know tpm-pkcs11.
Thanks for the answers; see my replies below.
On 3/19/2013 12:13 PM, Jan Just Keijser wrote:
Ken Goldman wrote:
Perhaps I do not understand how TPM encryption works: what I want to
protect is an RSA 2048-bit key (coupled to an X509 cert). With a hardware
token, the key is moved "onto" the hardware token and if an attacker
tries to sign data with the key then after N attempts the token blocks.
Correct, except that N is a global. When you exceed N, the entire TPM
blocks. Note that N and the definition of 'block' are TPM vendor specific.
If I understand it correctly, with the current TPM-pkcs11 setup the keys
are stored on disk, but encrypted by the TPM itself. The TPM is accessed
via the SRK key, which has to be set to a well defined value for
opencryptoki. The keys are furthermore encrypted by the pkcs11 PIN,
which is not stored on the TPM itself. Is that correct? Or is the pkcs11
PIN (and SO-PIN) also stored on the TPM chip? If so, where and how?
The SRK is not set to a known value, just its password. The SRK itself
is unique and locked to the TPM.
I should have formulated it more precisely: I meant the SRK password,
not the key itself.
At the TPM layer, the keys are only encrypted by the SRK, not a PIN.
Perhaps the PIN is used as the TPM authentication value (~ password)?
The TPM auth value is stored in the key blob along with the private key
as part of the encrypted area.
Key auth values are not stored on the TPM. They come on and off with
the rest of the key blob.
If my understanding is correct I could foresee the following attack: a
thief steals my laptop and could do a brute force attack on the pkcs11
PIN to recover my key. The TPM would not lock up, as the SRK key is
known and used. As soon as the pkcs11 PIN is broken the thief can use
the RSA key stored in the pkcs11 device to forge my identity.
What am I missing?
If the PIN is indeed the key's auth value, you can't brute force it
outside the TPM. It's encrypted by the SRK, whose private key you don't
know.
I did some 'black box' testing on the tpm-pkcs11 code and I'm afraid the
pkcs11 PIN is not encrypted by or linked to the TPM itself; by copying
two files back and forth
/var/log/opencryptoki/tpm/$USER/.stmapfile
/var/log/opencryptoki/tpm/$USER/NVTOK.DAT
I can circumvent the 'pin lockout' that is set on the tpm-pkcs11 device
and thus I can try to brute-force my way into the pkcs11 device. With a
"well known" SRK password I thus have full access to all keys encrypted
by the TPM. This makes the tpm-pkcs11 driver as secure as a "regular"
RSA key on disk and thus does not offer me any protection when my laptop
is stolen....
I will continue looking for a way to store my RSA key on the TPM chip
itself and sign data directly.
Regards,
JJK / Jan Just Keijser
_______________________________________________
TrouSerS-users mailing list
https://lists.sourceforge.net/lists/listinfo/trousers-users
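
Added example, not part of the original thread and not opencryptoki code: a toy Python model of the lockout rollback described in the message above, comparing a failure counter kept in copyable on-disk state with one kept where a file restore cannot reach it. The class, field names, threshold and PINs are all constructed; nothing here reflects the real token file formats.

```python
import copy
import hashlib
import hmac

MAX_TRIES = 3  # constructed lockout threshold


def _digest(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


class ToyToken:
    """Constructed model of a PIN-protected token; not opencryptoki's format."""

    def __init__(self, pin: str, counter_in_chip: bool):
        # 'disk' stands in for token files that can be copied and restored.
        self.disk = {"pin_digest": _digest(pin), "failures": 0}
        # '_chip_failures' stands in for state held inside the hardware.
        self._chip_failures = 0
        self.counter_in_chip = counter_in_chip

    def _failures(self) -> int:
        return self._chip_failures if self.counter_in_chip else self.disk["failures"]

    def _set_failures(self, n: int) -> None:
        if self.counter_in_chip:
            self._chip_failures = n
        else:
            self.disk["failures"] = n

    def login(self, pin: str) -> str:
        if self._failures() >= MAX_TRIES:
            return "locked"
        ok = hmac.compare_digest(_digest(pin), self.disk["pin_digest"])
        self._set_failures(0 if ok else self._failures() + 1)
        return "ok" if ok else "bad"


def guesses_checked_despite_restore(token: ToyToken, guesses) -> int:
    """Count guesses that get a real verdict when disk state is restored after each try."""
    snapshot = copy.deepcopy(token.disk)
    checked = 0
    for guess in guesses:
        verdict = token.login(guess)
        if verdict == "locked":
            break
        checked += 1
        if verdict == "ok":
            break
        token.disk = copy.deepcopy(snapshot)  # roll the files back
    return checked
```

With the counter on disk, every guess in the list is evaluated; with the counter in the chip, evaluation stops at MAX_TRIES regardless of what is restored.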