The signature for a PCR quote is made using an AIK, a 2048 bit RSA key.
Sealing would be done using a 2048 bit RSA storage key. The difference is
that sealed data can only be unsealed using the same TPM that performed the
seal operation - worthless if you don't trust the OS used to perform the
seal. An AIK is a key that the TPM will only use for a very limited number
of operations, and cannot be used to sign anything that resembles a PCR
quote except for an actual PCR quote covering the actual values of the PCRs
stored in the TPM. Faking an AIK signature would require breaking RSA
encryption, or at the very least, finding a SHA-1 collision covering some
faked PCR data. Either way, a system capable of performing that within a
few seconds of a system requesting an attestation (and also covering the
randomly generated nonce used in that operation) would be capable of things
that not even the most powerful supercomputers on earth are currently
capable of. If that's what you're trying to overcome, a TPM is not the tool
to be leveraging. As stated in an earlier message on this thread, it would
be much easier for an attacker to somehow overcome the CRTM (an immutable
system component) and intercept all PCR extends from system boot. That
would be an extremely unlikely event to occur, requiring an attacker with a
level of sophistication that is beyond the protection profile of the TPM,
and well beyond the scope of this discussion. In short, the AIK signature
of a PCR quote is as trustworthy a mechanism as you're going to get from
anything on a PC.
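To make concrete what a relying party actually checks when it trusts an AIK-signed quote, here is an added example (written for this page, not code from the thread or from TrouSerS). It rebuilds the TPM 1.2 TPM_QUOTE_INFO over the reported PCR values and the verifier's own nonce, checks the AIK's PKCS#1 v1.5/SHA-1 signature with pure-Python RSA, and only then compares the PCRs with golden values, so a replayed quote or a tampered PCR report is rejected. The AIK is a toy key built from fixed Mersenne primes so the script runs offline; all PCR values, the nonce and the function names are constructed for the demo.

```python
import hashlib, os, struct
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo prefix for SHA-1
# Toy AIK from fixed Mersenne primes so the demo runs offline; a real AIK is a 2048-bit RSA key made inside the TPM.
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
AIK_PUB = (_P * _Q, _E)
AIK_PRIV = (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))

def pcr_composite_hash(pcrs):
    """SHA-1 of TPM_PCR_COMPOSITE: 3-byte PCR selection bitmap, value size, PCR values in index order."""
    sel = bytearray(3)                                     # TPM 1.2 has 24 PCRs
    for i in pcrs:
        sel[i // 8] |= 1 << (i % 8)
    values = b"".join(pcrs[i] for i in sorted(pcrs))
    composite = struct.pack(">H", 3) + bytes(sel) + struct.pack(">I", len(values)) + values
    return hashlib.sha1(composite).digest()

def quote_info(pcrs, nonce):
    """TPM_QUOTE_INFO: version 1.1.0.0, fixed tag 'QUOT', composite hash, 20-byte verifier nonce."""
    return b"\x01\x01\x00\x00QUOT" + pcr_composite_hash(pcrs) + nonce

def emsa_pkcs1_v15(msg, k):
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def tpm_quote(aik_priv, pcrs, nonce):
    """Simulated TPM_Quote: the AIK private key only ever signs a TPM_QUOTE_INFO structure."""
    n, d = aik_priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(quote_info(pcrs, nonce), k), "big"), d, n).to_bytes(k, "big")

def verify_quote(aik_pub, golden_pcrs, nonce, reported_pcrs, reported_nonce, sig):
    """Verifier side: nonce freshness, then the AIK signature, then comparison with golden values."""
    if reported_nonce != nonce:                            # replayed or foreign quote
        return False
    n, e = aik_pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em != emsa_pkcs1_v15(quote_info(reported_pcrs, reported_nonce), k):
        return False                                       # PCR values or nonce altered after signing
    return all(reported_pcrs.get(i) == v for i, v in golden_pcrs.items())

def demo():
    """Constructed PCR values; verdicts for a genuine quote, a replayed quote and a tampered report."""
    golden = {0: hashlib.sha1(b"CRTM+BIOS").digest(), 7: hashlib.sha1(b"bootloader").digest()}
    nonce = os.urandom(20)
    sig = tpm_quote(AIK_PRIV, golden, nonce)
    tampered = {**golden, 7: hashlib.sha1(b"rootkit bootloader").digest()}
    return (verify_quote(AIK_PUB, golden, nonce, golden, nonce, sig),
            verify_quote(AIK_PUB, golden, os.urandom(20), golden, nonce, sig),
            verify_quote(AIK_PUB, golden, nonce, tampered, nonce, sig))
```

demo() returns (True, False, False): only the quote whose nonce matches and whose signed composite covers the golden PCRs is accepted.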
On Nov 12, 2014 10:09 PM, "Mike Pontillo" <[email protected]> wrote:
> My $0.02,
>
> It might be better to use the TPM to perform a "seal" operation on some
> key data needed for the system to operate (that is, seal it to a known
> good PCR value). If an attacker can forge a PCR read, it's likely that s/he
> could also cause the system to believe that an invalid signature is
> actually valid.
>
> Regards,
> Mike
>
> From: David Li <[email protected]>
> Date: Wednesday, November 12, 2014 at 7:24 PM
> To: Luigi Semenzato <[email protected]>
> Cc: trousers-users <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [TrouSerS-users] System boot integrity check with TPM
>
>
> I think there might be two aspects of the issue.
>
> My understanding is first the OS reporting PCR values has to be trustable.
> It's typically on a separate machine in a secure site or a specially built
> kernel image stored on a tamper-proof card that can be plugged in when
> necessary.
>
> Secondly the PCR values would be reported back together with a signature
> signed by the AIK (private key) inside the TPM so the secure OS can verify
> it.
>
> These two conditions combined would allow a user to verify the reporting.
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users