TPM2 AK activation/validation seems unnecessarily complicated #98
Comments
|
I agree we could probably eliminate the self-certify and still get the security properties we want. A few things:
While we don't support it now, self-certification can include extra data, which can become a nonce to prove the AK was created for a specific purpose / CA (as opposed to re-using an existing AK). I didnt plan on using the other data, as it would be obfuscated for keys not produced under the endorsement hierarchy. |
Interesting. Is this publicly documented anywhere, or just details reverse engineered through using it? (I've tried looking at Microsoft's documentation about TPMs, but it often seems very high-level and abstract; I'd love if they had any detailed documentation explaining secure TPM usage that I could peruse.)
Oops, yes, I meant TPM2_CertifyCreation. (Wouldn't be able to trust the TPMS_CREATION_DATA otherwise!)
Ack. I was considering that. I'm just not sure I can envision why the server would be concerned about AK reuse. Maybe I'm not being creative enough though. If long-lived, reused RSA 2048 / NIST P-256 keys are a security risk, then EKs are probably about as compelling of a target as AKs. Admittedly, an attacker who successfully compromises an activated AK is one step ahead of an attacker who only compromises an EK, as the EK-attacker will first need to use the compromised EK to enroll a compromised AK. (Maybe I'm underestimating how hard this would be to do undetected.) There's a privacy concern regarding AK reuse, but this is probably something the client has to be more concerned about rather than the server anyway. E.g., the server can't guarantee that its own AKs aren't mistakenly reused for some other purpose, nor can it prevent the client from intentionally correlating multiple AKs that it controls.
Fair point. I was assuming if you really did want/need that data, that you would just create the AK within the endorsement hierarchy, and then require appropriate endorsement authorization. But maybe that's not an option? |
The only documentation available that I've found is the pdf in a github repository: https://github.com/microsoft/TSS.MSR/blob/9fb1fac9ee6b7ee2dfe8040069ae68e09d948d0d/PCPTool.v11/Using%20the%20Windows%208%20Platform%20Crypto%20Provider%20and%20Associated%20TPM%20Functionality.pdf
I haven't cared enough to implement it, but my guess is a nice separation of concerns.
Yepp, but for windows we would need to implement delegate authorization and read the authorization value out of an undocumented registry key. |
|
From what I can tell, with this change AK activation should be possible with just the EK certificate and AK public key on both TPM 1.2 and 2.0. Does that sound right? |
|
@brandonweeks I'm not really familiar with TPM 1.2, sorry. But on TPM 2.0 at least, the server still needs the AK's TPM2B_PUBLIC structure (which contain's the AK's public key), since that's (1) how you compute the Name to use with TPM2_MakeCredential, and (2) how you verify that its attributes are appropriate (e.g., that it's restricted, non-exportable, and TPM-generated). However, if the server wants to force the client to generate a new AK (which Microsoft at least seems to think is valuable, but I'm still unclear on), you need the TPM2_CertifyCreation data. |
|
Sorry for the delay, forgot to respond and realised when looking at a different change.
No. We would need to know the version of the TPM, and whether to use the tcsd credential activation format. While we could eliminate checking of the self-certify to simplify this flow, I'm not a huge fan of removing the requirement for the client to ship |
|
I've been trying to use go-attestation for the server side only, and the validation of the CertifyCreation values during the Your sample and the NewAK function creates a key in the storage hierarchy if I'm not mistaken. The example I'm working on (in TSS.Net) deals with a key in the Endorsement hierarchy (which is what I require) and is also a primary key, so I don't think it can't be used for the CertifyCreation call (or I'm new enough to TPM behavior that I'm making some fundamental mistakes). Should I be able to use CertifyCreation in this case (and have issues in my client) or is what I'm trying to do incompatible with this implementation? |
|
Correct on usage of the storage hierarchy. Two main reasons:
Creating an AK under the endorsement hierarchy is valid. Im 90% sure that creating a restricted primary key under the endorsement hierachy is also valid. As for your other questions, do you mind opening a new issue? It might be helpful if you can share the errors your encountering and possibly some blobs of the values of |
|
There's probably no need to make a new issue as I don't have anything for From the sounds of your comment I should be able to even with a primary endorsement key, so I've probably got issues on my client code. Example code I'm working from doesn't make the call and the "server side" code in the example doesn't do the same kind of validation. Should be fine once I get that working then. Thanks. |
Currently TPM2 clients generate an AK and then self-certify using TPM2_Certify.
But I don't think the self-certification is currently serving any purpose:
As far as I can tell, if
att.AttestedCreationInfo.Name.DigestingenerateChallengeTPM20was replaced withtpm2.DecodePublic(p.AIK.Public).Name().Digest, thenp.AIK.CreateDataandp.AIK.CreateAttestationcan be removed entirely without losing any security properties.But maybe I'm missing something, or there are plans to eventually utilize more of the attestation data. E.g., maybe firmwareVersion is useful to log in case it's discovered that some TPM firmware versions had key generation vulnerabilities (e.g., ROCA for RSA keys, or Yubikey's FIPS RNG goofup affecting both RSA and ECC keys); though in that case, you probably need to re-generate (and re-certify) the EK too, so I'm not sure the AK is your biggest concern.
The text was updated successfully, but these errors were encountered: