From: Russ F. <rus...@ho...> - 2008-04-10 02:57:51
Is there a way using the TPM to enforce "sign-once" semantics, or if not that, usage counting to tell me how many times a key was used for signing?

I can think of a crude way that involves monotonic counters and some precreated set of N keys. Each time a key needs to be used, the monotonic counter has to be set to a value. Once that key is used, I can lock it by incrementing the counter, which would in turn unlock the next key in the sequence. That's kind of not what I want, because then I have to have keys available in a certain sequence and also I'd be relying on an external entity to increment the monotonic counter.

What would be better is if the TPM can keep a count of how many times a signing operation was performed using some key. Even better yet would be if there were a way to tell the TPM at key creation time to only allow some key to be used a certain number of times, then forever refuse to use that key again. The important part is that I want the TPM hardware to do the counting, or enforce the usage. I could even do this if there were a general counter that counted all cryptographic calls made of the TPM, regardless of what kind of operation took place.

Thanks,
Russ
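The counter-gated key sequence Russ sketches, modelled as an added example (not code from the message, from TrouSerS, or from any TPM stack). The model is a hypothetical `CounterGatedTPM` class with one monotonic counter and N pre-created keys, where key i is authorised only while the counter reads exactly i; HMAC-SHA256 with constructed secrets stands in for the TPM's RSA signing keys, which is a simplification of this illustration and not TPM behaviour. It also exercises the weakness he points out: the TPM refuses a key whose counter value has passed, but nothing inside the TPM advances the counter, so a caller that skips the increment can keep signing with the same key.

```python
import hashlib
import hmac
import os


class CounterGatedTPM:
    """Minimal model of a TPM holding one monotonic counter and N keys.

    Key i is authorised only while the counter reads exactly i. Because the
    counter only goes up, once it passes i that key is dead for good.
    sign() does NOT advance the counter; that is left to the caller, which
    is exactly the dependency on an external entity the post objects to.
    (Hypothetical model, not a real TPM interface.)
    """

    def __init__(self, n_keys: int) -> None:
        self.counter = 0
        # Constructed secrets that never leave the model; HMAC stands in for
        # the TPM's RSA signing keys (an assumption of this example).
        self._keys = [os.urandom(32) for _ in range(n_keys)]

    def can_use(self, key_index: int) -> bool:
        """True only while the counter sits on the value this key is bound to."""
        return 0 <= key_index < len(self._keys) and self.counter == key_index

    def increment_counter(self) -> int:
        """Monotonic: there is no decrement and no reset."""
        self.counter += 1
        return self.counter

    def sign(self, key_index: int, message: bytes) -> bytes:
        """Refuse unless the counter currently authorises this key."""
        if not self.can_use(key_index):
            raise PermissionError(
                f"key {key_index} is bound to counter value {key_index}, "
                f"but the counter reads {self.counter}"
            )
        return hmac.new(self._keys[key_index], message, hashlib.sha256).digest()

    def verify(self, key_index: int, message: bytes, signature: bytes) -> bool:
        """Verification is not counter-gated; only signing is."""
        expected = hmac.new(self._keys[key_index], message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def sign_once(tpm: CounterGatedTPM, key_index: int, message: bytes) -> bytes:
    """Sign, then immediately retire the key by advancing the counter."""
    signature = tpm.sign(key_index, message)
    tpm.increment_counter()  # locks key_index, unlocks key_index + 1
    return signature


def count_successful_uses(
    tpm: CounterGatedTPM, key_index: int, attempts: int, caller_increments: bool
) -> int:
    """How many times key_index signs over `attempts` tries.

    With a cooperative caller the answer is 1. If the caller skips the
    increment (crash, bug, or malice) the same key signs every time: the
    TPM itself never counted anything, it only compared counter values.
    """
    successes = 0
    for _ in range(attempts):
        try:
            tpm.sign(key_index, b"payload")  # constructed message
        except PermissionError:
            break
        successes += 1
        if caller_increments:
            tpm.increment_counter()
    return successes


if __name__ == "__main__":
    tpm = CounterGatedTPM(3)
    sig = sign_once(tpm, 0, b"release-1")
    print("key 0 signature verifies:", tpm.verify(0, b"release-1", sig))
    print("key 0 usable after increment:", tpm.can_use(0))
    print("key 1 usable after increment:", tpm.can_use(1))
    print("uses with increment:", count_successful_uses(CounterGatedTPM(3), 0, 5, True))
    print("uses without increment:", count_successful_uses(CounterGatedTPM(3), 0, 5, False))
```

The two `count_successful_uses` runs are the point of the model: the hardware-enforced part is only the refusal once the counter has moved past a key's bound value, while the "once" itself depends entirely on the software that drives the counter.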