From: Hal F. <hal...@gm...> - 2010-01-20 19:04:21
Hi Amruta - answers inline:

On Sun, Jan 17, 2010 at 3:07 PM, Amruta Gokhale <amr...@gm...> wrote:

> Thank you for pointing me to a very useful description about the
> verification of quote operation.
>
> I am sorry about asking doubts on an old thread, but I still have two
> questions:
>
> 1) The verifier should have the RSA public signing key for verifying the
> signature over the rgbData buffer. So is it okay if the prover (or the
> attesting party) sends the public key to the verifier? Will this be in
> accordance with the IMA protocol?
> Since the prover creates a new key pair each time via Tspi_Key_CreateKey(),
> I suppose the only way for the verifier to know this public key is by
> receiving it from the prover. Or is there another way?

I think generally you are right, the prover will generate the RSA signing key and will distribute it. He may send it directly to the verifier or he may publish it in some form, to make it available to other verifiers for example. It depends on how many provers and verifiers you would envision in the system.

> 2) It follows from (1) above that there should be a central authority (CA)
> to verify the key.
> The communication with the CA would incur more work, both for the prover
> and verifier.
> Is there a more efficient way than this to implement?

Yes, the TCG assumes that AIKs suitable for issuing Quote operations would be verified by a CA which they call a Privacy CA. TPMs implement a protocol that lets a CA verify that a particular key is controlled by a TPM. This protocol allows the Privacy CA to issue a certificate on the AIK certifying that it is a valid TPM key.

It is true that this may incur more work. However, if the key is used many times, perhaps by many verifiers, it can be more efficient to just have the key checked once using the TPM protocol (which is rather complicated). As long as everyone trusts the Privacy CA then it is quick and easy to verify the certificates it issues and know that the Quote signing key is a valid TPM key.

It is also possible for verifiers and signers to run the TPM protocol directly between themselves, in order to prove that the AIK is a real TPM key. This way no one has to trust the Privacy CA.

I wrote some code to illustrate these two possibilities which is available from http://www.privacyca.com/code.html.

Hal Finney
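The verifier-side check discussed in this message, as an added example that is not part of the original post and is not the code published at privacyca.com: it verifies the signature over rgbData with the public key the prover sent, then checks the nonce and PCR composite inside it. The function names, the toy key and the sample values are assumptions made for illustration; the 48-byte TPM_QUOTE_INFO layout and the PKCS#1 v1.5/SHA-1 signature scheme are those of TPM 1.2.

```python
import hashlib

# Constructed, insecure demo key built from two Mersenne primes. It stands in
# for the AIK only so the example runs offline; a real AIK lives in the TPM.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                      # modulus length in bytes
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15_sha1(msg, k):
    # PKCS#1 v1.5 encoding: 00 01 FF..FF 00 || DigestInfo(SHA-1(msg))
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def quote_info(composite_hash, nonce):
    # TPM_QUOTE_INFO: version 1.1.0.0, "QUOT", PCR composite digest, nonce
    return bytes([1, 1, 0, 0]) + b"QUOT" + composite_hash + nonce

def demo_sign(msg):
    # Hypothetical stand-in for the TPM's Quote signature (prover side)
    em = int.from_bytes(emsa_pkcs1_v15_sha1(msg, K), "big")
    return pow(em, D, N).to_bytes(K, "big")

def verify_quote(n, e, rgb_data, signature, nonce, expected_composite):
    # 1. Signature over rgbData, checked by re-encoding and comparing
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return "bad signature"
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if em != emsa_pkcs1_v15_sha1(rgb_data, k):
        return "bad signature"
    # 2. rgbData must be a TPM_QUOTE_INFO carrying this verifier's values
    if len(rgb_data) != 48 or rgb_data[:8] != b"\x01\x01\x00\x00QUOT":
        return "not a TPM_QUOTE_INFO"
    if rgb_data[28:48] != nonce:
        return "stale nonce"
    if rgb_data[8:28] != expected_composite:
        return "unexpected PCR state"
    # "ok" proves possession of the private key only; that the key is a TPM
    # AIK still needs the Privacy CA certificate or the direct TPM protocol.
    return "ok"
```

A result of "ok" from `verify_quote` says nothing about where the key came from, which is the gap the Privacy CA certificate or the direct TPM protocol fills.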