From: chloé F. <fou...@gm...> - 2010-08-23 16:18:45
|
Hi, Rajiv, you told me that it is possible to sign non-migratable keys with an AIK, but I can't find the method in the TSS Specifications that allows that. Is it possible to decrypt an external data using the endorsement key or an AIK ? If yes, how can we do that ? I'm doing an attestation of a platform between an attesting system and a verifier. I use CollateId and ActivateId to have a credential for my new AIK, but how can the verifier can be sure that this AIK comes from the TPM ? Is it because it sends back a credential partially encrypted with the public endorsement key of the attesting system and that the latter will verify that the key suggested in the ActivateId method is a good AIK before decrypting the credential ? After that I use Quote to send to the verifier my PCR values. But then I would like that the verifier could be able to send a data to the attesting system and be sure that it will only be open by the tpm of the attesting system, how is it possible ? Need I to create a migratable key and send the public part to the verifier ? The problem is that the verifier only trust the AIK of the attesting system for the moment... and I would like something like a session key that will encrypt data, whose private key will be stored in the tpm and that can prove it to the verifier. Last thing, Ariel you told me that a tag is present in the data structure when we verify a signature but I can't find it in the Structures specifications, could you be a bit more precise please ? Thanks for your help Chloe |