Re: [TrouSerS-users] Signature with AIK

[chloé F. <fou...@gm...>]

Hi,
Rajiv, you told me that it is possible to sign non-migratable keys with an
AIK, but I can't find the method in the TSS Specifications that allows that.

Is it possible to decrypt an external data using the endorsement key or an
AIK ? If yes, how can we do that ?

I'm doing an attestation of a platform between an attesting system and a
verifier. I use CollateId and ActivateId to have a credential for my new
AIK, but how can the verifier can be sure that this AIK comes from the TPM ?
Is it because it sends back a credential partially encrypted with the public
endorsement key of the attesting system and that the latter will verify that
the key suggested in the ActivateId method is a good AIK before decrypting
the credential ?

After that I use Quote to send to the verifier my PCR values. But then I
would like that the verifier could be able to send a data to the attesting
system and be sure that it will only be open by the tpm of the attesting
system, how is it possible ? Need I to create a migratable key and send the
public part to the verifier ? The problem is that the verifier only trust
the AIK of the attesting system for the moment... and I would like something
like a session key that will encrypt data, whose private key will be stored
in the tpm and that can prove it to the verifier.

Last thing, Ariel you told me that a tag is present in the data structure
when we verify a signature but I can't find it in the Structures
specifications, could you be a bit more precise please ?

Thanks for your help

Chloe