Re: [TrouSerS-users] A Question about attestation using TPM

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Hal, 
 I read your response on some one else's query about the same issue. So there is no need 
for you to write to me again. 

But the question now is if some of the manufacturers are not issuing certs for EK, what should be
done in that case regarding attestation? Also, how to find out of Broadcom has a certificate available? Should I just use the
program you wrote to get the EK cert and see if it returns something valid?

Thanks.
-Abhishek.

----- Original Message ----
From: Abhishek Chaturvedi <abh...@ya...>
To: Hal Finney <hal...@gm...>
Cc: trousers <tro...@li...>
Sent: Tuesday, November 27, 2007 12:34:26 PM
Subject: Re: [TrouSerS-users] A Question about attestation using TPM

Hi Hal, 
 I hope you had a wonderful thanksgiving. 

Once again I have a question regarding your response.
In your last email you said: 
 "As far as the AIK specifically, here is the intended lifetime usage
model. The AIK is created as part of an interaction with a Privacy CA.
The TPM system sends the AIK public part and the Endorsement
Credential plus whatever other credentials are available to the PCA.
On this basis the PCA creates an AIK Credential and sends it back to
the TPM system, encrypted to the Endorsement Key. The TPM decrypts
that data and the application stores the AIK Credential.
 Note that
Trousers does not provide any facilities to store this credential.
This will have to be stored in a disk file somewhere and is the
responsibility of the application. As above, the AIK itself has to be
stored as well."

Unfortunately, when I call Tspi_CollateIdentityRequest, it gives me 
TPM_IDENTITY_PROOF data structure (after decrypting twice, once with CA.priv 
and then with symKey, which is part of TPM_IDENTITY_REQ structure). The proof 
structure must contain the endorsement credential which can be used in the above
step as you mentioned. 
However, as I see the endorsement credential that I get from calling this function is NULL.
size is 0. 

Is there something else that I need to do as a setup part? When I investigate the trousers library, I see that  
these credentials can be set using Tspi_SetAttribData with appropriate flags. But how will the user know 
what credentials to set? Shouldnt
 this credential be persistent within the TPM? installed by the manufacturer? 

I am using a Dell D420 which has a TPM 1.2 from Broadcom. I took the ownership using
tpm_takeownership and thats about it. I have also cleared the TPM once from the BIOS 
interface. 

Also, none of the TPM related specs mention what is the structure for TPM_ENDORSEMENT_CREDENTIAL.
Do you know what is it? I ask this because the Endorsement public key needed for the above step (that you mentioned)
is a part of Endorsement credential. Otherwise to get the public EK one has to do separate call to TPM.

Thanks once again for your responses in advance. I look forward to hearing from you.

Regards,
-Abhishek.

On Nov 19, 2007 7:00 PM, Abhishek Chaturvedi
 <abh...@ya...> wrote:
>
> Hi Hal,
>  I had another follow up question regarding the attestation using the
 TPM as
> I mentioned before.
>
> I successfully used Tspi_TPM_CollateIdentityRequest to generate an
 AIK and
> pass the public part of the AIK to the CA. (In this case the program
 itself,
> as I generate the
> CA key-pair using openssl's RSA).
>
> I wanted to know how trousers keep track of a generated AIK. Consider
> following scenario.
>
> 1. A verifier asks the host (platform with TPM) to give the public
 portion
> of AIK. This will
> have the host generate an AIK using the above mentioned TSPI API from
 which
> the public portion of AIK can be retrieved
> from the TCPA_IDENTITY_PROOF structure returned. Only verifier (in my
 case,
> I am assuming that the verifier is the CA itself so it will know how
 to get
> the TCPA_IDENTITY_PROOF from the o/p of
 Tspi_TPM_CollateIdentityRequest).
>
> 2. However, at a later point, the verifier wants to ask the host to
 send the
> quote on some PCRs.
>
> In this case, how does the trouser keep track of what key to load for
 AIK?
> This has to be the same key which was generated in step 1 and whose
 public
> portion was returned to the verifier. Ofcourse, the trousers needs to
 do
> something like LoadKey or something on the hIdentKey (which was
 created in
> the step 1. How will trouser keep track of this?
>
>
> Assuming that the 1st and the 2nd step are separate and can be
 executed at
> the verifiers leisure.
>
> Thanks for your answers in advance. I will be happy to provide any
 more
> information that you may think that I have missed above which can
 help you
> better explain me or get the idea of the scenarios that I am talking
 about.
>
> Thanks.
> -Abhishek.

      Never miss a thing.   Make Yahoo your homepage.

      ____________________________________________________________________________________
Be a better pen pal. 
Text or chat with friends inside Yahoo! Mail. See how.  http://overview.mail.yahoo.com/