From: Abhishek C. <abh...@ya...> - 2007-11-27 21:20:42
Hi Hal,

I read your response on someone else's query about the same issue. So there is no need for you to write to me again. But the question now is: if some of the manufacturers are not issuing certs for the EK, what should be done in that case regarding attestation? Also, how to find out if Broadcom has a certificate available? Should I just use the program you wrote to get the EK cert and see if it returns something valid?

Thanks.
-Abhishek.

----- Original Message ----
From: Abhishek Chaturvedi <abh...@ya...>
To: Hal Finney <hal...@gm...>
Cc: trousers <tro...@li...>
Sent: Tuesday, November 27, 2007 12:34:26 PM
Subject: Re: [TrouSerS-users] A Question about attestation using TPM

Hi Hal,

I hope you had a wonderful Thanksgiving. Once again I have a question regarding your response. In your last email you said:

"As far as the AIK specifically, here is the intended lifetime usage model. The AIK is created as part of an interaction with a Privacy CA. The TPM system sends the AIK public part and the Endorsement Credential plus whatever other credentials are available to the PCA. On this basis the PCA creates an AIK Credential and sends it back to the TPM system, encrypted to the Endorsement Key. The TPM decrypts that data and the application stores the AIK Credential. Note that Trousers does not provide any facilities to store this credential. This will have to be stored in a disk file somewhere and is the responsibility of the application. As above, the AIK itself has to be stored as well."

Unfortunately, when I call Tspi_CollateIdentityRequest, it gives me a TPM_IDENTITY_PROOF data structure (after decrypting twice, once with CA.priv and then with symKey, which is part of the TPM_IDENTITY_REQ structure). The proof structure must contain the endorsement credential, which can be used in the above step as you mentioned. However, as I see it, the endorsement credential that I get from calling this function is NULL; its size is 0. Is there something else that I need to do as a setup part?

When I investigate the trousers library, I see that these credentials can be set using Tspi_SetAttribData with appropriate flags. But how will the user know what credentials to set? Shouldn't this credential be persistent within the TPM, installed by the manufacturer? I am using a Dell D420 which has a TPM 1.2 from Broadcom. I took the ownership using tpm_takeownership and that's about it. I have also cleared the TPM once from the BIOS interface.

Also, none of the TPM related specs mention what the structure for TPM_ENDORSEMENT_CREDENTIAL is. Do you know what it is? I ask this because the Endorsement public key needed for the above step (that you mentioned) is a part of the Endorsement credential. Otherwise, to get the public EK one has to do a separate call to the TPM.

Thanks once again for your responses in advance. I look forward to hearing from you.

Regards,
-Abhishek.

On Nov 19, 2007 7:00 PM, Abhishek Chaturvedi <abh...@ya...> wrote:
>
> Hi Hal,
> I had another follow up question regarding the attestation using the TPM as
> I mentioned before.
>
> I successfully used Tspi_TPM_CollateIdentityRequest to generate an AIK and
> pass the public part of the AIK to the CA. (In this case the program itself,
> as I generate the CA key-pair using openssl's RSA).
>
> I wanted to know how trousers keeps track of a generated AIK. Consider the
> following scenario.
>
> 1. A verifier asks the host (platform with TPM) to give the public portion
> of the AIK. This will have the host generate an AIK using the above mentioned
> TSPI API, from which the public portion of the AIK can be retrieved from the
> TCPA_IDENTITY_PROOF structure returned. Only the verifier (in my case, I am
> assuming that the verifier is the CA itself, so it will know how to get the
> TCPA_IDENTITY_PROOF from the o/p of Tspi_TPM_CollateIdentityRequest).
>
> 2. However, at a later point, the verifier wants to ask the host to send the
> quote on some PCRs.
>
> In this case, how does trousers keep track of what key to load for the AIK?
> This has to be the same key which was generated in step 1 and whose public
> portion was returned to the verifier. Of course, trousers needs to do
> something like LoadKey or something on the hIdentKey (which was created in
> step 1). How will trousers keep track of this?
>
> Assuming that the 1st and the 2nd step are separate and can be executed at
> the verifier's leisure.
>
> Thanks for your answers in advance. I will be happy to provide any more
> information that you may think that I have missed above which can help you
> better explain to me or get the idea of the scenarios that I am talking about.
>
> Thanks.
> -Abhishek.
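As an added example (not code from this thread or from TrouSerS itself): a Python parser for the decrypted TPM_IDENTITY_PROOF that reports which credential fields arrived with size 0, the symptom described in the message above. It assumes the field layout of TPM_IDENTITY_PROOF, TPM_PUBKEY and TPM_KEY_PARMS from the TPM 1.2 Structures specification, assumes the two decryptions (asymBlob with the CA private key, symBlob with the recovered session key) have already been done, and the sample blob it builds is constructed, not captured from a TPM.

```python
import struct

# Field order follows the TPM 1.2 Structures spec (TPM_IDENTITY_PROOF, TPM_PUBKEY,
# TPM_KEY_PARMS); all integers are big-endian. Assumption: the buffer is the
# plaintext left after decrypting TPM_IDENTITY_REQ.asymBlob (CA key) and symBlob.
PROOF_FIELDS = ("labelArea", "identityBinding", "endorsementCredential",
                "platformCredential", "conformanceCredential")

def parse_key_parms(buf, off):
    """TPM_KEY_PARMS: algorithmID, encScheme, sigScheme, parmSize, parms."""
    alg, enc, sig, parm_size = struct.unpack_from(">IHHI", buf, off)
    off += 12
    return {"algorithmID": alg, "encScheme": enc, "sigScheme": sig,
            "parms": buf[off:off + parm_size]}, off + parm_size

def parse_pubkey(buf, off):
    """TPM_PUBKEY: TPM_KEY_PARMS followed by TPM_STORE_PUBKEY (keyLength, key)."""
    parms, off = parse_key_parms(buf, off)
    key_len = struct.unpack_from(">I", buf, off)[0]
    off += 4
    return {"algorithmParms": parms, "key": buf[off:off + key_len]}, off + key_len

def parse_identity_proof(buf):
    """Parse a decrypted TPM_IDENTITY_PROOF into a dict of its fields."""
    ver = tuple(buf[0:4])                       # TPM_STRUCT_VER, 4 bytes
    sizes = struct.unpack_from(">5I", buf, 4)   # one UINT32 size per variable field
    identity_key, off = parse_pubkey(buf, 24)   # identityKey (the AIK public part)
    proof = {"ver": ver, "identityKey": identity_key}
    for name, size in zip(PROOF_FIELDS, sizes):
        proof[name] = buf[off:off + size]
        off += size
    if off != len(buf):
        raise ValueError("trailing bytes or truncated TPM_IDENTITY_PROOF")
    return proof

def missing_credentials(proof):
    """Credential fields present with size 0; an empty endorsementCredential means
    the Privacy CA has nothing to check the EK against."""
    return [n for n in PROOF_FIELDS[2:] if len(proof[n]) == 0]

def build_identity_proof(ek_cred=b"", label=b"aik-1", pubkey=b"\x00" * 256):
    """Constructed sample (not real TPM output): serialise a minimal TPM_IDENTITY_PROOF."""
    rsa_parms = struct.pack(">III", 2048, 2, 0)  # TPM_RSA_KEY_PARMS, default exponent
    # TPM_ALG_RSA, TPM_ES_NONE, TPM_SS_RSASSAPKCS1v15_SHA1 (an identity/signing key)
    key_parms = struct.pack(">IHHI", 0x1, 0x1, 0x2, len(rsa_parms)) + rsa_parms
    binding = b"\x00" * 256                      # placeholder identityBinding signature
    return (b"\x01\x01\x00\x00"
            + struct.pack(">5I", len(label), len(binding), len(ek_cred), 0, 0)
            + key_parms + struct.pack(">I", len(pubkey)) + pubkey
            + label + binding + ek_cred)
```

Running `missing_credentials(parse_identity_proof(blob))` on a real decrypted proof tells you immediately whether the TSS included an EK credential or whether it still has to be supplied to the key object beforehand.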