From: Russ F. <rus...@ho...> - 2008-04-10 02:57:51
|
Is there a way using the TPM to enforce "sign-once" semantics, or if not that, usage counting to tell me how many times a key was used for signing?

I can think of a crude way that involves monotonic counters and some precreated set of N keys. Each time a key needs to be used, the monotonic counter has to be set to a value. Once that key is used, I can lock it by incrementing the counter, which would in turn unlock the next key in the sequence. That's kind of not what I want, because then I have to have keys available in a certain sequence and also I'd be relying on an external entity to increment the monotonic counter.

What would be better is if the TPM can keep a count of how many times a signing operation was performed using some key. Even better yet would be if there were a way to tell the TPM at key creation time to only allow some key to be used a certain number of times, then forever refuse to use that key again. The important part is that I want the TPM hardware to do the counting, or enforce the usage. I could even do this if there were a general counter that counted all cryptographic calls made of the TPM, regardless of what kind of operation took place.

Thanks,
Russ |
From: Russ F. <rus...@ho...> - 2008-04-10 03:02:55
|
[sorry for repeats, but I'm getting bounces for some messages...]

Is there a way using the TPM to enforce "sign-once" semantics, or if not that, usage counting to tell me how many times a key was used for signing?

I can think of one way that involves monotonic counters and some precreated set of N keys. Each time a key needs to be used, the monotonic counter has to be set to a value. Once that key is used, I can lock it by incrementing the counter, which would in turn unlock the next key in the sequence. That's kind of not what I want, because then I have to have keys available in a certain sequence and also I'd be relying on an external entity to increment the monotonic counter.

What would be better is if the TPM can keep a count of how many times a signing operation was performed using some key. Even better yet would be if there were a way to tell the TPM at key creation time to only allow some key to be used a certain number of times, then forever refuse to use that key again. The important part is that I want the TPM hardware to do the counting, or enforce the usage. I could even do this if there were a general counter that counted all cryptographic calls made of the TPM, regardless of what kind of operation took place.

Thanks,
Russ

PS: This is a personal communication from an account that has keyword-based spam filtering enabled. Please preserve the original subject line when replying. (Adding "Re:" is okay.) |
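The following is an added example, not code from the thread, from TrouSerS, or from any TPM vendor: a small software model of the counter-gated key chain Russ sketches, so the two properties he cares about can be checked concretely. It assumes a monotonic counter that can only be incremented by one and N pre-created keys where key i carries the use policy "counter == i" (the kind of gating TPM 2.0 later exposes as a PolicyNV term over an NV counter index; TPM 1.2 has no such key policy, which is the gap the post is asking about). Signing is stood in for by HMAC-SHA256 over a random per-key secret so the script runs offline; the class and function names are inventions for this example. The second scenario shows the weakness Russ points out: the "once" is only as good as the external caller's promise to increment.

```python
"""Constructed model of the counter-gated key chain from the post.

Not TPM or TrouSerS code. A fake device holds one monotonic counter and
N keys; key i is usable only while the counter reads i. HMAC stands in
for a real private-key signature so this runs with the standard library.
"""
import hashlib
import hmac
import os


class MonotonicCounter:
    """Hardware-style counter: only ever goes up, by one, never resets."""

    def __init__(self):
        self.value = 0

    def increment(self):
        self.value += 1
        return self.value


class GatedKey:
    """A signing key whose use policy is 'counter value == slot'.

    `uses` is bookkeeping kept by this model for inspection; the TPM in
    the post keeps no such count, which is exactly the complaint.
    """

    def __init__(self, slot, counter):
        self.slot = slot
        self.counter = counter
        self.uses = 0
        self._secret = os.urandom(32)  # stand-in for a device-resident private key

    def sign(self, message):
        # Policy check the "hardware" enforces: wrong counter value, key is locked.
        if self.counter.value != self.slot:
            raise PermissionError(
                f"key {self.slot} locked: counter reads {self.counter.value}")
        self.uses += 1
        return hmac.new(self._secret, message, hashlib.sha256).digest()


def make_key_chain(n, counter):
    """Pre-create N keys, each bound to one counter value in sequence."""
    return [GatedKey(i, counter) for i in range(n)]


def sign_once(chain, counter, message):
    """The intended protocol: use the unlocked key, then bump the counter.

    The increment is done by the caller, i.e. the external entity Russ
    does not want to rely on; the device itself never ties the two steps.
    """
    if counter.value >= len(chain):
        raise RuntimeError("key chain exhausted")
    key = chain[counter.value]
    sig = key.sign(message)
    counter.increment()
    return key.slot, sig


def demo_happy_path(n=3):
    """Walk the chain in order; returns (slots used, whether key 0 still works)."""
    counter = MonotonicCounter()
    chain = make_key_chain(n, counter)
    slots = [sign_once(chain, counter, b"msg%d" % i)[0] for i in range(n)]
    try:
        chain[0].sign(b"again")
        key0_reusable = True
    except PermissionError:
        key0_reusable = False
    return slots, key0_reusable


def demo_missed_increment():
    """A caller that signs but never increments: the key is reused freely."""
    counter = MonotonicCounter()
    chain = make_key_chain(2, counter)
    chain[0].sign(b"first")
    chain[0].sign(b"second")  # nothing in the "hardware" stops this
    return chain[0].uses


if __name__ == "__main__":
    print("ordered use:", demo_happy_path())        # ([0, 1, 2], False)
    print("uses without increment:", demo_missed_increment())  # 2
```

Once the counter passes a slot, that key is locked for good, so the chain does give irrevocable lock-out after use; what it does not give is the atomic "sign and then refuse" step, because the increment lives outside the signing call. Any caller (or bug) that skips the increment gets unlimited use of the current key, and the device has no record of how many times it signed.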