From: Anders R. <and...@te...> - 2009-05-21 20:35:29
Dear List;

Although TPMs have been shipping in large quantities in laptop computers, actual adoption has been moderate, to say the least. In the meantime, things like the iPhone have quickly become our closest link to the Internet, making the need for credible authentication solutions imminent. However, there is no PKI provisioning protocol out there (=adopted) that can use a TPM in any verifiably secure way.

Due to that I have begun to develop an authentication-oriented TPM which departs from the 1.2 specification in several aspects:

- Independent of PCR measurements, runs on any platform "as is"
- Attests all components of user-credentials, including PIN policies
- Conventional approach to security and privacy, no DAAs or Privacy CAs

Unlike previous efforts in this space, this "TPM" project is addressing the entire chain, ranging from key-store to required browser enhancements. Since a standardization effort would (easily) take another five years to accomplish, the concept will be introduced in an iterative way as an Open Software and Open Hardware project.

The "alternative" is probably things like:
http://www.trustdigital.com/downloads/TD_EMM_CAC_Pack_101008.pdf
Who wants that???

"Air-tight" provisioning, the basics:
http://webpki.org/papers/keygen2/secure-key-store.pdf

"Air-tight" provisioning, core facility:
http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf

Protocol emulator (not yet fully compliant) but (at least) shows the user experience:
http://keycenter.webpki.org

Initial Open Hardware TPM target:
http://www.atmel.com/dyn/products/tools_card.asp?tool_id=3879
which I hope will become the first true multi-issuer token based on open technology.
[Planned] feature-set at a glance:

- Double-use as a regular USB 2.0 mass memory stick
- 4 MB of key-space
- PKI, OTP, and InfoCards
- Issuer-specific PINs, PUKs, and policies
- Universal credential provisioning and management protocol
- Issuer-separated credential-management through proof-of-issuance signatures
- "Air-tight provisioning" through device attestations

Anders Rundgren
WebPKI.org
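The last two items of the feature list, device attestation of a generated key together with its PIN policy, and issuer-separated management through proof-of-issuance signatures, illustrated as an added example. This is not code from the KeyGen2 project or from the WebPKI.org papers linked above; the message layout, the length-prefixed hashing, the trust store held as a plain map, the device and key identifiers and the PIN-policy string are assumptions made here to show one way such a scheme can be built with standard ECDSA, not the actual protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// digest hashes length-prefixed fields so that different field splits never collide.
func digest(fields ...[]byte) []byte {
	h := sha256.New()
	for _, f := range fields {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func sign(k *ecdsa.PrivateKey, m []byte) []byte { return must(ecdsa.SignASN1(rand.Reader, k, m)) }

// attestTBS is what the attestation key signs: server nonce (freshness), new public key, PIN policy.
func attestTBS(deviceID string, nonce, pubDER []byte, pinPolicy string) []byte {
	return digest([]byte(deviceID), nonce, pubDER, []byte(pinPolicy))
}

// Attestation is the only thing that leaves the device during key generation (assumed layout).
type Attestation struct {
	DeviceID  string
	PubKeyDER []byte
	PINPolicy string
	Sig       []byte
}

type credential struct {
	key    *ecdsa.PrivateKey
	pubDER []byte
	issuer *ecdsa.PublicKey // bound by proof of issuance; nil until provisioned
}

// Device models the key store: private keys never leave it.
type Device struct {
	ID        string
	attestKey *ecdsa.PrivateKey // factory-installed; its public half is known to servers
	creds     map[string]*credential
}

func NewDevice(id string) *Device {
	return &Device{ID: id, attestKey: newKey(), creds: map[string]*credential{}}
}

// GenerateAttestedKey creates a key pair inside the device and attests it.
func (d *Device) GenerateAttestedKey(keyID, pinPolicy string, nonce []byte) *Attestation {
	c := &credential{key: newKey()}
	c.pubDER = must(x509.MarshalPKIXPublicKey(&c.key.PublicKey))
	d.creds[keyID] = c
	sig := sign(d.attestKey, attestTBS(d.ID, nonce, c.pubDER, pinPolicy))
	return &Attestation{DeviceID: d.ID, PubKeyDER: c.pubDER, PINPolicy: pinPolicy, Sig: sig}
}

// BindIssuer verifies the issuer's proof-of-issuance signature over the attested
// public key and records which issuer may manage this credential from now on.
func (d *Device) BindIssuer(keyID string, issuer *ecdsa.PublicKey, proof []byte) bool {
	c, ok := d.creds[keyID]
	if !ok || !ecdsa.VerifyASN1(issuer, digest([]byte(keyID), c.pubDER), proof) {
		return false
	}
	c.issuer = issuer
	return true
}

// DeleteKey honours a management request only if it is signed by the bound issuer.
func (d *Device) DeleteKey(keyID string, nonce, sig []byte) bool {
	c, ok := d.creds[keyID]
	if !ok || c.issuer == nil ||
		!ecdsa.VerifyASN1(c.issuer, digest([]byte("delete"), []byte(keyID), nonce), sig) {
		return false
	}
	delete(d.creds, keyID)
	return true
}

// VerifyAttestation is the server side: recompute the signed data with the nonce the
// server itself issued and check it against the device's trusted attestation key.
func VerifyAttestation(trusted map[string]*ecdsa.PublicKey, a *Attestation, nonce []byte) bool {
	pub, ok := trusted[a.DeviceID]
	return ok && ecdsa.VerifyASN1(pub, attestTBS(a.DeviceID, nonce, a.PubKeyDER, a.PINPolicy), a.Sig)
}

// Demo: one provisioning session, then a delete attempt by a foreign issuer and one
// by the issuer of record. Returns (attestation ok, foreign refused, owner done).
func Demo() (bool, bool, bool) {
	dev := NewDevice("dev-0001") // constructed sample device
	trusted := map[string]*ecdsa.PublicKey{dev.ID: &dev.attestKey.PublicKey}
	issuerA, issuerB := newKey(), newKey()
	nonce := make([]byte, 16)
	must(rand.Read(nonce))
	att := dev.GenerateAttestedKey("key-1", "pin:min-length=6,retries=3", nonce)
	attOK := VerifyAttestation(trusted, att, nonce)
	dev.BindIssuer("key-1", &issuerA.PublicKey, sign(issuerA, digest([]byte("key-1"), att.PubKeyDER)))
	mgmt := digest([]byte("delete"), []byte("key-1"), nonce)
	foreignRefused := !dev.DeleteKey("key-1", nonce, sign(issuerB, mgmt))
	ownerDone := dev.DeleteKey("key-1", nonce, sign(issuerA, mgmt))
	return attOK, foreignRefused, ownerDone
}

func main() { fmt.Println(Demo()) }
```

Two design points worth noting: the server verifies the attestation with the nonce it issued itself rather than one echoed by the device, so a captured attestation cannot be replayed into a later session; and a credential with no bound issuer refuses every management request, so a key that was generated but never provisioned cannot be hijacked by the first issuer to ask.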