From: FADY F. <fad...@ya...> - 2010-10-31 11:05:56
Hello,

Really, thank U again for your support. I love the 15 steps of the suggested protocol, especially when you make some enhancements in the second paper after removing steps 5, 6, and 7. But when I try to implement step 9 of the protocol, neglecting nonce and PCR_INFO, I try the code:

    try {
        // connect to context
        context = new TcTssContextFactory().newContextObject();
        context.connect();

        // use SRK
        TcIRsaKey srk = context.createRsaKeyObject(TcTssConstants.TSS_KEY_TSP_SRK); // loadKey
        TcBlobData srkSecret = TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
        TcIPolicy srkPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, srkSecret);
        srkPolicy.assignToObject(srk);

        // create sign key
        TcIRsaKey mySignKey = context.createRsaKeyObject(
                TcTssConstants.TSS_KEY_SIZE_2048
                | TcTssConstants.TSS_KEY_TYPE_SIGNING
                // | TcTssConstants.TSS_KEY_NON_VOLATILE
                // | TcTssConstants.TSS_KEY_MIGRATABLE
                | TcTssConstants.TSS_KEY_AUTHORIZATION);
        TcBlobData signKeyUsgSecret = TcBlobData.newString("Pass4UseSignKey", false);
        TcIPolicy signKeyUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        signKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, signKeyUsgSecret);
        signKeyUsgPolicy.assignToObject(mySignKey);
        TcBlobData signKeyMigSecret = TcBlobData.newString("Pass4MigSignKey", false);
        TcIPolicy signkeyMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
        signkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, signKeyMigSecret);
        signkeyMigPolicy.assignToObject(mySignKey);
        mySignKey.createKey(srk, null);

        // create unique identifier for later use of the sign key, and load it
        TcTssUuid mySignKeyUUID = TcUuidFactory.getInstance().generateRandomUuid();
        context.registerKey(mySignKey, TcTssConstants.TSS_PS_TYPE_SYSTEM, mySignKeyUUID,
                TcTssConstants.TSS_PS_TYPE_SYSTEM,
                TcUuidFactory.getInstance().getUuidSRK()); // system storage DB storage/system
        Log.info("Sign Key registered in persistance sys storage" + mySignKeyUUID.toString());
        mySignKey.loadKey(srk);

        // create encrypt key
        TcIRsaKey myEncKey = context.createRsaKeyObject(
                TcTssConstants.TSS_KEY_SIZE_2048
                | TcTssConstants.TSS_KEY_TYPE_BIND
                // | TcTssConstants.TSS_KEY_NON_VOLATILE
                // | TcTssConstants.TSS_KEY_MIGRATABLE
                | TcTssConstants.TSS_KEY_AUTHORIZATION);
        TcBlobData encKeyUsgSecret = TcBlobData.newString("Pass4UseEncKey", false);
        TcIPolicy encKeyUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        encKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, encKeyUsgSecret);
        encKeyUsgPolicy.assignToObject(myEncKey);
        TcBlobData encKeyMigSecret = TcBlobData.newString("Pass4MigEncKey", false);
        TcIPolicy encKeyMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
        encKeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, encKeyMigSecret);
        encKeyMigPolicy.assignToObject(myEncKey);
        myEncKey.createKey(srk, null);

        // create unique identifier for later use of the enc key, and load it
        TcTssUuid myEncKeyUUID = TcUuidFactory.getInstance().generateRandomUuid();
        context.registerKey(myEncKey, TcTssConstants.TSS_PS_TYPE_SYSTEM, myEncKeyUUID,
                TcTssConstants.TSS_PS_TYPE_SYSTEM,
                TcUuidFactory.getInstance().getUuidSRK()); // system storage DB storage/system
        Log.info("Enc Key registered in persistance sys storage" + myEncKeyUUID.toString());
        System.out.println(myEncKeyUUID.toString());
        myEncKey.loadKey(srk);

        // using AIK
        TcIRsaKey aikKey = context.loadKeyByBlob(srk, keyblob_);
        TcBlobData aikUsgSecret = TcBlobData.newString(keysecret, false);
        TcIPolicy aikUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, aikUsgSecret);
        aikUsgPolicy.assignToObject(aikKey);
        TcBlobData aikMigSecret = TcBlobData.newString(keysecret, false);
        TcIPolicy aikMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
        aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, aikMigSecret);
        aikMigPolicy.assignToObject(aikKey);

        // signing myEncKey with AIK
        TcBlobData encKeysigned = TcBlobData.newByteArray(myEncKey.getPubKey().asByteArray());
        TcIHash hashForSign = context.createHashObject(TcTssConstants.TSS_HASH_SHA1);
        hashForSign.updateHashValue(encKeysigned);
        System.out.println(encKeysigned);
        System.out.println(hashForSign.toString());
        TcBlobData signature1 = hashForSign.sign(mySignKey); // works fine
        TcBlobData signature2 = hashForSign.sign(aikKey);    // throws the exception

        context.closeContext();
    } catch (TcTssException ex) {
        Log.err(ex);
    }

It works fine using mySignKey but not aikKey; it gives me the "The usage of a key is not allowed" exception. I have seen the TPM Specs, Rev. 103, Part 3, Ch. 13, Signing section, but this does not help me. So how can I sign the encryption key with the AIK? Or is quoting the only way to sign with the AIK private part?

Thanks

________________________________
From: Ronald Tögl <ron...@ia...>
To: tru...@li...
Cc: FADY FADY <fad...@ya...>
Sent: Wed, October 20, 2010 2:40:46 PM
Subject: Re: [Trustedjava-support] How to Encrypt by the private part of AIK

Hello,

On 10/20/2010 02:24 PM, FADY FADY wrote:
> Dear Ronald
> Thank U for your response
>
> My Question is
> If we have two entities 1 and 2 with Keys AIK1 and AIK2 respectively
> can entity 1 sign by AIK1private then encrypt by AIK2public
> so entity 2 decrypt by AIK2private then by AIK1public?

This cannot be done, because AIKs can only sign but not encrypt.

> If this cannot be done, can we make two binding keys where their
> parents are AIK1 and AIK2 respectively, and do by these binding keys
> what we try to do by AIKs in the first question?

Yes. You can implement the scheme presented in
"Securing the Distribution and Storage of Secrets with Trusted Platform Modules" by Paul E. Sevinç, Mario Strasser and David Basin.
http://www.springerlink.com/content/b77jr665x9122q16/

Depending on your use case, you might want to modify it according to
"Formal Analysis of a TPM-Based Secrets Distribution and Storage Scheme" by Toegl, R.; Hofferek, G.; Greimel, K.; Leung, A.; Phan, R.C.-W.; Bloem, R.;
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4709329&tag=1

Have fun,
Ronald

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Secure and Correct Systems       fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at
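
Added example, not part of the original messages and not jTSS code: in TPM 1.2 an AIK signs only TPM-generated structures (TPM_Quote, TPM_CertifyKey), and certifying a key produces a TPM_CERTIFY_INFO blob that carries the nonce and PCR information a receiver should check. The Python below parses that blob and checks those fields; the function names and sample bytes are constructed for illustration, and verification of the AIK's RSA signature over the blob is assumed to happen separately.

```python
import hashlib
import struct

TPM_KEY_BIND = 0x0014     # TPM_KEY_USAGE value of a binding key
FLAG_MIGRATABLE = 0x02    # TPM_KEY_FLAGS bit: key may leave this TPM

def parse_certify_info(blob):
    """Split a TPM 1.2 TPM_CERTIFY_INFO blob (big-endian) into its fields."""
    try:
        _ver, usage, flags, _auth = struct.unpack_from(">4sHIB", blob, 0)
        _alg, _enc, _sig, parm_size = struct.unpack_from(">IHHI", blob, 11)
        off = 23 + parm_size                    # skip TPM_KEY_PARMS.parms
        _parent_pcr, pcr_size = struct.unpack_from(">BI", blob, off + 40)
    except struct.error as exc:
        raise ValueError("truncated TPM_CERTIFY_INFO") from exc
    if off + 45 + pcr_size != len(blob):
        raise ValueError("TPM_CERTIFY_INFO length mismatch")
    return {"usage": usage, "flags": flags,
            "digest": blob[off:off + 20],       # SHA-1 of the certified public key
            "nonce": blob[off + 20:off + 40],   # anti-replay data from the verifier
            "pcr_info": blob[off + 45:]}        # empty if the key has no PCR binding

def check_certified_bind_key(blob, modulus, expected_nonce, require_pcr=True):
    """Return the reasons to reject the certified key; an empty list means accept."""
    f = parse_certify_info(blob)
    problems = []
    if f["usage"] != TPM_KEY_BIND:
        problems.append("not a binding key")
    if f["flags"] & FLAG_MIGRATABLE:
        problems.append("key is migratable")
    if f["digest"] != hashlib.sha1(modulus).digest():
        problems.append("certificate is for a different public key")
    if f["nonce"] != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    if require_pcr and not f["pcr_info"]:
        problems.append("key is not bound to PCR values")
    return problems

def build_sample(modulus, nonce, usage=TPM_KEY_BIND, flags=0, pcr_info=b""):
    """Constructed sample blob for the demo; a real one is produced by the TPM."""
    rsa_parms = struct.pack(">III", 2048, 2, 0)   # keyLength, numPrimes, default exponent
    key_parms = struct.pack(">IHHI", 1, 3, 1, len(rsa_parms)) + rsa_parms
    head = struct.pack(">4sHIB", b"\x01\x01\x00\x00", usage, flags, 1)
    tail = struct.pack(">BI", 0, len(pcr_info)) + pcr_info
    return head + key_parms + hashlib.sha1(modulus).digest() + nonce + tail

if __name__ == "__main__":
    modulus, nonce = bytes(range(256)), b"\x11" * 20   # constructed stand-ins
    print(check_certified_bind_key(build_sample(modulus, nonce), modulus, nonce))
```

With `require_pcr=False` the check accepts a certificate without PCR information, which corresponds to leaving PCR_INFO out as the post does.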