[Trustedjava-support] Encrypting the private part of an RSA key

[<Fed...@ff...>]

Hi,

I am new here and I have only recently started reading up on trusted
computing and TPM for a project I am part of.

I think I got all the basics, but now that I am entering more technical
details, I find all my books and sources are not enough any more.

That is why I have starting looking at your implementation of the TSS
(which I plan to use soon to implement some ideas) and  why I am posting
here, since whoever implemented something like this, must have a very
good and practical knowledge of the specifications J

The question I have is about how asymmetric keys are stored securely
outside the TPM.

As far as I understand, AIK or Storage keys are asymmetric pairs of keys
and are stored outside the TPM in a secure way protected by their parent
key.

I guess this means that the private part of these keys must be
encrypted, and in particular it should be encrypted with the SRK or 

other parent storage keys, which are also asymmetric. So how is this
done? By encrypting the private part of a key with the public part of
its parent key (possibly the SRK itself)?

If so, isn't a private key too big to fit in one RSA encrypted block?
Does it have to be split in smaller blocks first? If so how (is there a
standard) ?

Reading your Javadoc I found at least two methods that return an
encrypted private key (TspCreateWrapKey_Internal), so I hope you can
help me out with this. 

 

This question is bugging me since in the book "A practical guide to
trusted computing" there is a whole section dedicated to how big a
symmetric key can be to be encrypted by a binding (asymmetric) key,

but there does not seem to be a problem to encrypt potentially big
private keys instead.

 

Thanks for any answer!

 

Federico Mancini