trustedjava-support — Trusted Java General Support

Re: [Trustedjava-support] Manage multiple TPM instances

[Ronald T. <ron...@ia...>]

Hi Sebastian,

 From the architectural point of view, you should use separate instances 
of the TCS service for each TPM instance. You can then discern them by 
using different port numbers for the SOAP interface.

Practically, there is a bug in the Soap Binding implementation so that 
it will ignore your selection in TCIContext.connect("<hostname>") and 
will just use the settings from the .ini file. :-/

Do you need to call to several TPMs from the same JVM process/Class 
Loader hierarchy? Else, you can just use one app for each TPM and set it 
in the ini file.

hth,
Ronald




On 01/24/2011 01:14 PM, Sebastian Luft wrote:
> Hi List,
> I'm using a custom written TDDL implementation to be able to connect
> to multiple software TPM instances. I am currently using the
> TcTcsProperties class to set an instance ID property which the TDDL
> can read out to know which TPM to connect to. The problem is that the
> TcTcsProperties class is designed as singleton so I cannot use it to
> manage multiple TDDL connections.
> Is jTSS even designed to work with multiple TPM devices (software
> emulators)? Any Idea on how to be able to pass an ID over to TCS so it
> knows which TPM device to talk to?
> Kind regards, Sebastian.

-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] Manage multiple TPM instances

[Sebastian L. <seb...@gm...>]

Hi List,
I'm using a custom written TDDL implementation to be able to connect
to multiple software TPM instances. I am currently using the
TcTcsProperties class to set an instance ID property which the TDDL
can read out to know which TPM to connect to. The problem is that the
TcTcsProperties class is designed as singleton so I cannot use it to
manage multiple TDDL connections.
Is jTSS even designed to work with multiple TPM devices (software
emulators)? Any Idea on how to be able to pass an ID over to TCS so it
knows which TPM device to talk to?
Kind regards, Sebastian.

Re: [Trustedjava-support] Using jTSS with multiple instances of TPM emulator

[Martin P. <Mar...@ia...>]

Hi...

On 01/20/11 11:44, Sebastian Luft wrote:
> I'm trying to get jTSS to work with multiple instances of TPM emulator
> (http://tpm-emulator.berlios.de/index.html). Is it even possible to do
> so?

> Any Ideas on how to get it going?

The TPM target the TCS connects to is a configuration option,
please see the end of jtss_tcs.ini.


HTH,
Martin

[Trustedjava-support] Using jTSS with multiple instances of TPM emulator

[Sebastian L. <seb...@gm...>]

Hi List,
I'm trying to get jTSS to work with multiple instances of TPM emulator
(http://tpm-emulator.berlios.de/index.html). Is it even possible to do
so?
With only one instance, jTSS and TPM emulator can easily communicate
though the character device /dev/tpm beeing provided by the kernel
module tpmd_dev. But you can always only have one device there
(AFAIK), communicating to only one (the first?) instance.
Also, jTSS doens't support connecting to the unix domain socket at
/var/run/tpm/tpmd_socket:0.
Any Ideas on how to get it going?
Greetings, Sebastian.

BTW: I'm using Ubuntu 10.04.

Re: [Trustedjava-support] IMA Measurement list Verification problem

[Martin P. <Mar...@ia...>]

Syed Luqman Shah wrote:
> I am using jTSS for remote attestation protocol implementation. But getting
> problem in measurement list verification.
> Composite hash of measurement list sent by Attesting party does not match
> with the sent PCR value in quote operation.
> How should I calculate the composite hash of measurement list?

We never tried to recalculate IMA measurements.
The authorative source to look how IMA does the measurements are the
kernel sources at /security/integrity/ima/...

HTH,
Martin

[Trustedjava-support] IMA Measurement list Verification problem

[Syed L. S. <08m...@se...>]

I am using jTSS for remote attestation protocol implementation. But getting
problem in measurement list verification.
Composite hash of measurement list sent by Attesting party does not match
with the sent PCR value in quote operation.
How should I calculate the composite hash of measurement list?

Re: [Trustedjava-support] How to Sign by the private part of AIK

[Thomas W. <tc...@to...>]

Hi,

Out of curiosity I had a brief look at the paper. It looks like the authors 
actually claim to use an AIK for encryption of arbitrary data. This clearly 
should not be possible with a TPM that conforms to the spec. Maybe they use a 
binding key that was certified with an AIK and just forgot to mention that in 
the paper....

Honestly, I could point you to a number of papers (published at scientific 
conferences) that claim to do all sorts of interesting things with TPMs which 
should not be possible (such as using the EK for data encryption and signing). 
So be careful with what papers claim (even if they are published at peer-
reviewed conferences or workshops).

Bye,
Thomas

On Wednesday 17 November 2010 16:35:09 Ronald Tögl wrote:
> Hello,
> 
> I don't know how the authors of this workshop papers implemented this.
> Please consult the TPM spec on the detailed capabilities of and
> operations using identity keys.
> 
> Regards,
> Ronald
> 
> On 11/17/2010 04:24 PM, FADY FADY wrote:
> > Hello
> > 
> > Thanks A Lot for your support,
> > 
> > Ok, This means AIK is only capable of quote and certify, is this true?
> > But really, I found a paper on IEEE Computer Magazine
> > http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.i
> > eee.org%2Fiel5%2F5319074%2F5319075%2F05319186.pdf%3Farnumber%3D5319186&au
> > thDecision=-203
> > <http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore
> > .ieee.org%2Fiel5%2F5319074%2F5319075%2F05319186.pdf%3Farnumber%3D5319186&
> > authDecision=-203> that speaks about encryption by AIK Public one a
> > remote machine and decryption by AIK private in the key owner machine,
> > this specified in section 3.2 of the paper.
> > The paper is attached in the email.
> > 
> > So is this really can be happened and how?
> > Thanks
> > 
> > ------------------------------------------------------------------------
> > *From:* Ronald Tögl <ron...@ia...>
> > *To:* FADY FADY <fad...@ya...>
> > *Cc:* tru...@li...
> > *Sent:* Mon, November 8, 2010 10:50:36 AM
> > *Subject:* Re: How to Sign by the private part of AIK
> > 
> > Hello,
> > 
> > I was referring to the TPM_CertifyKey resp. TPM_CertifyKey2
> > mechanisms, not quote.
> > 
> > Ronald
> > 
> > On 11/07/2010 02:10 PM, FADY FADY wrote:
> >> Hello,
> >> 
> >> Thank You for your response about my last question.
> >> 
> >> But does that mean the only way to sign myEnkKey by AIK
> >> is to send
> >> 
> >>   quote(aik,pcr,nonce) + myEncKey
> >> 
> >> To the other party
> >> 
> >> Or in general, to sign any data by AIK then encrypt we send
> >> 
> >>   {quote(aik,pcr,nonce) + theDataToBeSigned} all of these encrypted
> >> 
> >> by the other entity encryption key
> >> 
> >> Or there is another Way to sign the myEnkKey by AIK?
> >> 
> >> Thanks, I Really appreciate your help,
> >> Fady

-- 
Thomas Winkler
mail: tc...@to...

Re: [Trustedjava-support] How to Sign by the private part of AIK

[Ronald T. <ron...@ia...>]

Hello,

I don't know how the authors of this workshop papers implemented this. 
Please consult the TPM spec on the detailed capabilities of and 
operations using identity keys.

Regards,
Ronald

On 11/17/2010 04:24 PM, FADY FADY wrote:
> Hello
>
> Thanks A Lot for your support,
>
> Ok, This means AIK is only capable of quote and certify, is this true?
> But really, I found a paper on IEEE Computer Magazine
> http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F5319074%2F5319075%2F05319186.pdf%3Farnumber%3D5319186&authDecision=-203 
> <http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F5319074%2F5319075%2F05319186.pdf%3Farnumber%3D5319186&authDecision=-203>
> that speaks about encryption by AIK Public one a remote machine and 
> decryption by AIK private in the key owner machine, this specified in 
> section 3.2 of the paper.
> The paper is attached in the email.
>
> So is this really can be happened and how?
> Thanks
>
> ------------------------------------------------------------------------
> *From:* Ronald Tögl <ron...@ia...>
> *To:* FADY FADY <fad...@ya...>
> *Cc:* tru...@li...
> *Sent:* Mon, November 8, 2010 10:50:36 AM
> *Subject:* Re: How to Sign by the private part of AIK
>
> Hello,
>
> I was referring to the TPM_CertifyKey resp. TPM_CertifyKey2 
> mechanisms, not quote.
>
> Ronald
>
>
> On 11/07/2010 02:10 PM, FADY FADY wrote:
>> Hello,
>>
>> Thank You for your response about my last question.
>>
>> But does that mean the only way to sign myEnkKey by AIK
>> is to send
>>   quote(aik,pcr,nonce) + myEncKey
>> To the other party
>>
>> Or in general, to sign any data by AIK then encrypt we send
>>   {quote(aik,pcr,nonce) + theDataToBeSigned} all of these encrypted 
>> by the other entity encryption key
>>
>> Or there is another Way to sign the myEnkKey by AIK?
>>
>> Thanks, I Really appreciate your help,
>> Fady
>>
>
>
> -- 
> Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
> Secure and Correct Systems      fax   +43 316/873-5520
> IAI...@ia...
> Graz University of Technologyhttp://www.iaik.tugraz.at
>
>
>


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

Re: [Trustedjava-support] How to Sign by the private part of AIK

[Ronald T. <ron...@ia...>]

Hello,

I was referring to the TPM_CertifyKey resp. TPM_CertifyKey2 mechanisms, 
not quote.

Ronald


On 11/07/2010 02:10 PM, FADY FADY wrote:
> Hello,
>
> Thank You for your response about my last question.
>
> But does that mean the only way to sign myEnkKey by AIK
> is to send
>   quote(aik,pcr,nonce) + myEncKey
> To the other party
>
> Or in general, to sign any data by AIK then encrypt we send
>   {quote(aik,pcr,nonce) + theDataToBeSigned} all of these encrypted by 
> the other entity encryption key
>
> Or there is another Way to sign the myEnkKey by AIK?
>
> Thanks, I Really appreciate your help,
> Fady
>


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] How to Sign by the private part of AIK

[FADY F. <fad...@ya...>]

Hello,

Thank You for your response about my last question.

But does that mean the only way to sign myEnkKey by AIK
is to send 
  quote(aik,pcr,nonce) + myEncKey
To the other party

Or in general, to sign any data by AIK then encrypt we send 
  {quote(aik,pcr,nonce) + theDataToBeSigned} all of these encrypted by the other 
entity encryption key

Or there is another Way to sign the myEnkKey by AIK?

Thanks, I Really appreciate your help,
Fady


      

Re: [Trustedjava-support] How to Encrypt by the private part of AIK

[Ronald T. <ron...@ia...>]

Hello,

This is the correct behavior as the AIK is not meant to sign 
user-provided data.
Use the "certify key" mechanisms instead.

Ronald

On 10/31/2010 12:05 PM, FADY FADY wrote:
> Hello,
>
> Really Thank U again for your support
>
> I love the 15 steps of the suggested protocol, specially when you make 
> some enhancements in the second paper after removing steps 5, 6, and 7.
>
> But when I try to implement step 9 of the protocol neglecting nonce 
> and PCR_INFO, I try the code:-
>
> try {
>           //connect to 
> context**********************************************************************************************
>           context = new TcTssContextFactory().newContextObject();
>           context.connect();
>          
>  //********************************************************************************************************************
>           //use 
> srk***********************************************************************************************************
>           TcIRsaKey srk = 
> context.createRsaKeyObject(TcTssConstants.TSS_KEY_TSP_SRK);//loadKey
>           TcBlobData srkSecret = 
> TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
>           TcIPolicy srkPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>           srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, 
> srkSecret);
>           srkPolicy.assignToObject(srk);
>          
>  //******************************************************************************************************************** 
>
>
>           //create sign 
> key**************************************************************************************************
>           TcIRsaKey mySignKey = context.createRsaKeyObject(
>                     TcTssConstants.TSS_KEY_SIZE_2048
>                   | TcTssConstants.TSS_KEY_TYPE_SIGNING
>                   //    | TcTssConstants.TSS_KEY_NON_VOLATILE
>                   //    | TcTssConstants.TSS_KEY_MIGRATABLE
>                   | TcTssConstants.TSS_KEY_AUTHORIZATION);
>
>           TcBlobData signKeyUsgSecret = 
> TcBlobData.newString("Pass4UseSignKey", false);
>           TcIPolicy signKeyUsgPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>          
>  signKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> signKeyUsgSecret);
>           signKeyUsgPolicy.assignToObject(mySignKey);
>
>           TcBlobData signKeyMigSecret = 
> TcBlobData.newString("Pass4MigSignKey", false);
>           TcIPolicy signkeyMigPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>          
>  signkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> signKeyMigSecret);
>           signkeyMigPolicy.assignToObject(mySignKey);
>
>           mySignKey.createKey(srk, null);
>          
>  //********************************************************************************************************************
>
>           //create uniqe identifier for later use to sign key and load 
> it***************************************************
>           TcTssUuid mySignKeyUUID = 
> TcUuidFactory.getInstance().generateRandomUuid();
>           context.registerKey(mySignKey, 
> TcTssConstants.TSS_PS_TYPE_SYSTEM, mySignKeyUUID,
>                   TcTssConstants.TSS_PS_TYPE_SYSTEM, 
> TcUuidFactory.getInstance().getUuidSRK());//system storage DB 
> storage/system
>           Log.info("Sign Key registered in persistance sys storage" + 
> mySignKeyUUID.toString());
>           mySignKey.loadKey(srk);
>          
>  //********************************************************************************************************************
>
>           //create encrypt 
> key**********************************************************************************************
>           TcIRsaKey myEncKey = context.createRsaKeyObject(
>                     TcTssConstants.TSS_KEY_SIZE_2048
>                   | TcTssConstants.TSS_KEY_TYPE_BIND
>                   //    | TcTssConstants.TSS_KEY_NON_VOLATILE
>                   //    | TcTssConstants.TSS_KEY_MIGRATABLE
>                   | TcTssConstants.TSS_KEY_AUTHORIZATION);
>
>           TcBlobData encKeyUsgSecret = 
> TcBlobData.newString("Pass4UseEncKey", false);
>           TcIPolicy encKeyUsgPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>          
>  encKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> encKeyUsgSecret);
>           encKeyUsgPolicy.assignToObject(myEncKey);
>           TcBlobData encKeyMigSecret = 
> TcBlobData.newString("Pass4MigEncKey", false);
>           TcIPolicy encKeyMigPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>          
>  encKeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> encKeyMigSecret);
>           encKeyMigPolicy.assignToObject(myEncKey);
>
>           myEncKey.createKey(srk, null);
>          
>  //********************************************************************************************************************
>
> //create uniqe identifier for later use to enc key and load 
> it********************************************************
>           TcTssUuid myEncKeyUUID = 
> TcUuidFactory.getInstance().generateRandomUuid();
>           context.registerKey(myEncKey, 
> TcTssConstants.TSS_PS_TYPE_SYSTEM, myEncKeyUUID,
>                   TcTssConstants.TSS_PS_TYPE_SYSTEM, 
> TcUuidFactory.getInstance().getUuidSRK());//system storage DB 
> storage/system
>           Log.info("Enc Key registered in persistance sys storage" + 
> myEncKeyUUID.toString());
>           System.out.println(myEncKeyUUID.toString());
>           myEncKey.loadKey(srk);
>          
>  //********************************************************************************************************************
>
>           //using 
> AIK*********************************************************************************************************
>           TcIRsaKey aikKey = context.loadKeyByBlob(srk, keyblob_);
>
>           TcBlobData aikUsgSecret = TcBlobData.newString(keysecret,false);
>           TcIPolicy aikUsgPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>           aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> aikUsgSecret);
>           aikUsgPolicy.assignToObject(aikKey);
>
>           TcBlobData aikMigSecret = TcBlobData.newString(keysecret,false);
>           TcIPolicy aikMigPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>           aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> aikMigSecret);
>           aikMigPolicy.assignToObject(aikKey);
>          
>  //*********************************************************************************************************************
>
>           //SIGNING myEncKey 
> withAIK***********************************************************************************
>           TcBlobData encKeysigned = 
> TcBlobData.newByteArray(myEncKey.getPubKey().asByteArray());
>           TcIHash hashForSign = 
> context.createHashObject(TcTssConstants.TSS_HASH_SHA1);
>           hashForSign.updateHashValue(encKeysigned);
>           System.out.println(encKeysigned);
>           System.out.println(hashForSign.toString());
>           TcBlobData signature1 = hashForSign.sign(mySignKey);//work fine
>           TcBlobData signature2 = hashForSign.sign(aikKey);//make 
> exception
>          
>  //**********************************************************************************************************************
>           context.closeContext();
>       } catch (TcTssException ex) {
>           Log.err(ex);
>       }
>
>
> It works fine for using mySignKey but not for aikKey,
> It give me The usage of a key is not allowed Exception.
>
> I see The TPM Specs, Rev. 103, Part 3, Ch. 13, Signing Section, but 
> this does not help me.
>
> So
> How can I sign by AIK the Encryption Key?
> Or
> Does the only way to sign by AIK private part is by using quoting?
>
> Thanks
>
> ------------------------------------------------------------------------
> *From:* Ronald Tögl <ron...@ia...>
> *To:* tru...@li...
> *Cc:* FADY FADY <fad...@ya...>
> *Sent:* Wed, October 20, 2010 2:40:46 PM
> *Subject:* Re: [Trustedjava-support] How to Encrypt by the private 
> part of AIK
>
> Hello,
>
> On 10/20/2010 02:24 PM, FADY FADY wrote:
> > Dear Ronald
> > Thank U for your response
> >
> > My Question is
> > If we have two entities 1 and 2 with Keys AIK1 and AIK2 respectively
> > can entity 1 sign by AIK1private then encrypt by AIK2public
> > so entity 2 decrypt by AIK2private then by AIK1public?
> This cannot be done, because AIKs can only sign but not encrypt.
>
> > If this cant not be done, can we make two binding keys where there
> > parents are AIK1 and AIK2 respectively, and do by these binding keys
> > what we try to do by AIKs in the first question?
> Yes. You can implement the scheme presented in
> "Securing the Distribution and Storage of Secrets with Trusted 
> Platform Modules" by Paul E. Sevinç, Mario Strasser and David Basin. 
> http://www.springerlink.com/content/b77jr665x9122q16/
>
> Depending on your use case, you might want to modify it according to
> "Formal Analysis of a TPM-Based Secrets Distribution and Storage Scheme"
> by Toegl, R.;  Hofferek, G.;  Greimel, K.;  Leung, A.;  Phan, 
> R.C.-W.;  Bloem, R.;
> http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4709329&tag=1 
> <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4709329&tag=1>
>
> Have fun,
> Ronald
>
>
> -- Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
> Secure and Correct Systems      fax  +43 316/873-5520
> IAIK ron...@ia... <mailto:ron...@ia...>
> Graz University of Technology http://www.iaik.tugraz.at
>
>
>


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

Re: [Trustedjava-support] How to Encrypt by the private part of AIK

[FADY F. <fad...@ya...>]

Hello,

Really Thank U again for your support

I love the 15 steps of the suggested protocol, specially when you make some 
enhancements in the second paper after removing steps 5, 6, and 7.

But when I try to implement step 9 of the protocol neglecting nonce and 
PCR_INFO, I try the code:-

try {
          
          //connect to 
context**********************************************************************************************

          context = new TcTssContextFactory().newContextObject();
          context.connect();
         
 //********************************************************************************************************************

          
          //use 
srk***********************************************************************************************************

          TcIRsaKey srk = 
context.createRsaKeyObject(TcTssConstants.TSS_KEY_TSP_SRK);//loadKey
          TcBlobData srkSecret = 
TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
          TcIPolicy srkPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
          srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, srkSecret);
          srkPolicy.assignToObject(srk);
         
 //********************************************************************************************************************
          

          //create sign 
key**************************************************************************************************

          TcIRsaKey mySignKey = context.createRsaKeyObject(
                    TcTssConstants.TSS_KEY_SIZE_2048
                  | TcTssConstants.TSS_KEY_TYPE_SIGNING
                  //    | TcTssConstants.TSS_KEY_NON_VOLATILE
                  //    | TcTssConstants.TSS_KEY_MIGRATABLE
                  | TcTssConstants.TSS_KEY_AUTHORIZATION);

          TcBlobData signKeyUsgSecret = TcBlobData.newString("Pass4UseSignKey", 
false);
          TcIPolicy signKeyUsgPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
          signKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
signKeyUsgSecret);
          signKeyUsgPolicy.assignToObject(mySignKey);

          TcBlobData signKeyMigSecret = TcBlobData.newString("Pass4MigSignKey", 
false);
          TcIPolicy signkeyMigPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
          signkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
signKeyMigSecret);
          signkeyMigPolicy.assignToObject(mySignKey);

          mySignKey.createKey(srk, null);
         
 //********************************************************************************************************************


          //create uniqe identifier for later use to sign key and load 
it***************************************************
          TcTssUuid mySignKeyUUID = 
TcUuidFactory.getInstance().generateRandomUuid();
          context.registerKey(mySignKey, TcTssConstants.TSS_PS_TYPE_SYSTEM, 
mySignKeyUUID,
                  TcTssConstants.TSS_PS_TYPE_SYSTEM, 
TcUuidFactory.getInstance().getUuidSRK());//system storage DB storage/system
          Log.info("Sign Key registered in persistance sys storage" + 
mySignKeyUUID.toString());          
          mySignKey.loadKey(srk);
         
 //********************************************************************************************************************


          //create encrypt 
key**********************************************************************************************

          TcIRsaKey myEncKey = context.createRsaKeyObject(
                    TcTssConstants.TSS_KEY_SIZE_2048
                  | TcTssConstants.TSS_KEY_TYPE_BIND
                  //    | TcTssConstants.TSS_KEY_NON_VOLATILE
                  //    | TcTssConstants.TSS_KEY_MIGRATABLE
                  | TcTssConstants.TSS_KEY_AUTHORIZATION);

          TcBlobData encKeyUsgSecret = TcBlobData.newString("Pass4UseEncKey", 
false);
          TcIPolicy encKeyUsgPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
          encKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
encKeyUsgSecret);
          encKeyUsgPolicy.assignToObject(myEncKey);
          
          TcBlobData encKeyMigSecret = TcBlobData.newString("Pass4MigEncKey", 
false);
          TcIPolicy encKeyMigPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
          encKeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
encKeyMigSecret);
          encKeyMigPolicy.assignToObject(myEncKey);

          myEncKey.createKey(srk, null);
         
 //********************************************************************************************************************


//create uniqe identifier for later use to enc key and load 
it********************************************************
          TcTssUuid myEncKeyUUID = 
TcUuidFactory.getInstance().generateRandomUuid();
          context.registerKey(myEncKey, TcTssConstants.TSS_PS_TYPE_SYSTEM, 
myEncKeyUUID,
                  TcTssConstants.TSS_PS_TYPE_SYSTEM, 
TcUuidFactory.getInstance().getUuidSRK());//system storage DB storage/system
          Log.info("Enc Key registered in persistance sys storage" + 
myEncKeyUUID.toString());
          System.out.println(myEncKeyUUID.toString());
          myEncKey.loadKey(srk);
         
 //********************************************************************************************************************


          //using 
AIK*********************************************************************************************************

          TcIRsaKey aikKey = context.loadKeyByBlob(srk, keyblob_);

          TcBlobData aikUsgSecret = TcBlobData.newString(keysecret,false);
          TcIPolicy aikUsgPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
          aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
aikUsgSecret);
          aikUsgPolicy.assignToObject(aikKey);

          TcBlobData aikMigSecret = TcBlobData.newString(keysecret,false);
          TcIPolicy aikMigPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
          aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
aikMigSecret);
          aikMigPolicy.assignToObject(aikKey);
         
 //*********************************************************************************************************************


          //SIGNING myEncKey 
withAIK***********************************************************************************

          TcBlobData encKeysigned = 
TcBlobData.newByteArray(myEncKey.getPubKey().asByteArray());
          TcIHash hashForSign = 
context.createHashObject(TcTssConstants.TSS_HASH_SHA1);
          hashForSign.updateHashValue(encKeysigned);
          System.out.println(encKeysigned);
          System.out.println(hashForSign.toString());
          TcBlobData signature1 = hashForSign.sign(mySignKey);//work fine
          TcBlobData signature2 = hashForSign.sign(aikKey);//make exception
         
 //**********************************************************************************************************************

              
          context.closeContext();
          
      } catch (TcTssException ex) {
          Log.err(ex);
      } 


It works fine for using mySignKey but not for aikKey,
It give me The usage of a key is not allowed Exception.

I see The TPM Specs, Rev. 103, Part 3, Ch. 13, Signing Section, but this does 
not help me. 

So
How can I sign by AIK the Encryption Key?
Or 
Does the only way to sign by AIK private part is by using quoting?

Thanks



________________________________
From: Ronald Tögl <ron...@ia...>
To: tru...@li...
Cc: FADY FADY <fad...@ya...>
Sent: Wed, October 20, 2010 2:40:46 PM
Subject: Re: [Trustedjava-support] How to Encrypt by the private part of AIK

Hello,

On 10/20/2010 02:24 PM, FADY FADY wrote:
> Dear Ronald
> Thank U for your response
> 
> My Question is
> If we have two entities 1 and 2 with Keys AIK1 and AIK2 respectively
> can entity 1 sign by AIK1private then encrypt by AIK2public
> so entity 2 decrypt by AIK2private then by AIK1public?
This cannot be done, because AIKs can only sign but not encrypt.

> If this cant not be done, can we make two binding keys where there
> parents are AIK1 and AIK2 respectively, and do by these binding keys
> what we try to do by AIKs in the first question?
Yes. You can implement the scheme presented in
"Securing the Distribution and Storage of Secrets with Trusted Platform Modules" 
by Paul E. Sevinç, Mario Strasser and David Basin. 
http://www.springerlink.com/content/b77jr665x9122q16/

Depending on your use case, you might want to modify it according to
"Formal Analysis of a TPM-Based Secrets Distribution and Storage Scheme"
by Toegl, R.;   Hofferek, G.;   Greimel, K.;   Leung, A.;   Phan, R.C.-W.;   
Bloem, R.;
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4709329&tag=1

Have fun,
Ronald


-- Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology  http://www.iaik.tugraz.at


      

Re: [Trustedjava-support] How to Encrypt by the private part of AIK

[Ronald T. <ron...@ia...>]

Hello,

On 10/20/2010 02:24 PM, FADY FADY wrote:
> Dear Ronald
> Thank U for your response
>
> My Question is
> If we have two entities 1 and 2 with Keys AIK1 and AIK2 respectively
> can entity 1 sign by AIK1private then encrypt by AIK2public
> so entity 2 decrypt by AIK2private then by AIK1public?
This cannot be done, because AIKs can only sign but not encrypt.

> If this cant not be done, can we make two binding keys where there
> parents are AIK1 and AIK2 respectively, and do by these binding keys
> what we try to do by AIKs in the first question?
Yes. You can implement the scheme presented in
"Securing the Distribution and Storage of Secrets with Trusted Platform 
Modules" by Paul E. Sevinç, Mario Strasser and David Basin. 
http://www.springerlink.com/content/b77jr665x9122q16/

Depending on your use case, you might want to modify it according to
"Formal Analysis of a TPM-Based Secrets Distribution and Storage Scheme"
by Toegl, R.;   Hofferek, G.;   Greimel, K.;   Leung, A.;   Phan, 
R.C.-W.;   Bloem, R.;
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4709329&tag=1

Have fun,
Ronald


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

Re: [Trustedjava-support] How to Encrypt by the private part of AIK

[FADY F. <fad...@ya...>]

Dear Ronald
Thank U for your response

My Question is 
If we have two entities 1 and 2 with Keys AIK1 and AIK2 respectively
can entity 1 sign by AIK1private then encrypt by AIK2public
  so entity 2 decrypt by AIK2private then by AIK1public?

If this cant not be done, can we make two binding keys where there parents are 
AIK1 and AIK2 respectively, and do by these binding keys what we try to do by 
AIKs in the first question?

Thanks 



________________________________
From: Ronald Tögl <ron...@ia...>
To: tru...@li...
Cc: FADY FADY <fad...@ya...>
Sent: Mon, October 18, 2010 10:10:07 AM
Subject: Re: [Trustedjava-support] How to Encrypt by the private part of AIK

Hi,

I'm not quite sure what your question is. In case that you'd like to use the AIK 
private part for decryption, I doubt that this is a legal operation for this 
signing-type key. If you need to encrypt data to an TPM-identified remote host, 
you can use Binding together with certification of the Binding key.

hth,
Ronald

On 10/17/2010 11:24 AM, FADY FADY wrote: 

>I use the public part of AIK Key to encrypt a data and it works, I just ask how 
>can I do it but by the private part of AIK.
>


--  Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502 Secure and Correct 
Systems      fax   +43 316/873-5520 IAIK                            
ron...@ia... Graz University of Technology   
http://www.iaik.tugraz.at   



      

Re: [Trustedjava-support] How to Encrypt by the private part of AIK

[Ronald T. <ron...@ia...>]

Hi,

I'm not quite sure what your question is. In case that you'd like to use 
the AIK private part for decryption, I doubt that this is a legal 
operation for this signing-type key. If you need to encrypt data to an 
TPM-identified remote host, you can use Binding together with 
certification of the Binding key.

hth,
Ronald

On 10/17/2010 11:24 AM, FADY FADY wrote:
>
> I use the public part of AIK Key to encrypt a data and it works, I 
> just ask how can I do it but by the private part of AIK.
>


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] How to Encrypt by the private part of AIK

[FADY F. <fad...@ya...>]

Dear Trusted Java Team

I use the public part of AIK Key to encrypt a data and it works, I just ask how 
can I do it but by the private part of AIK.
This is my code
***************************************************************************

        // Context Object
        context = new TcTssContextFactory().newContextObject();
        context.connect();
       
        // get SRK and Set SRK Secret
        TcIRsaKey srk = 
context.loadKeyByUuidFromSystem(TcUuidFactory.getInstance().getUuidSRK());
        TcIPolicy srkUsgPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        TcBlobData srkSecret = 
TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
        srkUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, srkSecret);
        srkUsgPolicy.assignToObject(srk);
        
        // Load AIK
        TcIRsaKey aikKey = context.loadKeyByBlob(srk, keyblob_);
        
        //Set Usage and Migration Policy
        TcIPolicy aikUsgPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        
aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,TcBlobData.newString(keysecret));

        aikUsgPolicy.assignToObject(aikKey);
        TcIPolicy aikMigPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
        
aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,TcBlobData.newString(keysecret));

        aikMigPolicy.assignToObject(aikKey);

         //Encrypt by the public Part of AIK
        TcTpmPubkey pubKey = new TcTpmPubkey (aikKey.getAttribData (
                                                             
TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,                                

                                                             
TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY));
        String plaintext = "Daten";        
        try {
            TcBlobData data;
            data = TcBlobData.newByteArray(plaintext.getBytes("UTF_16LE"));
            System.out.println(data.toString());
            TcBlobData DataEncrypted = 
TcCrypto.pubEncryptRsaOaepSha1Mgf1(pubKey, data);
            //TcBlobData DataEncrypted= 
TcCrypto.pubEncryptRsaEcbPkcs1Padding(pubKey, Data);
            System.out.println(DataEncrypted.toString());
        } catch (UnsupportedEncodingException ex) {
            Logger.getLogger(APKIC1.class.getName()).log(Level.SEVERE, null, 
ex);
        }

***************************************************************************

Thank You Very Much
I  Really appreciate your help.

Thanks


      

Re: [Trustedjava-support] How to compute Hash over PCRs without TPM

[Martin P. <Mar...@ia...>]

Hi Account Info...

On 10/07/10 15:44, Account Info wrote:
> And a question for my understanding: Conceptually, is it allowed/possible to 
> create context object on a machine which does not have TPM?

Yes. Creating a Context object does not need a TPM,
calling context.connect requires a TPM.

HTH,
Martin

[Trustedjava-support] FYI: acTvSM platform 0.2

[Martin P. <Mar...@ia...>]

Following up, IAIK releases another Trusted Computing package,
the second public release of the acTvSM platform - download at [1].

acTvSM is a proof-of-concept integration of Trusted Computing and
Intel TXT into an off-the-shelf Debian Linux system. TBoot is used to
anchor the chain-of-trust in the DRTM and the initial ramdisk obtains the
key for the encrypted system root partition only if the TPM PCRs are in
the correct state.
Also, acTvSM provides management scripts for the sysadmin to reseal
the system to a new administrator defined state. Using KVM, on top
of the tightly controlled base system custom virtual applications
can be run.

This is an experimental prototype, it still contains sharp edges to hurt
yourself and some debugging code obviously contrary to security.
However, there are no bugs ;-)

Again, we want to thank every helping hand who contributed to this platform.

Have fun,
  Martin & Ronald

[1] http://trustedjava.sourceforge.net/

Re: [Trustedjava-support] How to compute Hash over PCRs without TPM

[Account I. <mud...@ho...>]

Hi Ronald,

Thanks for your reply. I used jTSS 0.6 to get it done quite simply.

TcPcrCompositeInfoLong expectedPcrComposite = new 
TcPcrCompositeInfoLong(24);

expectedPcrComposite.selectPcrIndexEx(16, 
TcTssConstants.TSS_PCRS_DIRECTION_RELEASE);
expectedPcrComposite.setPcrValue(16, expectedPCR);
TcBlobData expectedCompositeDigest = 
expectedPcrComposite.getPcrCompositeHash();

And a question for my understanding: Conceptually, is it allowed/possible to 
create context object on
a machine which does not have TPM?

Regards.
Mudassar.

--------------------------------------------------
From: "Ronald Tögl" <ron...@ia...>
Sent: Wednesday, October 06, 2010 4:20 PM
To: "Account Info" <mud...@ho...>
Subject: Re: [Trustedjava-support] How to compute Hash over PCRs without TPM

> Hello Mudassar,
>
> This is a code fragment on how to do quote validation. I guess it is 
> pretty self-explanatory.
> As of jTSS 0.6 you can also create the PCR CompositeInfo(Long|Short) 
> objects offline from the implementation classes in package
> iaik.tc.tss.impl.java.tsp.
>
> hth, Ronald
>
>
>     try {
>             TcBlobData dataBlob = TcBlobData.newByteArray(dataToValidate
>                     .getData());
>             TcTpmQuoteInfo2 quoteInfo = new TcTpmQuoteInfo2(dataBlob);
>
>             TcTpmPcrInfoShort pcrInfo = quoteInfo.getInfoShort();
>             TcTpmCompositeHash compositeHash = 
> pcrInfo.getDigestAtRelease();
>             TcBlobData digestAtRelease = compositeHash.getDigest();
>
>             TcIPcrComposite expectedComp = ((TPMContextImpl) context_)
>                     .getTcIContext().createPcrCompositeObject(
>                             TcTssConstants.TSS_PCRS_STRUCT_INFO_SHORT);
>
>             int[] expectedIndices = expectedValues.getValueIndices();
>
>             for (int i = 0; i < expectedIndices.length; i++) {
>                 expectedComp.setPcrValue(expectedIndices[i], TcBlobData
>                         .newByteArray(expectedValues.getPCRValue(
>                                 expectedIndices[i]).getBytes()));
>             }
>
>             TcBlobData expectedDigestAtRelease = expectedComp
>                     .getPcrCompositeHash();
>
>             if (!Arrays.equals(digestAtRelease.asByteArray(),
>                     expectedDigestAtRelease.asByteArray())) {
>                 return false;
>             }
>
>             Signature sig = Signature.getInstance("SHA1withRSA");
>             sig.initVerify(identityKey);
>             sig.update(dataToValidate.getData());
>             boolean valid = 
> sig.verify(dataToValidate.getValidationData());
>
>             return valid;
>
>         } catch (TcTssException e) {
>
>
> On 10/06/2010 04:04 PM, Account Info wrote:
>> Hi,
>> I have the same problem as listed in the following attached post by Till
>> Bentz. The answer to this question refers to another post with
>> Subject: "Re: Recompute PRC based on SML and TPM_Quote problem" and
>> Message-ID:<469...@ia...>  posted on Date: Mon, 16 Jul 
>> 2007
>> 09:28:06 +0200. But this message is blank.
>>
>> I could not find any code in tests which could compute the hash over the
>> quoted PCRs WITHOUT USING TPM (i.e. TcIPcrComposite object). I guess that 
>> I
>> should do something as follows:
>>
>> TcTpmPcrInfoShort pcrInfo = new TcTpmPcrInfoShort(); // short because PCR 
>> 16
>> intended
>>
>> TcTpmPcrSelection pcrSelection = new TcTpmPcrSelection();
>> // 1. how to say that PCR 16 should be selected ???????
>>
>> TcTpmPcrValue pcrValue = new TcTpmPcrValue();
>> // 2. how to put some value at PCR 16 ??????
>>
>> pcrInfo.setPcrSelection(pcrSelection); // if done in step 1
>> // 3. How to associate PCR value with pcrinfo ?????
>>
>> pcrInfo.getDigestAtRelease().getDigest();// It will give the required 
>> digest
>> having set the expected value in PCR 16
>>
>> Regards
>>
>> Mudassar.
>>
>>
>> ----------------------------------------------------------------------------------------------
>>
>> Hello,
>>
>> I try to do a tpm_quote. I managed to set the relevant pPCRs, the 
>> validation
>> information and actually execute the
>> quote call.
>>
>> My problem is now that i somehow want to check the quote. How can I do 
>> that
>> on a PC without a TPM. As far as I understood the quote process computes 
>> a
>> hash over the quoted PCRs and stores it in 
>> TcTpmQuoteInfo.getDigestValue()
>>
>> I have the values of each quoted PCR, but how do I manually recompute 
>> that
>> value so I can check the quote?
>>
>> Thanks.
>>
>
> 

Re: [Trustedjava-support] How to compute Hash over PCRs without TPM

[Ronald T. <ron...@ia...>]

Hello Mudassar,

This is a code fragment on how to do quote validation. I guess it is 
pretty self-explanatory.
As of jTSS 0.6 you can also create the PCR CompositeInfo(Long|Short) 
objects offline from the implementation classes in package
iaik.tc.tss.impl.java.tsp.

hth, Ronald


     try {
             TcBlobData dataBlob = TcBlobData.newByteArray(dataToValidate
                     .getData());
             TcTpmQuoteInfo2 quoteInfo = new TcTpmQuoteInfo2(dataBlob);

             TcTpmPcrInfoShort pcrInfo = quoteInfo.getInfoShort();
             TcTpmCompositeHash compositeHash = 
pcrInfo.getDigestAtRelease();
             TcBlobData digestAtRelease = compositeHash.getDigest();

             TcIPcrComposite expectedComp = ((TPMContextImpl) context_)
                     .getTcIContext().createPcrCompositeObject(
                             TcTssConstants.TSS_PCRS_STRUCT_INFO_SHORT);

             int[] expectedIndices = expectedValues.getValueIndices();

             for (int i = 0; i < expectedIndices.length; i++) {
                 expectedComp.setPcrValue(expectedIndices[i], TcBlobData
                         .newByteArray(expectedValues.getPCRValue(
                                 expectedIndices[i]).getBytes()));
             }

             TcBlobData expectedDigestAtRelease = expectedComp
                     .getPcrCompositeHash();

             if (!Arrays.equals(digestAtRelease.asByteArray(),
                     expectedDigestAtRelease.asByteArray())) {
                 return false;
             }

             Signature sig = Signature.getInstance("SHA1withRSA");
             sig.initVerify(identityKey);
             sig.update(dataToValidate.getData());
             boolean valid = 
sig.verify(dataToValidate.getValidationData());

             return valid;

         } catch (TcTssException e) {


On 10/06/2010 04:04 PM, Account Info wrote:
> Hi,
> I have the same problem as listed in the following attached post by Till
> Bentz. The answer to this question refers to another post with
> Subject: "Re: Recompute PRC based on SML and TPM_Quote problem" and
> Message-ID:<469...@ia...>  posted on Date: Mon, 16 
> Jul 2007
> 09:28:06 +0200. But this message is blank.
>
> I could not find any code in tests which could compute the hash over the
> quoted PCRs WITHOUT USING TPM (i.e. TcIPcrComposite object). I guess 
> that I
> should do something as follows:
>
> TcTpmPcrInfoShort pcrInfo = new TcTpmPcrInfoShort(); // short because 
> PCR 16
> intended
>
> TcTpmPcrSelection pcrSelection = new TcTpmPcrSelection();
> // 1. how to say that PCR 16 should be selected ???????
>
> TcTpmPcrValue pcrValue = new TcTpmPcrValue();
> // 2. how to put some value at PCR 16 ??????
>
> pcrInfo.setPcrSelection(pcrSelection); // if done in step 1
> // 3. How to associate PCR value with pcrinfo ?????
>
> pcrInfo.getDigestAtRelease().getDigest();// It will give the required 
> digest
> having set the expected value in PCR 16
>
> Regards
>
> Mudassar.
>
>
> ---------------------------------------------------------------------------------------------- 
>
>
> Hello,
>
> I try to do a tpm_quote. I managed to set the relevant pPCRs, the 
> validation
> information and actually execute the
> quote call.
>
> My problem is now that i somehow want to check the quote. How can I do 
> that
> on a PC without a TPM. As far as I understood the quote process 
> computes a
> hash over the quoted PCRs and stores it in 
> TcTpmQuoteInfo.getDigestValue()
>
> I have the values of each quoted PCR, but how do I manually recompute 
> that
> value so I can check the quote?
>
> Thanks.

[Trustedjava-support] How to compute Hash over PCRs without TPM

[Account I. <mud...@ho...>]

Hi,
I have the same problem as listed in the following attached post by Till 
Bentz. The answer to this question refers to another post with
Subject: "Re: Recompute PRC based on SML and TPM_Quote problem" and 
Message-ID: <469...@ia...> posted on Date: Mon, 16 Jul 2007 
09:28:06 +0200. But this message is blank.

I could not find any code in tests which could compute the hash over the 
quoted PCRs WITHOUT USING TPM (i.e. TcIPcrComposite object). I guess that I 
should do something as follows:

TcTpmPcrInfoShort pcrInfo = new TcTpmPcrInfoShort(); // short because PCR 16 
intended

TcTpmPcrSelection pcrSelection = new TcTpmPcrSelection();
// 1. how to say that PCR 16 should be selected ???????

TcTpmPcrValue pcrValue = new TcTpmPcrValue();
// 2. how to put some value at PCR 16 ??????

pcrInfo.setPcrSelection(pcrSelection); // if done in step 1
// 3. How to associate PCR value with pcrinfo ?????

pcrInfo.getDigestAtRelease().getDigest();// It will give the required digest 
having set the expected value in PCR 16

Regards

Mudassar.


----------------------------------------------------------------------------------------------

Hello,

I try to do a tpm_quote. I managed to set the relevant pPCRs, the validation
information and actually execute the
quote call.

My problem is now that i somehow want to check the quote. How can I do that
on a PC without a TPM. As far as I understood the quote process computes a
hash over the quoted PCRs and stores it in TcTpmQuoteInfo.getDigestValue()

I have the values of each quoted PCR, but how do I manually recompute that
value so I can check the quote?

Thanks.
-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************


 

[Trustedjava-support] How to compute Hash over PCRs without TPM

[Account I. <mud...@ho...>]

Hi,I have the same problem as listed in the following attached post by Till Bentz. The answer to this question refers to another post with Subject: "Re: Recompute PRC based on SML and TPM_Quote problem" and Message-ID: <469...@ia...> posted on Date: Mon, 16 Jul 2007 09:28:06 +0200. But this message is blank.I could not find any code in tests which could compute the hash over the quoted PCRs WITHOUT USING TPM (i.e. TcIPcrComposite object). I guess that I should do something as follows: TcTpmPcrInfoShort pcrInfo = new TcTpmPcrInfoShort(); // short because PCR 16 intendedTcTpmPcrSelection pcrSelection = new TcTpmPcrSelection(); // 1. how to say that PCR 16 should be selected ??????? TcTpmPcrValue pcrValue = new TcTpmPcrValue();// 2. how to put some value at PCR 16 ??????pcrInfo.setPcrSelection(pcrSelection); // if done in step 1// 3. How to associate PCR value with pcrinfo ????? pcrInfo.getDigestAtRelease().getDigest();// It will give the required digest having set the expected value in PCR 16RegardsMudassar. ---------------------------------------------------------------------------------------------------------------------------------Hello,

I try to do a tpm_quote. I managed to set the relevant pPCRs, the validation
information and actually execute the
quote call.

My problem is now that i somehow want to check the quote. How can I do that
on a PC without a TPM. As far as I understood the quote process computes a
hash over the quoted PCRs and stores it in TcTpmQuoteInfo.getDigestValue()

I have the values of each quoted PCR, but how do I manually recompute that
value so I can check the quote?

Thanks.
-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

 

[Trustedjava-support] New releases of jTSS, jTpmTools, TCcert

[Martin P. <Mar...@ia...>]

Today, the Trusted Computing for the Java Platform project[1]
released an update of jTSS, a Trusted Software Stack (TSS)
implemented in 100% Java, and jTpmTools, a command-line tool to
exercise various TPM features.

Also, TCcert now comes with full sources. The idea of withholding
the sources in order to stimulate other parties to independently
interpret and implement the specs failed. Thus, unfortunately, no
robustness testing of the TCG certificate specifications happened.

We want to thank everyone who contributed to this release,
especially Michael, Josef, Brian and Jonathan.

Have fun,
  Martin & Ronald


[1] http://trustedjava.sourceforge.net/

Re: [Trustedjava-support] Problem with registerkey

[Ronald P. <ron...@un...>]

Hi Ronald,

thanks for your quick response. The configuration files are attached- I
configured them myself. 

I tried to somehow circumvent the problem by not registering the key but
rather save it on disk and use the function "loadKeyByUuidFromSystem" later
on but then I get a "not implemented" error. Thus, it would be great if
registerkey would work again as it did before... 

Best regards,
Ronald

> -----Ursprüngliche Nachricht-----
> Von: Ronald Tögl [mailto:ron...@ia...]
> Gesendet: Mittwoch, 8. September 2010 10:28
> An: tru...@li...
> Cc: Ronald Petrlic
> Betreff: Re: [Trustedjava-support] Problem with registerkey
> 
> Hi,
> 
> My guess would still be a minor issue with the configurations. Please post
the
> details. Do you use our .deb package or did you configure the ini's
manually?
> 
> Ronald
> 
> Am 07.09.2010 18:34, schrieb Ronald Petrlic:
> > Hi,
> >
> > when I try to register a new key I get the following error message:
> >
> > Exception in thread "main"
iaik.tc.tss.api.exceptions.tcs.TcTcsException:
> > TSS Error:
> > error layer:                0x3000 (TSP)
> > error code (without layer): 0x02
> > error code (full):          0x3002
> > error message: An internal error has been detected, but the source is
> > unknown. (TCS_E_FAIL) additional info: System persistent storage not
> properly initialized.
> >
> > 	at
iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsiRegisterKey(TcTcsi.java:416)
> > 	at
>
iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiRegisterKey
(TcT
> csBindingLocal.java:57)
> > 	at
> > iaik.tc.tss.impl.java.tsp.TcContext.registerKey(TcContext.java:953)
> >
> > I used the proper settings for the ini-files but now there seems to be
some
> problem with the system persistent storage. The code worked before I had
> to re-install my operating system (Debian), though... All the other TPM
> functionality works properly.
> >
> > Does anyone have an idea about this? Thanks a lot in advance and best
> > regards, Ronald
> >
> >
> > ----------------------------------------------------------------------
> > -------- This SF.net Dev2Dev email is sponsored by:
> >
> > Show off your parallel programming skills.
> > Enter the Intel(R) Threading Challenge 2010.
> > http://p.sf.net/sfu/intel-thread-sfd
> > _______________________________________________
> > Trustedjava-support mailing list
> > Tru...@li...
> > https://lists.sourceforge.net/lists/listinfo/trustedjava-support
> >

Re: [Trustedjava-support] Problem with registerkey

[Ronald T. <ron...@ia...>]

Hi,

My guess would still be a minor issue with the configurations. Please 
post the details. Do you use our .deb package or did you configure the 
ini's manually?

Ronald

Am 07.09.2010 18:34, schrieb Ronald Petrlic:
> Hi,
>
> when I try to register a new key I get the following error message:
>
> Exception in thread "main" iaik.tc.tss.api.exceptions.tcs.TcTcsException:
> TSS Error:
> error layer:                0x3000 (TSP)
> error code (without layer): 0x02
> error code (full):          0x3002
> error message: An internal error has been detected, but the source is unknown. (TCS_E_FAIL)
> additional info: System persistent storage not properly initialized.
>
> 	at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsiRegisterKey(TcTcsi.java:416)
> 	at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiRegisterKey(TcTcsBindingLocal.java:57)
> 	at iaik.tc.tss.impl.java.tsp.TcContext.registerKey(TcContext.java:953)
>
> I used the proper settings for the ini-files but now there seems to be some problem with the system persistent storage. The code worked before I had to re-install my operating system (Debian), though... All the other TPM functionality works properly.
>
> Does anyone have an idea about this? Thanks a lot in advance and best regards,
> Ronald
>
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
>