From: Simon M. <sim...@in...> - 2009-08-06 10:21:48

Hello,

we built some sort of certificate authority with a TPM inside. We are currently searching for a sort of backup mechanism. The problem is that at the point when the backup blob should be created we don't have another TPM, so the REWRAP function isn't practicable. To develop a migration authority to handle this seems to be too much effort, as it is only a proof of concept project.

My question now is: is there a third option to make a backup of migratable keys? We are searching for something which covers the function described in 1.4.2 of the following paper:
http://www.ei.rub.de/media/ei/lehrmaterialien/trusted-computing/KeyReplication_.pdf

I grabbed the TPM specification already and didn't find something like that.

Thanks in advance, best regards
Simon Mittelberger
From: Ronald T. <ron...@ia...> - 2009-08-07 09:55:51

Hello,

You could consider to first generate your key in software, create a backup by any mechanism you prefer and then import it into the TPM and finally remove it from the host system. Not highly elegant, but it should work just fine..

Ronald

Simon Mittelberger wrote:
> We are currently searching for a sort of backup mechanism.
> The Problem is that at the point when the backup blob should be
> created we don't have another TPM,
> To develop a migration authority to handle this, seems to be too much
> effort, as it is only a proof of concept project.

--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Trusted Computing Labs          fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at
From: Simon M. <sim...@in...> - 2009-08-17 14:07:24

Hello,

sorry for getting back to you with such delay. I am having problems loading the private part of an externally generated key into the TPM. I tried to extend the code in the function pubJavaToTpm in TcCrypto to load also the private part, but it fails with an exception.

So I generate two objects:

    TcTpmStorePrivkey storePrivKey = new TcTpmStorePrivkey();
    TcTpmStorePubkey storePubKey = new TcTpmStorePubkey();
    storePrivKey.setKey(TcBlobData.newByteArray(modulusPriv));
    storePubKey.setKey(TcBlobData.newByteArray(modulusPub));

The modulus is transformed in the same way as in TcCrypto. The public part is loaded in this way:

    TcTpmPubkey pubKeyStruct = TcCrypto.pubJavaToTpmKey((RSAPublicKey)keyPair.getPublic());
    key.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
        pubKeyStruct.getEncoded());

Now I am trying to load the private key blob into the TPM:

    key.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY,
        "here is my problem");

Something like storePrivKey.getKey() doesn't work. I get the TSS error:

    0x28: The key properties in TPM_KEY_PARMs are not supported by this TPM.

This exception is thrown at the point:

    key.createKey(srk_, null);

I also tried to set all the flags in a correct manner (at least it seemed correct to me). Does this mean my TPM doesn't support the whole function of loading an external key into it?

TPM 1.2 Version Info:
    Chip Version: 1.2.13.9
    Spec Level: 2
    Errata Revision: 1
    TPM Vendor ID: ATML
    TPM Version: 01010000
    Manufacturer Info: 41544d4c

I did not find the right class or piece of code which has an example of that in it. I am really exhausted from trying. If someone could give me an example of how to load a normally created RSA key into a TPM I would really appreciate that.

Regards,
Simon

Ronald Tögl wrote:
> Hi Simon,
>
> You can also set the private part using the
> TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY attribute.
>
> Of course, any such created TPM key MUST be initialized as "migratable".
>
>> But the private part has a few more troubles.
> Please try to be a bit more specific next time.. ;-)
>
> Ronald
>
> Simon Mittelberger wrote:
>> Hello,
>>
>> i didn't find a way to import an externally created RSA key into the
>> TPM. Could you please describe a way how to do so?
>>
>> How to load the public part is quite clear:
>>
>> KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
>> generator.initialize((int)DeviceDefines.DEVICE_KEY_LENGTH);
>> KeyPair keyPair = generator.generateKeyPair();
>>
>> TcTpmPubkey pubKeyStruct =
>> TcCrypto.pubJavaToTpmKey((RSAPublicKey)keyPair.getPublic());
>> TcIRsaKey tpmmKey =
>> context_.createRsaKeyObject(TcTssConstants.TSS_KEY_EMPTY_KEY);
>>
>> pubKey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>> TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
>> pubKeyStruct.getEncoded());
>>
>> But the private part has a few more troubles.
>>
>> all the best
>> Simon
From: Martin P. <Mar...@ia...> - 2009-08-18 09:47:47

Simon Mittelberger wrote:
> Does this mean my TPM doesn't support the whole function of loading an
> extern key to it?
> I did not find the right class or piece of code which has an example of
> that in it.

There is one in jTssWrapper where public and private part are imported, see directory src_tsp_tests, TestKeys.java, method testWrapKeys().

jTSS and jTSSwrapper use the same top-level API, so this should be portable - however I do not remember why this hasn't been ported to the jTSS testsuite (yet?).

HTH,
Martin
From: Simon M. <sim...@in...> - 2009-08-18 10:50:38

On 18 Aug 2009, at 11:46, Martin Pirker wrote:
> Simon Mittelberger wrote:
>> Does this mean my TPM doesn't support the whole function of loading an
>> extern key to it?
>> I did not find the right class or piece of code which has an
>> example of
>> that in it.
>
> There is one in jTssWrapper where public and private part is imported,
> see directory src_tsp_tests, TestKeys.java, method testWrapKeys()
>
> jTSS and jTSSwrapper use the same top-level API, so this should
> be portable - however I do not remember why this hasn't been ported
> to the jTSS testsuite (yet?).

On the key.wrapKey(parentKey, null); I get a TSS error:

    TSS Error:
    error layer: 0x3000 (TSP)
    error code (without layer): 0x06
    error code (full): 0x3006
    error message: Not implemented.

I also tried to load the key by context_.loadKeyByBlob(unwrappingKey, blob). But this needs a wrapping key. Is there another possibility to load an unwrapped key into the TPM?

Regards,
Simon
From: Simon M. <sim...@in...> - 2009-08-10 15:06:58

Hello,

i didn't find a way to import an externally created RSA key into the TPM. Could you please describe a way how to do so?

How to load the public part is quite clear:

    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize((int)DeviceDefines.DEVICE_KEY_LENGTH);
    KeyPair keyPair = generator.generateKeyPair();

    TcTpmPubkey pubKeyStruct =
        TcCrypto.pubJavaToTpmKey((RSAPublicKey)keyPair.getPublic());
    TcIRsaKey tpmmKey =
        context_.createRsaKeyObject(TcTssConstants.TSS_KEY_EMPTY_KEY);

    // set the public part on the key object created above
    tpmmKey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
        pubKeyStruct.getEncoded());

But the private part has a few more troubles.

all the best
Simon

Ronald Tögl wrote:
> Hello,
>
> You could consider to first generate your key in software, create a
> backup by any mechanism you prefer and then import it it the TPM and
> Finally remove it from the host system.
>
> Not highly elegant, but it should work just fine..
>
> Ronald
>
> Simon Mittelberger wrote:
>
>> We are currently searching for a sort of backup mechanism.
>> The Problem is that at the point when the backup blob should be
>> created we don't have another TPM,
>
>> To develop a migration authority to handle this, seems to be too
>> much effort, as it is only a proof of concept project.
From: Ronald T. <ron...@ia...> - 2009-08-11 12:09:47

Hi Simon,

You can also set the private part using the TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY attribute.

Of course, any such created TPM key MUST be initialized as "migratable".

> But the private part has a few more troubles.

Please try to be a bit more specific next time.. ;-)

Ronald

Simon Mittelberger wrote:
> Hello,
>
> i didn't find a way to import an externally created RSA key into the
> TPM. Could you please describe a way how to do so?
>
> How to load the public part is quite clear:
>
> KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
> generator.initialize((int)DeviceDefines.DEVICE_KEY_LENGTH);
> KeyPair keyPair = generator.generateKeyPair();
>
> TcTpmPubkey pubKeyStruct =
> TcCrypto.pubJavaToTpmKey((RSAPublicKey)keyPair.getPublic());
> TcIRsaKey tpmmKey =
> context_.createRsaKeyObject(TcTssConstants.TSS_KEY_EMPTY_KEY);
>
> pubKey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
> TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
> pubKeyStruct.getEncoded());
>
> But the private part has a few more troubles.
>
> all the best
> Simon

--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Trusted Computing Labs          fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at
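An added illustration, not code from this thread or from jTSS, of what the 0x28 "key properties in TPM_KEY_PARMs" error reported earlier and the "MUST be initialized as migratable" rule above mean at the byte level: a small Python encoder and checker for the TPM 1.2 TPM_KEY12 / TPM_KEY_PARMS structures that a wrapped key blob carries. The constants and the usage/scheme rules are taken from the TPM 1.2 specification (CreateWrapKey/LoadKey2 checks); the modulus is a constructed stand-in, and the migratable check encodes the TSS-side rule stated in this thread rather than a TPM check.

```python
import struct

# TPM 1.2 constants from the TPM Main Specification Part 2 (Structures)
TPM_TAG_KEY12, TPM_ALG_RSA = 0x0028, 0x00000001
TPM_ES_NONE, TPM_ES_RSAESPKCSv15, TPM_ES_RSAESOAEP_SHA1_MGF1 = 0x0001, 0x0002, 0x0003
TPM_SS_NONE, TPM_SS_RSASSAPKCS1v15_SHA1, TPM_SS_RSASSAPKCS1v15_DER = 0x0001, 0x0002, 0x0003
TPM_KEY_SIGNING, TPM_KEY_STORAGE, TPM_KEY_BIND = 0x0010, 0x0011, 0x0014
TPM_KEY_MIGRATABLE = 0x00000002  # "migratable" bit of TPM_KEY_FLAGS

def rsa_key_parms(bits, enc_scheme, sig_scheme):
    """TPM_KEY_PARMS carrying TPM_RSA_KEY_PARMS: numPrimes=2, exponentSize=0 (default e=2^16+1)."""
    rsa = struct.pack(">III", bits, 2, 0)
    return struct.pack(">IHHI", TPM_ALG_RSA, enc_scheme, sig_scheme, len(rsa)) + rsa

def tpm_key12(usage, flags, enc_scheme, sig_scheme, modulus, enc_data=b""):
    """Serialise a TPM_KEY12: header, TPM_KEY_PARMS, empty PCRInfo, TPM_STORE_PUBKEY, encData.
    enc_data is the parent-encrypted private part the TSS builds on wrapKey; empty = public half."""
    return (struct.pack(">HHHIB", TPM_TAG_KEY12, 0, usage, flags, 0)  # authDataUsage=0
            + rsa_key_parms(len(modulus) * 8, enc_scheme, sig_scheme)
            + struct.pack(">I", 0)                          # PCRInfoSize: not PCR-bound
            + struct.pack(">I", len(modulus)) + modulus     # TPM_STORE_PUBKEY
            + struct.pack(">I", len(enc_data)) + enc_data)  # encDataSize + encData

def key_property_problems(blob):
    """List why a 1.2 TPM would answer TPM_BAD_KEY_PROPERTY (0x28) for this TPM_KEY12, plus the
    TSS-side rule from the thread that an externally generated key must be wrapped as migratable."""
    tag, _fill, usage, flags, _adu = struct.unpack_from(">HHHIB", blob, 0)
    alg, es, ss, _parm_size = struct.unpack_from(">IHHI", blob, 11)
    bits, primes, exp_size = struct.unpack_from(">III", blob, 23)
    problems = []
    if tag != TPM_TAG_KEY12 or alg != TPM_ALG_RSA:
        problems.append("not a TPM_KEY12 with TPM_ALG_RSA parameters")
    if primes != 2 or exp_size != 0:
        problems.append("only numPrimes=2 with the default exponent is guaranteed to be accepted")
    if usage == TPM_KEY_SIGNING and (es != TPM_ES_NONE or ss not in
                                     (TPM_SS_RSASSAPKCS1v15_SHA1, TPM_SS_RSASSAPKCS1v15_DER)):
        problems.append("signing key needs encScheme TPM_ES_NONE and an RSASSA-PKCS1 sigScheme")
    if usage == TPM_KEY_STORAGE and (es != TPM_ES_RSAESOAEP_SHA1_MGF1 or ss != TPM_SS_NONE
                                     or bits != 2048):
        problems.append("storage key needs OAEP encScheme, TPM_SS_NONE and a 2048-bit modulus")
    if usage == TPM_KEY_BIND and (es not in (TPM_ES_RSAESPKCSv15, TPM_ES_RSAESOAEP_SHA1_MGF1)
                                  or ss != TPM_SS_NONE):
        problems.append("bind key needs a PKCS#1 v1.5 or OAEP encScheme and TPM_SS_NONE")
    if not flags & TPM_KEY_MIGRATABLE:
        problems.append("migratable flag clear: a software-generated key can only be imported as migratable")
    return problems

# Constructed sample (not a real key): 2048-bit modulus stand-in as a migratable signing key
SAMPLE_MODULUS = bytes([0xC0]) + bytes(range(255))
GOOD_BLOB = tpm_key12(TPM_KEY_SIGNING, TPM_KEY_MIGRATABLE, TPM_ES_NONE,
                      TPM_SS_RSASSAPKCS1v15_SHA1, SAMPLE_MODULUS)
```

Running key_property_problems on a blob that is non-migratable or whose encScheme/sigScheme does not match its keyUsage lists each mismatch, which is the set of properties worth checking before calling wrapKey or createKey.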