Dear List;
Although TPMs have been shipping in large quantities in laptop computers,
actual adoption has been moderate to say the least.
In the mean-time things like the iPhone have quickly become our closest link to
the Internet making the need for credible authentication solutions imminent.
However, there is no PKI provisioning protocol out there (=adopted) that can
use a TPM in any verifiable secure way.
Due to that I have begun to develop an authentication-oriented TPM which
departs from the 1.2 specification in several aspects:
- Independent of PCR measurements, runs on any platform "as is"
- Attests all components of user-credentials, including PIN policies
- Conventional approach to security and privacy, no DAAs or Privacy CAs.
Unlike previous efforts in this space, this "TPM" project is addressing the
entire chain ranging from key-store to required browser enhancements.
Since a standardization effort would (easily) take another five years to
accomplish the concept will be introduced in an iterative way as an Open Software
and Open Hardware project. The "alternative" is probably things like:
http://www.trustdigital.com/downloads/TD_EMM_CAC_Pack_101008.pdf
Who wants that???
"Air-tight" provisioning, the basics:
http://webpki.org/papers/keygen2/secure-key-store.pdf
"Air-tight" provisioning", core facility:
http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf
Protocol emulator (not yet fully compliant) but (at least) shows the user experience:
http://keycenter.webpki.org
Initial Open Hardware TPM target:
http://www.atmel.com/dyn/products/tools_card.asp?tool_id=3879
which I hope will become the first true multi-issuer token based on open technology.
[Planned] feature-set at a glance:
- Double-use as a regular USB 2.0 mass memory stick
- 4 MB of key-space
- PKI, OTP, and InfoCards
- Issuer-specific PINs, PUKs, and policies
- Universal credential provisioning and management protocol
- Issuer-separated credential-management through proof-of-issuance signatures
- "Air-tight provisioning" through device attestations
Anders Rundgren
WebPKI.org
|
