Hi Joseph,
I think it may be an optional standard but my TPM has some certs
permanently stored in nv-indices in the 0x1c0000x range that can be checked
against the manufacturer cert. I haven't learned how to leverage those
into trusted parameter encryption keys yet but they should be able to
verify there's a real TPM at the other end at the very least (and more if
you learn to use them correctly).
On Sun, Aug 1, 2021 at 8:33 PM Joseph Lee (ZeronsoftN) <
joseph(a)zeronsoftn.com> wrote:
Hi Dimi,
Sorry to bother you. By installing the latest version of tpm2-tools,
encrypted communication is possible.
Seal/unseal was possible as shown below.
But I have one question. How can I detect if a MITM attack occurs during
the seal/unseal process? After establishing a session, is there any way to
get the EK certificate of that session?
It seems that the tpm2_getekcertificate command can only get certificates
created via the createek command. I'd like to know if the TPM I've made a
session with is genuine.
Seal:
> tpm2_createprimary -c prim.ctx
> tpm2_startauthsession --hmac-session -c prim.ctx -S sess.ctx
> tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i temp.key -C
prim.ctx -S sess.ctx
> tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c
sealctx
> tpm2_evictcontrol -C o -c seal.ctx 0x81010001
> tpm2_flushcontext sess.ctx
Unseal:
> tpm2_startauthsession --hmac-session -c prim.ctx -S sess.ctx
> tpm2_unseal -c seal.ctx -S sess.ctx -o out.key
> tpm2_flushcontext sess.ctx
Thanks & Regards,
Joseph
------ Original Message ------
보낸 사람: "Joseph Lee (ZeronsoftN)" <joseph(a)zeronsoftn.com>
받는 사람: "Dimitar Tomov" <dimi(a)designfirst.ee>;
"tpm2(a)lists.01.org" <
tpm2(a)lists.01.org>
보낸 날짜: 2021-08-02 오전 6:27:36
제목: [tpm2] Re: Is the tpm2_create command safe against sniffing attacks?
Hi Dimi,
Thank you for your kind answer. Looking at the link you gave, I think I
can get more ideas.
I've been trying session encryption via tpm2-tools all weekend.
But I haven't found a way to create an encrypted session in tpm2-tools
yet. Maybe tpm2-tools doesn't support encrypted sessions?
If this is clear, I will implement parameter encryption through tpm2-tools
with referring to wolfTPM
Thanks & Regards,
Joseph
------ Original Message ------
보낸 사람: "Dimitar Tomov" <dimi(a)designfirst.ee>
받는 사람: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>; "Joseph Lee
(ZeronsoftN)"
<joseph(a)zeronsoftn.com>
보낸 날짜: 2021-08-02 오전 4:33:02
제목: [tpm2] Re: Is the tpm2_create command safe against sniffing attacks?
Hi Joseph,
TPM 2.0 offers Parameter Encryption capability and HMAC sessions as
measures against Man-in-the-middle attacks
Examples in wolfTPM demonstrate how to enable Parameter Encryption
https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf083...
There is also Keygen , Key import and Key loading examples with Parameter
Encryption
https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf083...
Last week we discussed the Dolos Group story about a stolen laptop with
TPM
https://developers.tpm.dev/posts/15883726
If Parameter Encryption and HMAC session have been used, this story would
have developed differently.
Hope this helps.
Dimi
--
Founder of TPM.dev
------------------------------
*From:* Joseph Lee (ZeronsoftN) <joseph@zeronsoftncom
<joseph(a)zeronsoftn.com>>
*Sent:* Saturday, July 31, 2021 2:09 AM
*To:* tpm2(a)lists.01.org <tpm2(a)lists.01.org>
*Subject:* [tpm2] Is the tpm2_create command safe against sniffing
attacks?
Hello,
https://pulsesecurity.co.nz/articles/TPM-sniffing
In this article, can see that communication with the TPM is vulnerable to
sniffing if not careful.
https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
Is the disk encryption described in tpm2-software's blog safe against
these attacks?
1. tpm2_createprimary -Q -C o -c prim.ctx
2. dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create -Q -g
sha256 -u seal.pub -r seal.priv -i- -C prim.ctx
3. tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c
seal.ctx
4. tpm2_evictcontrol -C o -c seal.ctx 0x81010001
My question is:
1. Is there a tool in linux that can sniff communication with the
current system's TPM?
2. How to encrypt communications if the methods described above are
not secure?
It seems that encryption is possible through tpm2_startauthsession
, but I do not know how to apply it to tpm2_create . (The -S option simply
did not work.)
Thank you.
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s