Hi Dimi,
Thank you for your kind answer. Looking at the link you gave, I think I
can get more ideas.
I've been trying session encryption via tpm2-tools all weekend.
But I haven't found a way to create an encrypted session in tpm2-tools
yet. Maybe tpm2-tools doesn't support encrypted sessions?
If this is clear, I will implement parameter encryption through
tpm2-tools by referring to wolfTPM.
Thanks & Regards,
Joseph
------ Original Message ------
From: "Dimitar Tomov" <dimi(a)designfirst.ee>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>; "Joseph Lee (ZeronsoftN)" <joseph(a)zeronsoftn.com>
Sent: 2021-08-02 4:33:02 AM
Subject: [tpm2] Re: Is the tpm2_create command safe against sniffing attacks?
Hi Joseph,
TPM 2.0 offers Parameter Encryption capability and HMAC sessions as
measures against Man-in-the-middle attacks.
Examples in wolfTPM demonstrate how to enable Parameter Encryption
https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf083...
There are also keygen, key import and key loading examples with
Parameter Encryption
https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf083...
Last week we discussed the Dolos Group story about a stolen laptop with
TPM
https://developers.tpm.dev/posts/15883726
If Parameter Encryption and an HMAC session had been used, this story
would have developed differently.
Hope this helps.
Dimi
--
Founder of TPM.dev
--------------------------------------------------------------------------------
From: Joseph Lee (ZeronsoftN) <joseph(a)zeronsoftn.com>
Sent: Saturday, July 31, 2021 2:09 AM
To: tpm2@lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Is the tpm2_create command safe against sniffing attacks?
Hello,
https://pulsesecurity.co.nz/articles/TPM-sniffing
In this article, one can see that communication with the TPM is vulnerable
to sniffing if one is not careful.
https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
Is the disk encryption described in tpm2-software's blog safe against
these attacks?
tpm2_createprimary -Q -C o -c prim.ctx
dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i- -C prim.ctx
tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx
tpm2_evictcontrol -C o -c seal.ctx 0x81010001
My question is:
1. Is there a tool in linux that can sniff communication with the
current system's TPM?
2. How to encrypt communications if the methods described above are
not secure?
It seems that encryption is possible through tpm2_startauthsession,
but I do not know how to apply it to tpm2_create. (The -S option
simply did not work.)
Thank you.
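Since the thread ends without a worked demonstration of what is actually at stake, the following Python script is an added example (editor's code, not code from the list, from tpm2-tools or from wolfTPM). It marshals a TPM2_Create command the way it crosses the LPC/SPI bus, once under the plain password session that the tpm2_create snippet above implicitly uses and once under an HMAC session with the decrypt attribute set, and then parses both as a passive sniffer would. The session handle, session key, nonces, the inPublic bytes and the zeroed HMAC field are constructed placeholders; a real session derives the key from the salt or bind value and fills in the HMAC over cpHash. KDFa and the XOR parameter obfuscation follow TPM 2.0 Library Part 1 (sections 11.4.10 and 21.2).

```python
"""Constructed demo: what a bus sniffer sees in TPM2_Create with and without
parameter encryption. Added example for this thread; not code from tpm2-tools,
wolfTPM or the posters. Session state and inPublic bytes are placeholders."""
import hashlib
import hmac
import struct

TPM_ST_SESSIONS = 0x8002
TPM_CC_CREATE = 0x00000153
TPM_RS_PW = 0x40000009          # password session handle
TPMA_SESSION_CONTINUE = 0x01
TPMA_SESSION_DECRYPT = 0x20     # first command parameter is encrypted caller -> TPM

# Constructed stand-ins: an opaque TPM2B_PUBLIC body and an HMAC-session state.
# A real session derives `key` from the salt/bind value and fresh nonces.
IN_PUBLIC = b"\x00\x08\x00\x0b" + b"\x00" * 20
SESSION = {
    "handle": 0x02000000,                       # TPM_HT_HMAC_SESSION range
    "key": hashlib.sha256(b"constructed session key").digest(),
    "nonce_caller": bytes.fromhex("a1" * 16),
    "nonce_tpm": bytes.fromhex("b2" * 16),
}

def tpm2b(b):
    return struct.pack(">H", len(b)) + b

def read_2b(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def kdfa(key, label, context_u, context_v, bits):
    """KDFa: HMAC-SHA256 in counter mode, label terminated by a zero byte."""
    out, i = b"", 1
    while len(out) * 8 < bits:
        msg = (struct.pack(">I", i) + label + b"\x00" + context_u + context_v
               + struct.pack(">I", bits))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:(bits + 7) // 8]

def xor_mask(session_key, nonce_newer, nonce_older, data):
    """XOR parameter obfuscation; symmetric, so the TPM unmasks with the same call."""
    mask = kdfa(session_key, b"XOR", nonce_newer, nonce_older, len(data) * 8)
    return bytes(a ^ b for a, b in zip(data, mask))

def auth_area(handle, nonce, attrs, hmac_value):
    """TPMS_AUTH_COMMAND prefixed by the UINT32 authorizationSize."""
    body = struct.pack(">I", handle) + tpm2b(nonce) + bytes([attrs]) + tpm2b(hmac_value)
    return struct.pack(">I", len(body)) + body

def build_create(parent_handle, user_auth, secret, session=None):
    """Marshal TPM2_Create(parent, inSensitive, inPublic, outsideInfo, creationPCR)."""
    sensitive = tpm2b(user_auth) + tpm2b(secret)       # TPMS_SENSITIVE_CREATE
    if session is None:                                 # password session, empty auth
        auth = auth_area(TPM_RS_PW, b"", TPMA_SESSION_CONTINUE, b"")
    else:                                               # HMAC session, decrypt set
        sensitive = xor_mask(session["key"], session["nonce_caller"],
                             session["nonce_tpm"], sensitive)
        auth = auth_area(session["handle"], session["nonce_caller"],
                         TPMA_SESSION_CONTINUE | TPMA_SESSION_DECRYPT,
                         b"\x00" * 32)                  # real HMAC omitted (placeholder)
    body = (struct.pack(">I", parent_handle) + auth + tpm2b(sensitive) + tpm2b(IN_PUBLIC)
            + tpm2b(b"") + struct.pack(">I", 0))        # outsideInfo empty, creationPCR 0
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), TPM_CC_CREATE) + body

def sniff_create(wire):
    """What a passive LPC/SPI sniffer recovers from the command bytes alone."""
    tag, size, cc = struct.unpack_from(">HII", wire, 0)
    if tag != TPM_ST_SESSIONS or cc != TPM_CC_CREATE or size != len(wire):
        raise ValueError("not a well-formed TPM2_Create")
    parent, auth_size = struct.unpack_from(">II", wire, 10)
    off = 18
    (sess,) = struct.unpack_from(">I", wire, off); off += 4
    _nonce, off = read_2b(wire, off)
    attrs = wire[off]; off += 1
    _hmac, off = read_2b(wire, off)
    if off != 18 + auth_size:
        raise ValueError("authorization area size mismatch")
    in_sensitive, _ = read_2b(wire, off)
    view = {"parent": parent, "session": sess, "encrypted": bool(attrs & TPMA_SESSION_DECRYPT),
            "wire_sensitive": in_sensitive, "user_auth": None, "data": None}
    if not view["encrypted"]:                           # plaintext: the seal payload is right there
        view["user_auth"], p = read_2b(in_sensitive, 0)
        view["data"], _ = read_2b(in_sensitive, p)
    return view

def demo(secret=bytes(range(32))):
    """Return (leaked_in_plain, leaked_when_encrypted, tpm_side_recovers)."""
    plain = sniff_create(build_create(0x80000000, b"", secret))
    enc = sniff_create(build_create(0x80000000, b"", secret, SESSION))
    tpm_side = xor_mask(SESSION["key"], SESSION["nonce_caller"], SESSION["nonce_tpm"],
                        enc["wire_sensitive"])
    _, p = read_2b(tpm_side, 0)
    recovered, _ = read_2b(tpm_side, p)
    return plain["data"] == secret, secret in enc["wire_sensitive"], recovered == secret

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True)`: the 32-byte seal payload is readable byte-for-byte in the plain command, is absent from the encrypted one, and only the holder of the session key recovers it. The XOR mode shown here is what a session started with TPM_ALG_XOR uses; a session started with an AES symmetric algorithm encrypts the same bytes with CFB instead. In tpm2-tools the corresponding sequence, with flags as I recall them from the 5.x man pages (verify against your installed version), is to start a salted HMAC session with `tpm2_startauthsession --hmac-session -c prim.ctx -S session.ctx`, set the attributes with `tpm2_sessionconfig session.ctx --enable-decrypt --enable-encrypt`, and then hand the session to `tpm2_create` as the parent authorization with `-P session:session.ctx` rather than via `-S`, flushing it afterwards with `tpm2_flushcontext session.ctx`. The session must be salted (or bound) against a key the TPM already holds, otherwise the session key is derived from values the sniffer also sees.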