ok, sorry I misread your original email...
Regarding key usage: if you use a session for authorization, then the password is never
sent in the clear. Instead it is used to calculate an HMAC that is used for
authentication. This also applies to parent keys during Esys_/TPM2_Create().
Regarding key creation: if you use a session with the attribute TPMA_SESSION_DECRYPT set
(as I showed before), then the first parameter of the command (this is the parameter that
contains the password for the newly created key) is encrypted.
Thus, all passwords will be encrypted.
Furthermore, if you use a session with TPMA_SESSION_DECRYPT set for the TPM2_Sign() command,
the digest that you sign is also encrypted.
Hope this is clearer now...
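The HMAC-session mechanics described above (the parent's authValue feeding a KDFa-derived session key and a per-command authorization HMAC instead of crossing the bus), as an added Python model that is not part of this thread or of tpm2-tss; the salt, nonces, parent Name and session handle are constructed values.

```python
import hashlib
import hmac
import struct
HASH = hashlib.sha256            # session hash algorithm: TPM2_ALG_SHA256
TPM2_CC_CREATE = 0x00000153      # command code of TPM2_Create
TPMA_SESSION_CONTINUESESSION = 0x01
TPMA_SESSION_DECRYPT = 0x20      # first command parameter travels encrypted


def kdfa(key, label, context_u, context_v, bits):
    """TPM 2.0 KDFa (SP800-108 counter mode): block i is
    HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32)."""
    out, i = b"", 0
    while len(out) * 8 < bits:
        i += 1
        msg = struct.pack(">I", i) + label + b"\x00" + context_u + context_v + struct.pack(">I", bits)
        out += hmac.new(key, msg, HASH).digest()
    return out[:(bits + 7) // 8]


def session_key(salt, nonce_tpm, nonce_caller, bind_auth=b""):
    """sessionKey computed by both sides at StartAuthSession:
    KDFa(authValue_bind || salt, "ATH", nonceTPM, nonceCaller, hashBits)."""
    return kdfa(bind_auth + salt, b"ATH", nonce_tpm, nonce_caller, HASH().digest_size * 8)


def cp_hash(command_code, handle_names, parameters):
    """cpHash = H(commandCode || Name of each handle || command parameters)."""
    return HASH(struct.pack(">I", command_code) + b"".join(handle_names) + parameters).digest()


def auth_hmac(sess_key, auth_value, cphash, nonce_newer, nonce_older, attrs):
    """Authorization HMAC for an unbound session: key = sessionKey || authValue.
    The authValue is only mixed into the key, so it never appears on the wire."""
    msg = cphash + nonce_newer + nonce_older + bytes([attrs])
    return hmac.new(sess_key + auth_value, msg, HASH).digest()


def auth_area(session_handle, nonce_caller, attrs, mac):  # handle || nonceCaller || attrs || hmac
    return struct.pack(">I", session_handle) + nonce_caller + bytes([attrs]) + mac


def tpm_verifies(sess_key, tpm_auth_value, cphash, nonce_caller, nonce_tpm, attrs, received):
    """The TPM recomputes the HMAC with its own copy of the parent's authValue."""
    expected = auth_hmac(sess_key, tpm_auth_value, cphash, nonce_caller, nonce_tpm, attrs)
    return hmac.compare_digest(expected, received)


def demo(host_auth=b"parent-password", tpm_auth=b"parent-password"):
    # Constructed exchange: returns the auth area the host sends and whether the TPM accepts it.
    salt, nonce_caller, nonce_tpm = b"\x5a" * 32, b"\x11" * 20, b"\x22" * 20  # constructed
    sk = session_key(salt, nonce_tpm, nonce_caller)       # salt is sent RSA-encrypted to tpmkey
    attrs = TPMA_SESSION_CONTINUESESSION | TPMA_SESSION_DECRYPT
    cphash = cp_hash(TPM2_CC_CREATE, [b"\x00\x0b" + b"\x33" * 32], b"<encrypted inSensitive, inPublic>")
    mac = auth_hmac(sk, host_auth, cphash, nonce_caller, nonce_tpm, attrs)
    wire = auth_area(0x02000000, nonce_caller, attrs, mac)   # constructed HMAC session handle
    return wire, tpm_verifies(sk, tpm_auth, cphash, nonce_caller, nonce_tpm, attrs, mac)
```

A TPM holding a different authValue for the parent rejects the same command, which is what `demo(tpm_auth=b"wrong")` shows.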
From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of Tomasz Przybysz
Sent: Wednesday, March 28, 2018 09:34
Subject: Re: [tpm2] How to protect and encrypt communication between host and TPM
This is one thing I can't understand.
I want to use an RSA key (not persistent). Why should I use NV?
Is this shared password set for the NV index used to generate the session key
to read the RSA key?
Could you explain ?
On 2018-03-28 at 09:25, Fuchs, Andreas wrote:
I'd also recommend using ESAPI for this.
Basically, what you do is:
- Esys_TR_Deserialize or Esys_Load some well-known key of the target TPM
- Esys_StartAuthSession(): use the well-known key as tpmkey here. This protects against
man-in-the-middle attacks on the session itself if you're not using an authValue on
- Esys_TRSess_SetAttribute(session, TPMA_SESSION_DECRYPT, TPMA_SESSION_DECRYPT) This
makes the session use encryption. (Flag names are from the perspective of the TPM)
- Esys_NV_Write() using the session will automatically encrypt your first parameter and
also authenticate the command.
Respectively you can also do:
- Esys_TRSess_SetAttribute(session, TPMA_SESSION_ENCRYPT, TPMA_SESSION_ENCRYPT)
A simple example on talking to NV-Space can be found in
An example for encrypted sessions here:
From: Roberts, William C [william.c.roberts(a)intel.com]
Sent: Wednesday, March 28, 2018 03:56
To: Tomasz Przybysz; tpm2(a)lists.01.org; Fuchs, Andreas
Subject: RE: [tpm2] How to protect and encrypt communication between host and TPM
> -----Original Message-----
> From: tpm2 [mailto:firstname.lastname@example.org] On Behalf Of Tomasz Przybysz
> Sent: Monday, March 26, 2018 11:55 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] How to protect and encrypt communication between host and
> Hi, we are working on TPM2.0 integration with our devices.
> We use an Infineon TPM 2.0 chip and it works as expected.
> We are using tpm2-tss 1.4.0 library.
> We want to use a transient RSA key generated inside the device. The key is of course
> protected by its parent password, but we want to protect the i2c communication
> between host and TPM chip. We want the communication to be encrypted; we don't
> want to send the parent's password or the key's password in clear text.
> We have found a good example, tpmclient.int.cpp, but it is an example of how to
> encrypt access to the NV Index. There is nothing about RSA keys.
> How do we call Tss2_Sys_Create to create an RSA key and then set a password to use
> with a session protected by TPM2_SE_HMAC and password?
If you can work off of master until the next tss release, I think encrypted sessions are
one of the things that the ESAPI makes easier. Andreas, care to elaborate?
> In the example there is StartAuthSessionWithParams and StartAuthSession.
> There is a KDFa function called, but we need some shared password to create the
> session key.
> Which shared keys? Is this the parent's key password or the key's password?
> Thanks in advance,