Hi Dimi,
Sorry to bother you. After installing the latest version of tpm2-tools,
encrypted communication is possible.
Seal/unseal was possible as shown below.
But I have one question. How can I detect if a MITM attack occurs during
the seal/unseal process? After establishing a session, is there any way
to get the EK certificate of that session?
It seems that the tpm2_getekcertificate command can only get
certificates created via the createek command. I'd like to know if the
TPM I've made a session with is genuine.
Seal:
tpm2_createprimary -c prim.ctx
tpm2_startauthsession --hmac-session -c prim.ctx -S sess.ctx
tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i temp.key -C prim.ctx -S sess.ctx
tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx
tpm2_evictcontrol -C o -c seal.ctx 0x81010001
tpm2_flushcontext sess.ctx
Unseal:
tpm2_startauthsession --hmac-session -c prim.ctx -S sess.ctx
tpm2_unseal -c seal.ctx -S sess.ctx -o out.key
tpm2_flushcontext sess.ctx
Thanks & Regards,
Joseph
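The flow Joseph describes, with the two things he is asking for, as an added example; it is not code from the thread, from tpm2-tools or from wolfTPM. The HMAC session is salted to the Endorsement Key instead of the primary, parameter encryption is switched on with tpm2_sessionconfig before tpm2_create and tpm2_unseal use the session, and the EK is checked before any secret crosses the bus: its certificate is read from the TCG-defined NV index (0x01C00002 for an RSA EK), validated against the vendor CA, and its public key compared with the EK the TPM presents. The point of that check is that an interposer on the bus can answer tpm2_createprimary or tpm2_createek with any public key it likes, but it cannot produce a certificate for that key that chains to the manufacturer; salting to the certified EK then means only the TPM holding the certified private key can derive the session key. Parameter encryption covers the bus only: once tpm2_unseal writes out.key, the secret is in host memory exactly as before. Assumptions: tpm2-tools 5.x (the tpm2_sessionconfig --enable-decrypt and --enable-encrypt option names are as I recall them from its man page; confirm against your installed version), openssl, empty owner and endorsement authorizations, an RSA EK, a vendor CA bundle at the hypothetical path ek-ca.pem, and the file names from the thread. The TPM2_DRY_RUN switch, which prints the tpm2 command lines instead of running them, is my own addition for checking the sequence offline.

```shell
#!/bin/sh
# Added example for the thread above; not code from the thread, from
# tpm2-tools or from wolfTPM. Seal/unseal a secret under an HMAC session
# that is salted to the TPM's Endorsement Key and carries parameter
# encryption, after checking that the EK is the one certified by the TPM
# vendor. Assumptions: tpm2-tools 5.x (tpm2_sessionconfig option names as
# in its man page; confirm on your version), openssl, empty owner and
# endorsement auths, an RSA EK, a vendor CA bundle at the hypothetical
# path ek-ca.pem. TPM2_DRY_RUN=1 prints the tpm2 commands instead of
# running them.
set -eu

EK_CA=${EK_CA:-ek-ca.pem}      # hypothetical vendor CA bundle (root + intermediates)
EK_CERT_NV_RSA=0x01c00002      # TCG EK Credential Profile: RSA EK certificate index
SEAL_HANDLE=0x81010001         # persistent handle used in the thread

# run CMD ARGS...: execute the command, or print it when TPM2_DRY_RUN=1.
run() {
    if [ "${TPM2_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read the EK certificate from NV, validate it against the vendor CA and
# check that the certified public key is the EK the TPM just presented.
# An interposer on the bus can answer tpm2_createek with any key, but it
# cannot mint a certificate for that key that chains to the vendor CA.
verify_ek() {
    run tpm2_createek -G rsa -c ek.ctx -u ek.pub
    run tpm2_readpublic -c ek.ctx -f pem -o ek.pem
    run tpm2_nvread -C o -o ek.crt.der "$EK_CERT_NV_RSA"
    if [ "${TPM2_DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    openssl x509 -inform der -in ek.crt.der -out ek.crt.pem
    openssl verify -CAfile "$EK_CA" ek.crt.pem >/dev/null
    # Compare SubjectPublicKeyInfo fingerprints: certificate vs. live TPM.
    cert_fp=$(openssl x509 -in ek.crt.pem -pubkey -noout |
        openssl pkey -pubin -outform der | sha256sum | cut -d' ' -f1)
    tpm_fp=$(openssl pkey -pubin -in ek.pem -outform der | sha256sum | cut -d' ' -f1)
    if [ "$cert_fp" != "$tpm_fp" ]; then
        echo "EK presented by the TPM does not match its EK certificate" >&2
        return 1
    fi
}

# HMAC session salted to the EK, with parameter encryption in both
# directions: decrypt covers command parameters (the secret handed to
# tpm2_create), encrypt covers response parameters (tpm2_unseal output).
start_encrypted_session() {
    run tpm2_startauthsession --hmac-session -c ek.ctx -S sess.ctx
    run tpm2_sessionconfig sess.ctx --enable-decrypt --enable-encrypt
}

# seal_key SECRET_FILE: seal the file's contents and persist the object.
seal_key() {
    run tpm2_createprimary -C o -c prim.ctx
    start_encrypted_session
    run tpm2_create -Q -g sha256 -C prim.ctx -i "$1" -u seal.pub -r seal.priv -S sess.ctx
    run tpm2_flushcontext sess.ctx
    run tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx
    run tpm2_evictcontrol -C o -c seal.ctx "$SEAL_HANDLE"
}

# unseal_key OUT_FILE: unseal under a fresh encrypted session.
unseal_key() {
    start_encrypted_session
    run tpm2_unseal -c "$SEAL_HANDLE" -S sess.ctx -o "$1"
    run tpm2_flushcontext sess.ctx
}

main() {
    verify_ek
    seal_key temp.key
    unseal_key out.key
    # Round-trip check (skipped in dry-run, where no files are produced).
    [ "${TPM2_DRY_RUN:-0}" = 1 ] || cmp temp.key out.key
}

# Only touch the TPM when invoked as: sh seal-unseal.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh seal-unseal.sh run` (the script name is mine); `TPM2_DRY_RUN=1 sh seal-unseal.sh run` prints the tpm2 command lines without touching the TPM. If openssl verify rejects the EK certificate, check that the vendor's intermediate is in the bundle before suspecting the TPM; many vendors publish a separate intermediate per TPM family.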
------ Original Message ------
From: "Joseph Lee (ZeronsoftN)" <joseph(a)zeronsoftn.com>
To: "Dimitar Tomov" <dimi(a)designfirst.ee>; "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Sent: 2021-08-02 6:27:36 AM
Subject: [tpm2] Re: Is the tpm2_create command safe against sniffing attacks?
Hi Dimi,
Thank you for your kind answer. Looking at the link you gave, I think I
can get more ideas.
I've been trying session encryption via tpm2-tools all weekend.
But I haven't found a way to create an encrypted session in tpm2-tools
yet. Maybe tpm2-tools doesn't support encrypted sessions?
If this is clear, I will implement parameter encryption through
tpm2-tools by referring to wolfTPM.
Thanks & Regards,
Joseph
------ Original Message ------
From: "Dimitar Tomov" <dimi(a)designfirst.ee>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>; "Joseph Lee (ZeronsoftN)" <joseph(a)zeronsoftn.com>
Sent: 2021-08-02 4:33:02 AM
Subject: [tpm2] Re: Is the tpm2_create command safe against sniffing attacks?
>Hi Joseph,
>
>TPM 2.0 offers Parameter Encryption capability and HMAC sessions as
>measures against Man-in-the-middle attacks
>
>Examples in wolfTPM demonstrate how to enable Parameter Encryption
>
>
>https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf08360e5d01/examples/nvram/store.c#L121
>
>There is also Keygen , Key import and Key loading examples with
>Parameter Encryption
>
>https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf08360e5d01/examples/nvram/store.c#L121
>
>Last week we discussed the Dolos Group story about a stolen laptop
>with TPM
>https://developers.tpm.dev/posts/15883726
>
>If Parameter Encryption and HMAC session have been used, this story
>would have developed differently.
>
>Hope this helps.
>
>Dimi
>--
>Founder of TPM.dev
>
>--------------------------------------------------------------------------------
>From: Joseph Lee (ZeronsoftN) <joseph@zeronsoftn.com>
>Sent: Saturday, July 31, 2021 2:09 AM
>To: tpm2@lists.01.org <tpm2(a)lists.01.org>
>Subject: [tpm2] Is the tpm2_create command safe against sniffing attacks?
>
>Hello,
>
>https://pulsesecurity.co.nz/articles/TPM-sniffing
>In this article, one can see that communication with the TPM is
>vulnerable to sniffing if not careful.
>
>https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
>Is the disk encryption described in tpm2-software's blog safe against
>these attacks?
>
>tpm2_createprimary -Q -C o -c prim.ctx
>dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i- -C prim.ctx
>tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx
>tpm2_evictcontrol -C o -c seal.ctx 0x81010001
>
>My question is:
> 1. Is there a tool in linux that can sniff communication with the
>current system's TPM?
> 2. How to encrypt communications if the methods described above
>are not secure?
> It seems that encryption is possible through
>tpm2_startauthsession, but I do not know how to apply it to
>tpm2_create. (The -S option simply did not work.)
>
>Thank you.