Hello!
I would like to know if it is possible to calculate the name of an AK generated by a host
on a remote server. I have read about remote attestation. To ensure the AK matches the EK
we have to make a credential using the name of the AK. To achieve this we have to either:
a) calculate the name of the AK on the server
b) receive the name of the AK from the host and believe it's the name of a proper AK
Am I missing something?
I have searched for an explanation in the docs posted on TCG's site, but I just can't
find anything useful for nameAlg.
I would be thankful for any help or advice :D
Hello Imran! Thank You for your response
I have read this tutorial before writing my question. It's just amazing :D
My question relates to this command:
# the --name line is the one in question :)
tpm2_makecredential \
  --tcti none \
  --encryption-key rsa_ek.pub \
  --secret file_input.data \
  --name $loaded_key_name \
  --credential-blob cred.out
Anonymity is not our concern. We want to ensure that only those computers which were
handed by us to our employees can access internal resources. My idea was to generate the EK
and AK just like in the tutorial, and then send the EK certificate and public part of the AK
to some auth server. Then the server would calculate the name and make use of
tpm2_makecredential.
I have probably overlooked something really important.
Thank you in advance :D
I see. A quick explainer :)
So the AKname is not a secret. Neither is it possible to fake one. And so it can be handed
from the client to the server anytime. (tpm2_readpublic -c ak.ctx -n ak.name)
The credential challenge posed by the server (makecredential) wraps and encrypts a
plaintext credential using the EKpublic and AKname.
Only a client with access to the respective sensitive (private) portions of the EK and AK,
which it will have to load on the TPM, is then able to unwrap/decrypt the
credentialBlob with credential activation.
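Added example, not part of the thread or of tpm2-tools: a server-side check that recomputes the AK name from the AK public area and compares it with the name the client sent, using the TPM 2.0 rule Name = nameAlg || H_nameAlg(marshaled TPMT_PUBLIC). It assumes the server receives the marshaled public area (TPM2B_PUBLIC or bare TPMT_PUBLIC); the function names, the attribute policy and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# TPM_ALG_ID -> hashlib name (values from the TCG Algorithm Registry)
NAME_ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}
# TPMA_OBJECT bits; REQUIRED is an assumed policy for a restricted signing AK
FIXED_TPM, FIXED_PARENT, SENS_DATA_ORIGIN = 0x2, 0x10, 0x20
RESTRICTED, DECRYPT, SIGN = 0x10000, 0x20000, 0x40000
REQUIRED = FIXED_TPM | FIXED_PARENT | SENS_DATA_ORIGIN | RESTRICTED | SIGN

def tpmt_public(blob: bytes) -> bytes:
    """Accept TPM2B_PUBLIC (2-byte size prefix) or bare TPMT_PUBLIC."""
    if len(blob) >= 2 and struct.unpack(">H", blob[:2])[0] == len(blob) - 2:
        return blob[2:]
    return blob

def compute_name(blob: bytes) -> bytes:
    """Name = nameAlg (big-endian UINT16) || H_nameAlg(TPMT_PUBLIC)."""
    pub = tpmt_public(blob)
    if len(pub) < 8:
        raise ValueError("public area too short")
    _type, name_alg = struct.unpack(">HH", pub[:4])
    if name_alg not in NAME_ALGS:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    digest = hashlib.new(NAME_ALGS[name_alg], pub).digest()
    return struct.pack(">H", name_alg) + digest

def looks_like_ak(blob: bytes) -> bool:
    """objectAttributes is the UINT32 that follows type and nameAlg."""
    attrs = struct.unpack(">I", tpmt_public(blob)[4:8])[0]
    return attrs & REQUIRED == REQUIRED and not attrs & DECRYPT

def accept_ak(blob: bytes, claimed_name: bytes) -> bytes:
    """Return the name to pass to makecredential, or raise."""
    name = compute_name(blob)
    if not hmac.compare_digest(name, claimed_name):
        raise ValueError("client-supplied name does not match public area")
    if not looks_like_ak(blob):
        raise ValueError("key attributes are not those of a restricted signing AK")
    return name

def sample_public(attrs: int) -> bytes:
    """Constructed public area: RSA type, SHA-256 nameAlg, filler body."""
    body = struct.pack(">HHIH", 0x0001, 0x000B, attrs, 0) + bytes(range(64))
    return struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    pub = sample_public(0x00050072)
    print(accept_ak(pub, compute_name(pub)).hex())
```

Because the name covers the whole public area, including objectAttributes, the credential is bound to the key properties the server inspected and not only to the key material.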
Thank You for clear explanation :D