3

I understand the general operation of a TPM, and in particular the interest of using a pre-boot PIN: if someone gets access to the machine (turned off), turning on the computer will not be enough to get the keys stored in the TPM and thus decrypt the data.

I wonder how this PIN is used by the TPM? And how effective is it? For example, I know that it is possible to carry out physical attacks on the TPM, and some of these attacks can potentially extract secrets.

But naively, I imagine that if these secrets (let us say the master key of a BitLocker drive) are encrypted with the PIN, it is virtually impossible to obtain these secrets without knowing this PIN (unless directly attacking the underlying encryption algorithm). Is this how it works? Or are the secrets stored in the clear, and the TPM simply releases them after checking that the PIN is correct?

Finally, I know that in a scenario where an attacker obtains total physical access, it is always possible to circumvent such measures (physical keylogger to retrieve the PIN, etc.). But the scenario I have in mind is that an attacker steals a laptop that is turned off (so no DMA attacks, cold boot attacks, etc.) with a disk encrypted with the key stored in the TPM with a PIN. Assuming this attacker is able to perform a physical attack (bypass anti-tamper protections, etc.) can they recover the secrets without knowing the PIN and without interaction with the legitimate user?

1 Answer

4

I have worked with TPM and HSMs in the realm of PCI PTS PED devices and certifications, so that is what I will use for the basis of my answers. They don't all work the same, and usually the datasheet is not publicly available.

Usually what I have seen is that there is a sort of key derivation that isn't encrypted in the strict sense of a qualifying symmetric algorithm, but isn't clear text either; it is usually the result of a key derivation method:

https://en.wikipedia.org/wiki/Key_derivation_function

The PCI standard, for example, defines key derivation methods, storage, and zeroization. At some point at the top the master key has to be non-encrypted, as you pointed out, but it can be stored in multiple parts, salted and hashed or XORed with a PIN, or any combination. A good TPM or HSM should only ever have the master key non-encrypted, and the master key should never be used for any data encryption, only key derivation, so as to limit the chance of brute-force discovery. It is not uncommon for the master key to be generated internally upon programming so that the master key cannot ever be output from the device.

The only attack vectors I know of don't come from the TPM/HSM itself, but rather from the environment in which they are used. I have done extensive SPA/DPA testing professionally. In this scenario you only have to convince the device to use the key many times (at least a few thousand) and you can monitor E/M emissions from the processor, or power, and do statistical analysis to determine the key.

I will attempt to illustrate this. Master top-level key X is stored encrypted by an AES-256 key that the user has memorized and has to input each time to decrypt the OS. I make an assertion of 1 to 4 bits of the PIN used. I then generate 5000 different PINs that vary about 4 to 8 bits of the PINs and leave the rest static. It only takes about 4 bits to make the processor look sufficiently random. I put in these 5000 PINs and capture the EM signals and keep track of what PIN they were for. I then split them into 2 piles: 1 pile makes a particular S-box bit 1 and the other makes the S-box bit 0. If there is any statistical correlation, I then know that my bit assertion was correct, and I can continuously break the PIN bit by bit.

Most new security modules now attempt to mitigate by putting in clock stretching, random delays and other erroneous operations.

And then more advanced DPA looks at second-order and higher correlations, which take exponentially longer, and the race continues.

My example is assuming your PIN is a full AES key, but the same theory can be applied to virtually any mathematical algorithm.

noone392
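A minimal sketch of the "salted and hashed or XORed with a PIN" storage described in the answer above, as an added example that is not part of the original answer and not any particular TPM's or HSM's implementation. The function names, the PBKDF2 parameters and the blob layout are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def _stretch(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Salt and hash the PIN into a 32-byte mask and a 32-byte check key."""
    out = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]


def seal(master_key: bytes, pin: str) -> dict:
    """Store the master key XORed with the PIN-derived mask, never in clear."""
    if len(master_key) != 32:
        raise ValueError("this sketch expects a 32-byte master key")
    salt = secrets.token_bytes(16)
    mask, check_key = _stretch(pin, salt)
    masked = bytes(a ^ b for a, b in zip(master_key, mask))
    tag = hmac.new(check_key, salt + masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unseal(blob: dict, pin: str) -> bytes | None:
    """Recompute the mask from the entered PIN; return None on a wrong PIN."""
    mask, check_key = _stretch(pin, blob["salt"])
    expected = hmac.new(check_key, blob["salt"] + blob["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["masked"], mask))


def derive_key(master_key: bytes, label: bytes) -> bytes:
    """The master key only derives other keys; it never encrypts data itself."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


if __name__ == "__main__":
    mk = secrets.token_bytes(32)        # constructed sample master key
    blob = seal(mk, "4821")             # constructed sample PIN
    print(unseal(blob, "4821") == mk)   # correct PIN recovers the key
    print(unseal(blob, "0000"))         # wrong PIN yields nothing
```

A short numeric PIN has few possible values, so this kind of masking only resists guessing while the blob stays inside the module and PIN attempts are rate-limited.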