
I’m a little unclear on this (marked strong):

"The public key authentication functions provide for on-chip key pair generation using a hardware random number generator, along with public key signature, verification, encryption, and decryption. By generating the private keys in the chip, and encrypting them anytime they are transferred outside the chip, the TPM guarantees that malicious software cannot access the keys at all. Even the owner of the keys cannot give the private keys away to phishing or pharming attacks, as the keys are never visible outside the chip unencrypted. Malicious code could use the private keys on the TPM, so some way needs to be provided to ensure that malicious code cannot use the keys either. "

"The integrity measurement functions provide the capability to protect private keys from access by malicious code. In a trusted boot, the chip stores in the Platform Configuration Registers (PCRs) hashes of configuration information throughout the boot sequence. Once booted, data (such as private keys) can be “sealed” under a PCR. The sealed data can be unsealed only if the PCR has the same value as at the time of sealing. Thus, if an attempt is made to boot an alternative system, or a virus has “backdoored” the operating system, the PCR value will not match and the unseal will fail, thus protecting the data from access by the malicious code."

"The attestation functions keep a list of all the software measurements committed to the PCRs, and can then sign them with a private key known only by the TPM. Thus, a trusted client can prove to a third party that its software has or has not been compromised."

A small example for each would be appreciated. Thanks.

1 Answer

the TPM guarantees that malicious software cannot access the keys at all. Even the owner of the keys cannot give the private keys away to phishing or pharming attacks, as the keys are never visible outside the chip unencrypted.

The TPM never allows these private keys to be exported. The keys are said to be bound to the TPM. This means that the only way to sign something with one of those keys is to use the computer to send a request to the TPM. An attacker who wants to make use of those keys has to access the computer actively. They can't make a copy of the key and use it offline, even with the cooperation of the legitimate user (who could have been tricked).

Preventing passive attacks means that the attacker needs to obtain and keep a foothold on the computer, which gives more chances that they'll be detected. It also means that if the administrator finds and closes the attacker's backdoor, then the attacker loses access to the keys. They can still use the signatures they've already generated but cannot make new ones on new data. (It would be best to repudiate the keys nonetheless, of course.)

Once booted, data (such as private keys) can be “sealed” under a PCR. The sealed data can be unsealed only if the PCR has the same value as at the time of sealing.

Sealing data means to encrypt it (and possibly authenticate it) with a particular key. If you have some sealed data, the only way to recover the data is to obtain the key that was used to seal it. The keys that are discussed in this paragraph are derived from a key that is bound to the TPM and from the PCR values, and not stored anywhere¹. The only way to find a derived key is to use the same key derivation algorithm with the same inputs. Since one of the inputs is a TPM-bound secret, it's impossible to derive the same keys outside the TPM. Since another input is the PCR values, and the TPM is only willing to perform the key derivation using the current contents of the PCR, it's impossible to derive the same keys unless the platform is in the same state (as defined by the PCR values).

The attestation functions keep a list of all the software measurements committed to the PCRs, and can then sign them with a private key known only by the TPM. Thus, a trusted client can prove to a third party that its software has or has not been compromised.

The PCRs contain software measurements, which basically means a hash of the code images that run on the computer (the BIOS, the bootloader, the OS kernel, etc.). If the PCRs have a given value, this proves that the computer is running a particular code image (assuming that there are no bugs in the software or the hardware that could have caused the PCRs to be inaccurate or incomplete). The TPM can generate an attestation, which is a signed message containing the PCR values and additional data. The signing key is bound to the TPM. Given an attestation with a valid signature, this guarantees that the signature was made on the computer with the TPM that possesses the private key, at a time when the PCR had those particular values.

¹ Unless it's been exported for backup. Unlike signing keys, encryption keys are often not actually device-bound, because there has to be a way to recover the data if the device is damaged.

Gilles 'SO- stop being evil'
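The asker wanted a small example of each mechanism. The following Python is an added simulation, not code from the answer or from any TPM vendor: it models a PCR extended by boot-stage measurements, sealing with a key derived on demand from the chip secret plus the current PCR, and a quote over the PCR. `ToyTPM`, `boot`, the sample image names and the HMAC-based toy cipher are all constructed for this illustration; a real TPM signs quotes with an asymmetric attestation key and uses a real cipher for sealed blobs.

```python
import hashlib, hmac, os

def _prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a toy cipher for this simulation only
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class ToyTPM:
    # One chip: a bound secret that never leaves it, and a single PCR
    def __init__(self):
        self._secret = os.urandom(32)   # generated inside the chip, never exported
        self.pcr = bytes(32)            # PCR is all-zero after reset
    def extend(self, measurement: bytes) -> bytes:
        # PCR_new = SHA-256(PCR_old || SHA-256(measurement)): order and content both matter
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()
        return self.pcr
    def _seal_key(self) -> bytes:
        # Derived on demand from the chip secret and the *current* PCR; never stored
        return hmac.new(self._secret, b"seal|" + self.pcr, hashlib.sha256).digest()
    def seal(self, data: bytes) -> bytes:
        key, nonce = self._seal_key(), os.urandom(16)
        ct = _prf_xor(key, nonce, data)
        return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
    def unseal(self, blob: bytes) -> bytes:
        key = self._seal_key()          # a different PCR yields a different key
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("unseal refused: PCR does not match the sealing-time value")
        return _prf_xor(key, nonce, ct)
    def quote(self, verifier_nonce: bytes) -> tuple:
        # Attestation over the current PCR and the verifier's nonce (anti-replay); HMAC stands
        # in for the asymmetric signature a real TPM makes with its attestation key
        sig = hmac.new(self._secret, b"quote|" + self.pcr + verifier_nonce, hashlib.sha256).digest()
        return self.pcr, verifier_nonce, sig
    def verify_quote(self, expected_pcr: bytes, nonce: bytes, quote: tuple) -> bool:
        # A real third party checks with the attestation public key; this simulation has
        # no asymmetric key, so verification reuses the chip secret
        pcr, qn, sig = quote
        good = hmac.new(self._secret, b"quote|" + pcr + qn, hashlib.sha256).digest()
        return qn == nonce and pcr == expected_pcr and hmac.compare_digest(sig, good)

def boot(tpm: ToyTPM, images) -> bytes:
    # Trusted boot: reset the PCR, then measure each stage's image into it before it runs
    tpm.pcr = bytes(32)
    for img in images:
        tpm.extend(img)
    return tpm.pcr
```

Booting with a modified kernel image (or the same images in a different order) produces a different PCR, so `unseal` on a blob sealed under the good state is refused and a quote no longer verifies against the expected value.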