
I am currently researching the capabilities of TPM in creating and storing different kinds of cryptographic keys. I know that a TPM can create and store keys for asymmetric algorithms like RSA or elliptic curves. But what about symmetric keys, like those generated as session keys? Can a TPM create and store those as well?

I found sources on the internet claiming both possible answers to be true. One source says that a TPM cannot handle symmetric cryptography and that additional technology is necessary here. Meanwhile, the documentation of the TPM library by the Trusted Computing Group refers to some symmetric-key operations, indicating that a TPM just might be able to handle them like their asymmetric counterparts. What is the truth?

Sushiman
  • Your question is readily answered on the [TPM Wikipedia article](https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_1.2_vs_TPM_2.0) where it compares TPM 1.2 to TPM 2.0 – user71659 Sep 28 '18 at 01:50

1 Answer


TPMs can seal arbitrary data. When you seal a key, you are not actually storing it inside the TPM. You are sending the raw key to the TPM which encrypts it with an internally protected key (the Storage Root Key, or SRK) and returns the encrypted, or sealed, blob. It is up to you to store this encrypted blob.

forest
  • So that means that symmetric and asymmetric keys can both be wrapped and protected by the SRK of the TPM? But can I make the TPM generate those asymmetric and symmetric keys before they are saved on my HDD as blobs? Because if I create them without the help of the TPM and only wrap them with the SRK afterwards, they might already be compromised in a hostile environment. – Sushiman Sep 29 '18 at 12:56
  • @Sushiman You can create the keys either using the TPM, or by using any other method. You are right in that, if you generate them without using the TPM, they could be, in theory, compromised. – forest Oct 24 '18 at 10:04
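The sealing flow the answer and its comments describe, as an added example that is not part of the original post: a constructed Python model of a TPM whose SRK is generated internally and never exported, with a seal operation for a caller-supplied key, a create operation for a key generated inside the TPM, and an unseal that only the same TPM can perform. The class name, the SRK-derived wrapping keys and the HMAC-based stream cipher are stand-ins chosen for a stdlib-only example, not the real TPM 2.0 algorithms or blob format; what it shows is the trust boundary, i.e. that only the encrypted blob ever leaves the device.

```python
import hmac
import os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()

class ModelTpm:
    """Constructed model of a TPM's seal/unseal interface (not a real TPM)."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)               # internally protected, never exported
        self._k_enc = _prf(self._srk, b"enc")    # wrapping key derived from the SRK
        self._k_mac = _prf(self._srk, b"mac")    # integrity key derived from the SRK

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the model
        blocks = [_prf(self._k_enc, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def seal(self, secret: bytes) -> bytes:
        """Wrap caller-supplied bytes; the returned blob is what the caller stores."""
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        return nonce + ct + _prf(self._k_mac, nonce + ct)   # encrypt-then-MAC

    def create_symmetric_key(self, nbytes: int = 32) -> bytes:
        """Generate a key inside the TPM; the caller only ever sees its sealed form."""
        return self.seal(os.urandom(nbytes))

    def unseal(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(self._k_mac, nonce + ct)):
            raise ValueError("blob tampered with or sealed under a different SRK")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

def seal_roundtrip(secret: bytes) -> bool:
    """The stored blob does not contain the secret, and the same TPM recovers it."""
    tpm = ModelTpm()
    blob = tpm.seal(secret)
    return secret not in blob and tpm.unseal(blob) == secret

def foreign_or_tampered_rejected() -> bool:
    """A second TPM (different SRK) and a flipped ciphertext bit are both refused."""
    tpm, other = ModelTpm(), ModelTpm()
    blob = tpm.create_symmetric_key()
    tampered = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    rejected = 0
    for dev, b in ((other, blob), (tpm, tampered)):
        try:
            dev.unseal(b)
        except ValueError:
            rejected += 1
    return rejected == 2 and len(tpm.unseal(blob)) == 32
```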