
What are some standard device authentication methods in a scenario where:

  • The desktop computer is being authenticated on a web service
  • I provide the .exe on the desktop
  • I control the web service
  • The desktop has a TPM chip installed

Should I get the device ID from the desktop, then somehow sign it with the TPM and send it to the web service? What is the standard method?

  • Take a look at FIDO U2F / UAF and WebAuthn. These are state-of-the-art authentication protocols, and probably the best option to implement. You can use the TPM to protect the device key in this protocol. – Natanael Feb 26 '19 at 17:12
  • Thanks, but this seems rather complex to implement. I was hoping for a simple protocol that can leverage the TPM on the client for device authentication on the web service. Note that I only need to positively ID the device. – guest Feb 28 '19 at 12:17
  • I don't believe anything simpler exists that would be considered secure and that is well supported. Keep in mind that WebAuthn / U2F has existing support in web browsers and server authentication libraries; the only thing you need is a local program that calls the TPM and emulates a U2F device, and code for the TPM itself. The only simpler option is TOTP, but this won't have native browser support: the user must type the generated code. – Natanael Mar 01 '19 at 15:08

1 Answer


Trying to answer my own question; reviews are welcome.

Over an HTTPS connection:

  • Alice requests a random number from Bob's publicly accessible web service
  • Alice signs the random number with her private key inside the TPM 2.0
  • Alice sends the signed random number to Bob
  • Bob verifies that Alice signed the random number

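The four-step exchange in the answer, carried through end to end as an added Go example (not code from the original post), with the two points the comments ask about built in: every nonce Bob issues has an expiry and is consumed on first use, and the value Alice signs binds the server origin and her device ID, so a signature obtained by another service, or over a nonce issued to another device, does not verify. The device ID travels as an identifier only; the proof is the signature over Bob's fresh nonce. Everything here is assumed for illustration: the origin "https://service.example", the device IDs, the 60-second validity window, the "device-auth-v1" domain tag and the field encoding. The TPM is stood in for by a software P-256 key so the example runs anywhere; on the real desktop the key would be created non-exportable inside the TPM and `SignChallenge` would hand the digest to the TPM (TPM2_Sign) instead of to `ecdsa.SignASN1`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Server is Bob: enrolled devices' public keys plus the outstanding nonces, so that every
// nonce is accepted at most once and only from the device it was issued to.
type Server struct {
	origin  string                      // assumed origin, e.g. "https://service.example"
	devices map[string]*ecdsa.PublicKey // deviceID -> public key enrolled out of band
	pending map[string]time.Time        // pendingKey(deviceID, nonce) -> expiry of that challenge
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, devices: map[string]*ecdsa.PublicKey{}, pending: map[string]time.Time{}}
}

// Enroll records a device's public key (in practice the public part of its TPM key).
func (s *Server) Enroll(deviceID string, pub *ecdsa.PublicKey) { s.devices[deviceID] = pub }
func pendingKey(deviceID string, nonce []byte) string         { return deviceID + "\x00" + string(nonce) }

// IssueChallenge is step 1: Alice asks Bob for a random number; Bob remembers who asked and when.
func (s *Server) IssueChallenge(deviceID string, now time.Time) ([]byte, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[pendingKey(deviceID, nonce)] = now.Add(60 * time.Second) // validity window (assumed)
	return nonce, nil
}

// challengeDigest is the exact value both sides sign and verify. Mixing the origin and device ID
// into it (domain tag, length-prefixed fields) is what defeats cross-service and cross-device replay.
func challengeDigest(origin, deviceID string, nonce []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("device-auth-v1") // domain-separation tag (assumed)
	for _, field := range [][]byte{[]byte(origin), []byte(deviceID), nonce} {
		binary.Write(&buf, binary.BigEndian, uint32(len(field))) // length prefix, then the field
		buf.Write(field)
	}
	d := sha256.Sum256(buf.Bytes())
	return d[:]
}

// VerifyResponse is step 4: nonce issued to this device, unused, unexpired, and correctly signed.
func (s *Server) VerifyResponse(deviceID string, nonce, sig []byte, now time.Time) error {
	key := pendingKey(deviceID, nonce)
	expires, ok := s.pending[key]
	if !ok {
		return errors.New("nonce unknown, already used, or issued to another device")
	}
	delete(s.pending, key) // single use: consumed on the first attempt, whether it succeeds or not
	if now.After(expires) {
		return errors.New("challenge expired")
	}
	if !ecdsa.VerifyASN1(s.devices[deviceID], challengeDigest(s.origin, deviceID, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client is Alice. The P-256 key is generated in software so the example runs anywhere; in the
// real deployment it is created inside the TPM and SignChallenge hands the digest to TPM2_Sign.
type Client struct {
	deviceID string
	priv     *ecdsa.PrivateKey // stand-in for the TPM-resident, non-exportable key
}

func NewClient(deviceID string) (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{deviceID: deviceID, priv: priv}, nil
}

// SignChallenge is step 2: Alice signs the nonce bound to the origin she believes she is talking to.
func (c *Client) SignChallenge(origin string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, challengeDigest(origin, c.deviceID, nonce))
}

func main() {
	srv := NewServer("https://service.example")
	alice, _ := NewClient("desktop-0001")
	srv.Enroll(alice.deviceID, &alice.priv.PublicKey)
	nonce, _ := srv.IssueChallenge(alice.deviceID, time.Now())              // step 1
	sig, _ := alice.SignChallenge(srv.origin, nonce)                        // steps 2 and 3
	fmt.Println(srv.VerifyResponse(alice.deviceID, nonce, sig, time.Now())) // <nil>
	fmt.Println(srv.VerifyResponse(alice.deviceID, nonce, sig, time.Now())) // replay: already used
}
```

The nonce is deleted before any other check runs, so a response that fails for any reason cannot be retried, and the server never has to compare a signature against a nonce it did not hand out. Enrollment of the public key is the step this protocol leaves open: whatever registers the key must itself be trusted, since Bob can only prove "the same key as at enrollment", not "a genuine TPM", unless the key is additionally certified by the TPM's endorsement hierarchy.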
  • How long is a request valid? Are you properly binding it to the client / server so that replay attacks can't work? – Natanael Mar 01 '19 at 15:12