10

I understand that the TPM can be used to store an unlimited number of keys. However, I am left with a few questions:

  • Presuming the TPM is connected on the LPC, what protects the data travelling across that interface?
  • If I follow the SRK key approach, what is used as the root key, i.e. is the SRK key hard-coded inside the TPM?
  • How can I distribute these keys across multiple systems with individual TPMs? Would I have to pre-encode all keys using the TPM on each system pre-distribution?
Nark
  • This might be related to the last question. http://security.stackexchange.com/questions/38648/is-it-possible-to-share-bitlocker-decryption-keys-between-multiple-tpms/39137 – user1049697 Dec 11 '13 at 20:36

2 Answers

7
  1. With version 1.2, that would be the concept of Locality, which is implemented in hardware. In reality, the communication is not authenticated and 1.2 is, theoretically, still vulnerable to the version 1.1 reset attack, but it has never been proven (the window of attack is way smaller). One important thing to consider: not all TPMs are made equal and you get to choose your level of security. A lot of TPMs are now integrated within the chipset, since 2009 if I recall. Intel provides those TPMs as part of their vPro technology. They run as an application within the Management Engine within the Platform Controller Hub on new architecture, or northbridge otherwise. In turn, it means the attack surface is most probably null.

  2. The SRK is created when the platform owner (that would be you) performs 'Take Ownership' of the TPM. This means you initialize the TPM and set a passphrase for the newly generated SRK. The only hardcoded key is the EK (Endorsement Key), which is used (when necessary) to prove it's a valid/compliant TPM to an external entity.

  3. TPMs have the concept of migratable keys which provide a way to move keys from one platform to another. Take note that a TPM does not really manage symmetrical keys but uses symmetrical keys to encrypt blobs. Obviously, you can encrypt a symmetrical key within a blob but this symmetrical key would not entirely benefit from the advantage of a TPM as it needs to be decrypted and loaded in memory in order to be used.

Oren Milman
northox
3

If you use the TPM to store a secret (seal it) then it can be retrieved only by a trusted system state, but it will be able to be retrieved. This makes it visible in memory (possibly swap) as well as vulnerable to wire tapping on the main board.

Yes, the SRK is stored in the TPM; it is generated when it gets initialized and can generally never be read out with software instructions (and is hard to reverse engineer with hardware access).

I guess you will have to re-encrypt the data you want to distribute to unique platform SRKs. But you might do that only for a single storage key. So basically you encrypt the file with a new storage key and ship it to all machines. And then you seal this key for all TPMs. Distributing this can be done safely by using the public part of the TPM's endorsement key.

eckes
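
An added example, not part of either answer and not code from any TPM library: a toy Python model of TPM 1.2 PCR extend and seal/unseal, showing what "retrieved only by a trusted system state" means in the answer above. `ToyTPM`, its methods and the boot component names are hypothetical; a real TPM encrypts the sealed blob under a storage key instead of keeping it in a dictionary.

```python
import hashlib
import hmac

ZERO = b"\x00" * 20     # a TPM 1.2 PCR is 20 bytes (SHA-1) and resets to zero

class ToyTPM:
    """Toy model of PCR extend and seal/unseal; not a real TPM interface."""

    def __init__(self):
        self.pcrs = [ZERO] * 16   # static PCRs 0-15
        self._sealed = {}         # handle -> (selection, expected composite, secret)

    def extend(self, index, measurement):
        # PCR_new = SHA1(PCR_old || digest): order-sensitive and cannot be undone.
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def _composite(self, selection):
        # Simplified stand-in for the TPM's PCR composite hash.
        return hashlib.sha1(b"".join(self.pcrs[i] for i in selection)).digest()

    def seal(self, handle, secret, selection):
        # Bind the secret to the PCR values present at this moment.
        self._sealed[handle] = (tuple(selection), self._composite(selection), secret)

    def unseal(self, handle):
        selection, expected, secret = self._sealed[handle]
        if not hmac.compare_digest(expected, self._composite(selection)):
            raise PermissionError("PCR state differs from the state at seal time")
        return secret   # from here on the plaintext sits in host memory

def boot(components):
    """Measure each boot component (constructed sample names) into PCR 0."""
    tpm = ToyTPM()
    for blob in components:
        tpm.extend(0, blob)
    return tpm

def unseal_after_boot(sealer, components, handle="disk-key"):
    """Reboot with the given components, then try to unseal on the same TPM."""
    fresh = boot(components)
    fresh._sealed = sealer._sealed   # sealed blobs persist across reboots
    try:
        return fresh.unseal(handle)
    except PermissionError:
        return None
```

The value returned by `unseal` is an ordinary byte string in the caller's memory, which is the exposure the answer refers to.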