The question "How to use TPM to perform platform authentication" is basically asking if the TPM's EK can be used to "authenticate" a host/device. And one of the answers says:

"The Endorsement Key (EK) is not directly accessible as this would be a privacy issue - we could track a system using this unique identifier."

But the EK's public key hash (and public key too, I guess) is publicly available (if you have access to the machine), e.g.,

PS C:\windows\system32> get-tpmendorsementkeyinfo -hash "Sha256"


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : 18e3b568aeb17b4e75f3838d7b01ffe63c52d976950943a10968761b5bfe3f4d
ManufacturerCertificates : {[Subject]
                             TPMVersion=id:0808, TPMModel=ST19NP18PVMT, TPMManufacturer=id:53544D20

                           [Issuer]
                             CN=STM TPM EK Intermediate CA 01, O=STMicroelectronics NV, C=CH

...

Why isn't the EK's public key hash sufficient to identify a unique host/device? (Assuming all you want is a "fingerprint" and not to encrypt/decrypt with it.)

And in fact, this is sort of suggested by the other answer to the question which suggests generating an AIK and using its public key. (But why do you need the extra step of generating an AIK when you can just use the EK's public key?)

Update: @Andre, in a comment below, says that the EK can be reset and regenerated by the device. I didn't know this, thanks! Microsoft says "The endorsement key is an encryption key that is permanently embedded in the Trusted Platform Module (TPM) security hardware, generally at the time of manufacture." in TechNet, here - but "generally" of course means "not always". This result from the book "Trusted Computing Platforms: TCPA Technology in Context" (page 124) talks about how originally the private endorsement key was generated on the device - but that was later relaxed because it caused manufacturing problems, and now the manufacturer generates the EK off the device and injects it into the device. Finally, the book "A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security" agrees, with an important caveat: the EK can be reset, but if you do, long-living certificates (including some the TPM chip manufacturer is holding that are used in some attestation scenarios) are all invalidated.

So, for purposes of this question: Let's say the fingerprint needn't be absolutely permanent so that you will always get the same fingerprint for the device for all time. Rather, let's say the fingerprint needs to be unique, so that you'll never confuse this device with another device (though you might lose the relationship of this device to itself earlier). With that interpretation: Can the EK's public key (hash) be used to uniquely fingerprint the device?

davidbak
  • As far as I know the endorsement key can be reset, so it doesn't uniquely identify a device as the user can tell the TPM to generate a new one at any moment. –  May 28 '15 at 03:12
  • I don't see that the EK can be *re*set by the end-user in any of your references. Can you be more specific? As far as I know, it is not possible and would defy the purpose. If any reset was possible, it would require the involvement of the manufacturer as he's the only one who can attest whether this is a real/valid TPM and the EK is properly secured to TCG standards. – northox Oct 18 '15 at 14:40
  • @northox I thought I said above that the book referenced said long-lived certificates that the TPM chip manufacturer is holding that are used for attestation of some kind will be invalidated if you reset the EK. Is that not what you're referring to? I see your answer below, BTW, I haven't accepted it yet because a) didn't answer whether I can use the PK as a fingerprint, and b) I have to go back to the books and make sure I understand the "context of remote attestation" you're talking about. I'll look for the page number in the book so I can provide a better link. – davidbak Oct 19 '15 at 01:30
  • Understood. I'll add some clarifications. – northox Oct 19 '15 at 14:11

1 Answer

EK cannot be reset. It is this certificate that identifies the TPM as being real/trustworthy (e.g. not software-based) and TCG compliant.

The statement about EK being private refers to a 3rd party in the context of remote attestation - not someone already on the local machine, which has many other means to fingerprint the device.

In other words, if you were to do remote attestation via the EK directly, you would always expose the same identity. With AIK, you can have as many identities as you want and only the CA knows your real identity (public EK).

So the answer is NO in the context of remote attestation and YES in the context of someone already on your system.

northox
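
The linkability argument in the answer above, as an added Python model that is not part of the original post. Random bytes stand in for EK/AIK public keys and an HMAC stands in for the Privacy CA's signature; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def fingerprint(public_key: bytes) -> str:
    """SHA-256 hex digest of public key bytes, used as an identifier."""
    return hashlib.sha256(public_key).hexdigest()

class ModelTpm:
    """Toy TPM: random bytes stand in for real public keys (assumption)."""
    def __init__(self):
        self.ek_pub = os.urandom(256)      # one fixed EK per device

    def new_aik_pub(self) -> bytes:
        return os.urandom(256)             # a fresh AIK for each identity

class ModelPrivacyCA:
    """Certifies AIKs; the only party that learns the AIK -> EK mapping."""
    def __init__(self):
        self._secret = os.urandom(32)      # HMAC stands in for a CA signature
        self._aik_to_ek = {}

    def certify(self, ek_pub: bytes, aik_pub: bytes) -> bytes:
        self._aik_to_ek[fingerprint(aik_pub)] = fingerprint(ek_pub)
        return hmac.new(self._secret, aik_pub, hashlib.sha256).digest()

    def resolve(self, aik_fp: str) -> str:
        return self._aik_to_ek[aik_fp]

def attest_with_ek(tpm, verifiers):
    """Every verifier is shown the same EK fingerprint."""
    return {v: fingerprint(tpm.ek_pub) for v in verifiers}

def attest_with_aik(tpm, ca, verifiers):
    """Each verifier is shown a different CA-certified AIK fingerprint."""
    seen = {}
    for v in verifiers:
        aik = tpm.new_aik_pub()
        ca.certify(tpm.ek_pub, aik)
        seen[v] = fingerprint(aik)
    return seen

def linkable(seen) -> bool:
    """True if verifiers comparing notes can match the device by identifier."""
    return len(set(seen.values())) < len(seen)
```

In this model the EK fingerprint is unique per device and identical for every verifier, while AIK fingerprints differ per verifier and only the CA can map them back to the EK.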