Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent fake Attestation Key #15

Open
ernesto418 opened this issue Jun 10, 2021 · 4 comments
Open

Prevent fake Attestation Key #15

ernesto418 opened this issue Jun 10, 2021 · 4 comments
Assignees
@nicowilliams
Labels
enhancement New feature or request question Further information is requested

Comments

@ernesto418
Copy link

It is important that the server validates the attributes of the Attestation Key when it receives the AKpub to verify that if it is loaded in the TPM, it is a genuine attestation key.

If not, the client could load an externally generated key with a well-known private key in the TPM and use it to sign externally a fake quote. Then, because it is loaded in the TPM, it would pass the Make/Activate_credential.

I was reading the Attestation Protocols and I didn't find anything related to it in the Readme.
@nicowilliams
Copy link
Contributor

nicowilliams commented Jun 10, 2021
edited
Loading

Correct. The attestation server MUST compute the cryptographic name of the client's AK using only a) the AKpub presented by the client, b) the attributes the server wants the AK to have. In particular the server should insist on fixedTPM and fixedParent, and probably also stClear, and any authPolicy. And if it wants an authPolicy, then the server must also add adminWithPolicy to the key's attributes before computing its name.

EDIT: And as you noted elsewhere, the AK also must be restricted, otherwise an attacker with access to the client's TPM can fake a quote.

@tomoveu tomoveu added the question Further information is requested label Jun 10, 2021
@tomoveu
Copy link
Contributor

tomoveu commented Jun 10, 2021

Great response @nicowilliams

The TCG requirement for AK as I know it is for the AK to be:

  • restricted key
    • (to work only with TPM generated data)
  • fixedTPM
    • (can be loaded only on this particular TPM)
  • fixedParent
    • (AK is wrapper using specific TPM Primary Key)

stClear is a nice addition that @osresearch clarifies in his FAQ as

" ... the TPM will not allow it to be persisted and will refuse to reload it when the reboot counter increments."

@tomoveu tomoveu added the enhancement New feature or request label Jun 10, 2021
@tomoveu
Copy link
Contributor

tomoveu commented Jun 14, 2021
edited
Loading

@ernesto418 please see if the latest changes merged into master for the tutorials address your question

If yes, confirm, so we could close this ticket as resolved. Thanks

@ernesto418
Copy link
Author

I think you refer to:

d0cbddf#diff-e52a82c98b3ab3495218220dd008585165b7edfb9e2541aaacf1c3d8cd6f3d85

I didn't find in all the commit the words:
restricted, fixedTPM and fixedParent

That are the mandatory attributes to be asserted when generating the AK name to be used in TPM_makecredential.

Maybe it is explained in a different way, but I didn't find it. Therefore, I think it doesn't address the Issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nicowilliams nicowilliams

Labels
enhancement New feature or request question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nicowilliams @tomoveu @ernesto418