Giter Club home page Giter Club logo

tpm2attestationcertificationauthority's Introduction

Tpm2AttestationCertificationAuthority

Test project for Attestation CA, previously referred to as Privacy CA.

+-----+ ------ ek_rsa.cert --->  +--------------+
|     | ------ ak_rsa.pub ---->  | Attestation  |
| T P | ------ ak_rsa.name --->  | Certificate  |
| R L |                          |  Authority   |
| U A | <---- credentials -----  |              |
| S T | <---- ak_cert.enc -----  +--------------+
| T F |                       
| E O | ( Decrypt AKCert using TPM.EKpriv / TPM2_ActivateCredential )
| D R |    
|   M |    
| M   |                           +--------------+
| O   | -------- ak_cert ------>  |    Remote    |
| D   | ------ tpm2_quote ----->  | Attestation  |
| U   |                           |    Server    |
| L   |                           +--------------+
| E   |
+-----+

Attestation CA is responsible for:

  • Ensuring proof of ownership, i.e. TPMs must authenticate by successfully decrypting the TPM Credential using TPM2_ActivateCredentials.
  • Validating TPM Endorsement Key Certificate against trusted TPM manufacturer. (Optionally, not yet implemented: verify Endorsement Key against trusted list of specific tpm keys)
  • Generating an Authentication Certificate for the TPM's Attestation Key. The certificate should reflect the privacy and identification requirements of the attestation system, and validity etc should be set appropriately.

Dependencies

  • Depends on gov.niarl.his.privacyca from opencit.
  • Read/write TPM2Tools 3.1.0 compatible files.

Command line

The CA can be used from command line:

java -cp bin:libs/bcpkix-jdk15on-160.jar:libs/bcprov-jdk15on-160.jar \
blaufish.test.tpm2.Tpm2AttestationCACli \
  --in-akname=test/ak_rsa.name \
  --in-akpub=test/ak_rsa.pub \
  --in-ekcert=test/nvread.1c0002.cert \
  --in-tpm-manufacturer-cert=test/OptigaRsaMfrCA022.crt \
  --out-cacert=test/temp.ca.cert \
  --out-tpm-akcert-encrypted=test/temp.akcert.encrypted \
  --out-tpm-credential=test/temp.credential

The CA will generate:

  • test/temp.crediantial, a file that can be only decrypted with the TPM Endorsement Key using the tpm2_activatecredential (Proof of Ownership). In this demo, the credentials contained within is an AES-key.
  • test/temp.akcert.encrypted, a file that can only be decrypted by the AES-key hidden inside the credentials.
  • temp.ca.cert, the root CA certificate (just a dummy for now).

Input files are generated as follows:

tpm2_evictcontrol -Q -A o -H 0x81010007 --tcti device:/dev/tpmrm0
tpm2_evictcontrol -Q -A o -H 0x81010008 --tcti device:/dev/tpmrm0
tpm2_getpubek --tcti device:/dev/tpmrm0 -H 0x81010007 -g 0x0001 -f ek_rsa.pub
tpm2_getpubak --tcti device:/dev/tpmrm0 -E 0x81010007 -k 0x81010008 -g 0x0001 -D 0x000b -s 0x0016 -f ak_rsa.pub -n ak_rsa.name
loaded-key:
  handle: 80ffffff
  name: 000bd3dc102187be259f12f361bc0c231f5a9788a48a6a832d11d99dc8ce1b5eafca

Bugs and future improvements

  • TPMT_PUBLIC parsing of TPM Authentication Key is, eh, very crude and not portable.
  • Whitelisting specific TPMs Endorsement Keys is not yet implemented.
  • Authentication Key Certificates generated does not include anything useful currently.
  • gov.niarl.his.privacyca classes only support RSA, not ECC.

tpm2attestationcertificationauthority's People

Contributors

blaufish avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

littlelearnlive muskanb

tpm2attestationcertificationauthority's Issues

Please Tell Me The Runtime Environment

I'm working on the PrivacyCA, and found this project. It's a great experiment, easy to understand and is already perfect.

So I want to run this project first, to understand the whole process. The tpm2-tools part is clear to me. The following is the Java part that I want to confirm:

Java: JDK 15, I use openjdk-15.0.2
External jar: bcpkix-jdk15on-1.60.jar, bcprov-jdk15on-1.60.jar
For OpenCit, I think the 3 code files attached in project are enough. Later I'll study on the whole OpenCit.

If there is anything wrong or something I didn't mentioned, PLEASE tell me.

By the way, is the tpm manufacteror cert downloaded from TCG website? I think I have seen it before.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.