Desktop version

Home arrow Computer Science arrow A Practical Guide to TPM 2.0

A short course of lectures
«A Practical Guide to TPM 2.0»

NonceSatisfying a PolicyTransforming the Approved Policy in the Flexible PolicyThe Platform Crypto ProviderPCR AlgorithmsWave Systems Embassy SuitePlatform Configuration RegistersDebugging High-level ApplicationsAsymmetric KeysDefinitions of the Major Fields of the Response Byte StreamExample 6: A Policy for Group AdmissionDigest PrimitivesPCRs for AttestationHMAC: Message Authentication CodeNVRAM StorageUnderstudy RoleHMAC Authorization LifecycleKey ActivationTPM Internal SlotsMultifactor AuthenticationDebug ProcessConsiderations in Creating PoliciesHow to Find Information in the SpecificationPolicies and PasswordsNV NamesSeparation of PrivilegeKey ManagementAudit LogDigital Signatures (such as Smart Cards)IBM File and Folder EncryptionAnalyze the Error CodeHow TPM 2.0 Devices Are UsedNV Counter IndexExample: A Policy for Work or Home ComputersTechnique 3Bound vs. UnboundGeneral DefinitionsTSS 2.0Starting the PolicyWillStartup InitializationExclusive AuditObjectsStructure with UnionCanonicalizationKey Types and AttributesKDF: Key Derivation FunctionDuplication AttributesPassword, HMAC, and Policy Sessions: What Are They?Making a Compound PolicyBad SizeRSA Asymmetric-Key AlgorithmWhy a TPM?What Do Encrypt/Decrypt Sessions Do?ECDSA Asymmetric-Key Algorithm to Use Elliptic Curves for SignaturesInternal Value of an NV RAM LocationApplications That Should Use the TPM but Don'tPseudocode FlowPlatform Security Technologies That Use TPM 2.0Building the Entity's Policy DigestExample 2: An Enterprise IT Organization with Windows TPM 2.0 Enabled SystemsFlexible (Wild Card) PolicyNV IndexesInterruptsFlexible Management (New in 2.0)HMAC PrimitivesPolicy Authorization Time IntervalsAudit Data: Notation SyntaxAltering or Creating an Entity That Requires HMAC AuthorizationPlatform OEM ProvisioningManagement of Objects, Sessions, and SequencesTPM2B_XXX StructuresGuidelines for TPM2_StartAuthSession Handles and ParametersLocking Firmware in an Embedded System, but Allowing for UpgradesPlatform NV EnableMissing ObjectsResponse Authorization StructuresECC Asymmetric-Key AlgorithmCreating PoliciesExecution EnvironmentResource Manager OperationsKenRemote Provisioning of PCs with IDevIDs Using the EKTechnique 2HierarchiesStrategies for Ramping Up on TPM 2.0TSS.netThe MonitorDebug Trace AnalysisEntity NamesCommonly Used Sections of the SpecificationSystem API Test CodeWrong TypeActivating a CredentialAudit CommandsPassword Authorization SessionContext Management vs. LoadingPCRsWhy Extended Authorization?The Stack: a High-Level ViewExisting Applications That Use TPMsPCR Authorization and PolicyMultifactor AuthenticationSession VariationsHMAC and Policy Session Code ExampleEnd User RoleMicrosoft SimulatorEndorsement HierarchySymmetric-Key ModesBuilding Applications for TPM 1.2TPM Context-Management FeaturesProtection TargetTechnique 1Compound Policies: Using Logical OR in a PolicyTPM Access Broker (TAB)Nonvolatile IndexesSystem-Wide SecurityPersistence of KeysPersistent HierarchiesTPM 2.0 Library Specification: The PartsPolicy AuthorizationKey GenerationRandom Number GeneratorRandom Number GeneratorCode Example: Password SessionRestricted Signing KeyPractical Use CasesRunning the SimulatorBuilding the Simulator from Source CodeUsing a Password AuthorizationIntel TXT Boot SequenceMultiple Varieties of AuthenticationResource ManagerStartup, Shutdown, and ProvisioningSession and Authorization: Compared and ContrastedHistory of TPM 2.0 Specification DevelopmentNV Ordinary IndexNon-Brittle PCRs (New in 2.0)TSS.Net and TSS.C++SKINITUsing a Policy to Authorize a CommandResource ManagerIntel TXT Platform ComponentsScenarios for Using Additional TPM 2.0 CapabilitiesIf the Policy Is CompoundDeprovisioningCryptographic FamiliesNavigating the SpecificationHow Does EA Work?Key HierarchyCommand Authorization AreaStartup and ShutdownSome TermsSpecial Error CodesPasswords (Plaintext and HMAC) of the ObjectSystem API Test CodeNV WrittenOther TPM 2.0 SpecificationsNew Manageability Solutions in TPM 2.0Setting Up the TPMCommon BugsState of the External Device (GPS, Fingerprint Reader, and So On)TPM Manufacturer ProvisioningCertificationThe Three TechnologiesSession Key and HMAC Key DetailsExample 2: A Policy for a Key Used Only for Signing with a PasswordCreating an HMAC SessionKey DistributionDictionary Attack Lockout ResetUse Cases for Session VariationsPCR Quote in Detail: Table DecorationsAuthentication or Authorization TicketStarting HMAC and Policy SessionsNumber of PCRsUsing an HMAC Session to Authorize a Single CommandUsing an HMAC Session to Send Multiple Commands (Rolling Nonces)Putting It All TogetherIntel® Trusted Execution Technology (Intel® TXT)DebuggingCommand Execution FunctionsCommand Context Allocation FunctionsPerforming the Action That Requires AuthorizationKey StorageSystem APILocality of CommandSetting Up the Software StackExample 3: A PC state, a Password, and a FingerprintSymmetric Key PrimitivesAuthorization RolesExample 4: A Policy Good for One Boot CycleSolving Bigger Problems with the TPM 2.0EndiannessOffice RoleNULL HierarchyIdentificationHistory of Development of the TPM Specification from 1.1b to 1.2Privacy EnablementAdministrator RoleInternal State of the TPM (Boot Counter and Timers)Changing a Password Authorization for an Already Created EntityNV PasswordAMD Secure Technology™Symmetric-Encryption KeyRelationship to TPMsVirtual Smart CardSimple Assertions and Multifactor AssertionsHMAC AuthorizationExample 7: A Policy for NV RAM between 1 and 100Feature APIThe ProblemExample 1: Smart card and PasswordHow TPM 2.0 Developed from TPM 1.2Policy Authorization LifecycleKeys UnraveledCommand Authorization StructuresThe NS bitPrivacyDecrypt/Encrypt SetupTAB and the Resource Manager: A High-Level DescriptionPolicyKey DestructionCommand AuditTPM Administration and WMIRocks to Avoid When Developing TPM ApplicationsPermanent EntitiesCalculating the Strength of Algorithms by TypeCertified PoliciesEnd User ProvisioningDaveNV IndicesSalted vs. UnsaltedSession-Related DefinitionsDefinitions of the Major Fields of the Command Byte StreamSecure Hash (or Digest)Scenarios for Using TPM 1.2RSA for Key EncryptionKey CacheCombined Authorization LifecycleHardware Validated BootDevice DriverRSA for Digital SignaturesPCR CommandsKey Trees: Keeping Keys in a Tree with the Same Algorithm SetEphemeral HierarchyEncryptionState DiagramsSeparate CommandsCryptographic AttacksHigh-Level DescriptionCommand and Response Authorization Area DetailsAudit TypesSimple Code ExamplePassword Authorization LifecycleIdentifying Resources by Name (New in 2.0)ARM® TrustZone®TABCreating a Password Authorized EntityHash ExtendPlatform HierarchyTypical BugsStorage HierarchyHMAC Session SecurityPCR ValueApplication Interfaces Used to Talk to TPMsOther Privacy ConsiderationsCommon Structure ConstructsTesting the SimulatorEnhanced Authorization (New in 2.0)Extended Authorization (EA) PoliciesImplementation of TrustZoneGetting Started in Part 3: the CommandsPassword Authorization: The Simplest AuthorizationDisabled FunctionMicrosoft BitLockerContext ManagementQuick Tutorial on TPM 2.0Command-Based AssertionsExample 1: Simple Key ManagementHMAC and Policy Sessions: DifferencesPCRs: State of the MachineSample CodeApplications That Use TPMsSecuring a Server's LogonRestricted Decryption KeyKey CommandsMore Complex ErrorsData BackupsECDH Asymmetric-Key Algorithm to Use Elliptic Curves to Pass KeysLow-Level Application DebuggingCreating the Entity to Use the Policy DigestHistory of the TPMPython ScriptSetting Up a Binary Version of the SimulatorTPM EntitiesSatisfying the Approved PolicyCommand Preparation FunctionsKey AuthorizationData DetailsDecrypt/Encrypt SessionsAlgorithm Agility (New in 2.0)Authorizations and SessionsSecurity DefinitionsDuplicationKeysNonpersistent EntitiesAuditing TPM CommandsCryptographic PrimitivesAttacks on the Algorithm ItselfProvisioningPlatform Configuration RegistersWhy AuditNULL HierarchyPasswords of a Different ObjectPCR AttributesIf the Policy Is Flexible (Uses a Wild Card)Three Persistent HierarchiesKey DestructionBasic Security ConceptsPublic Key CertificationTPM Software StackKey GeneratorTPM on an AMD PlatformSymmetric and Asymmetric Keys AttributesAuthorizationSpecial Rules Related to Power and Shutdown EventsStarting the Real Policy SessionPrimary Keys and SeedsReserved HandlesHow Extended Authorization WorksTPM Context-Management CommandsTSS.netQuick Key Loading (new in 2.0)Simple Assertion PoliciesHigh-Level DescriptionBrute ForcePersistent EntitiesTrustZone Is an Architectural FeatureLast ResortSome DefinitionsPCRs for AuthorizationDecrypt/Encrypt LimitationsWorld SwitchingExample 5: A Policy for Flexible PCRsPlatform Configuration Registers (PCRs)Home RoleSession AuditTCTITPM2_StartAuthSession CommandSending Policy Commands to Fulfill the PolicyNV Index Handle Values
Found a mistake? Please highlight the word and press Shift + Enter