Attacks on the Algorithm Itself
Cryptographic algorithm design is a bit of an art. The mathematics are based on how hard it is to solve a particular type of problem, and that difficulty in turn is based on current knowledge. It's very difficult to design an algorithm against which no attacks can ever be mounted.
An attack on the SHA-1 hash algorithm (Wang, Yin, and Yu, CRYPTO 2005) was one of the motivations for moving from TPM 1.2 to TPM 2.0. Absent any weakness, a brute-force birthday attack on the 160-bit SHA-1 digest would take about 2^80 calculations, for a cryptographic strength of 80 bits. The attack, which exploited a weakness in the underlying mathematics, reduced the number of calculations required to find a collision to about 2^63: a cryptographic strength of 63 bits. TPM 1.2 used SHA-1 throughout the design. With 56-bit DES encryption defeated by brute-force attacks in 1998, it was clear that 63 bits was not enough for the industry. For that reason, TPM 2.0 removed this dependency on the SHA-1 algorithm. To defend against such an attack ever happening again, the specification was made algorithm agile: algorithms can be added to or removed from the specification without requiring that the entire specification be rewritten.
To summarize, in order to be secure, cryptographic algorithms must resist the following kinds of attack:
• Weaknesses in algorithms: You can avoid weak algorithms by using well-vetted, internationally accepted, widely reviewed standards.
• Brute-force attacks: By choosing large key sizes and by allowing the end user to pick the key size they wish to use, you can avoid this vulnerability. Today 128 bits is generally considered a safe value for symmetric algorithms, but some researchers and security agencies insist on 192 bits.
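The "cryptographic strength of 80" quoted for SHA-1 above is the generic birthday bound: a hash with an n-bit output yields a collision after roughly 2^(n/2) evaluations, no matter how well designed it is, so a 160-bit hash can never offer more than about 80 bits of collision resistance. The following added example (not code from the book or from any TPM specification) makes that bound observable by truncating SHA-256 to a few bits, running the brute-force birthday search, and comparing the measured work to the estimate sqrt(pi/2 * 2^n). The hash name is a parameter passed to hashlib, which is a small illustration of what algorithm agility buys you; the seed strings and truncation widths are arbitrary choices for the demonstration.

```python
import hashlib
import math


def truncated_digest(data: bytes, bits: int, alg: str = "sha256") -> int:
    """Hash `data` with `alg` (any name hashlib accepts, so the caller can
    swap algorithms without touching this code) and keep only the top
    `bits` bits of the digest. Truncating to a small width lets the birthday
    bound be observed in milliseconds rather than the 2**80 work a real
    160-bit hash would demand."""
    d = hashlib.new(alg, data).digest()
    return int.from_bytes(d, "big") >> (len(d) * 8 - bits)


def birthday_estimate(bits: int) -> float:
    """Expected number of distinct inputs hashed before the first collision
    among 2**bits possible outputs: sqrt(pi/2 * 2**bits), about 2**(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, seed: bytes, alg: str = "sha256"):
    """Generic (brute-force) birthday attack against the truncated hash.
    Hashes seed || counter until two different inputs share a digest and
    returns (first_message, second_message, number_of_hashes_computed)."""
    seen = {}
    i = 0
    while True:
        m = seed + i.to_bytes(8, "big")
        h = truncated_digest(m, bits, alg)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def measured_over_estimate(bits: int, runs: int = 8) -> float:
    """Average hashes-to-collision over several seeds divided by the birthday
    estimate. A value near 1.0 confirms the 2**(bits/2) collision cost."""
    total = sum(find_collision(bits, b"seed-%d-" % r)[2] for r in range(runs))
    return (total / runs) / birthday_estimate(bits)


if __name__ == "__main__":
    for bits in (16, 24):
        m1, m2, trials = find_collision(bits, b"demo-")
        print(f"{bits}-bit truncation: collision after {trials} hashes "
              f"(estimate {birthday_estimate(bits):.0f}): "
              f"{m1.hex()} and {m2.hex()} share digest "
              f"{truncated_digest(m1, bits):#x}")
        print(f"  measured/estimate over 8 runs: {measured_over_estimate(bits):.2f}")
    # For a 160-bit digest the same formula gives about 2**80 hashes, the
    # "cryptographic strength of 80" the text attributes to an unbroken SHA-1.
    print(f"log2 of generic 160-bit collision cost: "
          f"{math.log2(birthday_estimate(160)):.1f}")
```

The ratio printed for each width should hover around 1.0. Wang, Yin, and Yu's result matters precisely because it beats this generic figure: any attack needing fewer than 2^(n/2) hash evaluations exploits structure in the algorithm, and a strength of 63 bits is within reach of well-funded adversaries, whereas the generic bound itself can only be raised by moving to a longer digest.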
Now that you've seen the attacks you're defending against, we can discuss the basic cryptography constructs used in the TPM specification. Let's begin with some definitions.
Several concepts are important for understanding the TPM architecture and cryptographic concepts. People often equate security solely with secrecy: the inability of an attacker to decode a secret message. Although secrecy is certainly important, there is much more to security. It's easiest to understand these concepts by considering an example. Because electronic business was a big motivator in the design of the TPM, the following example comes from e-business.
An electronic order is transmitted from a buyer to a seller. The seller and buyer may want to keep details (credit card numbers, for example) of the purchase secret. However, they may also want to ensure that the order really came from the buyer, not an attacker; that the order went only to the seller; that the order wasn't altered in transit (for example, by changing the amount charged); and that it was sent exactly once, not blocked or sent multiple times. Finally, the seller may wish to verify that the buyer is permitted by their company to buy the item and to spend the total amount of the purchase order. All these aspects are the problems that cryptography and security protocols attempt to solve.
Based on this example, we can describe several commonly used security terms and concepts, and then explain how they can be used to provide the various aspects of security.
• Message: An array of bytes sent between two parties.
• Secrecy: A means of preventing an unauthorized observer of a message from determining its contents.
• Shared secret: A value that is known to two parties. The secret can be as simple as a password, or it can be an encryption key both parties know.
• Integrity: An indication that a message has not been altered during storage or transmission.
• Authentication: A means of indicating that a message can be tied to the creator, so the recipient can verify that only the creator could have sent the message.
• Authorization: Proof that the user is permitted to perform an operation.
• Anti-replay: A means of preventing an attacker from reusing a valid message.
• Nonrepudiation: A means of preventing the sender of a message from claiming that they did not send the message.
Let's consider how each of these security concepts fits into the electronic purchase order example. The message is the number of items ordered and any confidential customer information, such as a credit card number. Integrity ensures that the order has not been altered in transit—for instance, from 3 items to 300 items. Authentication proves that the order came from the buyer. Authorization checks that the buyer is permitted to purchase the items on behalf of their company. Anti-replay prevents the attacker from sending the buyer's message again to purchase three items multiple times. And nonrepudiation means the buyer can't claim they never ordered the items.
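To make the mapping concrete, here is an added example (not code from the book) of a buyer and a seller enforcing four of these properties on the purchase order with nothing more than a shared secret: an HMAC-SHA256 tag over the canonical order provides integrity and authentication to whoever holds the key, a fresh nonce recorded by the seller provides anti-replay, and a per-buyer spending limit provides authorization. The shared key, the spending limits, the order fields and the example orders are all constructed for the demonstration. Two properties are deliberately absent: the order is not encrypted, so there is no secrecy, and because both parties hold the same key the buyer can always claim the seller forged the tag, so there is no nonrepudiation. Those require encryption and an asymmetric digital signature respectively, which the following sections cover.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example. In practice the key is provisioned to buyer
# and seller out of band, and ideally is never exposed outside a TPM.
SHARED_SECRET = b"buyer-seller-demo-key-not-for-real-use"


def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both sides MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def buyer_send(order: dict, key: bytes) -> dict:
    """Buyer side: attach a fresh random nonce (anti-replay) and an
    HMAC-SHA256 tag over the whole order (integrity + authentication)."""
    msg = dict(order, nonce=secrets.token_hex(16))
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {"order": msg, "tag": tag}


class Seller:
    """Seller side: verifies the tag, then rejects replays and over-limit spend."""

    def __init__(self, key: bytes, spend_limits: dict):
        self.key = key
        self.spend_limits = spend_limits   # buyer -> maximum total, in cents
        self.seen_nonces = set()           # every nonce accepted so far

    def accept(self, envelope: dict) -> "tuple[bool, str]":
        msg, tag = envelope["order"], envelope["tag"]
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Integrity + authentication. compare_digest is constant-time, so the
        # comparison itself does not leak how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            return False, "tag mismatch: order altered or not from the key holder"
        # Anti-replay: each nonce is honoured exactly once.
        if msg["nonce"] in self.seen_nonces:
            return False, "replay: nonce already used"
        # Authorization: the buyer's company limit on this purchase order.
        total = msg["quantity"] * msg["unit_price_cents"]
        if total > self.spend_limits.get(msg["buyer"], 0):
            return False, f"unauthorized: total {total} exceeds buyer's limit"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


if __name__ == "__main__":
    seller = Seller(SHARED_SECRET, {"alice": 100_000})
    order = {"buyer": "alice", "item": "widget", "quantity": 3, "unit_price_cents": 1999}
    env = buyer_send(order, SHARED_SECRET)
    print("original:", seller.accept(env))
    print("replayed:", seller.accept(env))
    # An attacker changes 3 items to 300 in transit but cannot recompute the tag.
    tampered = {"order": dict(env["order"], quantity=300), "tag": env["tag"]}
    print("tampered:", seller.accept(tampered))
    # A genuine order from the buyer that exceeds what the company allows.
    print("over limit:", seller.accept(buyer_send(dict(order, quantity=300), SHARED_SECRET)))
```

Note the order of checks: the tag is verified first, so an attacker who cannot produce a valid MAC never influences the nonce set or the spend accounting. The nonce set grows without bound here; a real seller would pair nonces with a timestamp or sequence number so that old entries can be expired.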
To provide these security guarantees, designers of a security system have a toolbox of cryptographic functions that have been developed, analyzed, and standardized. Some items are fundamental mathematical building blocks, such as the SHA-256 secure hash algorithm or the RSA asymmetric-key encryption calculation. Other items, such as digital signatures, build on these fundamentals; an RSA signature, for example, combines a hash of the message with the RSA calculation. These cryptographic functions are described next.
- Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, "Finding Collisions in the Full SHA-1," Advances in Cryptology – CRYPTO 2005.