Scenarios for Using Additional TPM 2.0 Capabilities
Lessons learned in the use of TPM 1.2 led to a number of changes in the architecture of TPM 2.0. In particular, the SHA-1 algorithm, on which most 1.2 structures were based, was subjected to cryptographic attacks. As a result, the new design needed to not be catastrophically broken if any one algorithm used in the design becomes insecure.
Algorithm Agility (New in 2.0)
Beginning in TPM 2.0, the specification allows a lot of flexibility in what algorithms a TPM can use. Instead of having to use SHA-1, a TPM can now use virtually any hash algorithm. SHA 256 will likely be used in most early TPM 2.0 designs. Symmetric algorithms like Advanced Encryption Standard (AES) are also available, and new asymmetric algorithms such as elliptic curve cryptography (ECC) are available in addition to RSA.
The addition of symmetric algorithms (enabled by the weakening of export-control laws) allows keys to be stored off the chip and encrypted with symmetric encryption instead of asymmetric encryption. With this major change to the method of key storage, TPM 2.0 allows any kind of encryption algorithm. This in turn means if another algorithm is weakened by cryptanalysis in the future, the specification won't need to change.
Ideally, the key algorithms should be matched in strength. Table 3-1 lists the key strengths of approved algorithms according to the National Institute of Standards and Technology (NIST). ^{[1]}
Table 3-1. Approved algorithms

| Type | Algorithm | Key strength (bits) |
|---|---|---|
| Asymmetric | RSA 1024 | 80 |
| Asymmetric | RSA 2048 | 112 |
| Asymmetric | RSA 3072 | 128 |
| Asymmetric | RSA 16384 | 256 |
| Asymmetric | ECC 224 | 112 |
| Asymmetric | ECC 256 | 128 |
| Asymmetric | ECC 384 | 192 |
| Asymmetric | ECC 521 | 260 |
| Symmetric | DES | 56 |
| Symmetric | 3DES (2 keys) | 127 |
| Symmetric | 3DES (3 key) | 128 |
| Symmetric | AES 128 | 128 |
| Symmetric | AES 256 | 256 |
| Hash | SHA-1 | 65 |
| Hash | SHA 224 | 112 |
| Hash | SHA 256 | 128 |
| Hash | SHA 384 | 192 |
| Hash | SHA 512 | 256 |
| Hash | SHA-3 | Variable |
AES is typically used for the symmetric algorithm today. At 128 bits, the two most frequently used asymmetric algorithms are RSA 2048 and ECC 256. RSA 2048 isn't quite as strong as ECC 256 and is much slower. It also takes up a lot more space. However, the patents on RSA have expired, and it's compatible with most software today, so many people still use it. Many people are using RSA 2048 together with SHA-1 and AES-128, even though they're far from a matched set, because they're free and compatible. Most of the examples in this book use both RSA and ECC for encryption and decryption, but SHA 256 is used exclusively for hashing.
SHA-1 has been deprecated by NIST, and it won't be accepted after 2014 for any use for signatures (even though most uses of SHA-1 in TPM 1.2 don't fall prey to the types of attacks that are made possible by current cryptanalysis). The bit strength of SHA-1 is significantly weaker than that of the other algorithms, so there doesn't appear to be any good reason to use it other than backward compatibility.
TCG has announced the families of algorithms that can be supported by publishing a separate list of algorithm IDs that identify algorithms to be used with a TPM. This includes the hash algorithms to be used by the PCRs. This list may change with time.
Algorithm agility enables a number of nice features, including the following:
• Using sets of algorithms compatible with legacy applications
• Using sets of algorithms compatible with the US Government's Suite B for Secret
• Using sets of algorithms compatible with the US Government's Suite B for Top Secret
• Using sets of algorithms compatible with other governments' requirements
• Upgrading from SHA-1 to SHA 256 (or other more secure algorithms)
• Changing the algorithms in a TPM without revisiting the specification
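The following Python is an added example, not code from the book: it uses the strengths from Table 3-1 to find the weakest link in a chosen set of algorithms, and replays a constructed event log into a PCR in either the SHA-1 or SHA 256 bank (using the TCG algorithm registry IDs) to show that the extend logic itself is independent of the hash algorithm. The event log and the "matched set" measure (spread between strongest and weakest member) are assumptions made for illustration.

```python
import hashlib

# Key strengths in bits, copied from Table 3-1 above (the book's values).
STRENGTH = {
    "RSA 1024": 80, "RSA 2048": 112, "RSA 3072": 128, "RSA 16384": 256,
    "ECC 224": 112, "ECC 256": 128, "ECC 384": 192, "ECC 521": 260,
    "DES": 56, "3DES (2 keys)": 127, "3DES (3 key)": 128,
    "AES 128": 128, "AES 256": 256,
    "SHA-1": 65, "SHA 224": 112, "SHA 256": 128, "SHA 384": 192, "SHA 512": 256,
}

def effective_strength(*algs):
    """A combined set is only as strong as its weakest member.
    Returns (weakest_bits, weakest_algorithm, spread_bits); spread 0 means matched."""
    bits = {a: STRENGTH[a] for a in algs}
    weakest = min(bits, key=bits.get)
    return bits[weakest], weakest, max(bits.values()) - bits[weakest]

# TCG Algorithm Registry identifiers for the two hash banks discussed in the text.
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
HASH_NAME = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}

def pcr_extend(alg_id, pcr, digest):
    """One PCR extend in the bank selected by alg_id: new = H(old || digest).
    The same extend logic serves every bank; only the hash algorithm changes."""
    h = hashlib.new(HASH_NAME[alg_id])
    if len(pcr) != h.digest_size or len(digest) != h.digest_size:
        raise ValueError("PCR and digest must match the bank's digest size")
    h.update(pcr + digest)
    return h.digest()

def replay_pcr(alg_id, events):
    """Replay an event log into a fresh (all-zero) PCR of the chosen bank.
    Each event is first hashed with the bank's algorithm, as TPM2_PCR_Event does."""
    name = HASH_NAME[alg_id]
    pcr = bytes(hashlib.new(name).digest_size)
    for event in events:
        pcr = pcr_extend(alg_id, pcr, hashlib.new(name, event).digest())
    return pcr

if __name__ == "__main__":
    # Constructed sample event log, not measurements from a real platform.
    log = [b"firmware-volume-A", b"bootloader", b"kernel-cmdline"]
    for alg in (TPM_ALG_SHA1, TPM_ALG_SHA256):
        print(f"{HASH_NAME[alg]:7s} PCR: {replay_pcr(alg, log).hex()}")
    print(effective_strength("RSA 2048", "SHA-1", "AES 128"))   # weakest link is SHA-1
    print(effective_strength("ECC 256", "SHA 256", "AES 128"))  # matched set
```

The same three events yield a 20-byte value in the SHA-1 bank and a 32-byte value in the SHA 256 bank, which is why a quote must always name the bank (algorithm ID) alongside the PCR index.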
[1] NIST, "Recommendation for Key Management – Part 1: General (Revision 3)," Special Publication 800-57, csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf.