Desktop version

Home arrow Computer Science arrow A Practical Guide to TPM 2.0

Keys Unraveled

TPM keys have many layers of nested structures. For reference, here are several structures unrolled down to primitive types.

The following is a typical RSA key:

TPM2B_PUBLIC

size UINT16

publicArea TPMT_PUBLIC

type TPMI_ALG_PUBLIC = TPM_ALG_RSA

nameAlg TPMI_ALG_HASH = TPM_ALG_SHA256

objectAttributes TPMA_OBJECT

authPolicy TPM2B_DIGEST

size UINT16

buffer BYTE

parameters TPMU_PUBLIC_PARMS

rsaDetail TPMS_RSA_PARMS = TPM_ALG_RSA

symmetric TPMT_SYM_DEF_OBJECT For AES example

Algorithm TPMI_ALG_SYM_OBJECT

keyBits TPMU_SYM_KEY_BITS->TPMI_AES_KEY_BITS

mode TPMU_SYM_MODE->TPMI_ALG_SYM_MODE

details TPMU_SYM_DETAILS

scheme TPMT_RSA_SCHEME

scheme TPMI_ALG_RSA_SCHEME = e.g., TPM_ALG_OAEP details TPMU_ASYM_SCHEME = e.g., TPMS_SCHEME_OAEP

keyBits TPMI_RSA_KEY_BITS = e.g. 2048

exponent UINT32 = default 2^16 + 1

unique TPMU_PUBLIC_ID->TPM2B_PUBLIC_KEY_RSA

size UINT16

buffer BYTE

TPMT_SENSITIVE

sensitiveType TPMI_ALG_PUBLIC = TPM_ALG_RSA authValue TPM2B_AUTH (TPM2B_DIGEST)

seedValue TPM2B_DIGEST

sensitive TPMU_SENSITIVE_COMPOSITE,TPM2B_PRIVATE_KEY_RSA

size UINT16

buffer BYTE

This is a typical HMAC key:

TPM2B_PUBLIC

size UINT16

publicArea TPMT_PUBLIC

type TPMI_ALG_PUBLIC = TPM_ALG_KEYEDHASH

nameAlg TPMI_ALG_HASH = TPM_ALG_SHA256

objectAttributes TPMA_OBJECT -> UINT32 authPolicy TPM2B_DIGEST

size UINT16

buffer BYTE

parameters TPMU_PUBLIC_PARMS keyedHashDetail TPMS_KEYEDHASH_PARMS scheme TPMT_KEYEDHASH_SCHEME

scheme TPM_ALG_HMAC

details TPMU_SCHEME_KEYEDHASH

hmac TPMS_SCHEME_HMAC

hashAlg TPMI_ALG_HASH = TPM_ALG_SHA256

unique TPMU_PUBLIC_ID

keyedHash TPM2B_DIGEST

size UINT16

buffer BYTE

TPMT_SENSITIVE

sensitiveType TPMI_ALG_PUBLIC = TPM_ALG_KEYEDHASH authValue TPM2B_AUTH

size UINT16

buffer BYTE

seedValue TPM2B_DIGEST

size UINT16

buffer BYTE

sensitive TPMU_SENSITIVE_COMPOSITE

bits TPM2B_SENSITIVE_DATA

size UINT16

buffer BYTE

And this is a typical ECC key:

TPM2B_PUBLIC

size UINT16

publicArea TPMT_PUBLIC

type TPMI_ALG_PUBLIC = TPM_ALG_ECC

nameAlg TPMI_ALG_HASH = TPM_ALG_SHA256

objectAttributes TPMA_OBJECT

authPolicy TPM2B_DIGEST

size UINT16

buffer BYTE

parameters TPMU_PUBLIC_PARMS

eccDetail TPMS_ECC_PARMS

symmetric TPMT_SYM_DEF_OBJECT For AES example

Algorithm TPMI_ALG_SYM_OBJECT = TPM_ALG_AES keyBits TPMU_SYM_KEY_BITS->TPMI_AES_KEY_BITS

mode TPMU_SYM_MODE->TPMI_ALG_SYM_MODE = TPM_ALG_CBC

details TPMU_SYM_DETAILS

scheme TPMT_ECC_SCHEME

scheme TPMI_ALG_ECC_SCHEME = TPM_ALG_ECDSA

details TPMU_SIG_SCHEME

ecdsa TPMS_SCHEME_ECDSA TPMS_SCHEME_SIGHASH

hashAlg TPMI_ALG_HASH = TPM_ALG_SHA256 curveID TPMI_ECC_CURVE = TPM_ECC_NIST_P256

kdf TPMT_KDF_SCHEME

scheme TPMI_ALG_KDF = TPM_ALG_NULL

details TPMU_KDF_SCHEME unique TPMU_PUBLIC_ID

ecc TPMS_ECC_POINT

x TPM2B_ECC_PARAMETER

size UINT16

buffer BYTE

y TPM2B_ECC_PARAMETER

size UINT16

buffer BYTE

TPMT_SENSITIVE

sensitiveType TPMI_ALG_PUBLIC = TPM_ALG_ECC

authValue TPM2B_AUTH TPM2B_DIGEST

Size UINT16

Buffer BYTE

seedValue TPM2B_DIGEST

size UINT16

buffer BYTE

sensitive TPMU_SENSITIVE_COMPOSITE

ecc TPM2B_ECC_PARAMETER

size UINT16

buffer BYTE

Summary

A primary use of a TPM is as a hardware security module to safely store keys. The TPM stores keys on one of four hierarchies. Each hierarchy has primary (root) parent keys and trees of child keys. A parent is an encryption key, and a parent key wraps (encrypts) child keys before they leave the TPM secure boundary.

Keys can be duplicated (wrapped with a different parent), and all children are duplicated when the parent is duplicated. Duplication is subject to restrictions. Some keys are fixed to the TPM; they can't be duplicated. Some are fixed to their parent and so can only be duplicated when the parent is duplicated.

Keys can have use restrictions as well. They can be specified as only signing or only decryption keys, and they can be restricted to only signing or decrypting certain data. Finally, keys can be certified by other TPM keys, and a relying party can validate the public key, the key's attributes, and even its policy.

 
< Prev   CONTENTS   Next >

Related topics