Desktop version

Home arrow Computer Science arrow A Practical Guide to TPM 2.0

Starting HMAC and Policy Sessions

Both HMAC and policy sessions are started using the TPM2_StartAuthSession command. When a session is started, it must be one of the following session types: HMAC, policy,

or trial policy. Earlier I described HMAC and policy sessions at a high level, but those descriptions didn't mention trial policy sessions. Trial policy sessions are neutered policy sessions: they can't authorize any actions, but they can be used to generate policy digests before creating entities (more on that later). For the purposes of this section, policy and trial policy sessions are grouped together.

When a session is started, basic characteristics of the session are determined.

Specifically, whether the session is bound or unbound, whether the session is salted or unsalted, the strength of the session key, the strength of the anti-replay protections, the strength of parameter encryption and decryption, and the strength of the session HMACs are determined by the parameters used to call TPM2_StartAuthSession.

Some terms need to be understood before this section describes the process of starting HMAC and policy sessions:

KDFa: The key-derivation function used to create session keys. [1] An HMAC function is used as the pseudo-random function for generating the key. The inputs to the KDFa are a hash algorithm;

an HMAC key, K (described next); a 4-byte string used to identify the usage of the KDFa output; contextU and contextV (variablelength strings); and the number of bits in the output. These parameters are cryptographically combined by the KDFa function to create the session key, described below.

K: The key used as input to the KDFa function. For session-key creation, K is the concatenation of the authValue (of the entity corresponding to the bind handle) and the salt parameter passed to the TPM2_StartAuthSession command.

• sessionKey: A key created when an HMAC or policy session is started. [2] For session key creation, the KDFa function takes the following as inputs:

• sessionAlg (a hash algorithm)

• K (the HMAC key used as input to the KDFa's HMAC function)

• A unique 4 byte label, ATH (three characters plus the string terminator)

• Two nonces, nonceTPM and nonceCaller (corresponding to

contextU and contextV in the KDFa)

• The number of bits in the resulting key

• nonceCaller: The nonce sent by the caller to the

TPM2_StartAuthSession command.

• nonceTpm: The nonce generated by the TPM in response to the

TPM2_StartAuthSession command and returned to the caller.

  • [1] KDFa is used for many other things in the TPM, but this section only discusses its use in sessions.
  • [2] It is important to avoid confusing terms here; specifically, sessionKey should not be confused with hmacKey. The hmacKey isn't determined at session creation time, but it's partially determined by the parameters used to start the session.
< Prev   CONTENTS   Next >

Related topics