Session Key and HMAC Key Details
Table 13-2 describes the variations of sessions and how the sessionKey and HMAC key are created for each case. Having all this information in a single table can be very helpful, which is why it's included here.
Table 13-2. Variations of Sessions and Session Key Creation
Guidelines for TPM2_StartAuthSession Handles and Parameters
From the details in Table 13-2, we can deduce some guidelines for choosing the TPM2_ StartAuthSession parameters. The strength of the session key is determined by the combination of the bind and tpmKey handles, encryptedSalt, nonceCaller, and the hash algorithm used for the session.
The strongest possible session key is provided with the bind handle pointing to a TPM entity (bound session), the tpmKey handle pointing to a loaded key (salted session), and nonceCaller's size set to the size of the hash algorithm's output.
With bind and tpmKey set to TPM_RH_NULL, the result is a zero-length session key—a very weak session key. However, as long as the entity's authValue is strong, the HMAC key is still strong. As will be detailed in Chapter 17, the strength of the session key directly affects the strength of the encryption and decryption of the command and response parameters.
The length of the nonceCaller parameter determines the length of the nonceTPMs used in the session. The bigger the nonce, the better the protection against replay attacks.
The session key and the entity's authorization value are used in generating session HMACs, so again, a stronger session key and stronger authorization value result in greater security.
Programmers making calls to TPM2_StartAuthSession should consider carefully which properties are desired when selecting the parameters to use.
Now let's examine the meaning of bound vs. unbound sessions and salted vs. unsalted sessions in detail. I will also describe some use cases for them.
Salted vs. Unsalted
Both HMAC and policy sessions can be salted or unsalted. A salted session adds more entropy to the session key creation. Whether a session is salted or not is determined by the tpmKey parameter to the TPM2_StartAuthSession command. This decrypted salt is added into the session key creation process. If the authValue is weak, salting the session helps to prevent offline hammering attacks. An offline hammering attack consists of trying different values of authValue to see if the correct HMAC can be generated. If successful, the authValue has been discovered. Salting of sessions raises the bar for this type of attack.