Desktop version

Home arrow Computer Science arrow A Practical Guide to TPM 2.0

Using an HMAC Session to Send Multiple Commands (Rolling Nonces)

The nonceTPM changes after every successful TPM command executed within a session. nonceCaller can be changed if the caller so desires. Because the nonces figure into the HMAC calculation, replay attacks are prevented. The HMAC calculation is as follows:

authHMAC :HMAC

((sessionKey || authValue), (pHash || nonceNewer || nonceOlder

{ || nonceTPMdecrypt } { || nonceTPMencrypt }

|| sessionAttributes))

In this equation, notice the nonceNewer and nonceOlder parameters. On a command, nonceNewer is the nonceCaller, and nonceOlder is the last nonceTPM. For a response, nonceNewer is the current nonceTPM, and nonceOlder is the nonceCaller from the command. For now, ignore the decrypt and encrypt nonces because they're only used for decrypt and encrypt sessions. [1] This section describes the mechanics of how the nonces are used in multiple commands in an HMAC session. A sequence of multiple commands in an HMAC session works like this (refer to Figure 13-13 and Listing 13-2):

1. When an HMAC session is started, nonceCaller1 is sent to the TPM and nonceTPM1 is received from the TPM. This happens in the StartAuthSessionWithParams call, lines 72–75 in Listing 13-2.

2. Every time a command is successfully authorized, a new nonceTPM is generated. This is called “rolling” the nonce. The caller can also change the nonceCaller before each command that is sent using the session, if desired. Look at the calls to RollNonces in Listing 13-2 on lines 198, 217, 245, and 269.

3. On the next session command:

a. For the command HMAC, nonceTPM1 is used as the nonceOlder parameter. nonceCaller2, sent with this command in the authorization area for the session, is used as nonceNewer.

b. For the response HMAC, nonceCaller2 is used as nonceOlder. nonceTPM2, sent with the response in the authorization area for the session, is used as nonceNewer.

4. For subsequent commands, this pattern repeats, with nonceCaller and nonceTPM flip-flopping between nonceNewer and nonceOlder in the HMAC calculation depending on whether the HMAC is being calculated on the command or response.

5. This pattern repeats until the session is closed. The nonces changing and the fact that they're used in command and response HMAC calculations prevent replay attacks.

Figure 13-13. Nonces used in an HMAC session to prevent replay attacks

HMAC Session Security

What makes HMAC sessions secure? Basically, three aspects of HMAC sessions are used to secure commands:

Session key: The bind authValue and salt are secrets that should be known only to the caller and the TPM. Both of these values are used in calculating the session key. An attacker who doesn't know these values can't calculate the session key. Because the session key is used to create the HMAC key, this means the attacker can't successfully send commands to or receive responses from the TPM. This this prevents man-in-the-middle attacks.

HMAC: The session key and the entity's authValue are used to generate the HMAC key. The authValue of the entity being

accessed is a secret that should only be known to the caller and the TPM. Again, this means the attacker can't successfully mount man-in-the-middle attacks.

Nonces: The nonces are used to prevent replay attacks. The nonces figure into the HMAC calculation, which can't be properly performed without using the correct nonces. Since the nonces keep changing, a command byte stream can't be replayed.

As long as the secrecy of the bind authValue, salt, and entity authValue are maintained, attackers can't authorize actions on the entity, and the rolling nonces prevent replay of commands.

To use an HMAC authorization, the caller fills in the command authorization block as shown in Figure 13-14.

Figure 13-14. Command HMAC authorization area

The code that fills in the command authorization blocks is in Listing 13-2 on lines 19–21, 150, 189–195, 198 (sets the tpmNonce), and 202–205 (sets the HMAC in the authorization area).

The response authorization area looks like Figure 13-15.

Figure 13-15. Response HMAC authorization area

The code that sets up the response authorization blocks is in Listing 13-2 on

lines 24–26. The call to the one-call function returns the authorization area from the TPM in nvRspAuths, and the call to CheckResponseHMACs on lines 224–226 verifies that the HMAC in the response authorization is correct.

This concludes the deep dive into HMAC sessions. Now the water gets even deeper with a discussion of the most feature-rich and complicated authorizations: policy or extended authorization.

  • [1] Because the nonceTPM figures into both the command and response HMACs, the obvious question is, what's the purpose of the nonceCaller? The answer (from the TPM specification writer) is that if the caller didn't trust the TPM to generate nonceTpm values with enough randomness, the caller could specify sufficiently random nonceCaller values to overcome this deficiency.
< Prev   CONTENTS   Next >

Related topics