Example 2: An Enterprise IT Organization with Windows TPM 2.0 Enabled Systems
In this case, the enterprise doesn't want to use EKs that are potentially known outside the organization. The enterprise wants to use its own EKs after the machines are provisioned, but use the OEM EK to prove to itself that the system is genuine. The organization provisions each system as it comes in, as follows:
1. Generate the OEM EK using TPM2_CreatePrimary and the TCG Infrastructure Workgroup's standard EK template. Compare it to the vendor EK certificate that came with the system. Check the certificate as well, using the vendor's public key.
2. Run TPM2_Clear to wipe the TPM's storage and EK hierarchies.
3. In a trusted location, evict the OEM EK, ask the TPM for a random number, repopulate the EK template with this entropy, and read out the EK public portion, making the enterprise's own certificate for this key.
4. Change the storage hierarchy, endorsement hierarchy, and dictionary-attack authorization values to random values, storing them in an LDAP server.
5. Create a restricted encryption key and make it persistent, for use as an SRK. This key has an authorization value of NULL and a policy of NULL. This allows anyone to use it who wishes to.
6. Create a restricted signing key and make it persistent, for use as an AIK. This key also has an authorization value of NULL and a policy of NULL, so that TNC software can use it.
7. Store a copy of the SRK's public key in the enterprise's LDAP associated with this machine.
8. Create a certificate of the AIK that associates it with this machine. This certificate is stored both on the LDAP and on the system itself.
9. Uses the AIK to quote the current PCR values, and check them against golden measurements that came with the system.
10. Change the software load and configuration of the system to match the enterprise's own policies.
11. Use the AIK to quote the current PCR values, and store them in the LDAP associated with this system. These are used as a new set of golden measurements.
12. Create virtual smartcards on the machine using the TPM, and set up the Windows VPN server to accept the certificate of this key.
13. Set up another virtual smartcard on the machine using the TPM, and set up a Radius server to accept it for connections to the enterprise's wireless network, using WPA2 inEnterprise mode.
14. Create a 32-byte NV index, and store a hash of the enterprise's IT organization public key there. The policy of the key only allows this same key to be used to write to the index. This key will be used later to check software updates before they're installed, to see if they're approved by IT.
15. Install Wave software to report the PCR measurements on each boot, sending an alert to the IT organization if they aren't correct. (Alternatively, a StrongSwan VPN can be used, which doesn't grant access to the network unless the PCRs pass muster.)
16. Create a policy for allowing duplication of a key to the IT backup server's TPM, and store it on the system. This policy is signed with the IT private key.
17. The user's boss provides a policy that allows the boss to use the keys in their employee's absence.
18. When the user gets the system, the user creates a duplicable restricted decryption (storage) key, under which the user stores all their enterprise keys. The policy the user gives it is the OR of the policies in steps 16 and step 17. Before doing this, the user checks the policy's signature using the hash of the public key stored in step 14.
19. The user duplicates their duplicable storage key to the IT organization's backup server and then its wrapped keys in their normal backup.
20. If the user quits or the machine is to be recycled, use the stored owner authorization to send the system a notice that it should execute TPM2_Clear, thus wiping all the keys stored on the system. The OEM EK is used to restart the process.
21. If the user is moved to a new system or their motherboard dies, re-duplicate their backed-up key (stored in step 18) to their new system, and copy their other key blobs from backup to the new system. The user can then continue working.
You've seen that the facilities of the TPM allow for very sophisticated or very simple key management, depending on the needs of the end user. These needs can range from those of a paranoid enterprise worried about industrial espionage, including theft of machines, to those of a non-paranoid home user, who merely wishes to keep their keys safe on their home system. By crafting the key hierarchies and setting up authorizations and policies correctly, you can keep keys safe and usable.