This part is relative to the ninth class , The teacher's PPT Many more secret key Relevant part

• TPM One of the most powerful functions of is ： The application program can safely store the key in the hardware device .TPM You can generate keys , You can also import keys generated externally , It supports symmetric and asymmetric keys , because TPM The storage resources of the device are limited , Applications often need to securely swap keys in and out TPM, At this time TPM It can be considered as a key cache .
• The key can be regarded as TPM An entity in , It can also be regarded as specially defined TPM object . It usually appears as a core component of the organizational structure , Many times, we can also call the three organizational structures mentioned last time as keys ** Organizational structure .
• The organization structure containing the key will encounter the corresponding security control mode when accessing ： Including the password 、 Enhanced authorization policy 、 Key replication restrictions and key usage restrictions .

Key usage command

• TPM2_Create and TPM2_CreatePrimary You can create all types of keys through templates .
• TPM2_Load( Private key for encryption ) and TPM2_LoadExternal( Used for public key or plaintext private key ) You can load the key into TPM in .
• TPM2_ContextSave and TPM2_ContextLoad Used to exchange keys in and out TPM cache .- TPM2_FlushContext Used to delete TPM Key in .TPM2_EvictControl You can make a key persist with TPM Or delete a persistent key .
• TPM2_Unseal,TPM2_RSA_Encrypt, and TPM2_RSA_Decrypt Use the encryption key to complete relevant operations .
• TPM2_HMAC,TPM2_HMAC_Start,TPM2_SequenceUpdate, and TPM2_SequenceCompete Use symmetric signature keys and HMAC Algorithm completes relevant operations .
  TPM2_Sign Is a general signature command ,TPM2_VerifySignature Used to verify digital signatures .
• TPM2_Certify,TPM2_Quote,TPM2_GetSessionAuditDigest,TPM_GetTime Is a special command for signing authentication data . In particular ,TPM2_Certify One key can sign another key （ The name of the key ）. thus ,TPM It can be used as a certificate authority , Use your own key to authenticate the properties of the key related to the certificate .

Key generator

TPM The most powerful ability is , It can generate the key and safely store the relevant secret information in the hardware . The key generator is based on TPM Own random number generator , It does not rely on any external random sources . Therefore, it eliminates the weakness caused by weak software random number generators or insufficient entropy .

To protect the symmetric key ,TPM A natural hierarchical organizational structure will be formed inside , This too TPM The origin of organization structure name in Trusted Computing . In the organizational structure , There is a top-level parent key , Master key , They have no parent nodes .

Master key and seed

The master key creation command uses an easy to understand naming method TPM2_CreatePrimary.TPM1.2 There is one and TPM2.0 The key with the same master key ： Root storage key （SRK）, This key will always exist in TPM in .TPM2.0 The master seed controls the generation of the master key , It allows unlimited master keys , Although these master keys do not always exist TPM in . This is not because TPM The permanent storage space of is limited , But because as long as you control the seeds , You can regenerate the master key .

TPM1.2 There are two reasons why it can still work when there is only one key . First , It has only one key algorithm and one key size for encrypting keys , That's it RSA-2048. However TPM2.0 Multiple key algorithms and key sizes are supported in . secondly ,TPM1.2 There is only one key organization ： Storage organization structure .TPM2.0 There are three organizational structures , Each has at least one root node .

Master key seed

TPM utilize Master key seed Realize limited nonvolatile storage space and support an unlimited number of root keys .

Each of the three organizational structures is associated with a master key seed , Namely ： Endorsement master key seed , Platform master key seed , And storing master key seeds . These seeds have always existed TPM In the device . They are the secret information input by the key generation function . When TPM When creating a master key , It uses the master key seed and a public template to generate the key . The key template contains all the key configuration information ： Cryptographic algorithm and key length , Key's policy, Type of key （ Signature , Encryption and so on ）. Callers can also add their own unique data to the template . This unique data is added in the public key area of the template .

Key generation function KDF

The key generation function is fixed , The same input can produce the same output . For the same seed , The same key template will always produce the same key . The user changes the unique data in the key template , You can create an infinite number of master keys .

When TPM After creating a master key , The key is stored in TPM Of Volatile memory . At this time, users have two choices . adopt TPM2_EvictControl Transfer a limited number of master keys to non-volatile memory space . The remaining master keys continue to be stored in volatile memory .

If the number of master keys required is more than TPM The number of keys that can be saved to persistent storage space and volatile storage space , The key can be selectively cleared from volatile memory , Or first move the key in the non-volatile storage space to the volatile storage space , Then clear . Because the key seed is permanent , So the key will never be lost .

If the caller knows the fully public key template ,TPM You can recreate exactly the same key when you need it . Further talk , If the re created key is RSA secret key , This process may take a long time . If the recreated key is an elliptic curve ,AES, perhaps HMAC secret key , The creation process will be very fast .

stay TPM1.2 in , There is an endorsement key and associated with this key TPM Certificate signed by the manufacturer . They are stored in nonvolatile memory , In the end user use include TPM The system of the device , They also have the certificate of the endorsement key , Certificates and keys are usually stored in TPM Of NVRAM in . stay TPM2.0 in , Users can have multiple keys / Certificate to . If you don't want to waste persistent storage space , What should I do then ？

One possibility is also TPM The solution expected by the manufacturer is ： Give Way TPM The manufacturer uses the endorsement key seed to generate several endorsement master keys and corresponding certificates , The key uses standard algorithm sets and well-known templates . One of the keys and its certificate , For example, popular RSA-2048 Stored in persistent memory . Manufacturers can clear the remaining keys , But save the corresponding certificate .

TCG The infrastructure working group of has defined some templates for endorsing master keys .RSA Templates use RSA-2048,SHA-256, and AES-128.ECC Templates use NIST-P256 curve ,SHA-256, and AES-128. Both templates use the same authorization policy , This authorization policy requires that you know the password of the endorsement organization .

The unique data part of the template is empty . Key properties fixedTPM and fixedParent It's all true , That is, the endorsement key is expected , Can't be copied .userWithAuth and adminWithPolicy Set a fixed value . The type of key is restricted decryptkey：

Suppose the user wants a different master key . He can put TPM Preset by the manufacturer TPM Key clearing in , Then choose your own algorithm to regenerate a master key . Because the seed of the key has not changed , And the template used when the user regenerates the key is the same as TPM The manufacturer uses the same , So the user gets the key and TPM The key generated by the manufacturer is the same . Users can regard the public key part of the key as TPM Index of vendor certificate list . This certificate can be stored on a public server . In this way, users can easily access the certificate and start using . This repeatable key generation method allows TPM The manufacturer is producing TPM Many keys and their certificates are generated in advance , But you don't have to store all the keys in nonvolatile memory . It can be regenerated when the end user needs .

Once the seed is modified , The master key can never be regenerated ,TPM All keys based on this seed in are considered invalid . The modification of the seed also means that all certificates generated by all manufacturers will be meaningless .TPM The manufacturer is a new TPM Endorsement key generation certificate is very difficult , Therefore, the seeds of modifying the endorsement organization structure will be controlled by the platform organization structure , The platform organization structure here usually refers to OEM manufacturer . This means that it is difficult for end users to modify the seed .

On the other hand , As long as the user enters some unique data casually in the key template , He can create and TPM Manufacturers have nothing to do with , Own independent endorsement key , This method can be used in specific scenarios .

The application case ： Multiple master keys

Users can have multiple master storage keys as the root node of the key organization . But these keys cannot all be stored in nonvolatile memory . If the user uses a well-known template to create a key , He can recreate these keys when needed .TPM The order is as follows ：

• TPM2_NV_Read： from TPM Of NV Read the key template in the area .TPM The manufacturer may configure several templates in advance （ for instance , One RSA And a ECC）, These templates match the certificate configured by the manufacturer . Users may also have company level templates .
• TPM2_CreatePrimary： You need to select a template .
• TPM2_EvictControl： The key can be optionally configured to persist in TPM in . Especially for RSA Key , This will save the time of regenerating the key （ Regenerating this key takes time ）. Of course, the key can also be left in volatile memory , Regenerate them after each power on .

Key persistence

The user can go through TPM2_EvictControl The command transfers a key from volatile memory to nonvolatile memory , The key can remain loaded between two power cycles . Usually , We only want a small number of master keys , It may be an organizational structure , Be turned into continuous , This saves the time to regenerate the key , To improve performance . Recite , Storage , And other keys other than the master key under the platform organizational structure can also be set to be persistent . A typical application case is , At the beginning of system startup, the hard disk is unavailable , But at this time, you need a key . Another application scenario is on resource constrained platforms , For example, embedded controller , It may not have external persistent nonvolatile storage space .NULL No key under the organizational structure can be set to be persistent . They are cleared after restart . Although only a limited number of keys can be set to be persistent , however TPM It can handle theoretically unlimited keys . Because the application will TPM Use it as a key cache .

Key cache

For other keys that are not master keys ,TPM It's like a key cache . say concretely ,TPM2_Create Command to create a key , Use the parent key of this key to encrypt , Then return the encrypted key to the caller . The user will store the key in TPM outside , It may be in the hard disk . When the user needs to use this key , He has to use TPM2_load The secret order loads the key under its parent key . After use , Users can use TPM2_FlushContext Command the key from TPM Clear in memory . This use process is different from the master key , The master key has no parent node , After it is created, it will remain temporarily TPM in . A typical hardware TPM There may be a 5-10 Key locations （ Slot ,key slots）： The key slot is where the key can be loaded TPM Memory space .TPM The management system is responsible for changing the key in and out of the key cache .

Handle and name of the key

TPM The authorization parameter does not contain a key handle , The authorization uses the name . The reason comes from the key cache and key in and key out operations . A platform may have a large number of application software related keys stored on disk , They may be identified by the user's handle . But this will cause the number of handles to far exceed TPM Number of key slots . When the management system reloads a key , It may get a different handle, This handle It could be and TPM The idle state of the key slot is related , Instead of user initiated handle. therefore , Middleware must replace users handle. If the authorization data contains handle Information , The middleware replacement handle Will cause authorization failure .

TPM2.0 Solve this problem by adding the name to the authorization data , The name is the digest value of the public key part of the key .TPM The management system can modify the key handle, But the name of the key cannot be changed .

Key authorization access control

TPM The key is hardware protected , Relative to the software generated key , The security has been greatly improved , But it still provides more powerful key access control function on this basis . A software generated key often protects the key by using a password as access control . for instance , A key may be encrypted with a password . The strength of this protection is the same as that of the password itself , So this key is very tolerant of offline violent attacks . in other words , Once the attacker gets the encrypted key , Decrypting this key becomes cracking the password used to encrypt it . The owner of the key cannot prevent an attack method of trying passwords with high frequency . And this attack can be parallelized , You can use different machines to use different passwords at the same time to crack . Cloud services have made this attack very easy .

Key access control

TPM The key generated by the software is improved in two aspects .

• When the key leaves TPM when , It will be encrypted by a strong parent key . At this time, the attacker needs to crack a strong key instead of a password .
• When the key is loaded into TPM In the middle of the day , It will also be protected by dictionary attack protection logic . Every time an attacker fails to authorize a key , This behavior will be recorded . When the number of failures reaches a certain preset value ,TPM Will prevent key authorization , And maintain a pre configured period of time . This is likely to significantly reduce the frequency of attacks by attackers . This frequency limiting mechanism can ensure that even cracking a weak password will take much longer than cracking the software key , Because the key of the software has no frequency limit .

Key destruction

• The destruction of the key is very difficult , Because the key generated by software may be copied too many , Stored in different places . however TPM The key in has a parent key or is itself the master key , By destroying the parent key or master key seed , You can ensure that these keys are completely destroyed .
• TPM There are three continuous organizational structures （ Recite , Storage , platform ） And a volatile organizational structure （ Empty organization structure ）. Each architecture has its own master key seed . After erasing the master key seed , You can prevent the re creation of the master key under the corresponding blocking architecture , Of course, this is an operation that has a great impact and is rarely done . Erasing the master key can prevent all its child keys from being loaded into TPM in . In this way, any attribute configuration must exist in TPM The keys in are also considered destroyed .

Key organization structure

An organizational structure can be imagined as consisting of a parent node key and a child key , Or the hierarchical structure composed of ancestors and descendants . All parent keys are storage keys , That is to say, these keys are used to encrypt their sub keys . Therefore, these storage keys are used to protect their sub keys , When the sub key is stored in TPM When outside the safe hardware boundary , The parent key can provide confidentiality and integrity . The use of these storage keys is therefore Limited , They cannot be used for general data decryption operations , This will leak the private information of the sub key .

The ultimate parent key at the top of the organizational structure is the master key . The sub key can be a storage key , In this case, it can have its own sub key . The sub key can also be a non storage key , In this case, they can only be leaf keys , You cannot have your own child key node .

Key type and its attributes

Each key will set its own properties when it is created . Key attributes include the following sections ：

• Key usage , Such as signature or encryption .
• Key type , Symmetrical or asymmetrical , And related algorithms .
• Restrictions related to key replication .
• Restrictions related to the use of keys .

Key replication properties

Key replication refers to copying a key from an organizational structure to another place （ Organizational structure ）. This key can become the child key of another parent key . The target organization structure or parent key can be in the same or different TPM in . The master key cannot be copied , They are for a TPM An organizational structure is fixed .

The initial function of key replication is key backup . If a key is permanently locked to a TPM in , But this TPM perhaps TPM The motherboard is damaged , This key will be lost forever .
The second application case is to share keys among multiple devices . A user's signature key can be found in his notebook , Copy before tablet and mobile phone .

TPM1.2 There is a process similar to key replication called Key migration . Literally , The implication of migration is that a key only exists for the purpose after migration , The original location has no such key . But it's not really like that . After the key migration , The key still exists in its original location . For this reason ,TPM2.0 Change the name to a more accurate copy .

TPM2.0 The key of has two properties that control replication . In extreme cases , A key can be locked to a TPM Under a parent key of , It can never be copied . The opposite extreme case is , A key can be copied to the same or different at will TPM Under another parent key of .

The control key replication attribute is defined as follows ：

• fixedTPM： If this attribute of the key is set , This key cannot be copied .
• fixedParent： If this attribute of the key is set , This key cannot be copied to different parent keys . This is equivalent to the key being locked under a parent key .

There are four combinations of these two Boolean attributes ：

• fixedTPM It's true ,fixedParent For false .TPM This configuration combination is not allowed . because fixedTPM It has been shown that the key cannot be copied in any form , such fixedParent by false It also implies that the key can be copied to different parent keys , This is a contradiction .
• fixedTPM and fixedParent It's all true , Indicates that this key cannot be copied explicitly or implicitly .
• fixedTPM For false ,fixedParent It's true , Indicates that a key cannot be explicitly copied . Because it is locked under a parent key . But if its parent key is copied , This key will be implicitly copied .
• fixedTPM and fixedParent It's all fake , Indicates that a key can be copied in the form of a copy group or a copy root . If it is a parent key , Then its sub key will also be copied with it .

Restricted key

Restricted signing key ： Restricted signing keys are mainly used for TPM Authentication data structure signature . These structures include platform configuration registers （PCR） quote , One is being certified TPM object , One for TPM Signature of time , Or the signature of an audit summary . Signatures are mainly used on abstracts , But the signature verifier wants to make sure that the abstract is not calculated from external forged data , And send it to TPM Come and sign . for instance , One “ quote ” One for one group PCR Worthy of signature , But the real signing process is actually for this group PCR Value summary . A user may be interested in any PCR Make a summary , Then sign the digest with a non restrictive key . Then the user can claim that the signature value is a “ quote ”. however , A trusted third party will find that this key is not a restrictive key , So I won't believe this statement . therefore , A restrictive key can guarantee that this is for a group of TPM Signature generated by self generated abstract .

The restricted decryption key is actually a storage key . This key Only used to decrypt data in a specific format , Including the integrity check value used to verify a data structure . Only such a key can be used as a parent key to create and load child key objects , Or deactivate a certificate . These operations add some restrictions to the decryption results . for instance , Loading the key does not return the result of decryption （ But a key handle）[ My own understanding is , Loaded the key , Returns a specific handle, So it can only have specific functions ].

An unrestricted key can be used for general decryption operations , Provide it with relevant encrypted data, and it will return the decrypted result （ As an encryption and decryption module ）. If this key is allowed to be used as a storage key , It can decrypt the private key of a subkey and return it to the caller . If this key can be used to hide data , It doesn't need to be checked unseal Authorization can return the hidden （sealed） data .

Context management and loading

To load the key, you need to send it to TPM Provide an encrypted key and a loaded parent key .TPM Decrypt the child key with the parent key and store the decrypted key in the volatile key slot .

Context management involves saving the context of a loaded key to TPM outside , Then load the saved context into TPM in . When a key is saved , It will be encrypted by a symmetric key derived from the secret information of the organization , This symmetric key is called organizational evidence . When the key is loaded ,TPM Use this symmetric key to decrypt .