* [tpm2] Protecting symmetric keys / symmetric algorithms
@ 2020-04-04 21:44 John S
0 siblings, 0 replies; only message in thread
From: John S @ 2020-04-04 21:44 UTC (permalink / raw)
To: tpm2
[-- Attachment #1: Type: text/plain, Size: 2756 bytes --]
Other questions for which I am hopeful folks here can give some guidance on.
A little background on context/use cases. My Linux device which has the TPM2.0 on it, will be participating in communication protocols with other devices on the network. Think user-less, embedded devices and protocols. The different devices will be performing key agreement and then authenticating their communication messages.
We expect to involve CMAC for both key derivation and also MACing the messages, which is using AES128 keys. We are familiar with CMAC and other devices have support for this already.
In general too, having AES encypt/decrypt is useful for a wide variety of use cases.
The problem:
It appears my TPM2.0 device does not have support for symmetric operations. Reading other threads here indicates only a minority of TPM2.0 devices do have symmetric support.
I can see how I can involve the TPM to share secrets between devices on the network in a trusted and secure way. But once the TPM decrypts the secret (using asymmetric), what are my options for hardware protection of my AES keys? I guess they can be encrypted at rest / until time of use by a TPM key. But when they're actually in use it seems I'm stuck with them in software.
Any other ideas I'm not thinking of?
-----Behavior on my specific TPM----
--I concluded my tpm does not support symmetric because these sequences have failed:
tpm2_getcap commands : output has nothing to do with 'sym' or 'aes'
tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
dd if=/dev/urandom of=sym.key bs=1 count=16
tpm2_import -C parent.ctx -i sym.key -u key.pub -r key.priv -G aes
WARNING:esys:src/tss2-esys/api/Esys_Import.c:323:Esys_Import_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Import.c:110:Esys_Import() Esys Finish ErrorCode (0x000002c9)
ERROR: Esys_HMAC(0x2C9) - tpm:parameter(2):mode of operation not supported
ERROR: Unable to run tpm2_import
tpm2_createprimary -o primary.ctx
tpm2_create -C primary.ctx -Ghmac -c hmac.key
WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:355:Esys_CreateLoaded_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
ERROR: Esys_CreateLoaded(0xB0143) - rmt:error(2.0): command code not supported
--From tpm2_getcap algorithms, I see I have:
aes, hmac, and cfb which all indicate they are symmetric.
But I have no way to use them? (They are just for tpm sessions?)
--From tpm2_getcap algorithms, I see 2 of my algorithms are:
kdf1_sp800_56a
kdf1_sp800_108
Both are noted as type 'hash'.
Would I use tpm2_hash to use these? If so, how would the key for the kdf be provided?
Thanks much in advance,
-John
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2020-04-04 21:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-04 21:44 [tpm2] Protecting symmetric keys / symmetric algorithms John S
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.