* [tpm2] Re: How to decrypt a symmetric key in the TPM that was wrapped by an asymmetric key generated by that TPM
@ 2021-10-01 23:04 snambakam
From: snambakam @ 2021-10-01 23:04 UTC (permalink / raw)
  To: tpm2

I read a reference online that indicated having to do a tpm2_import using the parent key in the TPM whose public part was used (by the server) to encrypt the symmetric key. Subsequently, I have to use a tpm2_load to get a handle that can be used for encrypt/decrypt operations.

* [tpm2] Re: How to decrypt a symmetric key in the TPM that was wrapped by an asymmetric key generated by that TPM
@ 2021-10-08 15:41 Roberts, William C
From: Roberts, William C @ 2021-10-08 15:41 UTC (permalink / raw)
  To: tpm2

# On client, create a key pair
tpm2_createprimary -c primary.ctx
# note that -f pem and -o key.pem are available since 5.2; there are other ways to do this for older versions
# by using readpublic, but this is better since it's atomic.
tpm2_create -C primary.ctx -u key.pub -r key.priv -f pem -o key.pem
# enroll/send key.pem to server

# On server
openssl rand -out sym.key 16
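# both commands write sym.key.enc, so the rsautl -oaep output is overwritten by the
# pkeyutl output, which uses openssl's default RSA padding (PKCS#1 v1.5)
openssl rsautl -encrypt -inkey key.pem -pubin -in sym.key -oaep -out sym.key.enc
openssl pkeyutl -encrypt -inkey key.pem -pubin -in sym.key -out sym.key.enc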
# send encrypted key to client.

# on client, retrieve symmetric key
# load the RSA key for use
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_rsadecrypt -c key.ctx -o key2.sym sym.key.enc

# keys match
4fbda51b99bb0b1d9523f0a8c350c064065cebe8094488cd7411780affcbe02d  sym.key
4fbda51b99bb0b1d9523f0a8c350c064065cebe8094488cd7411780affcbe02d  key2.sym

This uses RSAES-PKCS1-v1_5 as the RSA encryption scheme.

Once you load your RSA key with tpm2_load, that key stays in the TPM until you unload it or reboot. You can then
just load it back up on next boot by repeating the tpm2_createprimary and tpm2_load commands.

You should probably not send the AES key to the TPM, as most TPMs don't support the AES interface and the TPM
is pretty slow, so you would want to use that like a session key.

If you need to make the key persistent, you can use tpm2_evictcontrol, but I highly discourage the use of persistent keys
as they consume memory and could conflict with default locations defined by TPM vendors and TCG, so always
be careful where you persist things. This table of reserved locations should help with that:
https://trustedcomputinggroup.org/wp-content/uploads/RegistryOfReservedTPM2HandlesAndLocalities_v1p1_pub.pdf




From: snambakam(a)gmail.com <snambakam(a)gmail.com>
Sent: Friday, October 1, 2021 5:25 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] How to decrypt a symmetric key in the TPM that was wrapped by an asymmetric key generated by that TPM 
 
My client host that has the TPM generates a key pair and sends the public key to the server. The server generates a symmetric key that is encrypted by the public key it received and sends the result to the client.

I can do a decrypt operation to retrieve the symmetric key. How do I decrypt the key but keep it in the TPM for a subsequent encrypt/decrypt operation?

Thanks!