* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-07 21:40 Fuchs, Andreas
  0 siblings, 0 replies; 7+ messages in thread
From: Fuchs, Andreas @ 2019-03-07 21:40 UTC (permalink / raw)
  To: tpm2

You could also use the tpm2-tss-engine.
See this test for an example:
https://github.com/tpm2-software/tpm2-tss-engine/blob/master/test/rsadecrypt.sh

Or if you cannot store a key-file on disk, use the above script and combine it with persistent keys from here:
https://github.com/tpm2-software/tpm2-tss-engine/blob/master/test/rsasign_persistent_emptyauth.sh

Cheers,
Andreas

________________________________
From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of arjun kashyap [arjun21k(a)gmail.com]
Sent: Thursday, March 07, 2019 20:41
To: Desai, Imran; william.c.roberts(a)intel.com; tpm2(a)lists.01.org
Subject: Re: [tpm2] tpm2 Digest, Vol 21, Issue 2

Thanks William and Imran for your inputs. My use case is that once my system boots up (with tpm) I should be able to send encrypted data to it over the network. I thought I could use the EK as each tpm has a unique and built-in one. My thought process was to try to use the EK public portion to encrypt the data and send it over the network to the tpm and then decrypt it using EK private portion. As both of you pointed out, I should set appropriate attributes while creating the key and prefer using tpm2_createprimary instead of tpm2_createek. But I have another concern with this approach. With tpm2_createek I could extract the public key portion of the EK which gets created. But if I use tpm2_createprimary I do not have that option. So could you suggest some workaround? Also, please feel free to suggest another approach for this use case. Kindly correct me if I am wrong as I am new to TPMs.

Thanks again,
Arjun

On Tue, Mar 5, 2019 at 3:27 PM Desai, Imran <imran.desai(a)intel.com<mailto:imran.desai(a)intel.com>> wrote:
For what you want to do, try this.

tpm2_createprimary -a e -G rsa -A "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|adminwithpolicy|decrypt" -o key.ctx
tpm2_evictcontrol -a o -c key.ctx -p 0x81010002
tpm2_rsaencrypt -c 0x81010002 -o enc.out plain.txt
tpm2_rsadecrypt -c 0x81010002 -o dec.out -I enc.out

PS: I would not use such a key if I cared about privacy.

On 3/5/19, 1:50 PM, "Desai, Imran" <imran.desai(a)intel.com<mailto:imran.desai(a)intel.com>> wrote:

    +1 to what Bill said. If you must do this, I'd suggest you use createprimary to create the key under the endorsement hierarchy. I understand that is exactly what tpm2_createek does, but there is a caveat. For what you intend to do it requires the userwithauth attribute set to 1. The reason it is not set to 1 in the createek tool is that it would create an endorsement key from a non-standard template per the TCG EK Credential Profile spec. The alternative is to satisfy the policysecret of the endorsement hierarchy, and that will require a change in the tool.

    On 3/5/19, 1:00 PM, "tpm2 on behalf of tpm2-request(a)lists.01.org<mailto:tpm2-request(a)lists.01.org>" <tpm2-bounces(a)lists.01.org<mailto:tpm2-bounces(a)lists.01.org> on behalf of tpm2-request(a)lists.01.org<mailto:tpm2-request(a)lists.01.org>> wrote:

        ----------------------------------------------------------------------

        Message: 1
        Date: Tue, 5 Mar 2019 17:29:10 +0000
        From: "Roberts, William C" <william.c.roberts(a)intel.com<mailto:william.c.roberts(a)intel.com>>
        To: arjun kashyap <arjun21k(a)gmail.com<mailto:arjun21k(a)gmail.com>>, "tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>"
                <tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>>
        Subject: Re: [tpm2] Use endorsement key for encryption and decryption
        Message-ID:
                <476DC76E7D1DF2438D32BFADF679FC5649CFA6CA(a)ORSMSX101.amr.corp.intel.com<mailto:476DC76E7D1DF2438D32BFADF679FC5649CFA6CA(a)ORSMSX101.amr.corp.intel.com>>

        Content-Type: text/plain; charset="utf-8"



        > -----Original Message-----
        > From: tpm2 [mailto:tpm2-bounces(a)lists.01.org<mailto:tpm2-bounces(a)lists.01.org>] On Behalf Of arjun kashyap
        > Sent: Sunday, March 3, 2019 12:58 PM
        > To: tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
        > Subject: [tpm2] Use endorsement key for encryption and decryption
        >
        > Hello all,
        >
        > I am using the IBM tpm2.0 simulator. My use case is that I would like to encrypt
        > data and send to tpm and then decrypt this at the tpm side. I would want to use
        > the endorsement key (EK) for this purpose. Hence, I would like to encrypt data
        > using EK's public key and decrypt using EK's private key. I tried creating EK using
        > tpm2_createek -G rsa -f pem -c - -p ek.pem. Now, I have the ek.pem (public
        > portion of EK) to encrypt the data. When I load this key into the tpm and invoke
        > tpm2_rsadecrypt I get an error. I also tried using tpm2_createprimary to create
        > an EK but failed in the above attempt. Could anyone please help me out so that I
        > can use EK to encrypt/decrypt data.
        >
        > Please let me know if more information is needed.

        What's the error code? You probably can't perform an rsadecrypt
        due to object attributes. I would bet sign would work. Endorsement
        usually means signing.

        >
        > Thanks in advance.
        >
_______________________________________________
tpm2 mailing list
tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
https://lists.01.org/mailman/listinfo/tpm2


* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-13 13:43 Roberts, William C
  0 siblings, 0 replies; 7+ messages in thread
From: Roberts, William C @ 2019-03-13 13:43 UTC (permalink / raw)
  To: tpm2

You should probably use a non-primary key for this, and not a restricted key.
Just create a key in the appropriate hierarchy under a primary object via tpm2_create.

If you need the public portion of an object as a PEM output, tpm2_readpublic will do it.

> -----Original Message-----
> From: arjun kashyap [mailto:arjun21k(a)gmail.com]
> Sent: Thursday, March 7, 2019 11:42 AM
> To: Desai, Imran <imran.desai(a)intel.com>; Roberts, William C
> <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
> 
> Thanks William and Imran for your inputs. My use case is that once my system
> boots up (with tpm) I should be able to send encrypted data to it over the
> network. I thought I could use the EK as each tpm has a unique and built-in one.
> My thought process was to try to use the EK public portion to encrypt the data
> and send it over the network to the tpm and then decrypt it using EK private
> portion. As both of you pointed out, I should set appropriate attributes while
> creating the key and prefer using tpm2_createprimary instead of tpm2_createek.
> But I have another concern with this approach. With tpm2_createek I could
> extract the public key portion of the EK which gets created. But if I use
> tpm2_createprimary I do not have that option. So could you suggest some
> workaround? Also, please feel free to suggest another approach for this use
> case. Kindly correct me if I am wrong as I am new to TPMs.
> 
> Thanks again,
> Arjun
> 
> On Tue, Mar 5, 2019 at 3:27 PM Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> > wrote:
> 
> 
> 	For what you want to do, try this.
> 
> 	tpm2_createprimary -a e -G rsa -A "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|adminwithpolicy|decrypt" -o key.ctx
> 	tpm2_evictcontrol -a o -c key.ctx -p 0x81010002
> 	tpm2_rsaencrypt -c 0x81010002 -o enc.out plain.txt
> 	tpm2_rsadecrypt -c 0x81010002 -o dec.out -I enc.out
> 
> 	PS: I would not use such a key if I cared about privacy.
> 
> 	On 3/5/19, 1:50 PM, "Desai, Imran" <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> > wrote:
> 
> 	    +1 to what Bill said. If you must do this, I'd suggest you use
> createprimary to create the key under the endorsement hierarchy. I understand that
> is exactly what tpm2_createek does, but there is a caveat. For what you intend to
> do it requires the userwithauth attribute set to 1. The reason it is not set to 1 in
> the createek tool is that it would create an endorsement key from a non-standard
> template per the TCG EK Credential Profile spec. The alternative is to satisfy the
> policysecret of the endorsement hierarchy, and that will require a change in the tool.
> 
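
The approach the thread converges on (Bill's non-primary, non-restricted decrypt key created with tpm2_create, tpm2_readpublic for the PEM, and the "object attributes" reason rsadecrypt fails on the EK), written up as an added example by the editor. It is not part of any message in this thread and not code from the tpm2-tools project. It assumes tpm2-tools 4.0 or later flag syntax (the commands quoted in the thread use the older 3.x flags such as -a e, -A, -o and -I), a TPM or simulator reachable through the default TCTI, and OpenSSL on the sending side; the file names and the persistent handle 0x81000002 are hypothetical. The TPMA_OBJECT decoder and the usability check are pure shell and need no TPM; the round trip runs only when invoked with --run.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes TPMA_OBJECT so you can see why a
# plain tpm2_rsadecrypt fails on an EK, and (with --run) performs the key flow the
# thread converges on. Flags are tpm2-tools >= 4.0 syntax (assumption); the
# commands quoted in the thread use the older 3.x flags (-a e, -A, -o, -I).

# Bit positions from TPM 2.0 Library Part 2, TPMA_OBJECT; names as tpm2-tools spells them.
TPMA_OBJECT_BITS="1:fixedtpm 2:stclear 4:fixedparent 5:sensitivedataorigin \
6:userwithauth 7:adminwithpolicy 10:noda 11:encryptedduplication \
16:restricted 17:decrypt 18:sign"

# Default RSA EK attributes from the TCG EK Credential Profile (what tpm2_createek uses).
EK_RSA_ATTRS=0x300B2

# Print the attribute names set in a TPMA_OBJECT value (hex as shown by tpm2_readpublic).
tpma_object_decode() {
    v=$(( $1 )); out=""
    for pair in $TPMA_OBJECT_BITS; do
        if [ $(( (v >> ${pair%%:*}) & 1 )) -eq 1 ]; then
            out="${out}${out:+|}${pair#*:}"
        fi
    done
    printf '%s\n' "$out"
}

# Inverse: turn a tpm2_create -a string into the hex value the TPM will store.
tpma_object_encode() {
    v=0; rest="$1|"
    while [ -n "$rest" ]; do
        name=${rest%%|*}; rest=${rest#*|}; found=0
        for pair in $TPMA_OBJECT_BITS; do
            if [ "${pair#*:}" = "$name" ]; then
                v=$(( v | (1 << ${pair%%:*}) )); found=1
            fi
        done
        [ "$found" -eq 1 ] || { printf 'unknown attribute: %s\n' "$name" >&2; return 1; }
    done
    printf '0x%X\n' "$v"
}

# TPM2_RSA_Decrypt needs decrypt SET and restricted CLEAR; with userwithauth CLEAR
# the USER role is policy-only (for the EK: PolicySecret on the endorsement
# hierarchy), so a password-auth tpm2_rsadecrypt cannot be authorized either.
rsadecrypt_usable() {
    v=$(( $1 )); reasons=""
    [ $(( (v >> 17) & 1 )) -eq 1 ] || reasons="$reasons no-decrypt"
    [ $(( (v >> 16) & 1 )) -eq 0 ] || reasons="$reasons restricted"
    [ $(( (v >> 6) & 1 )) -eq 1 ]  || reasons="$reasons no-userwithauth(policy-only)"
    if [ -z "$reasons" ]; then printf 'ok\n'; return 0; fi
    printf 'blocked:%s\n' "$reasons"; return 1
}

# End-to-end flow: needs a TPM or simulator reachable through the default TCTI.
# File names and the persistent handle are hypothetical.
tpm_rsa_roundtrip() {
    cd "${1:-.}"
    # Storage primary under the owner hierarchy; application keys do not belong under the EK.
    tpm2_createprimary -C o -G rsa -c primary.ctx
    # Non-primary, unrestricted decrypt key with a password-authorizable USER role.
    tpm2_create -C primary.ctx -G rsa \
        -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt" \
        -u key.pub -r key.priv
    tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
    # Persist it so it survives reboot (owner-hierarchy handle range).
    tpm2_evictcontrol -C o -c key.ctx 0x81000002
    # Public half as PEM for the remote sender.
    tpm2_readpublic -c 0x81000002 -f pem -o key.pem
    # Remote side: plain OpenSSL. Default padding on both tools is RSAES-PKCS1-v1_5;
    # OAEP is preferable, but then both sides must agree on the hash, so verify that first.
    printf 'constructed sample plaintext\n' > plain.txt
    openssl pkeyutl -encrypt -pubin -inkey key.pem -in plain.txt -out enc.bin
    # TPM side: the private half never leaves the chip.
    tpm2_rsadecrypt -c 0x81000002 -o dec.bin enc.bin
    cmp plain.txt dec.bin && echo "roundtrip ok"
}

case "${1:-}" in
    --run) tpm_rsa_roundtrip "${2:-.}" ;;
    *) printf 'EK template %s -> %s\n' "$EK_RSA_ATTRS" "$(tpma_object_decode "$EK_RSA_ATTRS")"
       rsadecrypt_usable "$EK_RSA_ATTRS" || true ;;
esac
```

Run without arguments it decodes the EK template's 0x300B2 to fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt and reports it blocked for RSA_Decrypt on two counts (restricted set, userwithauth clear), which is the failure Arjun hit; Imran's attribute string encodes to 0x200F2 and passes. For the tpm2-tss-engine route Andreas points to, the decrypt step becomes an OpenSSL call through the engine (openssl pkeyutl -engine tpm2tss -keyform engine -inkey <keyfile> -decrypt ..., flags as documented in the engine's README) instead of tpm2_rsadecrypt.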

* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-08  3:04 arjun kashyap
  0 siblings, 0 replies; 7+ messages in thread
From: arjun kashyap @ 2019-03-08  3:04 UTC (permalink / raw)
  To: tpm2

Thanks Andreas. I will check this out.

Best,
Arjun


On Thu, Mar 7, 2019 at 3:40 PM Fuchs, Andreas <
andreas.fuchs(a)sit.fraunhofer.de> wrote:

> You could also use the tpm2-tss-engine.
> See this test for an example:
>
> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/test/rsadecrypt.sh
>
> Or if you cannot store a key-file on disk, use the above script and
> combine it with persistent keys from here:
>
> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/test/rsasign_persistent_emptyauth.sh
>
> Cheers,
> Andreas

* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-07 19:41 arjun kashyap
  0 siblings, 0 replies; 7+ messages in thread
From: arjun kashyap @ 2019-03-07 19:41 UTC (permalink / raw)
  To: tpm2

Thanks William and Imran for your inputs. My use case is that once my
system boots up (with tpm) I should be able to send encrypted data to it
over the network. I thought I could use the EK as each tpm has a unique and
built-in one. My thought process was to try to use the EK public portion to
encrypt the data and send it over the network to the tpm and then decrypt
it using EK private portion. As both of you pointed out, I should set
appropriate attributes while creating the key and prefer using
tpm2_createprimary instead of tpm2_createek. But I have another concern
with this approach. With tpm2_createek I could extract the public key
portion of the EK which gets created. But if I use tpm2_createprimary I do
not have that option. So could you suggest some workaround? Also, please
feel free to suggest another approach for this use case. Kindly correct me
if I am wrong as I am new to TPMs.

Thanks again,
Arjun

On Tue, Mar 5, 2019 at 3:27 PM Desai, Imran <imran.desai(a)intel.com> wrote:

> For what you want to do, try this.
>
> tpm2_createprimary -a e -G rsa -A "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|adminwithpolicy|decrypt" -o key.ctx
> tpm2_evictcontrol -a o -c key.ctx -p 0x81010002
> tpm2_rsaencrypt -c 0x81010002 -o enc.out plain.txt
> tpm2_rsadecrypt -c 0x81010002 -o dec.out -I enc.out
>
> PS: I would not use such a key if I cared about privacy.
>
> On 3/5/19, 1:50 PM, "Desai, Imran" <imran.desai(a)intel.com> wrote:
>
>     +1 to what Bill said. If you must do this, I'd suggest you use
> createprimary to create the key under the endorsement hierarchy. I understand
> that is exactly what tpm2_createek does, but there is a caveat. For what you
> intend to do it requires the userwithauth attribute set to 1. The reason it is
> not set to 1 in the createek tool is that it would create an endorsement key
> from a non-standard template per the TCG EK Credential Profile spec. The
> alternative is to satisfy the policysecret of the endorsement hierarchy, and
> that will require a change in the tool.
>

* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-05 21:27 Desai, Imran
  0 siblings, 0 replies; 7+ messages in thread
From: Desai, Imran @ 2019-03-05 21:27 UTC (permalink / raw)
  To: tpm2

For what you want to do, try this.

tpm2_createprimary -a e -G rsa -A "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|adminwithpolicy|decrypt" -o key.ctx
tpm2_evictcontrol -a o -c key.ctx -p 0x81010002
tpm2_rsaencrypt -c 0x81010002 -o enc.out plain.txt
tpm2_rsadecrypt -c 0x81010002 -o dec.out -I enc.out

PS: I would not use such a key if I cared about privacy.

On 3/5/19, 1:50 PM, "Desai, Imran" <imran.desai(a)intel.com> wrote:

    +1 to what Bill said. If you must do this, I'd suggest you use createprimary to create the key under the endorsement hierarchy. I understand that is exactly what tpm2_createek does, but there is a caveat. For what you intend to do it requires the userwithauth attribute set to 1. The reason it is not set to 1 in the createek tool is that it would create an endorsement key from a non-standard template per the TCG EK Credential Profile spec. The alternative is to satisfy the policysecret of the endorsement hierarchy, and that will require a change in the tool.
    
    On 3/5/19, 1:00 PM, "tpm2 on behalf of tpm2-request(a)lists.01.org" <tpm2-bounces(a)lists.01.org on behalf of tpm2-request(a)lists.01.org> wrote:
    
        Send tpm2 mailing list submissions to
        	tpm2(a)lists.01.org
        
        To subscribe or unsubscribe via the World Wide Web, visit
        	https://lists.01.org/mailman/listinfo/tpm2
        or, via email, send a message with subject or body 'help' to
        	tpm2-request(a)lists.01.org
        
        You can reach the person managing the list at
        	tpm2-owner(a)lists.01.org
        
        When replying, please edit your Subject line so it is more specific
        than "Re: Contents of tpm2 digest..."
        
        
        Today's Topics:
        
           1. Re: Use endorsement key for encryption and decryption
              (Roberts, William C)
        
        
        ----------------------------------------------------------------------
        
        Message: 1
        Date: Tue, 5 Mar 2019 17:29:10 +0000
        From: "Roberts, William C" <william.c.roberts(a)intel.com>
        To: arjun kashyap <arjun21k(a)gmail.com>, "tpm2(a)lists.01.org"
        	<tpm2(a)lists.01.org>
        Subject: Re: [tpm2] Use endorsement key for encryption and decryption
        Message-ID:
        	<476DC76E7D1DF2438D32BFADF679FC5649CFA6CA(a)ORSMSX101.amr.corp.intel.com>
        	
        Content-Type: text/plain; charset="utf-8"
        
        
        
        > -----Original Message-----
        > From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of arjun kashyap
        > Sent: Sunday, March 3, 2019 12:58 PM
        > To: tpm2(a)lists.01.org
        > Subject: [tpm2] Use endorsement key for encryption and decryption
        > 
        > Hello all,
        > 
        > I am using the IBM tpm2.0 simulator. My use case is that I would like to encrypt
        > data and send to tpm and then decrypt this at the tpm side. I would want to use
        > the endorsement key (EK) for this purpose. Hence, I would like to encrypt data
        > using EK's public key and decrypt using EK's private key. I tried creating EK using
        > tpm2_createek -G rsa -f pem -c - -p ek.pem. Now, I have the ek.pem( public
        > portion of EK) to encrypt the data. When I load this key into the tpm and invoke
        > tpm2_rsadecrypt I get an error. I also tried using tpm2_createprimary to create
        > an EK but failed in the above attempt. Could anyone please help me out so that I
        > can use EK to encrypt/decrypt data.
        > 
        > Please let me know if more information is needed.
        
        What's the error code? You probably can't perform an rsadecrypt,
        due to object attributes. I would bet sign would work. Endorsement
        usually means signing.
        
        > 
        > Thanks in advance.
        > 
        
        
        ------------------------------
        
        Subject: Digest Footer
        
        _______________________________________________
        tpm2 mailing list
        tpm2(a)lists.01.org
        https://lists.01.org/mailman/listinfo/tpm2
        
        
        ------------------------------
        
        End of tpm2 Digest, Vol 21, Issue 2
        ***********************************
        
    
    


^ permalink raw reply	[flat|nested] 7+ messages in thread
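
The procedure above works because the key it creates is a non-restricted decryption key with userwithauth set, which is exactly what the stock EK template is not: the TCG EK credential profile template carries fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt (raw TPMA_OBJECT value 0x300b2), so TPM2_RSA_Decrypt refuses it and only a policy session can authorize it. The shell helper below is an added example, not code from this thread or from tpm2-tools; it decodes a TPMA_OBJECT attribute bitmask into the attribute names tpm2-tools prints, pulls the raw value out of tpm2_readpublic output, and checks whether a key can serve tpm2_rsadecrypt under password authorization (decrypt set, restricted clear, userwithauth set). The bit masks come from TPMA_OBJECT in the TPM 2.0 Library specification; the tpm2_readpublic output in the sample is a constructed 4.x-style transcript (the name fields are placeholders), and 0x200f2 is the attribute value that the createprimary command above produces, computed from those bits rather than captured from a device.

```shell
#!/bin/sh
# Added example (not from the thread or tpm2-tools): decode TPMA_OBJECT
# attribute bits and check whether a key can be used with tpm2_rsadecrypt
# under plain (password) authorization.

# TPMA_OBJECT bit masks (TPM 2.0 Library spec, Part 2), with the lower-case
# names tpm2-tools prints; "sign" is the signEncrypt bit. Reserved bits are ignored.
TPMA_OBJECT_BITS="fixedtpm:0x2 stclear:0x4 fixedparent:0x10 sensitivedataorigin:0x20 \
userwithauth:0x40 adminwithpolicy:0x80 noda:0x400 encryptedduplication:0x800 \
restricted:0x10000 decrypt:0x20000 sign:0x40000"

# decode_attrs RAW: print the "a|b|c" attribute list for a raw hex value,
# in ascending bit order (the order tpm2-tools uses).
decode_attrs() {
    raw=$1
    out=""
    for pair in $TPMA_OBJECT_BITS; do
        name=${pair%%:*}
        mask=${pair##*:}
        if [ $(( raw & mask )) -ne 0 ]; then
            out="${out:+$out|}$name"
        fi
    done
    printf '%s\n' "$out"
}

# attrs_from_readpublic: read tpm2_readpublic output on stdin and print the
# raw attribute value that follows the "attributes:" key.
attrs_from_readpublic() {
    awk '/^attributes:/ { inattrs = 1; next }
         inattrs && /raw:/ { print $2; exit }'
}

# check_decrypt_key RAW: succeed only if the key can perform TPM2_RSA_Decrypt
# with its authValue: decrypt set, restricted clear (RSA_Decrypt rejects a
# restricted key with TPM_RC_ATTRIBUTES), and userwithauth set (otherwise
# only a policy session, e.g. policysecret on the endorsement hierarchy, works).
check_decrypt_key() {
    raw=$1
    [ $(( raw & 0x20000 )) -ne 0 ] || { echo "decrypt attribute not set" >&2; return 1; }
    [ $(( raw & 0x10000 )) -eq 0 ] || { echo "key is restricted; RSA_Decrypt refused" >&2; return 1; }
    [ $(( raw & 0x40 )) -ne 0 ]    || { echo "userwithauth clear; needs a policy session" >&2; return 1; }
    return 0
}

# Constructed sample of tpm2_readpublic (4.x-style) output for a key created
# from the TCG EK credential profile template (attribute value 0x300b2).
sample_ek_readpublic() {
    cat <<'EOF'
name: 000b<constructed-placeholder>
qualified name: 000b<constructed-placeholder>
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt
  raw: 0x300b2
type:
  value: rsa
  raw: 0x1
exponent: 65537
bits: 2048
EOF
}

# Walk-through: the EK template versus the template from the createprimary command.
if [ "${TPMA_DEMO:-1}" = 1 ]; then
    ek_raw=$(sample_ek_readpublic | attrs_from_readpublic)
    echo "EK template ($ek_raw): $(decode_attrs "$ek_raw")"
    check_decrypt_key "$ek_raw" || echo "-> not usable with tpm2_rsadecrypt"
    echo "createprimary template (0x200f2): $(decode_attrs 0x200f2)"
    check_decrypt_key 0x200f2 && echo "-> usable with tpm2_rsadecrypt"
fi
```

On a live system the same check runs against a persistent handle by piping the tool's output through the parser, e.g. `tpm2_readpublic -c 0x81010002 | attrs_from_readpublic` with the 4.x `-c` flag (assumed here; the 3.x flags used in the thread differ), and then passing the printed value to `check_decrypt_key`.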

* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-05 21:12 Desai, Imran
  0 siblings, 0 replies; 7+ messages in thread
From: Desai, Imran @ 2019-03-05 21:12 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3444 bytes --]

Additionally, it will also have to be a non-restricted decryption key.



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [tpm2] tpm2 Digest, Vol 21, Issue 2
@ 2019-03-05 20:50 Desai, Imran
  0 siblings, 0 replies; 7+ messages in thread
From: Desai, Imran @ 2019-03-05 20:50 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3915 bytes --]

+1 to what Bill said. If you must do this I'd suggest you use createprimary to create the key under endorsement hierarchy. I understand that is exactly what tpm2_createek does but there is a caveat. For what you intend to do it requires userwithauth attribute set to 1. The reason it is not set to 1 in createek tool is because it would create an endorsement key off a non-standard template per TCG EK credential profile spec. The alternative is to satisfy policysecret of the endorsement hierarchy and that will require a change in the tool.



^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2019-03-13 13:43 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-07 21:40 [tpm2] tpm2 Digest, Vol 21, Issue 2 Fuchs, Andreas
  -- strict thread matches above, loose matches on Subject: below --
2019-03-13 13:43 Roberts, William C
2019-03-08  3:04 arjun kashyap
2019-03-07 19:41 arjun kashyap
2019-03-05 21:27 Desai, Imran
2019-03-05 21:12 Desai, Imran
2019-03-05 20:50 Desai, Imran
