Other uses of TCPA

Sun Aug 4 22:30:14 PDT 2002

Mike Rosing wrote:
> :Mike Rosing wrote:
> :> Who owns PRIVEK?  Who controls PRIVEK?  That's who own's TCPA.
> :
> :PRIVEK, the TPM's private key, is generated on-chip.  It never leaves
> :the chip.  No one ever learns its value.  Given this fact, who would
> :you say owns and controls it?
>
> OK, so why can't any joe hacker create their own PRIVEK?  _nobody_ knows
> it's value?  Then how can anyone know if a chip is "real" or "imitation".
> What happens when the motherboard dies again?  PRIVEK was copied out of
> the chip to some "fob" right?  I thought you said the manufacturer put
> the keys in at the factory.

Maybe I wasn't too clear in my explanation.  I assume you know how public
key cryptography works.  The TPM chip generates an RSA key pair.  This key
pair is called the Endorsement Key.  The private key is called PRIVEK
and never leaves the chip.  The public key is called PUBEK and although
it is "sensitive", it does leave the chip under some circumstances.
One of those circumstances is when the chip is manufactured and comes off
the line.  It is powered up, generates the key pair, and exports PUBEK.
At that point the chip manufacturer creates an X.509 certificate that
signs PUBEK.

It is this cert which proves that the PUBEK is a legitimate Endorsement
Key.  While the cert is not widely shown (for privacy reasons), it is
used in a TCPA protocol, and this is ultimately what makes it impossible
for Joe Hacker to create a fake TCPA key.

Now, the part about recovering from a dead chip refers to a different
key.  It's called the "root of trust for storage" key, RTS.  This is used
for encrypting data on the disk.  The PUBEK was used for communicating
with third parties to prove that you had a legitimate TPM.  So there are
two different keys used for two different purposes.  Both of them are
generated on-chip, and no one ever learns either private key.

If your chip dies, you lose the PUBEK but that doesn't matter, nothing
is really locked to it.  You can just get a new motherboard and start
using the new PUBEK from that one's TPM chip.  It's the RTS key that
is a problem, because if you can't retrieve that, all the data on your
disk that was sealed (encrypted) using the TCPA mechanisms could be lost.
So they have a system to transfer the RTS key from one machine to another.

I've been thinking about writing a few pages summarizing TCPA and how the
crypto works, but then I think, why bother?  Everyone is already convinced
that the system is the spawn of Satan.  Nobody cares about the facts.

BTW I found a post by Ross Anderson,
http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2002-June/019463.html,
in which he says that one of the worst claimed feaures from his TCPA FAQ
(http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html), censoring objectionable
programs/data off people's computers against their will, actually doesn't
rely on TCPA at all.  In fact he says they could do it with existing
Windows OS's just as well.

It's such an obviously nasty feature that I can't see them ever actually
trying this, but in any case it really doesn't have anything to do
with TCPA.  Maybe someone could ask Ross why his FAQ blames TCPA for a
feature that he admits isn't really related!  But no, that would be crazy.
Better to believe comfortable falsehoods than to seek the truth.