TCPA not virtualizable during ownership change (Re: Overcoming the potential downside of TCPA)

Thu Aug 15 12:08:12 PDT 2002

On Thu, 15 Aug 2002, Adam Back wrote:

> Summary: I think the endorsement key and it's hardware manufacturers
> certificate is generated at manufacture and is not allowed to be
> changed.  Changing ownership only means (typically) deleting old
> identities and creating new ones.

Are there 2 certificates?  One from the manufacturer and one from
the privacy CA?

> - endorsement key generation and certification - There is one
> endorsement key per TPM which is created and certified during
> manufacture.  The creation and certification process is 1) create
> endorsement key pair, 2) export public key endorsement key, 3)
> hardware manufacturer signs endorsement public key to create an
> endorsement certificate (to certify that that endorsement public key
> belongs to this TPM), 4) the certificate is stored in the TPM (for
> later use in communications with the privacy CA.)

So finding the manufacturers signature key breaks the whole system
right?  Once you have that key you can create as many "fake" TPM's
as you want.

> TPM can be reset back to a state with no current owner.  BUT _at no
> point_ does the TPM endorsement private key leave the TPM.  The
> TPM_CreateEndorsementKeyPair function is allowed to be called once
> (during manufacture) and is thereafter disabled.

But it's easier to manufacture it by burning fuse links so it
can't be read back - ala OTP.  so the manufacturer could have a
list of every private key (just because they aren't supposed to
doesn't prevent it.)  It still meets the spec - the key never leaves
the chip.

> - identity keys - Then there is the concept of identity keys.  The
> current owner can create and delete identities, which can be anonymous
> or pseudonymous.  Presumably the owner would delete all identity keys
> before giving the TPM to a new owner.  The identity public key is
> certified by the privacy CA.
>
> - privacy ca - The privacy CA accepts identity key certification
> requests which contain a) identity public key b) a proof of possession
> (PoP) of identity private key (signature on challenge), c) the
> hardware manufacturers endorsement certificate containing the TPM's
> endorsement public key.  The privacy CA checks whether the endorsement
> certificate is signed by a hardware manufacturer it trusts.  The
> privacy CA sends in response an identity certificate encrypted with
> the TPM's endorsement public key.  The TPM decrypts the encrypted
> identity certifate with the endorsement private key.

How does the CA check the endorsement certificate?  If it's by
checking the signature, then finding the manufacturer's private
key is very worthwhile - the entire TCPA for 100's of millions
of computers gets compromised.  If it's by matching with the
manufacturer's list then anonymity is impossible.

Thanks for the analysis Adam.  It seems like there are a couple of
obvious points to attack this system at.  I would think it's easy
to break for a large enough government.

Patience, persistence, truth,
Dr. mike