Overcoming the potential downside of TCPA

Anonymous nobody at remailer.privacy.at
Thu Aug 15 10:06:06 PDT 2002


[Repost]

Joe Ashwood writes:

> Actually that does nothing to stop it. Because of the construction of TCPA,
> the private keys are registered _after_ the owner receives the computer,
> this is the window of opportunity against that as well.

Actually, this is not true for the endorsement key, PUBEK/PRIVEK, which
is the "main" TPM key, the one which gets certified by the "TPM Entity".
That key is generated only once on a TPM, before ownership, and must
exist before anyone can take ownership.  For reference, see section 9.2,
"The first call to TPM_CreateEndorsementKeyPair generates the endorsement
key pair. After a successful completion of TPM_CreateEndorsementKeyPair
all subsequent calls return TCPA_FAIL."  Also section 9.2.1 shows that
no ownership proof is necessary for this step, which is because there is
no owner at that time.  Then look at section 5.11.1, on taking ownership:
"user must encrypt the values using the PUBEK."  So the PUBEK must exist
before anyone can take ownership.

> The worst case for
> cost of this is to purchase an additional motherboard (IIRC Fry's has them
> as low as $50), giving the ability to present a purchase. The
> virtual-private key is then created, and registered using the credentials
> borrowed from the second motherboard. Since TCPA doesn't allow for direct
> remote queries against the hardware, the virtual system will actually have
> first shot at the incoming data. That's the worst case.

I don't quite follow what you are proposing here, but by the time you
purchase a board with a TPM chip on it, it will have already generated
its PUBEK and had it certified.  So you should not be able to transfer
a credential of this type from one board to another one.

> The expected case;
> you pay a small registration fee claiming that you "accidentally" wiped your
> TCPA. The best case, you claim you "accidentally" wiped your TCPA, they
> charge you nothing to remove the record of your old TCPA, and replace it
> with your new (virtualized) TCPA. So at worst this will cost $50. Once
> you've got a virtual setup, that virtual setup (with all its associated
> purchased rights) can be replicated across an unlimited number of computers.
> 
> The important part for this, is that TCPA has no key until it has an owner,
> and the owner can wipe the TCPA at any time. From what I can tell this was
> designed for resale of components, but is perfectly suitable as a point of
> attack.

Actually I don't see a function that will let the owner wipe the PUBEK.
He can wipe the rest of the TPM but that field appears to be set once,
retained forever.

For example, section 8.10: "Clear is the process of returning the TPM to
factory defaults."  But a couple of paragraphs later: "All TPM volatile
and non-volatile data is set to default value except the endorsement
key pair."

So I don't think your fraud will work.  Users will not wipe their
endorsement keys, accidentally or otherwise.  If a chip is badly enough
damaged that the PUBEK is lost, you will need a hardware replacement,
as I read the spec.

Keep in mind that I only started learning this stuff a few weeks ago,
so I am not an expert, but this is how it looks to me.
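
Added example, not part of the original post and not code from the TCPA specification: a toy Python model of the three rules the post quotes (sections 9.2, 5.11.1 and 8.10), showing that a clear leaves the certified endorsement key in place. The class and method names, the "OK" return value, and the hash-based stand-ins for key generation and public-key encryption are assumptions made for illustration.

```python
import hashlib
import secrets

class ToyTPM:
    """Toy model of the lifecycle rules quoted in the post; not a real TPM API."""

    def __init__(self):
        self.privek = None        # endorsement private key (stand-in: random bytes)
        self.pubek = None         # stand-in "public key": hash of privek
        self.owner_secret = None  # set by take_ownership
        self.storage = {}         # all other non-volatile data

    def create_endorsement_key_pair(self):
        # Section 9.2 as quoted: the first call generates, later calls fail.
        if self.privek is not None:
            return "TCPA_FAIL"
        self.privek = secrets.token_bytes(32)
        self.pubek = hashlib.sha256(self.privek).hexdigest()
        return "OK"

    def take_ownership(self, wrapped):
        # Section 5.11.1 as quoted: values must be encrypted using the PUBEK,
        # so ownership cannot be taken before the endorsement key exists.
        if self.pubek is None or wrapped.get("to") != self.pubek:
            return "TCPA_FAIL"
        self.owner_secret = wrapped["secret"]
        return "OK"

    def clear(self):
        # Section 8.10 as quoted: everything returns to default values
        # except the endorsement key pair.
        self.owner_secret = None
        self.storage = {}

def wrap_for(pubek, secret):
    # Stand-in for encryption to PUBEK: tags the secret with the target key.
    return {"to": pubek, "secret": secret}

def lifecycle_demo():
    tpm, r = ToyTPM(), {}
    r["own_before_ek"] = tpm.take_ownership(wrap_for(None, b"owner-0"))
    r["first_create"] = tpm.create_endorsement_key_pair()
    certified = tpm.pubek  # the value the "TPM Entity" would have certified
    r["own"] = tpm.take_ownership(wrap_for(tpm.pubek, b"owner-1"))
    tpm.storage["sealed"] = "data"
    tpm.clear()            # the "wipe" discussed in the thread
    r["second_create"] = tpm.create_endorsement_key_pair()
    r["ek_unchanged"] = tpm.pubek == certified
    r["owner_after_clear"] = tpm.owner_secret
    return r
```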




