OOlahoop
Hello all,
Trying to have a good overview about the security of Virtual Smart Cards relying on TPMs, I read this very short article (the only one I found) covering this topic (first part): Evaluate Virtual Smart Card Security (Windows 10).
My understanding
I understand well that there is a key hierarchy:
- The Endorsement Key (EK): potentially burned by the manufacturer (may be a ROM in the TPM), this is what could be referenced as the master key of the given TPM (RSA key pair e.g.),
- The Storage Root Key (SRK): generated when the TPM is initialized/owned, it is stored and used in the TPM only. It is obviously stored in non-volatile memory but can be replaced if the TPM is reinitialized. Don't know if the key is stored encrypted by the EK (given it is stored in the TPM and the TPM should provide tamper-resistance properties...),
- The SmartCard Key (SCK): The public part of this key is used to encrypt the AK,
- The Authorization Key (AK): The public part of this key is used to "authorize" the decryption of the UK,
- The User Key (UK): This is a user key (may be a private RSA key linked to an authentication certificate e.g.).
The article says: "The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data."
This explicitly means that the PIN is not used at any moment to encrypt/decrypt any user key.
Question
How does the authorization process work? I'm not sure of that, but I guess the PINs are not stored in the TPM since there may be a lot of VSCs and since the TPM is not suited to store a lot of objects (limited memory). Is it false? So, taking the first step as an example, how is the SCK decrypted? We can see ScKey = dsrkPriv(SCKeyBlob) | PIN, which makes me believe the SCK blob is only the SCK encrypted with the public part of the SRK. So what does "| PIN" mean? And why would there be the sentence I quoted and such a key hierarchy if it was that simple? That's all my topic is about.
So:
> PIN stored in the TPM? Then the OS calls the TPM with an SCK identifier and a PIN. The TPM checks that the stored PIN is the right one for the SCK identifier. Then, the SCK is deciphered and allows deciphering the AK. Then, this AK is somewhat returned to the OS, which calls again the TPM with this key (as a PIN) to authorize the decryption of a user key (with the SRK)... Hm... It means a TPM stores a PIN and an AK in the TPM for each VSC.
> PIN not stored in the TPM? The quoted sentence implies that the PIN is somewhere involved in an encryption process. Finally, does this formula "ScKey = dsrkPriv(SCKeyBlob) | PIN" mean that the PIN is used in the decryption process? But how? I can't get it. Of course, it cannot be as simple as "ScKeyBlob = EsrkPub(SCKey) | PIN", | meaning concatenation. It would mean you only have to take the last xx bytes of the file on your hard drive and test it as the PIN for the given VSC. In fact, what does "|" mean here? Is it something like an XOR? Is the PIN taken as a part of the data to encrypt? If it is, how does the encryption/decryption process really work?
Thanks a lot!
Arachnide
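
The post's second hypothesis (PIN not stored in the TPM), as an added example that is not part of the original post or of the article it cites: a simplified Python model of the general TPM design in which a key's authorization value is wrapped together with the key under the SRK, so the PIN gates use of the key inside the TPM without being an encryption key. `ToyTPM`, its method names, the hash-based toy cipher and the three-failure lockout are assumptions made for illustration, and the page does not confirm that the Windows Virtual Smart Card implementation works exactly this way.

```python
import hashlib, hmac, os

class ToyTPM:
    """Constructed model, not a real TPM API. The SRK never leaves this object."""
    MAX_FAILURES = 3  # assumed anti-hammering threshold

    def __init__(self):
        self._srk = os.urandom(32)  # stands in for the Storage Root Key
        self._failures = 0

    def _stream(self, nonce, n):  # toy keystream, illustration only
        blocks = (hashlib.sha256(self._srk + nonce + bytes([i])).digest()
                  for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def _mac(self, data):
        return hmac.new(self._srk, data, hashlib.sha256).digest()

    def _seal(self, auth, key):  # blob = nonce | Enc_SRK(auth | key) | tag
        nonce, body = os.urandom(16), auth + key
        ct = bytes(a ^ b for a, b in zip(body, self._stream(nonce, len(body))))
        return nonce + ct + self._mac(nonce + ct)

    def _open(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._mac(nonce + ct)):
            raise ValueError("blob integrity check failed")
        body = bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))
        return body[:32], body[32:]

    def _authorize(self, blob, pin):  # the check happens inside the TPM
        if self._failures >= self.MAX_FAILURES:
            raise PermissionError("locked out")
        auth, key = self._open(blob)
        if not hmac.compare_digest(auth, hashlib.sha256(pin).digest()):
            self._failures += 1
            raise PermissionError("bad PIN")
        self._failures = 0
        return key

    def create_key(self, pin):
        return self._seal(hashlib.sha256(pin).digest(), os.urandom(32))

    def use_key(self, blob, pin, data):  # key use stands in for decryption
        return hmac.new(self._authorize(blob, pin), data, hashlib.sha256).digest()

    def change_pin(self, blob, old_pin, new_pin):  # re-wraps the same key
        return self._seal(hashlib.sha256(new_pin).digest(), self._authorize(blob, old_pin))
```

In this model the blob on disk changes when the PIN changes while the wrapped key stays the same, and a PIN guess can only be checked by asking the TPM, which counts failures.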