WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfTPM/examples/attestation
History
David Garske 4e351b16a9 Add support for `--with-wolfcrypt=/dir/`. Fix for build error with `--disable-wolfcrypt`. Fix for unused `auth` in store example. ZD 12204 2021-05-13 09:49:08 -07:00
..
README.md Fix a couple minor spelling errors. 2021-05-03 15:55:43 -07:00
activate_credential.c Add support for `--with-wolfcrypt=/dir/`. Fix for build error with `--disable-wolfcrypt`. Fix for unused `auth` in store example. ZD 12204 2021-05-13 09:49:08 -07:00
credential.h Added examples to create a remote attestation credential 2021-04-29 23:26:24 +03:00
include.am Added examples to create a remote attestation credential 2021-04-29 23:26:24 +03:00
make_credential.c Add support for `--with-wolfcrypt=/dir/`. Fix for build error with `--disable-wolfcrypt`. Fix for unused `auth` in store example. ZD 12204 2021-05-13 09:49:08 -07:00

README.md

Remote Attestation Examples

This folder contains examples for performing remote attestation. You will learn how to perform a challenge-response between an end node and attestation server.

List of examples

The ./examples/attestation/ folder contains examples related specifically to remote attestation. However, the demonstration requires the creation of TPM 2.0 keys using the keygen example also included in wolfTPM's source code.

Complete list of the required examples is shown below:

  • ./examples/attestation/make_credential: Used by a server to create a remote attestation challenge
  • ./examples/attestation/activate_credential: Used by a client to decrypt the challenge and respond
  • ./examples/keygen/keygen: Used to create a primary key(PK) and attestation key(AK)

Technology introduction

Remote Attestation is the process of a client providing an evidence to an attestation server that verifies if the client is in a known state.

For this process to take place, the client and server must establish initial trust. This is achieved using the standard TPM 2.0 commands MakeCredential and ActivateCredential.

  1. The client transfers the public parts of a TPM 2.0 Primary Attestation Key(PAK) and quote signing Attestation Key(AK).

  2. MakeCredential uses the public part of the PAK to encrypt a challenge(secret). Typically, the challenge is a digest of the public part of an Attestation Key(AK).

This way the challenge can only be decrypted by the TPM that can load the private part of the PAK and AK. Because the PAK and AK are bound to the TPM using a fixedTPM key attribute, the only TPM that can load these keys is the TPM where they were originally created.

  1. After the challenge is created, it is transferred from the server to the client.

  2. ActivateCredential uses the TPM 2.0 loaded PAK and AK to decrypt the challenge and retrieve the secret. Once retrieved, the client can respond to the server challenge.

This way the client confirms to the server it possesses the expected TPM 2.0 System Identity and Attestation Key.

Note:

  • The transport protocol to exchange the challenge and response are up to the developer to choose, because this is implementation specific. One approach could be the use of TLS1.3 client-server connection using wolfSSL.

Example usage

Creating TPM 2.0 keys for Remote Attestation

Using the keygen example we can create the necessary TPM 2.0 Attestation Key and TPM 2.0 Primary Storage Key that will be used as a Primary Attestation Key(PAK).


$ ./examples/keygen/keygen -rsa
TPM2.0 Key generation example
	Key Blob: keyblob.bin
	Algorithm: RSA
	Template: AIK
	Use Parameter Encryption: NULL
Loading SRK: Storage 0x81000200 (282 bytes)
RSA AIK template
Creating new RSA key...
Created new key (pub 280, priv 222 bytes)
Wrote 508 bytes to keyblob.bin

Make Credential Example Usage

Using the make_credential example an attestation server can generate remote attestation challenge. The secret is 32 bytes of randomly generated seed that could be used for a symmetric key in some remote attestation schemes.


$ ./examples/attestation/make_credential
Using default values
Demo how to create a credential blob for remote attestation
wolfTPM2_Init: success
Credential will be stored in cred.blob
Reading 508 bytes from keyblob.bin
Reading the private part of the key
AK loaded at 0x80000001
TPM2_MakeCredential success
Wrote credential blob and secret to cred.blob, 514 bytes

The transfer of the PAK and AK public parts between the client and attestation server is not part of the make_credential example, because the exchange is implementation specific.

Activate Credential Example Usage

Using the activate_credential example a client can decrypt the remote attestation challenge. The secret will be exposed in plain and can be exchanged with the attestation server.


$ ./examples/attestation/activate_credential
Using default values
Demo how to create a credential blob for remote attestation
wolfTPM2_Init: success
Credential will be read from cred.blob
Loading SRK: Storage 0x81000200 (282 bytes)
SRK loaded
Reading 508 bytes from keyblob.bin
Reading the private part of the key
AK loaded at 0x80000001
TPM2_StartAuthSession: sessionHandle 0x3000000
TPM2_policyCommandCode success
Read credential blob and secret from cred.blob, 514 bytes
TPM2_ActivateCredential success

The transfer of the challenge response containing the secret in plain (or used as a symmetric key seed) is not part of the activate_credential example, because the exchange is also implementation specific.

More information

Please contact us at facts@wolfssl.com if you are interested in more information about Remote Attestation using wolfTPM.