
7.6 The Proposed Solution

7.6.2 Using a DAA key without a credential

Even without a credential the DAA key can be used, but anonymity is lost. Using a DAA key is a two-stage process: we first use TPM2_Commit to get the TPM ready, and then we use TPM2_Sign or TPM2_Certify to sign a message or certify a key.

TPM2_Commit. This command is used to prepare the TPM for the DAA key to be used. There are a number of different options for the inputs to this command. Here we are setting the inputs to be empty, and the command then does the following:

1. Generate a new counter value, $cv$, and an associated random number, $r_{cv} \in \mathbb{Z}_n$, where $n$ is the order of the elliptic curve being used.

3. Return the counter value, $cv$, and the point $E$ to the caller.

Calculate the commitment value. The commitment value, $p$, is calculated as

$$p = H(P_1 \,\|\, Q \,\|\, E \,\|\, str)$$

where $str$ is a user-defined string.

TPM2_Sign. To use TPM2_Sign, the string $str$ used to calculate the commitment value is the message itself. For a restricted key (which we are considering) the commitment value, $p$, must be hashed again by the TPM using TPM2_Hash. This hash operation checks that the data being hashed does not begin with TPM_GENERATED_VALUE (0xFF544347). Provided this is the case, the hash function returns a ticket confirming it together with the hash value, $p_{tpm}$. The ticket and the hash value can then be passed to TPM2_Sign together with the $cv$ value returned from the TPM2_Commit command. TPM2_Sign carries out the following operations:

1. Check the ticket.

2. Using the $cv$ value, retrieve the nonce $r_{cv}$ (also generated as part of the TPM2_Commit command).

3. Calculate:

$$h_1 = p_{tpm} = H(p)$$

$$n_S \leftarrow \{0, 1\}^t$$

$$h_2 = H(n_S \,\|\, h_1) \pmod n$$

$$s = r_{cv} + h_2 \cdot f \pmod n$$

The signature is the pair of values $(n_S, s)$.

TPM2_Certify. The TPM provides a call, TPM2_Certify, which certifies that a given key is loaded into the TPM. This call generates a data structure attesting that the key is a TPM key that can be loaded into the TPM. This data structure is then signed using one of the TPM's signing keys. Confidence in this certification depends on the properties of the signing key that is used: a signing key that is not restricted and not fixed to the TPM cannot be relied upon, while one that is restricted and fixed to the TPM provides much more confidence. In our case we are using a DAA key, which by definition is a restricted signing key that is fixed to the TPM.

To certify a key, $QK$, we first load it into the TPM. We then call TPM2_Certify, passing in the commitment data, $p$, and the counter that was previously generated.

1. Generate the attestation data for the key. This data is described in Part 1 of the TPM 2.0 specifications (pg. 194) [Tru14]. For TPM2_Certify, this data structure has the following fields:

(a) magic – a 32-bit number that is used to tag structures that are generated by a TPM (referred to as TPM_GENERATED_VALUE, 0xFF544347).

(b) type – the type of the attestation structure; in this case it is TPM_ST_ATTEST_CERTIFY (0x8017).

(c) qualifiedSigner – the qualified name of the signing key. When using a DAA key this field is set to be an empty buffer.

(d) extraData – external information provided by the caller. This field is set to the commitment data, $p$.

(e) clockInfo – clock data.

(f) firmwareVersion – a 64-bit number identifying the firmware version.

(g) name – the name of the key being certified.

(h) qualifiedName – the qualified name of the key being certified. When using a DAA key to certify a key this field is set to be an empty buffer.

Note: The clockInfo and firmwareVersion fields are not important for the protocol that we are discussing here. In what follows we refer to this attestation data as $Att$.

2. The TPM then uses the DAA key to sign this attestation data structure. To do this it uses the commitment data $p$ and the counter value $cv$ returned from the TPM2_Commit command. Using the $cv$ value it retrieves the nonce $r_{cv}$ (also generated as part of the TPM2_Commit command) and then calculates:

$$h_1 = H(p \,\|\, H(Att))$$

$$n_C \leftarrow \{0, 1\}^t$$

$$h_2 = H(n_C \,\|\, h_1) \pmod n$$

$$s = r_{cv} + h_2 \cdot f \pmod n$$

The certification consists of the attestation data $Att$, the value of $s$ and the nonce $n_C$. This can be used together with the values generated when preparing the DAA key to verify the certificate.

While the important fields used here can be obtained using other TPM calls, we can only use a restricted TPM key to sign data that is generated internally, or that has been hashed by the TPM (using TPM2_Hash) and provided with a 'ticket' guaranteeing that the hashed data did not begin with the 'magic' value.
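As an added illustration (this is not code from the thesis), the following Python models the credential-less flow just described: TPM2_Commit, the commitment value $p$, TPM2_Hash with its magic check and ticket, TPM2_Sign, and TPM2_Certify over the attestation structure, plus the verifier's side. secp256k1 stands in for the TPM's ECDAA curve with $P_1 = G$. Several details are assumptions not stated on the page: that the commit step computes $E = r_{cv} \cdot P_1$, that the DAA public key is $Q = f \cdot P_1$, that the verifier checks $s \cdot P_1 = E + h_2 \cdot Q$, that the ticket is a hash stand-in for the TPM's ticket structure, and that the attestation field sizes are a constructed simplification.

```python
import hashlib
import secrets

# secp256k1 domain parameters stand in for the TPM's ECDAA curve; P1 = G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TPM_GENERATED_VALUE = (0xFF544347).to_bytes(4, "big")   # magic, from the page
TPM_ST_ATTEST_CERTIFY = (0x8017).to_bytes(2, "big")     # type, from the page

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def build_attest(p, name):
    """Att in the page's field order: magic, type, qualifiedSigner (empty), extraData = p,
    clockInfo + firmwareVersion (zero placeholders), name, qualifiedName (empty)."""
    return TPM_GENERATED_VALUE + TPM_ST_ATTEST_CERTIFY + p + bytes(25) + name

class ToyTPM:
    def __init__(self):
        self.f = secrets.randbelow(N - 1) + 1       # DAA private key f
        self.Q = ec_mul(self.f, G)                  # assumed public key Q = f*P1
        self._nonces, self._next_cv = {}, 1         # cv -> r_cv

    def commit(self):
        """TPM2_Commit with empty inputs: fresh cv, r_cv in Z_n, E = r_cv*P1 (assumed)."""
        r_cv = secrets.randbelow(N - 1) + 1
        cv, self._next_cv = self._next_cv, self._next_cv + 1
        self._nonces[cv] = r_cv
        return cv, ec_mul(r_cv, G)

    def hash_with_ticket(self, data):
        """TPM2_Hash: returns (p_tpm, ticket), or None if data starts with the magic."""
        if data.startswith(TPM_GENERATED_VALUE):
            return None
        p_tpm = H(data)
        return p_tpm, H(b"ticket", p_tpm)           # toy stand-in for the ticket

    def _respond(self, cv, h1):
        """n <- {0,1}^256, h2 = H(n || h1) mod n, s = r_cv + h2*f mod n."""
        r_cv = self._nonces.pop(cv)                 # a commit nonce is single-use
        nonce = secrets.token_bytes(32)
        h2 = int.from_bytes(H(nonce, h1), "big") % N
        return nonce, (r_cv + h2 * self.f) % N

    def sign(self, cv, p_tpm, ticket):
        """TPM2_Sign on a restricted key: check the ticket, then h1 = p_tpm = H(p)."""
        if ticket != H(b"ticket", p_tpm):
            raise ValueError("bad ticket")
        return self._respond(cv, p_tpm)

    def certify(self, cv, p, name):
        """TPM2_Certify: h1 = H(p || H(Att)); returns (Att, n_C, s)."""
        att = build_attest(p, name)
        return (att,) + self._respond(cv, H(p, H(att)))

def commitment(Q, E, s_str):
    return H(enc(G), enc(Q), enc(E), s_str)         # p = H(P1 || Q || E || str)

def verify(Q, E, h1, nonce, s):
    """Assumed verifier check: s*P1 == E + h2*Q."""
    h2 = int.from_bytes(H(nonce, h1), "big") % N
    return ec_mul(s, G) == ec_add(E, ec_mul(h2, Q))

def sign_message(tpm, msg):
    cv, E = tpm.commit()
    p_tpm, ticket = tpm.hash_with_ticket(commitment(tpm.Q, E, msg))
    return (E,) + tpm.sign(cv, p_tpm, ticket)

def verify_message(Q, E, msg, n_s, s):
    return verify(Q, E, H(commitment(Q, E, msg)), n_s, s)
```

Two points carry over from the text: the commit nonce $r_{cv}$ is consumed on use, so one TPM2_Commit serves exactly one signature, and TPM2_Hash refuses to issue a ticket for data that starts with TPM_GENERATED_VALUE, so a caller cannot have the restricted key sign bytes that would parse as a TPM-generated attestation structure. The certify path shows why $h_1$ binds both $p$ and $Att$: changing a single byte of $Att$ invalidates the check.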

7.7 Security Proof

Clearly, our protocol does not satisfy full anonymity, as the CA and the TPM engaged in a transcription can identify the credential on the corresponding public key. However, no third party can tell to which TPM an issued credential belongs, since:

1. We assume that the DAA keys are selected from the same distribution.

2. The CA always creates a credential as $C = SIG(csk_j, pk)$, without any interference of the TPM's identity or the long-term endorsement key.

Proof. Assume that $\mathcal{A}$ is an adversary against third-party anonymity of our protocol in the above experiment. We will show that $\mathrm{Adv}^{anon}_{\mathcal{A}}(\eta)$ is a negligible function of $\eta$. The $CH_b$ oracle assigns a public key $pk$ to TPM $t_{l_b}$ after randomly selecting a bit $b$. $CH_b$ then activates the CA and the assigned TPM $t_{l_b}$ oracles, and finally outputs $(\hat{C}, \hat{s}, C_B)$. The CA oracle always runs the make-credential command to return $(\hat{C}, \hat{s}, C_B)$, where $C$ is a signature on the TPM's DAA public key, $C_B$ depends on $pk$ and some randomly generated key $K$, and $\hat{s}$ is the random seed $s$ encrypted under $epk_{l_b}$. Clearly no third party other than the TPM $t_{l_b}$ and the CA can guess $epk_{l_b}$ as long as no one can share the seed $s$ with the CA and $t_{l_b}$ (the encryption scheme is CCA secure). We argue that no third party can guess $s$ as long as $t_{l_b}$ and the CA are not corrupt. This is true by our assumption that the adversary can collude with any malicious CAs or TPMs except the two challenged TPMs and the corresponding CA that creates the credential for one of the challenged TPMs. Therefore the adversary always outputs the decision bit $b$ by guessing, and

$$\mathrm{Adv}^{anon}_{\mathcal{A}}(\eta) = \left|\Pr[\mathrm{Exp}^{anon\text{-}0}_{\mathcal{A}}(\eta) = 1] - \Pr[\mathrm{Exp}^{anon\text{-}1}_{\mathcal{A}}(\eta) = 1]\right|$$

is a negligible function in $\eta$. □

Theorem 11. Our protocol is unforgeable if the signature scheme used in $SIG$ is EU-CMA secure.

Proof. The adversary $\mathcal{A}$ that works for $\mathrm{Exp}^{unforge}_{\mathcal{A}}$ wins the unforgeability game if $\mathcal{A}$ can produce a valid credential $C^*$ on some public key $pk^*$ that has not been involved in an execution with the issuer, i.e. the adversary can output a valid tuple $(cpk_{j^*}, pk^*, C^*)$ that does not belong to the existing Registration List (RegList). We assume that all the CA and TPM keys are obtained by running the key generation algorithms $(csk_j, cpk_j) \leftarrow KG$ for all $1 \le j \ne j_0 \le p(\eta)$, for some $j_0$ selected uniformly from $\{1, 2, 3, \dots, p(\eta)\}$, and $(esk_i, epk_i) \leftarrow AKG$ for all $1 \le i \le p(\eta)$, respectively. The public key for $CA_{j_0}$ is set to be the public key $pk$ that corresponds to some TPM; $pk$ is an input from an adversary $\mathcal{B}$ that works for $\mathrm{Exp}^{eucma}_{\mathcal{B}}$. We assume that the adversary $\mathcal{B}$ has access to CorrTPMs and CorrCAs except for $c_{j_0}$. For any $CA_j$ with $j \ne j_0$, the adversary $\mathcal{B}$ runs the CA oracles defined in Figure 7.8. For $CA_{j_0}$, $\mathcal{B}$ provides the signature using some signing oracle (the TPM with key pair $(sk, pk)$ in our case). When the adversary $\mathcal{A}$ produces a forgery $(cpk^*, pk^*, C^*)$, $\mathcal{B}$ aborts if $cpk^* \ne pk$; otherwise $\mathcal{B}$ outputs its forgery $(pk^*, C^*)$, which happens with probability $1/p(\eta)$. Also, since the tuple $(pk, pk^*, C^*)$ does not appear in RegList, $(pk^*, C^*)$ is a successful forgery. Thus the advantage of $\mathcal{A}$ in outputting a successful forgery is

$$\mathrm{Adv}^{unforge}_{\mathcal{A}}(\eta) \le \frac{1}{p(\eta)}\,\mathrm{Adv}^{eucma}_{\mathcal{B}}(\eta).$$

$TPM^*_S(epk_l, pk)$:

    $(pk, sk) \leftarrow KG(\eta)$
    $s_{cer} = \mathrm{TPM2\_Sign}(sk; epk_l)$
    send $s_{cer}$

Figure 7.10: The simulated $TPM^*_S$ oracle

$\mathcal{S}(\mathbf{epk}, \mathbf{cpk}, \mathbf{csk}, ValidTPM)$:

    run $\mathcal{A}$ and answer $\mathcal{A}$'s queries according to Figure 7.10: $\tau_S \leftarrow \mathcal{A}^{TPM^*_S}(\mathbf{epk}, \mathbf{cpk}, \mathbf{csk}, ValidTPM)$
    $\tau_1 \leftarrow \tau_S$
    output $\tau_1$

Figure 7.11: The simulator game for deniability

Theorem 12. Our protocol satisfies strong deniability.

Proof. We let the simulator $\mathcal{S}$ run $\mathcal{A}$ and simulate the $TPM^*_S$ oracle. When $\mathcal{A}$ queries the $TPM^*$ oracle, the simulator answers $\mathcal{A}$ by generating a new DAA key pair $(pk, sk)$ and creating a signature on $epk$ under $sk$ using the TPM2_Sign algorithm instead of the TPM2_Certify command. Finally $\mathcal{S}$ outputs $s_{cer}$. From $\mathcal{A}$'s point of view, the outputs of the simulated $TPM^*_S$ and the original oracle $TPM^*$ are indistinguishable, since we assume that $\mathcal{A}$ does not have access to ValidKey. Once $\mathcal{A}$ outputs a transcript $\tau_S$, the simulator $\mathcal{S}$ uses it as its output $\tau_1$. Since we have perfect simulation, $\tau_1$ is indistinguishable from $\mathcal{A}$'s output $\tau_0$ in interaction with a real $TPM^*$ oracle. Therefore $\mathrm{Adv}^{deni}_{\mathcal{A}}(\eta)$ is a negligible function of $\eta$ for all polynomial-time distinguishers $\mathcal{D}$. □

Theorem 13. Our protocol satisfies the key binding property if the signature scheme used in TPM2_Certify is EU-CMA secure.

Proof. The adversary queries the TPM, CA, CorrTPM and Bond oracles. The adversary then runs the Bond, TPM and CA (with verification keys $(csk_j, cpk_j) \leftarrow KG$) oracles, and wins the experiment if it can output a valid self-certificate that is issued by the TPM oracle with DAA key pair $(pk, sk)$ on a corrupted TPM's endorsement key $epk_l$, with $ValidKey(epk_l, pk) = 0$. We let the TPM oracle run the TPM2_Certify command instead of the TPM2_Sign command to create a signature on $epk_l$ under its signing key $sk$. Running the TPM2_Certify command ensures that the TPM checks that it is signing its own endorsement key before creating $s_{cer}$; this check is part of TPM2_Certify as discussed in Section 7.6.1. Therefore the TPM oracle with signing key $sk$ will abort when requested to sign an endorsement key $epk_l$ that is not its own endorsement key, and hence the TPM oracle cannot output a valid self-certificate on the corrupt endorsement key $epk_l$. Thus $\mathcal{A}$ cannot get such a tuple $(epk_l, pk, s_{cer}, cpk_j)$ by querying the TPM oracle. The only way to win the game is for $\mathcal{A}$ to produce a valid self-certificate that is accepted by the CA oracle, hence $\mathcal{A}$ has to forge a signature on $epk_l$ under the $sk$ corresponding to $pk$ with $ValidKey(epk_l, pk) = 0$, which contradicts our assumption that the signature scheme used in TPM2_Certify is EU-CMA secure. Therefore $\mathrm{Adv}^{Bond}_{\mathcal{A}}(\eta)$

Operations                                        Proposed Channel
TPM2_CreatePrimary (2048-bit RSA key [Int06])     18900
TPM2_Create (256-bit ECDAA key [CPS10a])          215
TPM2_Load                                         38.2
TPM2_Commit                                       91
TPM2_Certify                                      59.5
TPM2_ActivateCredential                           220
Compute a pairing                                 171
Calculate an AK credential                        47.2

Table 7.1: Timings in experiment (each number is in milliseconds)