为什么 TPM 可以防重放

TPM 芯片使用过程中,涉及到类似身份认证的事情,例如:

  • TPM 命令使用口令/ Policy
  • TPM Hash 签名
  • TPM 身份证书 AK、EK、PK 等

在使用 TPM 相关功能的时候会考虑一个问题,如果攻击者拿着一个伪造的数据作为 TPM Command 的输入,是否能够绕过检查机制即怎么防止重放攻击。TCG 在设计 TPM spec 的时候就考虑了这问题,TCG 将 TPM 涉及到的数据分为两种类型:1. TPM 内部生成的数据;2. TPM 外部生成的数据,这篇文章会从数据类型的角度介绍 TPM 本身防重放攻击的原理。

内部数据防重放

TPM 内部数据主要是通过外部给定随机数 nonce 值的方式来抵御重放攻击,以 TPM2_Quote 命令为例,在引用 PCR 值作为Quote 数据结构体的时候需要指定 qualifyData。

外部数据防重访

TPM 对于外部数据主要是通过要求提供 TPM 生成的 HMAC 签名来确认,外部数据是经过 TPM 认证保护的,里 TPM2_Sign/TPM2_Hash 为例:

  • In order to determine whether external data mimics the TPM’s attestation structures, TPM2_Sign requires the caller to provide verification evidence, which is a TPMT_TK_HASHCHECK ticket (an HMAC signature) created by the command TPM2_Hash or TPM2_SequenceComplete. TPM2_Hash is quicker and easier than TPM2_SequenceComplete but can be used only when the external data fits in a single TPM buffer. TPM2_SequenceComplete can verify arbitrarily large amounts of external data.
  • A verification ticket comprises evidence that the digest described by the ticket doesn’t start with the TPM_GENERATED_VALUE = 0xFF'TCG (FF 54 43 47 16) header that appears in the TPM’s attestation structures. Tickets are succinctly described in TPM2 specification Part-1 section “Signature Opera- tions” subsection “Tickets”.
  • The verification ticket submitted with the TPM2_Sign command must be created by the same TPM that will execute the TPM2_Sign command. The reason is that a ticket is signed by a secret value that is never known outside the TPM.

References

  1. Trusted Computing Platforms | SpringerLink