How to encrypt bytes using the TPM (Trusted Platform Module)

Primer

All that follows is about TPM 1.2. Keep in mind that Microsoft requires a TPM 2.0 for all future Windows versions. The 2.0 generation is fundamentally different from the 1.2.

There is no one-line solution because of TPM design principles. Think of the TPM as a microcontroller with limited resources. Its main design goal was to be cheap while still secure. So the TPM was stripped of all logic that was not necessary for secure operation. Thus a TPM only works when you have at least some more or less fat software issuing a lot of commands in the correct order. And those sequences of commands may get very complex. That's why TCG specified the TSS with a well-defined API. If you would like to go the Java way, there is even a high-level Java API. I'm not aware of a similar project for C# / .NET.

Development

In your case I’d suggest you look at IBM’s software TPM.

  • Project page
  • Download the whole package

In the package you will find 3 very useful components:

  • a software TPM emulator
  • a lightweight tpm lib
  • some basic command line utilities

You don’t necessarily need the software TPM emulator, you can also connect to the machine’s HW TPM. However, you can intercept the issued commands and look at the responses, thus learning how they are assembled and how they correspond to the command specification.

High level

Prerequisites:

  1. TPM is activated
  2. TPM driver is loaded
  3. you have taken ownership of the TPM

In order to seal a blob, you need to do the following:

  1. create a key
  2. store the key-blob somewhere
  3. ensure that the key is loaded in the TPM
  4. seal the blob

To unseal you need to:

  1. obtain the key-blob
  2. load the key to the TPM
  3. unseal the sealed blob

You can store the key-blob in the data structure you use to store the protected bytes.

Most of the TPM commands you need are authorized ones. Therefore you need to establish authorization sessions where needed. AFAIR those are mostly OSAP sessions.

TPM commands

Currently I can’t run a debug version, so I can’t provide you with the exact sequence. So consider this an unordered list of commands you will have to use:

  • TPM_OSAP
  • TPM_CreateWrapKey
  • TPM_LoadKey2
  • TPM_Seal

If you want to read the current PCR values, too:

  • TPM_PCRRead
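To show how a TPM 1.2 command lines up with the command specification when you inspect traffic to the emulator, here is an added example (not part of the original answer and not code from IBM's package) that serializes TPM_PCRRead, the one command in the list that needs no authorization session, and validates the response. The function names `build_pcrread` and `parse_pcrread` are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TPM_TAG_RQU_COMMAND 0x00C1u      /* request, no authorization session */
#define TPM_TAG_RSP_COMMAND 0x00C4u      /* response, no authorization session */
#define TPM_ORD_PcrRead     0x00000015u  /* ordinal of TPM_PCRRead */
#define TPM_DIGEST_SIZE     20           /* TPM 1.2 PCRs hold a SHA-1 digest */

/* TPM 1.2 puts every integer on the wire in big-endian order. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Serialize TPM_PCRRead(pcr_index). Returns bytes written, or 0 if buf is too small. */
size_t build_pcrread(uint8_t *buf, size_t cap, uint32_t pcr_index)
{
    const uint32_t size = 2 + 4 + 4 + 4;   /* tag + paramSize + ordinal + pcrIndex */
    if (cap < size) return 0;
    put16(buf, TPM_TAG_RQU_COMMAND);
    put32(buf + 2, size);
    put32(buf + 6, TPM_ORD_PcrRead);
    put32(buf + 10, pcr_index);
    return size;
}

/* Parse a TPM_PCRRead response. Returns 0 and fills digest on success, the
 * TPM return code if the TPM reported an error, or -1 if the frame is malformed. */
int64_t parse_pcrread(const uint8_t *rsp, size_t len, uint8_t digest[TPM_DIGEST_SIZE])
{
    if (len < 10 || get16(rsp) != TPM_TAG_RSP_COMMAND) return -1;
    if (get32(rsp + 2) != len) return -1;   /* paramSize must match bytes received */
    uint32_t rc = get32(rsp + 6);
    if (rc != 0) return rc;                 /* error responses carry no digest */
    if (len != 10 + TPM_DIGEST_SIZE) return -1;
    memcpy(digest, rsp + 10, TPM_DIGEST_SIZE);
    return 0;
}

int main(void)
{
    uint8_t cmd[14];
    size_t n = build_pcrread(cmd, sizeof cmd, 0);   /* request for PCR 0 */
    for (size_t i = 0; i < n; i++) printf("%02x ", cmd[i]);
    printf("\n");
    return 0;
}
```

The authorized commands in the list use the same header layout but a different request tag, and they append the session handle, nonce and HMAC established through TPM_OSAP.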
