• caglararli@hotmail.com
  • 05386281520

How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?

Çağlar Arlı      -    63 Views

How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?

During remote attestation, a device sends the server the EK certificate, AK public, AK name. By using tpm2_makecredential/tpm2_activatecredential, the attestation sever can confirm that:

  1. the EK is resident in the device TPM, and
  2. the AK that the "AK name" used in tpm2_makecredential referring to is resident in the device TPM. But how does the server know if the AK public and the AK name refer to the same key?

Here are more details:

I am trying to figure out a remote attestation algorithm/protocol to verify the PCR values on a device. I've read some examples on how to do this. It always involves using tpm2_makecredential / tpm2_activatecredential to validate the identity of a TPM. Below are the steps:

  1. Device sends Endorsement Key (EK) certificate, Attestation public key (AK public), AK name (i.e., digest of Ak public area incluidng Ak public key and other attributes) to attestation server.
  2. Server verifies EK certificate, extract EK public key.
  3. Server encrypts a secret along with AK name using EK public key and sends the resulting blob to the device.
  4. Device calls TPM to decrypt the blob to recover the secret. This operation will fail if TPM doesn't have a key with the "AK name". Device sends the secret back to the server.

If the device recovers the secret correctly, it approves the followings:

  1. The EK certificate is from a trusted TPM.
  2. The same TPM has an AK that the device has provided its name to the server.

The next steps are: 5. Device sends a PCR quote to the server. 6. Server verifies the quote to be genuine using the AK public key. 7. Server compares the PCR quote against a reference PCR quote.

My question is: how does the server trust the AK public key provided by the device? Unless the server can independently compute the NAME from AK public key and other attributes to match the provided "AK name", but how to compute? Or if device can provide more info to prove that the AK is genuine, but what other info?