Prevent fake Attestation Key

[ernesto418]

It is important that the server validates the attributes of the Attestation Key when it receives the AKpub to verify that if it is loaded in the TPM, it is a genuine attestation key.

If not, the client could load an externally generated key with a well-known private key in the TPM and use it to sign externally a fake quote. Then, because it is loaded in the TPM, it would pass the Make/Activate_credential.

I was reading the Attestation Protocols and I didn't find anything related to it in the Readme.

[nicowilliams]

Correct. The attestation server MUST compute the cryptographic name of the client's AK using only a) the AKpub presented by the client, b) the attributes the server wants the AK to have. In particular the server should insist on fixedTPM and fixedParent, and probably also stClear, and any authPolicy. And if it wants an authPolicy, then the server must also add adminWithPolicy to the key's attributes before computing its name.

EDIT: And as you noted elsewhere, the AK also must be restricted, otherwise an attacker with access to the client's TPM can fake a quote.

[tomoveu]

Great response @nicowilliams

The TCG requirement for AK as I know it is for the AK to be:

• restricted key
  • (to work only with TPM generated data)
• fixedTPM
  • (can be loaded only on this particular TPM)
• fixedParent
  • (AK is wrapper using specific TPM Primary Key)

stClear is a nice addition that @osresearch clarifies in his FAQ as

" ... the TPM will not allow it to be persisted and will refuse to reload it when the reboot counter increments."

[tomoveu]

@ernesto418 please see if the latest changes merged into master for the tutorials address your question

If yes, confirm, so we could close this ticket as resolved. Thanks

[ernesto418]

I think you refer to:

d0cbddf#diff-e52a82c98b3ab3495218220dd008585165b7edfb9e2541aaacf1c3d8cd6f3d85

I didn't find in all the commit the words:
restricted, fixedTPM and fixedParent

That are the mandatory attributes to be asserted when generating the AK name to be used in TPM_makecredential.

Maybe it is explained in a different way, but I didn't find it. Therefore, I think it doesn't address the Issue