[PATCH] enhanced smartcard support
Fri May 23 13:21:23 PDT 2008
"LATZE Carolin" <carolin.latze at unifr.ch> writes:
> David is right, a third way to use the TPM for certification is to
> generate "normal" RSA keys and sign the public key as always. My ways
> make use of the full certificate infrastructure provides and allow to
> have a certification process, that does not need user intervention
> (well beside typing some password). Davids idea includes identifying
> the user at the CA as always (using the ID card or something less
> secure for less secure certificates). My idea was to do everything
> without the user since many users are not able to request their own
> certificate, but I did not want to have less security. That's why I
> use the TPM identities which identify the TPM and allow to request
> secure certificate without user intervention. A detailed description
> can be found here: http://diuf.unifr.ch/people/latzec/SoftCOM07.pdf
> I think, all those three ways are possible and suitable for their applications.
Carolin, your idea is pretty interesting and I'm going to look more into
it. The needs of my organization were to provide a secure storage for
the private key that could not be read into system memory even by the
user of the machine; i.e. even if there was an active root exploit on
the machine, the attacker would not be able to duplicate the private key
or any way remove it from the machine without deep physical tampering,
which in that case would alert the owner of the machine to contact our
security organization and thus revoke the certificate for the machine
before it can be used for evil. Since that's a mouthful, another way of
putting it is to say we wanted a cryptographic object storage on UNIX
that was superior to those available in Microsoft Windows and Mac
OS. But, we also needed the system to be compatible with the existing CA
system we have in place for those other operating systems. Additionally,
by using the TPM chip instead of an external smartcard, we don't have to
add additional hardware nor does the user have to be bothered.
That's just my reasoning for using the TPM chip like this. I think a lot
more people should be doing it for storing their own private keys,
whether they be for wpasupplicant or even GPG. I admit I'm a novice when
it comes to many of the advanced features available on the TPM. I'll
read your paper and maybe learn a few more advanced techniques.
> -----Original Message-----
> From: hostap-bounces at lists.shmoo.com on behalf of David Smith
> Sent: Fri 23.05.2008 21:32
> To: hostap at lists.shmoo.com
> Subject: Re: [PATCH] enhanced smartcard support
> OK, I'll try to provide a bit of a howto and answer a few things that
> are kind of strange at first.
> Jouni Malinen <j at w1.fi> writes:
>> On Fri, May 23, 2008 at 11:47:28AM +0300, Jouni Malinen wrote:
>>> My ThinkPad T43 should have TPM, but getting it working was not exactly
>>> trivial and I don't know whether the security chip is now more or less
>>> completely locked or what it is doing since it does not likely any
>> I finally found a way to clear the security chip state through BIOS
>> (after some odd magic to get the BIOS setup to show the option for doing
>> this) and I tried again.
> In order to get the BIOS to show the 'clear the TPM chip option' in the
> Security settings, you need to do a cold powerdown and then enter the
> BIOS on the first boot. A regular reboot will not suffice. This is
> because it is written in the TCG specification for the PC platform, in a
> normal computer doing a cold power-off and power-on is the only way to
> assert physical presence, and physical presence is required to clear the
> chip. If you think about it a bit, this makes sense, e.g. if the machine
> was on something like a cyclades hydra that allowed accessing the BIOS
> remotely after a normal reboot. Though, it is of course not perfect,
> because again the cyclades hydra case, some models allow you to control
> the power strip the machine is using and force a cold power-cycle
> operation remotely. But, in most cases, a cold power-cycle is a
> reasonably good approximation of physical access to the machine, and you
> want to make sure the TPM does not get reset without you physically
> doing it. In other words, it is completely impossible to clear the TPM
> chip after you boot your operating system, no matter what operating it
> is, because the last thing the BIOS does before starting the boot-loader
> in a TPM-based system is disable the assertion of physical presence.
>> This time, I just used a simple password/pin for every possible
>> location to avoid any possible issue and tpm_takeownership and
>> tpmtoken_init were able to complete their tasks.
> OK, but in order to use the TPM chip as a smart card, you must set the
> SRK password for tpm_takeownership to nothing, just hit enter at the
> password prompts for the SRK password. Set your owner password to
> whatever you like. You have to run tpm_takeownership once and *only*
> once after clearing your TPM chip in the BIOS but you can, after that,
> clear the token created on the thip as many times as you like from
> software. The token, as created with tpmtoken_init, is a
> software-emulated smartcard that is backed by a private key that lives
> inside the TPM. All of the keys used with that smartcard are wrapped
> with the private key inside of the TPM. Since they are wrapped
> (i.e. encrypted) with a private key that you can't get access to, they
> are safe to store on disk and in fact this is how it is done, in a
> relatively simple binary database in /var/lib/opencryptoki/tpm.
> Regarding tpmtoken_init, I've only used it briefly and found it limiting
> in functionality and unreliable, though I've yet to find a really good
> generic pkcs11 swiss-army-chainsaw and intend to make one ... one of
> these days. Instead, I use pkcs11-tool from the OpenSC package and
> pkcsconf from the openCryptoki package together. Note that tpmtoken_init
> comes from the tpm-tools package, a part of the trousers suite.
> Below is a shell fragment that is based on a program I use for
> initializing the TPM chip. I've taken out a few bits of user-interface
> and integration with my CA environment for attaining a signed
> certificate from a CSR and just left the basics of the TPM
> initialization, assuming you have a certificate and private key ready to
> be imported. Specify the certificate and private key at the top of the
> script. I don't suggest running the script without reading it completely
> # CERTIFICATE MUST BE IN DER FORMAT, convert before running this script
> # PRIVATE KEY MUST BE IN DER FORMAT, convert before running this script.
> cat <<EOF
> You will be prompted for two passwords, one called the owner
> password and the next called the SRK password.
> For the owner password, use whatever you like. This password is
> yours for controlling the TPM chip.
> For the SRK password, please hit enter twice. This password
> must be empty in order for software to make use of the TPM
> sudo tpm_takeownership
> label="IBM PKCS#11 TPM Token"
> module="--module /usr/lib/opencryptoki/libopencryptoki.so.0"
> echo "Showing slot information"
> sudo pkcs11-tool $module --list-slots
> echo "You should see a TPM token listed as a possible slot above."
> echo "Continuing..."
> echo "Initializing token"
> sudo pkcs11-tool $module --init-token --label $label --so-pin 87654321
> echo "Setting SO PIN to 111111"
> sudo pkcsconf -c 0 -P -S 87654321 -n 111111
> echo "Setting User PIN to 000000"
> sudo pkcsconf -c 0 -p -U 12345678 -n 000000
> auth="--pin 000000 --so-pin 111111"
> echo "Installing certificate object"
> sudo pkcs11-tool $module $auth --write-object $cert --type cert --id 1 --label "certificate" --attr-from $cert
> echo "Installing key object"
> sudo pkcs11-tool $module $auth --write-object $key --type privkey --id 1 --label "priate key" --attr-from $cert
> echo "Showing object information"
> sudo pkcs11-tool $module $auth --list-objects
> echo "You should see a ceritifcate and private key listed as installed in the smartcard"
>> For the first test, I just imported couple of certificates and a private
>> key to the TPM token with pkcs11-tool. This does not sound like the best
>> way of using TPM since I would prefer not to see the private key ever
>> exit the security chip, but for the time being, importing existing keys
>> seemed simpler. Should probably try to generate a certificate request
>> with TPM engine to avoid the private key being exposed.
> Certificates are by definition public information so they can be
> exported again after importing with pkcs11-tool, but private keys
> cannot. Only the object information can be attained, but assuming RSA
> keys which is almost always the case, the modulii, exponents, or bases
> of the keys can not be recovered nor can any other actual private
> information. For added security, before importing with pkcs11-tool,
> create the certificate request, get it signed, and run pkcs11-tool on it
> all from a ramfs and add traps to delete the files from the ramfs and
> unmount it as traps in the shell script.
>> I tried configuring the private key, user certificate, and CA
>> certificate from the OpenSSL engine and that seemed to work and I was
>> able to complete EAP-TLS authentication successfully.
> That's very encouraging.
>> For some reason, this is painfully slow and I needed to increase the
>> authentication timeout in eapol_test from the default 30 to couple of
>> minutes to avoid timeouts.. I don't understand why it would need that
>> much time, but well, it did. Anyway, at least the mechanism of
>> fetching certificates from tpm/pkcs11 token seemed to work fine.
> I have not seen that behavior and, for now, doubt it is due to the TPM
> chip, because someone else was complaining about a very similar issue
> with a different model smartcard being used with OpenSC and an earlier
> version of wpa_supplicant. Additionally, I don't, for now, see a
> connection between that kind of behavior and the functionality added by
> this latest patch, which should only be for exporting certificates out
> of the smartcard and serving them from memory when requested by the
> authenticator. [/me searches his mail...] Ah, David Mattes, he even
> offered me one of his smartcards to test with to debug this
> problem. Unfortunately, I haven't found the time yet to invest in taking
> him up on the offer. I've added him to the CC on this mail and hopefully
> he can shed some light on this issue.
> <#secure method=pgpmime mode=sign>
> HostAP mailing list
> HostAP at lists.shmoo.com
<#secure method=pgpmime mode=sign>
More information about the Hostap