1 (edited by Grizzy Kret 2021-05-03 03:13:00)

Topic: Identity attestation

I am discovering the TPM and I am trying to implement some basic uses.
In my context, the PC hosting the TPM is a "client" discussing with a "server".
The server must be sure that the client is actually the good one.
My current way to perform this is by using an obfuscated crypto lib:
- at the very beginning of the client life, the client generates (& buries) an RSA key pair, and sends its public part to the server.
- during the client lifetime, when its identity is to be proven:
    - the server sends some random data to the client
    - the client signs it using its buried private RSA key, and sends the signature to the server
    - the server verifies the signature using the public RSA key it received earlier
    ---> nothing really original...

My question is: how to do the same thing using your TPM lib?

I read some documentation here: https://trustedcomputinggroup.org/resou … ification/
and I must admit I don't understand all the subtleties...
I downloaded and compiled your lib + examples, but I can't figure out how to proceed for my need.

Maybe it's not a good approach to reproduce what I do with my old school obfuscated crypto lib...
Then what is the proper way, for the client, to prove its own identity?
Maybe using PCRs, but I don't see how to use them...

Thanks in advance
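
The enrolment and challenge-response exchange described in the question above, as an added Python example that is not part of the thread and does not use the wolfTPM API. The pure-Python RSA key (`keygen`, `sign`) is an assumption standing in for a key created and held inside the TPM; `Server`, `challenge`, `check` and the client id are hypothetical names.

```python
import hashlib, secrets

PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo, RFC 8017

def _is_prime(n, rounds=24):          # Miller-Rabin probable-prime test
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(
                (x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False              # no squaring reached n - 1: composite
    return True

def _prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 65537 != 1 and _is_prime(p):   # keeps e = 65537 invertible mod p - 1
            return p

def keygen(bits=1024):                # demo-sized software key (assumption, not a TPM key)
    p, q = _prime(bits // 2), _prime(bits // 2)
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def _encode(msg, n):                  # EMSA-PKCS1-v1_5 over SHA-256(msg), as an integer
    t = PREFIX + hashlib.sha256(msg).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(priv, msg):                  # client: private key operation on the server's nonce
    return pow(_encode(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):            # server: re-encode and compare, never parse padding
    return 0 < sig < pub[0] and pow(sig, pub[1], pub[0]) == _encode(msg, pub[0])

class Server:
    def __init__(self):
        self.keys, self.pending = {}, {}      # enrolled public keys, outstanding nonces

    def challenge(self, cid):
        self.pending[cid] = secrets.token_bytes(32)   # fresh random data per attempt
        return self.pending[cid]

    def check(self, cid, sig):
        nonce, pub = self.pending.pop(cid, None), self.keys.get(cid)  # nonce is single use
        return bool(nonce and pub) and verify(pub, nonce, sig)
```

With a TPM, only `keygen` and `sign` move into the chip; the server side stays the same.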


Re: Identity attestation

Hi Hadrien,

Have you seen our recent PR adding attestation support?

We are also working on another example that uses TLS v1.3 between peers that should be posted in a few weeks.

If you are not familiar with it, the tpm.dev website has some great discussions on this topic.

David Garske, wolfSSL


Re: Identity attestation

Thank you David,
I will have a look at your pull...
But before that, I have another blocking point that I'll describe in another post.
(I'm afraid I have many more questions about the lib...)