

TPM chip protecting SSH keys from being copied or stolen - adamnemecek
http://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly

======
kyboren
Neat, if you disregard the (justified? unjustified?) widespread suspicion of
TPMs.

However, this only prevents an attacker copying the key to another machine. If
the attacker has access to that key, then they have access to your machine.
Not much stops them from installing malware and using your machine as a proxy
for the session they want to establish to the endpoint (with the additional
benefit of appearing to connect to that endpoint from your machine in any
connection logs).

It should be noted that ssh, gpg-agent, and OpenPGP smart cards already
provide the capability to store an SSH key on a removable smart card. Storing
your key on a smart card provides the additional barriers that such a proxying
setup would only work 1) while you have the card inserted, and 2) if you
authorize that access by entering the PIN (optionally through an un-observable
channel if you have a Class II or III reader). Of course such hypothetical
malware would still be able to inject commands into a session once you log on
to the endpoint, but it would be much harder to avoid your detection.

Of course, most modern machines come with a TPM (right? correct me if I'm
wrong), while very few people have an OpenPGP smart card.

~~~
MichaelGG
Suspicion of TPMs has, so far, been just wrong. Most machines don't have TPMs;
they're usually a feature on "business" laptops. Lenovo's ThinkPads have them,
IdeaPads don't.

But now Windows 8.1 apparently makes OEMs ship a TPM to provide transparent
device encryption for tablets - so it should become more commonplace. (It
might only be for ARM devices though.) I'd assume those TPMs provide the full
APIs and capabilities others do.

~~~
salient
Intel has a habit of trickling down features of "business chips" to the
consumer chips. If I'm not mistaken, they may even be the same chips, Intel
just disables those features for lower-end chips. So it's just a matter of
time.

I think it's right to be very suspicious of these chips, especially since
Intel has been awfully quiet despite all the accusations, and we do know that
NSA has been trying to get "encryption hardware vendors" to subvert the
encryption for them.

------
majke
Recently I wanted to find if Apple hardware ships with a TPM chip. This
article from 2006 suggests it doesn't:

[http://www.osxbook.com/book/bonus/chapter7/tpmdrmmyth/](http://www.osxbook.com/book/bonus/chapter7/tpmdrmmyth/)

BTW This site is fascinating, for example here's on Apple encryption of
binaries:

[http://osxbook.com/book/bonus/chapter7/binaryprotection/](http://osxbook.com/book/bonus/chapter7/binaryprotection/)

~~~
pudquick
Initial models did ship with a TPM, but current ones do not. Install Windows
Vista or later via Bootcamp and it'll gladly tell you about the lack of any
such chip.

~~~
csmuk
Are you sure? Just because the ACPI/BIOS doesn't present it to the kernel,
doesn't mean it's not there.

~~~
nathan_f77
No Apple computers have had a TPM chip since 2006. [1]

[1]
[http://www.pcworld.com/article/157966/laptop_security.html](http://www.pcworld.com/article/157966/laptop_security.html)

------
Spooky23
If you want a solution for secure ssh key storage that is based in hardware, I
would look at using a GPG Card or other smart card solution. Smart cards are
more portable, more standardized, and you're not dependent on physical
possession of a particular hardware component.

The big caveat being that if you need FIPS 140-2 validation, you'd need a
commercial smart card solution.

~~~
matthiasb
A single FIPS-certified smart card is under $30. Not much considering the value
they provide IMHO ;-)

------
pdkl95
Note that the Trusted Computing Group has seen the controversy over Snowden's
leaks as a useful tool for spreading propaganda about the TPM and their goal of
establishing a root of trust.

They acknowledge that almost nobody actually wants a TPM ("There has been no
market driver to incorporate TPMs"), and observe that post-Snowden there are
more people looking to improve their internet security.

Therefore, the plan is to repudiate the NSA ("The manufacturers of TPMs must
demonstrate that there are no back doors in their products." - at least not
an NSA back-door...) and push their usual word-games about the TPM such as
"secure end-to-end communication [...] made possible [...] with TPMs."

So it may be prudent to question the motives behind any of these new attempts
to justify the TPM.

[http://www.forbes.com/sites/richardstiennon/2013/11/16/trust...](http://www.forbes.com/sites/richardstiennon/2013/11/16/trusted-computing-must-repudiate-the-nsa/)

Edit: It seems the author of this post appears to work at Google, a
contributor to the Trusted Computing Group.

~~~
DannyBee
"It seems the author of this post appears to work at Google, a contributor to
the Trusted Computing Group."

Yes, however, note this is a hobby project, written on his own time, with no
official affiliation to Google at all.

------
nivla
What is the general consensus on TPM? Is it trustable? Bitlocker is the only
encryption I know that makes use of it. Weirdly, Truecrypt is stern about
never ever using it.

Assuming no foul play, I think a combination of TPM (Hardware based Keys),
Secure boot and Open source encryption should be enough to keep your data safe
from any prying eyes.

~~~
dlitz
TPM chips are designed to enforce the rules of whoever controls the TPM chip
over the will of whoever is sitting at the computer.

This can be good or bad, depending on who those respective parties are.

~~~
MichaelGG
Are there any TPM implementations where the user doesn't control the TPM? And
by user, I mean the owner of the physical device (so a company over its
laptops, a person over their laptops).

I've not heard of any TPM that has some other owner, like the claims against
TPMs have said. TPMs aren't needed to provide a DRM scenario - UEFI Secure
Boot can do that by itself, right?

~~~
nocoment
> Are there any TPM implementations where the user doesn't control the TPM?

The design of the TPM prevents the user from ever fully controlling it, so
complete revocation of access is unnecessary. Anything in the system/bootup
can update a PCR, revoking some or all access to essential keys.

Take the chromebook I am using right now. The user can disable secureboot
(which isn't actually implemented with the TPM) and use an unsigned image, but
can not create an image signed by themselves.

With either boot, I nominally have control of the TPM, so far so good. But the
PCR values written by the boot process will be different so I can not use keys
from one boot in the other. For example, my encrypted filesystems from the
google boot are inaccessible.

This is great for the security of my data if my chromebook is stolen. But it
also means a web service like my company's VPN or MPAA's movie server could
demand that I use attestation to show I am using a google configured
chromebook; if I did a custom boot the attestation will not have the right PCR
values, so I am incapable of using the service.

> TPMs aren't needed to provide a DRM scenario - UEFI Secure Boot can do that
> by itself, right?

AFAIK, UEFI secure boot limits the device based on a list of public keys, but
has no access to any form of secret key. So booting an insecure clone to
contact a DRM protected service (or otherwise emulate the secured device)
works perfectly fine.
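As an added illustration of the PCR point made in the comment above (not code from the original post or from any real TPM stack), the toy model below implements the TPM 1.2 extend rule, PCR_new = SHA-1(PCR_old || SHA-1(image)), and then seals a secret to the resulting register value. The seal/unseal is a software stand-in for the chip's storage-key wrapping, and the boot-chain images (`GOOGLE_BOOT`, `CUSTOM_BOOT`) are constructed labels, but the behaviour it shows is the one described: the same chip re-measured under a different kernel yields a different PCR, so the secret sealed under the first boot is unreachable, and any later extend (say, loading an unsigned module) revokes access until the next clean boot.

```python
"""Toy model of TPM PCR extension and sealing a secret to boot measurements.

Added example, not from the original post or any TPM library. The extend rule
follows the TPM 1.2 convention (SHA-1 registers, all-zero at power-on); the
seal/unseal is a software stand-in for the chip's storage-key wrapping, kept
only to show why a secret sealed under one boot chain cannot be unsealed
under another.
"""
import hashlib
import hmac
import os

PCR_LEN = 20  # SHA-1 digest length; TPM 1.2 PCRs reset to all-zero at power-on


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: a PCR can only be hashed forward, never written directly."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(images) -> bytes:
    """Extend a zeroed PCR with each boot-stage image in order (firmware, loader, kernel, ...)."""
    pcr = bytes(PCR_LEN)
    for image in images:
        pcr = pcr_extend(pcr, image)
    return pcr


class ToyTPM:
    """One 'chip': its root secret survives reboots, its PCR is re-measured every boot."""

    def __init__(self, boot_images):
        self._root = os.urandom(32)  # stand-in for the storage root key; never exported
        self.pcr = measure_boot(boot_images)

    def reboot(self, boot_images):
        self.pcr = measure_boot(boot_images)

    def extend(self, measurement: bytes):
        """Anything that runs after boot may extend the PCR, revoking data sealed to it."""
        self.pcr = pcr_extend(self.pcr, measurement)

    def _keystream(self, pcr_value: bytes, length: int) -> bytes:
        # Key material depends on the chip's root secret AND the PCR value it is bound to.
        key = hmac.new(self._root, pcr_value, hashlib.sha256).digest()
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, secret: bytes) -> dict:
        """Bind `secret` to the PCR value as it stands right now."""
        ks = self._keystream(self.pcr, len(secret))
        return {"pcr": self.pcr, "ct": bytes(a ^ b for a, b in zip(secret, ks))}

    def unseal(self, blob: dict):
        """Return the secret if the live PCR matches the sealed one, else None.

        The keystream is derived from the *live* PCR, so even skipping the
        comparison would only produce garbage under a different boot chain.
        """
        if blob["pcr"] != self.pcr:
            return None
        ks = self._keystream(self.pcr, len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))


# Constructed boot chains: same read-only firmware, different kernel and rootfs.
GOOGLE_BOOT = [b"ro-firmware", b"google-signed-kernel", b"verified-rootfs"]
CUSTOM_BOOT = [b"ro-firmware", b"my-unsigned-kernel", b"my-rootfs"]


def demo():
    secret = b"ssh-private-key-material"
    tpm = ToyTPM(GOOGLE_BOOT)
    blob = tpm.seal(secret)
    under_google = tpm.unseal(blob)       # the secret
    tpm.reboot(CUSTOM_BOOT)
    under_custom = tpm.unseal(blob)       # None: different PCR, key unavailable
    tpm.reboot(GOOGLE_BOOT)
    back_to_google = tpm.unseal(blob)     # the secret again
    tpm.extend(b"late-loaded-unsigned-module")
    after_extend = tpm.unseal(blob)       # None: revoked until the next clean boot
    return under_google, under_custom, back_to_google, after_extend


if __name__ == "__main__":
    for label, value in zip(("google", "custom", "google again", "after extend"), demo()):
        print(f"{label:>13}: {value!r}")
```

Two properties worth noticing when running it: measurement order matters (swapping two stages gives a different PCR), and there is no API to set a PCR back to a chosen value short of a reboot, which is exactly why the comment above says "anything in the system/bootup can update a PCR, revoking some or all access".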

~~~
MichaelGG
The scenario you outlined is exactly the point of a TPM. In the case of an
"MPAA movie server", exactly how would they verify the remote attestation? As
I understand, they'd need to have some way of verifying your key. You would
have had to opt-in to such a feature, right? The simple act of having a TPM
doesn't give arbitrary third parties the capability to verify remote
attestation. Unless I'm missing something critical.

On Secure Boot, you're right that a clone works. But if your device doesn't
have an open Secure Boot system, like WinRT, then that device is DRM'd up as
the OS can fully decide which programs to allow. An insecure clone means
another device, but point taken.

~~~
nocoment
Yep, to be clear I was pointing out that a TPM with remote attestation can't
avoid implementing DRM in the true sense of protecting specific content to the
extent possible on the device.

I think the permanently gimped system stuff like a key restricted secure boot
is really something else. It is in some sense an acknowledgment of the
impossibility of DRM actually preventing every single copier and gains more
from leveraging its play time monopoly to lower the value of all non-DRM
content which may or may not be pirated.

A system that denied all open content with a TPM would indeed be very broken
in terms of design and would only start to make sense if the hardware was much
more customized than a typical PC platform.

------
whatcd
Information on how Chrome OS uses TPM chips:

[http://www.chromium.org/developers/design-documents/tpm-usag...](http://www.chromium.org/developers/design-documents/tpm-usage)

------
jlgaddis
The author could have saved himself some trouble if he would've investigated
GnuTLS (which can do everything on his requirements list).

~~~
thomashabets
GnuTLS can't be a PKCS#11 provider, so no.

------
matthiasb
I store my SSH keys in a smart card. The benefit over TPM is that it is
portable.

------
wmf
Does this allow the host key to be stored in the TPM?

~~~
makomk
I'd be worried about that leading to a denial-of-service attack on ssh; TPM
crypto operations are really slow.

