fyi: ECDAA: Fixing TPM 2.0 for Provably Secure Anonymous Attestation from =JeffH on 2017-07-31 (public-webauthn@w3.org from July 2017)

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Mon, 31 Jul 2017 08:49:28 -0700
To: W3C Web Authn WG <public-webauthn@w3.org>
Message-ID: <7de5ec25-c628-6ac6-d53e-729626069025@KingsMountain.com>

Of possible interest...

One TPM to Bind Them All: Fixing TPM 2.0 for Provably Secure Anonymous
Attestation
Jan Camenisch, Liqun Chen, Manu Drijvers, Anja Lehmann, David Novick,
Rainer Urian
http://eprint.iacr.org/2017/639

The Trusted Platform Module (TPM) is an international standard for a
security chip that can be used for the management of cryptographic keys
and for remote attestation. The specification of the most recent TPM 2.0
interfaces for direct anonymous attestation unfortunately has a number
of severe shortcomings. First of all, they do not allow for security
proofs (indeed, the published proofs are incorrect). Second, they
provide a Diffie-Hellman oracle w.r.t. the secret key of the TPM,
weakening the security and preventing forward anonymity of attestations.
Fixes to these problems have been proposed, but they create new issues:
they enable a fraudulent TPM to encode information into an attestation
signature, which could be used to break anonymity or to leak the secret
key. Furthermore, all proposed ways to remove the Diffie-Hellman oracle
either strongly limit the functionality of the TPM or would require
significant changes to the TPM 2.0 interfaces. In this paper we provide
a better specification of the TPM 2.0 interfaces that addresses these
problems and requires only minimal changes to the current TPM 2.0
commands. We then show how to use the revised interfaces to build q-SDH-
and LRSW-based anonymous attestation schemes, and prove their security.
We finally discuss how to obtain other schemes addressing different use
cases such as key-binding for U-Prove and e-cash.

### from the introduction:
[...]
Some of the changes to the TPM 2.0 interfaces we propose have already
been adopted by the TCG and will appear in the forthcoming revision of
the TPM 2.0 specifications. The remaining changes are currently under
review by the TPM working group. Furthermore, the authors are in
discussion with the other bodies standardizing DAA protocols to adopt
our changes and schemes, in particular ISO w.r.t. to ISO/IEC 20008-2,
Intel for EPID, and with the FIDO alliance for their specification of
anonymous attestation [CDE+], so that all of these standards will define
provably secure protocols that are compatible with each other
[...]
[CDE+], Jan Camenisch, Manu Drijvers, Alec Edgington, Anja Lehmann,
Rolf Lindemann, and Rainer Urian.
FIDO ECDAA algorithm, implementation draft.
https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html

Received on Monday, 31 July 2017 15:49:59 UTC