How can I keep signing data with the TPM without getting a Lockout response?

Posted: 2019-06-04 18:02:49

Tags: c# tpm

I am running some tests against the Microsoft TPM simulator using TSS.net. I can successfully create a signing key, but I can only sign with that key twice. On the third attempt to sign, I get a Lockout response.

How can I keep signing data with this key without getting the Lockout response?

Repro steps

After starting the simulator, I run this method once:

using System;
using Tpm2Lib;

public void ReproStep1()
{
    Tpm2Device tpmDevice = new TcpTpmDevice("127.0.0.1", 2321);

    tpmDevice.Connect();

    var tpm = new Tpm2(tpmDevice);

    tpmDevice.PowerCycle();
    tpm.Startup(Su.Clear);

    var ownerAuth = new AuthValue();

    var keyTemplate = new TpmPublic(TpmAlgId.Sha1, // Name algorithm
        ObjectAttr.UserWithAuth | ObjectAttr.Sign | // Signing key
        ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-migratable
        ObjectAttr.SensitiveDataOrigin,
        null, // No policy
        new RsaParms(new SymDefObject(),
            new SchemeRsassa(TpmAlgId.Sha256), 2048, 0),
        new Tpm2bPublicKeyRsa());

    var keyAuth = new byte[] {1, 2, 3};

    TpmPublic keyPublic;
    CreationData creationData;
    TkCreation creationTicket;
    byte[] creationHash;

    TpmHandle keyHandle = tpm[ownerAuth].CreatePrimary(
        TpmRh.Owner, // In the owner-hierarchy
        new SensitiveCreate(keyAuth, null), // With this auth-value
        keyTemplate, // Describes key
        null, // Extra data for creation ticket
        new PcrSelection[0], // Non-PCR-bound
        out keyPublic, // PubKey and attributes
        out creationData, out creationHash, out creationTicket); // Not used here

    Console.WriteLine("New public key\n" + keyPublic.ToString());

    TpmHandle persistentHandle = TpmHandle.Persistent(0x5000);

    //Get rid of the stored key (if there is one)
    tpm._AllowErrors().EvictControl(TpmRh.Owner, persistentHandle, persistentHandle);

    //Store the key in NV memory
    tpm.EvictControl(TpmRh.Owner, keyHandle, persistentHandle);
}

I can only run the following method twice before I get a Lockout response from the TPM simulator:

using System;
using System.Text;
using Tpm2Lib;

public void ReproStep2()
{
    Tpm2Device tpmDevice = new TcpTpmDevice("127.0.0.1", 2321);

    tpmDevice.Connect();

    var tpm = new Tpm2(tpmDevice);

    var keyAuth = new byte[] {1, 2, 3};

    tpmDevice.PowerCycle();
    tpm.Startup(Su.Clear); //Is this appropriate?

    byte[] message = Encoding.Unicode.GetBytes("ABC");
    TpmHash digestToSign = TpmHash.FromData(TpmAlgId.Sha256, message);

    var persistentHandle = TpmHandle.Persistent(0x5000);

    var signature = tpm[keyAuth].Sign(persistentHandle, // Handle of signing key
        digestToSign, // Data to sign
        null, // Use key's scheme
        TpmHashCheck.Null()) as SignatureRsassa;

    Console.WriteLine("Signature: " + BitConverter.ToString(signature.sig));

    tpm.Dispose();
}

1 answer:

Answer 0: (score: 0)

Ah. It turns out that not shutting the TPM down completely has an effect on the dictionary-attack prevention mechanism. By adding this code at the end of step 2, I can call tpm.Sign(...) as many times as I like:

tpm.Shutdown(Su.Clear);
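As an added illustration (not the asker's code, and not part of TSS.net itself), the helper below wraps one signing session in an orderly Startup/Shutdown pair and reads the TPM's dictionary-attack (DA) counters through TPM2_GetCapability, so a test harness can see how close the TPM is to lockout before each run instead of discovering it from a Lockout response. The class and method names are mine; the Pt.* property names and the TaggedTpmPropertyArray type are assumed from TSS.net's GetCapability sample, and the host, port, key auth and persistent index match the question.

```csharp
using System;
using System.Text;
using Tpm2Lib;

static class LockoutAwareSigner
{
    // Reads one TPM_PT_* property via TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES).
    // Assumption: TSS.net exposes the result as TaggedTpmPropertyArray.tpmProperty[].value.
    static uint ReadProperty(Tpm2 tpm, Pt property)
    {
        ICapabilitiesUnion caps;
        tpm.GetCapability(Cap.TpmProperties, (uint)property, 1, out caps);
        var props = (TaggedTpmPropertyArray)caps;
        return props.tpmProperty[0].value;
    }

    // Reports the DA state: failed-auth count so far versus the configured limit,
    // and the recovery interval. Defaults differ between TPMs, so read them rather
    // than assuming them.
    public static void ReportLockoutState(Tpm2 tpm)
    {
        uint failedTries = ReadProperty(tpm, Pt.LockoutCounter);
        uint maxTries    = ReadProperty(tpm, Pt.MaxAuthFail);
        uint recoverySec = ReadProperty(tpm, Pt.LockoutInterval);
        Console.WriteLine($"DA state: failedTries={failedTries}/{maxTries}, recovery={recoverySec}s");
    }

    // One signing session. The TPM counts a power loss without a preceding
    // TPM2_Shutdown as an unorderly shutdown and treats it like a failed
    // authorization, which is what drove the question's counter to the limit.
    public static byte[] SignOnce(string host, int port, byte[] keyAuth, uint persistentIndex, string text)
    {
        var device = new TcpTpmDevice(host, port);
        device.Connect();
        using (var tpm = new Tpm2(device))
        {
            device.PowerCycle();
            tpm.Startup(Su.Clear);
            ReportLockoutState(tpm);

            TpmHash digest = TpmHash.FromData(TpmAlgId.Sha256, Encoding.Unicode.GetBytes(text));
            TpmHandle keyHandle = TpmHandle.Persistent(persistentIndex);
            var sig = tpm[keyAuth].Sign(keyHandle, digest, null, TpmHashCheck.Null()) as SignatureRsassa;
            if (sig == null) throw new InvalidOperationException("Key did not produce an RSASSA signature");

            tpm.Shutdown(Su.Clear); // orderly shutdown: the next Startup does not bump failedTries
            return sig.sig;
        }
    }
}
```

Calling `LockoutAwareSigner.SignOnce("127.0.0.1", 2321, new byte[] {1, 2, 3}, 0x5000, "ABC")` repeatedly prints the DA counter each time, so a rising failedTries on a path that never sent a wrong auth value points at a missing Shutdown rather than at the key.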