Understanding Key Certification in TPM
In this article, we explore the concept of key certification in the context of TPM (Trusted Platform Module). We clarify what it means to ‘certify a key’, explain the different hierarchies in TPM, and discuss the role of certification in ensuring the authenticity and integrity of keys.
What does it mean to ‘certify a key’ in this context?
First of all, (primary) keys do not need to be certified. The ‘seed’ is secret random data. The seed and a ‘template’ (some more data, usually the default template is used) will be thrown at a key derivation function. The output is the ‘primary key’, an asymmetric key (e.g. RSA or EC).
The primary key can only ‘wrap’ (i.e. encrypt) other keys. That is to protect their confidentiality. It cannot sign arbitrary data.
Not really. In general, a key is not certified. However, a key is always wrapped by its parent key. The only exceptions are primary keys, where there is no parent.
You can do ‘attestation’. That is, you can create certificates with specific guarantees. But you have to do that ‘manually’ after key creation. Note however, that not only you can do attestation for your TPM, but also your TPM manufacturer and your platform manufacturer.
Exploring Different Hierarchies in TPM
Hierarchies in TPM differ by when their seeds are created and by who certifies their primary keys. The ‘endorsement hierarchy’ is used for manufacturer guarantees. The manufacturer generates an ‘endorsement certificate’ for you which you can find in your TPM’s NV memory. This endorsement certificate certifies that your TPM is a genuine hardware TPM by that specific manufacturer.
The platform manufacturer can also attest to platform properties in a ‘platform certificate’, related to the ‘platform hierarchy’.
Lastly, there is the ‘owner hierarchy’ (previously ‘storage hierarchy’), where you can even set up your own off-TPM CA and certify your own keys, if needed.
Conclusion
Key certification plays a crucial role in ensuring the authenticity and integrity of keys in TPM. While keys themselves do not need to be certified, the concept of attestation allows for the creation of certificates with specific guarantees. Understanding the different hierarchies in TPM, such as the endorsement hierarchy, platform hierarchy, and owner hierarchy, helps in comprehending the various levels of certification and their significance in different contexts.