[ssh_x509] ssh_x509 Digest, Vol 64, Issue 1

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Jul 18 00:19:43 EEST 2019


Thanks for you reply, Roumen.

I think we're takling about two different things here. The keys I'm referring to are actually RSA keys that are encrypted by a TPM (Trusted Platform Module). The TPM is a hardware component that contains a root encryption key that encrypts other keys that are generated.

So, the use case I'm thinking of is a user has a TPM generated RSA private key and a certificate chain. To present it to the server from the SSH client, it will need to load the encrypted TPM key using the OpenSSL TPM Engine, which calls the TrouSerS stack to load the key into the TPM so that it can be used for the challenge.

The TrouSerS format for the TPM keys is a PEM-like format, so it may already work with pkix-ssh. The important part that would need to be added is OpenSSL TPM Engine support. The SSH Client would have to load the TPM engine, load the key (by a given filepath), and then internally use the key pointer returned by the Engine or authentication. The rest would be the RFC 6187 certificate auth provided by the pkix-ssh patch.

What do you think about this use case? My reason for writing is because I may start adding support for this soon and wanted to make sure it's not something you think impossible.

Here is an example OpenSSL TPM Engine: https://github.com/ThomasHabets/openssl-tpm-engine
Here is TrouSerS documentation: http://trousers.sourceforge.net/faq.html

Thanks,
Jon

________________________________
From: ssh_x509 <ssh_x509-bounces at roumenpetrov.info> on behalf of ssh_x509-request at roumenpetrov.info <ssh_x509-request at roumenpetrov.info>
Sent: Tuesday, July 16, 2019 2:00 AM
To: ssh_x509 at roumenpetrov.info
Subject: ssh_x509 Digest, Vol 64, Issue 1

Send ssh_x509 mailing list submissions to
        ssh_x509 at roumenpetrov.info

To subscribe or unsubscribe via the World Wide Web, visit
        http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
or, via email, send a message with subject or body 'help' to
        ssh_x509-request at roumenpetrov.info

You can reach the person managing the list at
        ssh_x509-owner at roumenpetrov.info

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ssh_x509 digest..."


Today's Topics:

   1. SSH With TPM Keys (ssh_x509 at roumenpetrov.info)
   2. Re: SSH With TPM Keys (ssh_x509 at roumenpetrov.info)


----------------------------------------------------------------------

Message: 1
Date: Mon, 15 Jul 2019 16:35:17 +0000
From: ssh_x509 at roumenpetrov.info
To: "ssh_x509 at roumenpetrov.info" <ssh_x509 at roumenpetrov.info>
Subject: [ssh_x509] SSH With TPM Keys
Message-ID:
        <mailman.0.1563208522.2203.ssh_x509_roumenpetrov.info at roumenpetrov.info>

Content-Type: text/plain; charset="iso-8859-1"

Hi Roumen,

Have you ever considered adding support for TPM protected keys to this implementation?

Specifically, I am considering enhancing the implementation to support TPM keys using TrouSerS and an OpenSSL TPM Engine, but I first wanted to see if this is something that you've thought about in the context of your work. I know this has been done using a pkcs11 provider, but I'm most interested in utilizing the OpenSSL TPM Engine.

I think it could be a useful addition since I've seen a fair amount of users with certificates backed by TPM keys. Let me know your thoughts.

Thanks for your time,
Jon


------------------------------

Message: 2
Date: Mon, 15 Jul 2019 21:57:00 +0300
From: ssh_x509 at roumenpetrov.info
To: ssh_x509 at roumenpetrov.info
Subject: Re: [ssh_x509] SSH With TPM Keys
Message-ID:
        <mailman.1.1563217020.2203.ssh_x509_roumenpetrov.info at roumenpetrov.info>

Content-Type: text/plain; charset=UTF-8; format=flowed

Hi Jon,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
>
> Have you ever considered adding support for TPM protected keys to this implementation?
I don't know enough for TPM keys.

> Specifically, I am considering enhancing the implementation to support TPM keys using TrouSerS and an OpenSSL TPM Engine, but I first wanted to see if this is something that you've thought about in the context of your work. I know this has been done using a pkcs11 provider, but I'm most interested in utilizing the OpenSSL TPM Engine.
It look like new key type.
Currently pkcs#11 supports only X.509 certificates for RSA and EC key
types and as of today "plain"(public key) for RSA and EC types. With
engine could be used DSA in addition.

If TPM is new key type it has to be defined in protocol.
Perhaps we could start with a protocol draft? and in the same time with
experimental implementation.


> I think it could be a useful addition since I've seen a fair amount of users with certificates backed by TPM keys. Let me know your thoughts.
>
> Thanks for your time,
> Jon
>

Roumen



------------------------------

Subject: Digest Footer

_______________________________________________
ssh_x509 mailing list
ssh_x509 at roumenpetrov.info
http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info


------------------------------

End of ssh_x509 Digest, Vol 64, Issue 1
***************************************


More information about the ssh_x509 mailing list