tpm2-tools
May I know how to encrypt using the key generated by tpm2_ecdhzgen
This is my process of ECDH key exchange, which generates a symmetric key (secret1.dat or secret2.dat)?
TPMA
tpm2_createprimary -C o -c primaryA.ctx
tpm2_create -C primaryA.ctx -c keyA.ctx -u ecdhA.pub -G ecc256:ecdh -r ecdhA.pri
tpm2_ecdhzgen -k ecdhB.pub -o secret1.dat -c keyA.ctx
TPMB
tpm2_createprimary -C o -c primaryB.ctx
tpm2_create -C primaryB.ctx -c keyB.ctx -u ecdhB.pub -G ecc256:ecdh -r ecdhB.pri
tpm2_ecdhzgen -k ecdhA.pub -o secret2.dat -c keyB.ctx
How should I use secret1.dat or secret2.dat to encrypt? tpm2_encryptdecrypt and tpm2_load seem useless.
Please check "Generate shared secret using ECDH keys": https://github.com/tpm2-software/tpm2-tools/issues/3202
Thank you! Now I have learned how to create the shared secret. My problem is how to load it into the TPM to encrypt something, or how to use it to generate the key used by the TPM.
Maybe I should use tpm2_ecephemeral, then put it in a KDF to generate a PEM key, and import the PEM?
If your TPM does not support TPM2_EncryptDecrypt you will get error 0x143 from tpm2_encryptdecrypt and you can use e.g. openssl for this purpose. If your TPM supports TPM2_EncryptDecrypt you can encrypt/decrypt data with a symmetric key as in the following example:
tpm2_createprimary -C o -c primary.ctx
echo secret > secret.dat
cat /dev/urandom | head -c 16 > symkey.bin
tpm2_import -C primary.ctx -r symkey.priv -u symkey.pub -Gaes128 -i symkey.bin
tpm2_load -C primary.ctx -u symkey.pub -r symkey.priv -c symkey.ctx
tpm2_encryptdecrypt -c symkey.ctx -o secret.enc secret.dat
tpm2_encryptdecrypt -d -c symkey.ctx -o secret.dec secret.enc
cat secret.dec
Thanks for your answer. I think what you mean is to tpm2_import the shared secret as a symmetric key. tpm2_import(1) - Imports an external generated key as TPM managed key object. It requires that the parent key object be a RSA key. Does it mean that the algorithm of the primary key in your instance must be RSA?
I think what you mean is to tpm2_import the shared secret as a symmetric key.
Yes, you could use your shared secret instead of symkey.bin.
Does it mean that the algorithm of the primary key in your instance must be RSA?
No, you can also use ECC keys (-G ecc).
Thanks a lot. I know how to use the shared secret.
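Added example, not part of the original thread and not tpm2-tools code: the symkey.bin imported with -Gaes128 above is 16 bytes, so one way to turn secret1.dat or secret2.dat into such a file is to take the x coordinate of the Z point and run it through HKDF-SHA256. Assumptions: the file written by tpm2_ecdhzgen is a marshalled TPM2B_ECC_POINT, and the function names, the info label and the choice of HKDF are illustrative.

```python
import hashlib
import hmac
import struct
import sys


def parse_z_point(blob):
    """Return (x, y) from a marshalled TPM2B_ECC_POINT (assumed file layout)."""
    # Layout, sizes as big-endian uint16: size | x_size | x | y_size | y
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("outer size does not match the data length")
    coords, off = [], 2
    for _ in range(2):
        if off + 2 > len(blob):
            raise ValueError("truncated coordinate size")
        n = struct.unpack_from(">H", blob, off)[0]
        off += 2 + n
        if off > len(blob):
            raise ValueError("truncated coordinate")
        coords.append(blob[off - n:off])
    if off != len(blob):
        raise ValueError("trailing bytes after the point")
    return coords[0], coords[1]


def hkdf_sha256(ikm, info, length, salt=b""):
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def aes128_key_from_z(blob, info=b"example-aes128"):
    """Derive a 16-byte key from the x coordinate of Z (info label is hypothetical)."""
    x, _y = parse_z_point(blob)
    # Left-pad to the P-256 field size so both peers hash identical bytes.
    return hkdf_sha256(x.rjust(32, b"\x00"), info, 16)


if __name__ == "__main__":
    # Usage: python3 derive_key.py secret1.dat symkey.bin
    with open(sys.argv[1], "rb") as f:
        key = aes128_key_from_z(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(key)
```

Run it on each side (derive_key.py is a hypothetical file name), then pass the resulting symkey.bin to tpm2_import as in the reply above; both sides must use the same info label to arrive at the same key.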