Using the Windows 8 Platform Crypto Provider and Associated TPM Functionality
Functionality, Usage Models, and Reference Implementation

White Paper

Stefan Thom, Paul England, Jork Loeser, Rob Spiger, Ron Aigner, Jim Morgan

Version 1.0

© Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Microsoft, Active Directory, BitLocker, Windows, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries and regions.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Table of Contents

Introduction to Attestation and PCP-Kit
  Scope
  PCP-Kit and TPM Versions
  Key Concepts Used in This Paper
Acronyms and Abbreviations
TPM Provisioning and Management
  Pre-Windows 8 Architecture for TPM 1.2 Provisioning
  Auto-Provisioning
  Provisioning Through the UI
  TPM State in the OS
  Provisioning with WMI
  Provisioning Differences Between TPM Versions 1.2 and 2.0
  Windows 8 Certified Hardware Requirements
Platform Crypto Provider in Windows 8
  Certificate Enrollment with the Platform Crypto Provider
  Tracing Provider TPM Commands
  BCrypt RNG Platform Crypto Provider
  NCrypt RSA Platform Key Storage Provider
Executing Custom TPM Commands Through the TBS API
  TPM Resource Virtualization
  Command Filtering for 1.2 and 2.0
  TBS API
  Creating TPM 1.2 and 2.0 Contexts
  Deleting TPM 1.2 and 2.0 Contexts
  Obtaining the Windows Boot Configuration Log (WBCL)
  Invalidating the System Trust State
  Obtaining the TPM Version
  Submitting a Custom TPM Command
Windows Boot Configuration Log
  Windows Integrity Measurements
  Root of Trust Overview
  Platform Trust Considerations across Hibernation and Resume
  ELAM Driver Data Measurements
Automatic Key Certification for Platform-Bound Keys
  Format of the Key Attestation Data
Attestation API Reference Implementation
  Introduction
  Creating Attestation Identity Keys (AIKs) and Forming Remote Trust
  Obtaining and Parsing Platform Configuration and Measurements
  Platform Attestation and Validation
  Key Attestation and Validation
  Key Hostage
Overview of the PCP-Kit Package
  PCPTool
  Commands
  Scenario Scripts
  Certificate Enrollment Templates
  PFX Private Key and Certificate Import
Windows Attestation Scenarios
  Enterprise Asset Management with EK Certificates
  Retirement of User Names and Passwords for Web Authentication with Mutual SSL
  Remote Platform Attestation for Malware Detection
  Platform Health Certificates
  Certificate Enrollment with Key Origination Proof
  Secure Key Roaming

Introduction to Attestation and PCP-Kit

This paper describes how a software provider can use the Microsoft® Windows® operating system and the Trusted Platform Module (TPM) to provide more reliable reporting of the health or policy compliance of computer systems and strong attestation of key origin and key properties. It also describes core operating system (OS) features for creating and using TPM keys that are bound to the physical machine, and how provisioning and other actions are performed. Finally, this paper describes a package of sample code and utilities called the Platform Configuration Provider