COMP3217 Lab1 – Trusted Platform Module
Part-1: Cryptography Basics
1. Download dummy.txt, hash it using sha256 and extend the hash to PCR-10. What are the values of
the PCRs before and after? Explain the result of PCR-10 following extending the hash value.
2. Create a new EK and perform signing followed by verifying operations. How do you guarantee that
only an admin can use the EK?
3. Create a new SRK, specify the authorization “value = 9854” to prevent another user from using the
new generated SRK. Attempt to perform a bruteforce attack starting from 0000 to 9999. Are you
able to launch a successful attack? Explain the result you get from the TPM.
4. Create a new symmetric key (AES-128) with a policy of your choice. What is the advantage of using
a TPM to generate the key vs generating a symmetric key with OpenSSL?
Part-2 – Policy
In this part you are going to work with policy and use specific operations only when this policy is satisfied.
In Part-1 we have worked without taking ownership. To take ownership we need to execute the following:
The command we used above wont work anymore without the right authorization, this will guarantee that
no other user can generate primary keys. We will need to add “-P password” .
In this part you are going to work with Quote. tpm2_quote provide quote and signature for given list of
PCRs in given algorithm/banks. PCRs are used to store the identity and configuration of the platform and
tpm2_quote use a primary key from the endorsement hierarchy.
In this task we will help your bank in using the TPM to :
• Can we use the SRK to produce a quote? Why is the endorsement hierarchy used for quote?
• You want your bank to provide a quote of the PCRs before you start sharing private information.
Assume that the public key to verify a quote can be shared with you in a secure manner. Your
task is to provide the requirements of what needed to be included in the PCR before sending a
quote. Implement the sequence of operations using tpm2_pcrextend and assume that you know
all measurements that need to be extended in the PCR. You will need to list what data should be
• Describe the algorithm between you and your bank. How can you verify that your bank server has
the “right” identity/binaries/configurations?
Note: If we think the bank server is compromised and some kind of an attacker is sending the same
(old) quote all over again to you, in order to make you believe nothing is wrong with the server. Can you
provide an algorithm/method to prevent this kind of attack from happening again?
Your task is to move data securely from server A to server B using keys stored within the TPM. As learned
in class, TPMs provide identity of the device and can verify/attest of the software that is running on the
system. In this question, assume that Server A and Server B has exchanged the keys needed to allow
identifying each other. In this question you are asked to:
• Define the protocol between server A and Server B and use TPM commands to help you implement
secure communication. You will need to:
1. Define and implement the key migration of the symmetric key from server A to server B
2. Define and implement the key migration of the asymmetric key from server A to server B
3. Decrypt Symmetric key
4. Verify using the signatures needed from (1) and (2)