openssl-1.1.0b : Getting keys from TPM


openssl-1.1.0b : Getting keys from TPM

Zvi Vered
Hello,

I want to use openssl in order to send\receive encrypted messages to a
server.

My target has a TPM.

Can you please explain how to configure the openssl library to take
public+private keys from the TPM?

Should I use a specific TPM library?

Thank you,
Z.V

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl-1.1.0b : Getting keys from TPM

Ken Goldman-2
A few comments:

1 - Does "take ... keys" mean read them out of the TPM?

2 - Getting a public key from the TPM is easy.  Getting the private key
is harder.  In addition, some keys can be created so that the private
part never leaves the TPM.

3 - You have to specify whether this is TPM 1.2 or TPM 2.0.  Then I may
be able to point you to sample code.

On 11/2/2016 11:06 PM, Zvi Vered wrote:

>
> I want to use openssl in order to send\receive encrypted messages to a
> server.
>
> My target has a TPM.
>
> Can you please explain how to configure the openssl library to take
> public+private keys from the TPM?
>
> Should I use a specific TPM library?
>



Re: openssl-1.1.0b : Getting keys from TPM

Zvi Vered
Hi Ken,

1. I mean: read from the TPM

2. In order to create an SSL session with the server, do I also need the private key?

3. I want to use TPM 2.0

Thank you for your help,
Z.V

On Thu, Nov 3, 2016 at 5:21 PM, Ken Goldman <[hidden email]> wrote:
A few comments:

1 - Does "take ... keys" mean read them out of the TPM?

2 - Getting a public key from the TPM is easy.  Getting the private key is harder.  In addition, some keys can be created so that the private part never leaves the TPM.

3 - You have to specify whether this is TPM 1.2 or TPM 2.0.  Then I may be able to point you to sample code.


On 11/2/2016 11:06 PM, Zvi Vered wrote:

I want to use openssl in order to send\receive encrypted messages to a
server.

My target has a TPM.

Can you please explain how to configure the openssl library to take
public+private keys from the TPM?

Should I use a specific TPM library?




Re: openssl-1.1.0b : Getting keys from TPM

Ken Goldman-2
To read a public key, use the TPM2_ReadPublic command.  I have an open
source utility (tpm2pem) that converts that TPM format key to PEM.

If you need the private key, you will have to "duplicate" it to a key
you know and then use that key to decrypt it.  It's possible.  However,
it defeats the purpose of using the TPM as a hardware key store.  It
would be better to use the TPM to do the private key operations.

For a TSS, I offer this, which has an ever-expanding set of utilities
and sample programs.  Let me know what you need for sample code.

https://sourceforge.net/projects/ibmtpm20tss/?source=navbar

I also suggest debugging with a SW TPM.

https://sourceforge.net/projects/ibmswtpm2/

The tpm2pem utility currently comes with the attestation client and server:

https://sourceforge.net/projects/ibmtpm20acs/

On 11/3/2016 12:02 PM, Zvi Vered wrote:

> Hi Ken,
>
> 1. I mean: read from the TPM
>
> 2. In order to create an SSL session with the server, do I also need
> the private key?
>
> 3. I want to use TPM 2.0
>
>
>     On 11/2/2016 11:06 PM, Zvi Vered wrote:
>
>
>         I want to use openssl in order to send\receive encrypted
>         messages to a
>         server.
>
>         My target has a TPM.
>
>         Can you please explain how to configure the openssl library to take
>         public+private keys from the TPM?
>
>         Should I use a specific TPM library?


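Ken's last reply describes the public-key path: read the key with TPM2_ReadPublic and convert the TPM-format structure to PEM (what his tpm2pem utility does). The following is an added example for this thread, not Ken's tpm2pem, not the IBM TSS, and not code from the OpenSSL project: a pure-Python parser for the TPM2B_PUBLIC structure that TPM2_ReadPublic returns for an RSA key, plus a minimal DER/PEM encoder producing the SubjectPublicKeyInfo form OpenSSL reads. It also decodes the objectAttributes bits, which is how you verify Ken's earlier point that a key was created so its private part never leaves the TPM (fixedTPM and sensitiveDataOrigin both set). Field order follows the TPM 2.0 Library Specification Part 2 (TPMT_PUBLIC, TPMS_RSA_PARMS). Nothing here talks to a TPM: build_tpm2b_public_rsa is a hypothetical helper that marshals a sample blob with a constructed, non-real modulus so the parser can be exercised offline.

```python
"""Convert a TPM 2.0 TPM2B_PUBLIC (what TPM2_ReadPublic returns) for an RSA key
into the SubjectPublicKeyInfo PEM that OpenSSL loads. Added example for this
thread, not Ken Goldman's tpm2pem or the IBM TSS; layout per TPM 2.0 Part 2."""
import base64
import struct

# Algorithm IDs and TPMA_OBJECT bits from TPM 2.0 Library Spec Part 2
TPM_ALG_RSA, TPM_ALG_AES, TPM_ALG_NULL = 0x0001, 0x0006, 0x0010
TPM_ALG_SHA256, TPM_ALG_RSASSA, TPM_ALG_CFB = 0x000B, 0x0014, 0x0043
TPMA_FIXEDTPM, TPMA_SENSITIVEDATAORIGIN = 1 << 1, 1 << 5
TPMA_DECRYPT, TPMA_SIGN_ENCRYPT = 1 << 17, 1 << 18

class _Reader:                            # big-endian cursor over a marshalled TPM structure
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, fmt):                  # fixed-size fields, e.g. "HHI"
        vals = struct.unpack_from(">" + fmt, self.buf, self.off)
        self.off += struct.calcsize(">" + fmt)
        return vals[0] if len(vals) == 1 else vals

    def tpm2b(self):                      # UINT16 size + that many bytes
        n = self.take("H")
        if self.off + n > len(self.buf):
            raise ValueError("truncated TPM2B")
        self.off += n
        return self.buf[self.off - n:self.off]

def parse_tpm2b_public_rsa(blob):
    """Return the public fields of an RSA TPMT_PUBLIC; reject anything else."""
    r = _Reader(blob)
    if r.take("H") != len(blob) - 2:
        raise ValueError("TPM2B_PUBLIC size field disagrees with buffer length")
    key_type, name_alg, attrs = r.take("HHI")
    if key_type != TPM_ALG_RSA:
        raise ValueError("only TPM_ALG_RSA handled, got 0x%04x" % key_type)
    auth_policy = r.tpm2b()
    # TPMS_RSA_PARMS: symmetric and scheme are unions whose size depends on
    # the selector, so each selector is read before its body is skipped.
    if r.take("H") != TPM_ALG_NULL:       # symmetric: keyBits + mode follow
        r.take("HH")
    if r.take("H") != TPM_ALG_NULL:       # scheme: hashAlg follows
        r.take("H")
    key_bits, exponent = r.take("HI")
    modulus = r.tpm2b()                   # TPM2B_PUBLIC_KEY_RSA
    if r.off != len(blob):
        raise ValueError("trailing bytes after TPMT_PUBLIC")
    if len(modulus) * 8 != key_bits:
        raise ValueError("modulus length disagrees with keyBits")
    return {
        "name_alg": name_alg, "auth_policy": auth_policy, "key_bits": key_bits,
        "exponent": exponent or 65537,    # 0 means the default 2^16 + 1
        "modulus": int.from_bytes(modulus, "big"),
        # fixedTPM + sensitiveDataOrigin: private part was generated in, and cannot leave, this TPM
        "fixed_tpm": bool(attrs & TPMA_FIXEDTPM),
        "tpm_generated": bool(attrs & TPMA_SENSITIVEDATAORIGIN),
        "sign": bool(attrs & TPMA_SIGN_ENCRYPT),
        "decrypt": bool(attrs & TPMA_DECRYPT),
    }

def _der(tag, body):                      # minimal DER TLV encoder
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):                          # INTEGER, zero-padded if top bit set
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def rsa_public_to_der(modulus, exponent):
    """SubjectPublicKeyInfo (RFC 5280) wrapping a PKCS#1 RSAPublicKey."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption OID + NULL
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))

def rsa_public_to_pem(modulus, exponent):
    b64 = base64.b64encode(rsa_public_to_der(modulus, exponent)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body

def build_tpm2b_public_rsa(modulus_bytes, exponent=0, storage_key=False):
    """Hypothetical helper: marshal a TPM2B_PUBLIC the way a TPM would, so the parser
    runs offline. Storage keys: AES-128-CFB symmetric, NULL scheme; signing keys: the reverse."""
    attrs = TPMA_FIXEDTPM | TPMA_SENSITIVEDATAORIGIN
    attrs |= TPMA_DECRYPT if storage_key else TPMA_SIGN_ENCRYPT
    body = struct.pack(">HHIH", TPM_ALG_RSA, TPM_ALG_SHA256, attrs, 0)  # trailing 0: empty authPolicy
    body += (struct.pack(">HHHH", TPM_ALG_AES, 128, TPM_ALG_CFB, TPM_ALG_NULL) if storage_key
             else struct.pack(">HHH", TPM_ALG_NULL, TPM_ALG_RSASSA, TPM_ALG_SHA256))
    body += struct.pack(">HIH", len(modulus_bytes) * 8, exponent, len(modulus_bytes))
    return struct.pack(">H", len(body) + len(modulus_bytes)) + body + modulus_bytes

if __name__ == "__main__":
    fake_mod = b"\xc7" + bytes(range(1, 256))   # constructed 2048-bit "modulus", not a real key
    info = parse_tpm2b_public_rsa(build_tpm2b_public_rsa(fake_mod))
    print(info["key_bits"], info["exponent"], info["fixed_tpm"], info["sign"])
    print(rsa_public_to_pem(info["modulus"], info["exponent"]))
```

The resulting PEM can be handed to `openssl rsa -pubin -in key.pem -text -noout` to confirm that the modulus and exponent match what the TPM reported. This only ever yields the public half, which is consistent with Ken's advice: the private key stays in the TPM and the TPM performs the private-key operations; the attribute bits the parser exposes are what you check to confirm that a given key was created that way.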