First steps: TPM keys


At the core of the TPM's functionality are its keys. All of the TPM's ability to provide authentication, attestation, and data protection services is built around its secure keys. Before you can use the TPM for the vast majority of applications, you'll need to know how to work with its keys. In this section, I'll discuss just what we mean by 'secure' in more detail, and why TPM keys are both tremendously powerful and sometimes tremendously inconvenient. I'll also discuss the various types of key, how to create them, and how to use them. (I'll go into much more detail about which keys to use when, in later chapters, as we discuss various use cases.) You may be thinking, 'In the provisioning chapter, I just created my root/primary keys; aren't those going to be enough?' The short answer for 1.2 TPMs is: only for a very limited set of applications, mostly having to do with local data storage, because the root keys are specialized in order to be maximally secure. For 2.0 TPMs, primary keys can be more flexible, but owing to the limitations of the TPM's internal space, if you're using the TPM for a variety of applications you'll almost certainly want non-primary keys as well. And regardless, you'll still need to know something about how to use TPM keys even if you only use the root or primary keys.

Chapter Contents:

  • 6.1 TPM keys
  • 6.1.1 Advantages and disadvantages of TPM keys
  • 6.2 The basic types of TPM keys
  • 6.2.1 TPM 1.2 key types
  • 6.2.2 TPM 2.0 key attributes
  • 6.3 Authorization options for TPM keys
  • 6.4 Creating TPM keys
  • 6.4.1 Parent keys
  • 6.4.2 Key creation commands
  • 6.4.2.1 TPM 1.2
  • 6.4.2.2 TPM 2.0: non-primary keys and objects
  • 6.4.2.3 Object templates
  • 6.4.2.4 Creation data
  • 6.5 Key creation user stories
  • 6.6 Migratable and duplicatable keys
  • 6.6.1 1.2 Normal migratable keys
  • 6.6.1.1 How basic key migration works
  • 6.6.1.2 Rewrapping migratable keys
  • 6.6.2 1.2 Certifiable Migration Keys
  • 6.6.3 2.0 Duplicatable keys
  • 6.6.4 When to use migratable or duplicatable keys
  • 6.7 Migratable key user stories
  • 6.8 Loading TPM keys
  • 6.8.1 Additional loading features in 2.0
  • 6.9 Handles, names, and authorization: using TPM keys in other commands
  • 6.9.1 Key handles and security
  • 6.9.2 Pre-defined handles
  • 6.10 Authorization sessions
  • 6.11 Certifying TPM keys
  • 6.11.1 TPM 1.2: certifying identity keys
  • 6.11.1.1 The AIK certification protocol
  • 6.11.2 Certifying other TPM keys (1.2 and 2.0)
  • 6.11.3 Retrieving public portions of TPM keys
  • 6.12 Using keys created outside the TPM
  • 6.13 The TPM's access control models
  • 6.13.1 Physical presence
  • 6.13.2 TPM 1.2: user authentication, PCRs, and localities
  • 6.13.3 TPM 2.0's Enhanced Authorization
  • 6.13.3.1 Enhanced Authorization use cases
  • 6.14 Key access control user stories
  • 6.15 TSS 1.2 key management code examples
  • 6.15.1 Background: using the SRK
  • 6.15.2 Key creation
  • 6.15.3 Creating identity keys
  • 6.15.4 Key loading
  • 6.15.5 Using public keys
  • 6.16 TSS 2.0 key management code examples
  • 6.16.1 Key creation
  • 6.16.2 Key loading
  • 6.16.3 Using public keys
  • 6.16.4 Enhanced Authorization policies

Inspec keywords: data protection; message authentication; trusted computing; cryptography

Other keywords: attestation; primary keys; trusted platform module; secure keys; TPM keys; data protection services; authentication; TPM functionality

Subjects: Cryptography; Data security
