
Machine authentication

Trusted Platform Modules: Why, when and how to use them


Authentication, in this context, refers to the verification of identity data in the form of a cryptographic key. Machine authentication is thus all about identifying a machine via its keys. This is particularly effective in a TPM context because the cryptographic keys are usable inside the TPM itself, and the TPM is attached to the motherboard; in some cases, the TPM is even a subset of the CPU. This means that if you can prove that a set of keys belonging to a given TPM was used, the machine that TPM is attached to must have been involved. Machine authentication is therefore a property we effectively get for free with many TPM applications. Any use case where a remote party is verifying a TPM key can be used for machine authentication.

Chapter Contents:

  • 7.1 What is machine authentication?
  • 7.1.1 Signing versus encryption
  • 7.1.2 The limits of TPM-based machine authentication
  • 7.1.3 What about user authentication?
  • 7.2 Signing-based machine authentication
  • 7.2.1 How it works
  • 7.2.1.1 HMACs versus signatures
  • 7.2.2 When to use it
  • 7.2.3 The TPM and signing-based authentication
  • 7.2.3.1 1.2 Techniques
  • 7.2.3.2 2.0 Techniques
  • 7.2.4 Nonces: why they matter and how to use them
  • 7.2.5 Mitigating man-in-the-middle attacks
  • 7.3 Encryption-based machine authentication
  • 7.3.1 How it works
  • 7.3.2 When to use it
  • 7.4 User identification versus machine authentication
  • 7.5 Machine authentication user stories
  • 7.6 1.2 TSS machine authentication code examples
  • 7.6.1 Setting a signature scheme
  • 7.6.2 Signing and verifying hashed data
  • 7.6.3 Encryption and decryption
  • 7.7 TSS 2.0 machine authentication code examples
  • 7.7.1 Signing
  • 7.7.2 Verifying signatures
  • 7.7.3 Encryption and decryption

Inspec keywords: authorisation; cryptography

Other keywords: identity data verification; machine authentication; TPM key verification; cryptographic key; TPM application

Subjects: Data security; Cryptography
