David Van Arnem
2016-04-25 23:47:24 UTC
Hi all,

I've been trying to recalculate some HMACs for authenticated commands
using bytes-on-the-wire printed by TrouSerS debug mode during a
tpm_sealdata command from tpm-tools. I've been having trouble getting
the correct values out of my HMAC calculations, and I'm hoping I can get
some clarification on the construction of the HMAC equation.

According to page 21 of the TPM 1.2 Spec, Part 1 - Design Principles,
HMAC calculation for use with a TPM 1.2 should follow RFC 2104, where

    HMAC = H(K XOR opad, H(K XOR ipad, text))

where

    H - SHA1
    K - key or AuthData
    ipad - B bytes of 0x36, where B is the block length, 64
    opad - B bytes of 0x5C

On page 75 of the same spec, an example using a TPM_OSAP authenticated
session is given. In the table, it states that

    sharedSecret = HMAC(key.usageAuth, nonceEvenOSAP, nonceOddOSAP)

Does this mean that, using the RFC 2104 calculation method,

    K = key.usageAuth and
    text = nonceEvenOSAP || nonceOddOSAP (concatenated)

which would create the final HMAC equation of:

    sharedSecret = SHA1(key.usageAuth XOR opad,
        SHA1(key.usageAuth XOR ipad, nonceEvenOSAP || nonceOddOSAP))

Is that correct?

And also:

[key.usageAuth XOR opad] would be 64 bytes (XOR'd opad length)?
[key.usageAuth XOR ipad, nonceEvenOSAP || nonceOddOSAP] would be 104
bytes (64 bytes for XOR'd ipad, 20 bytes for nonceEvenOSAP, 20 bytes for
nonceOddOSAP)?

Thanks in advance for any insights on this.

Thanks,
David
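
Added example, not part of the original post: the RFC 2104 construction quoted above, built step by step in Python and cross-checked against the standard library's `hmac` module, so the key padding and the length of each hash input can be inspected. It assumes the reading asked about in the message (K = key.usageAuth, text = nonceEvenOSAP || nonceOddOSAP); the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # B: SHA-1 block length in bytes


def rfc2104_hmac_sha1(key: bytes, text: bytes):
    """HMAC-SHA1 built step by step; returns (mac, inner_input, outer_input)."""
    if len(key) > BLOCK:                # RFC 2104: hash keys longer than B
        key = hashlib.sha1(key).digest()
    k0 = key.ljust(BLOCK, b"\x00")      # zero-pad K to B bytes before the XOR
    inner_input = bytes(b ^ 0x36 for b in k0) + text    # (K XOR ipad) || text
    inner = hashlib.sha1(inner_input).digest()
    outer_input = bytes(b ^ 0x5C for b in k0) + inner   # (K XOR opad) || inner hash
    return hashlib.sha1(outer_input).digest(), inner_input, outer_input


def osap_shared_secret(usage_auth: bytes, nonce_even_osap: bytes,
                       nonce_odd_osap: bytes) -> bytes:
    """Assumed reading: K = key.usageAuth, text = nonceEvenOSAP || nonceOddOSAP."""
    return rfc2104_hmac_sha1(usage_auth, nonce_even_osap + nonce_odd_osap)[0]


# Constructed sample values (not captured from a TPM or from TrouSerS output).
USAGE_AUTH = hashlib.sha1(b"constructed-example-secret").digest()  # 20 bytes
NONCE_EVEN_OSAP = bytes(range(0, 20))
NONCE_ODD_OSAP = bytes(range(20, 40))

if __name__ == "__main__":
    text = NONCE_EVEN_OSAP + NONCE_ODD_OSAP
    mac, inner_input, outer_input = rfc2104_hmac_sha1(USAGE_AUTH, text)
    print("inner hash input:", len(inner_input), "bytes")  # 64 + 20 + 20
    print("outer hash input:", len(outer_input), "bytes")  # 64 + 20 (inner digest)
    print("sharedSecret:", mac.hex())
    # Cross-check against the standard library's HMAC implementation.
    reference = hmac.new(USAGE_AUTH, text, hashlib.sha1).digest()
    print("matches hmac module:", hmac.compare_digest(mac, reference))
```

When recomputing a value from a debug trace, a mismatch with the step-by-step result but agreement between the two implementations here points at the inputs (key bytes, nonce order, byte extraction) rather than at the HMAC construction.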