Sealing Data using TPM In Windows [closed]

Asked 10/6, 2014 at 16:7 Answered 18/6, 2014 at 21:17

I'd like to perform a TPM Seal operation in windows. I'm familiar with C++ programming but have no idea what libraries I'd even use.

I'm currently stuck with the following two questions:

Can I perform this action using e.g. WMI and a powershell script? This http://msdn.microsoft.com/en-us/library/windows/desktop/aa446799(v=vs.85).aspx indicates that I can use TBS To Submit a Command, but I don't have the faintest how I would set up the parameters in e.g. WMI.

Can I use the tbs.h/tbs.lib from the Windows 7 SDK to perform a TPM_Seal operation?

Is there a TSS API Like http://trousers.sourceforge.net/ where I can call this from some C++ Code?

The method through which I do this is not a big deal, but I am using TPM 1.2 on windows, and all of my clients are windows.

Armure answered 10/6, 2014 at 16:7 Comment(3)

This msdn.microsoft.com/en-us/library/windows/desktop/… looks like what I would call, but I have no idea what my "command buffer" would look like. – Armure 11/6, 2014 at 22:8

Wow, your question is completely different now.... – Hardin 13/6, 2014 at 10:19

I was really a bit lost when I initially asked. I vaguely knew what I must do, but had little implementation details. You've been helpful. I was able to do some basic TBS commands last week and feel like im a LOT closer to the goal now. – Armure 16/6, 2014 at 13:0

Update 2023-05: This answer covers TPM 1.2 and might be outdated

You can use TPM Base Sevices for sending commands to the TPM. So you need to assemble the commands yourself.

The TPM commands, structures and flows are defined in 3 documents:

First you need to figure out which command you want to send. Then you have to lookup the command's reference in Part 3 and assembled the needed structures as described in Part 2.

The TPM_seal command for example is defined in section 10.1 on page 72 of Part 3. Line 1331 shows you how the command has to look like. After issuing the command you can evaluate the returned structure according to line 1332. (All numbers apply to revision 116.)

This can be really tricky. However, you can have a look at other implementations. If you just need a few commands it's not that hard, especially when you can be sure that some cornercases don't happen.

I would suggest you start looking at IBM's software TPM. This project also provides libtpm and some utilities. This is one of the lighter implementations I know.

You can also try whether TrouSerS for Windows is stable enough to fit your needs. There you would have a highlevel TSS API.

If Java is an option, have a look at jTSS. It supports Windows.

Hardin answered 11/6, 2014 at 9:59 Comment(4)

Hi. I loaded a Windows 8 box and was browsing the list of commands for TPM Base Services. I do indeed only need to protect a symmetric key. I can see that I can do this, and I really don't even need to use C#. If I can accomplish this in powershell,etc, that is really all I need. I'm going to reword my question to cut out the fat and try to get to the core of the issue – Armure 11/6, 2014 at 16:37

Thanks for the heads up on the software TPM. My main development machine does not in fact have a TPM so I've been using an aux box. – Armure 16/6, 2014 at 13:8

Links are dead. – Schmaltzy 11/5, 2023 at 22:47

@AndrewHenle links updated – Hardin 14/5, 2023 at 11:10

I was able to do this without much issue with JTSS. There is an example @ https://security.stackexchange.com/questions/60841/encrypting-a-symmetric-key-or-small-file-using-tpm-and-windows-tbs

Armure answered 18/6, 2014 at 21:17 Comment(0)

Recommended topics

Hot tags