[ubuntu-hardened] gnome-keyring utilizing a tpm?

Peter Moody ubuntu at hda3.com
Wed Apr 13 19:45:15 UTC 2011

On Wed, Apr 13, 2011 at 11:53 AM, Kees Cook <kees at ubuntu.com> wrote:

> On Wed, Apr 13, 2011 at 11:23:51AM -0700, Peter Moody wrote:
> > I'm no tcg expert, but I think you're thinking of sealing secrets on the
> > tpm and I'm just looking to be able to bind data. I think the former would
> > require the full trusted boot while the latter does not.
> In this case, does it really have a benefit? Currently anything on the
> D-Bus session bus can ask for a given clear-text password from the keyring.
> Storing them in the TPM doesn't really make a difference in this case --
> anything can still read the contents by just asking gnome-keyring for it.

I think I got the binding/sealing backwards, but the point is that the tpm
never actually releases the private key material (so it doesn't actually
make sense for storing things like passwords).

My somewhat fuzzy understanding of the operation of a tpm is that when you
seal private keys or certificates "in" the tpm, they're stored on disk
(location depends on the pkcs11 library used, I think; on my system data is
stored in /var/lib/opencryptoki/tpm/${USER}/) encrypted with the tpm
endorsement key. When you later want to use one of the keys for
authentication (e.g. in a challenge-response auth scheme), you load the
encrypted key into the tpm along with the challenge provided by the server;
the tpm then decrypts the key, generates the response and hands that back to
you. The private key material is never in system RAM and can never actually
be retrieved, but it can be used to authenticate a user.

Anyway, this seemed like it could be beneficial security-wise for ssh keys
or 802.1x certificates (I know network manager supports accessing keys
stored in a tpm).  Those are definitely enterprise wins, though I admit that
they're of dubious personal use.


> --
> Kees Cook
> Ubuntu Security Team
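The flow Peter describes above (an encrypted key blob on disk, the chip unwrapping it internally and answering the server's challenge, the private material never leaving the chip), as an added toy model. This is not code from the thread, from opencryptoki, TrouSerS or gnome-keyring; it assumes a Python object standing in for the chip, 512-bit textbook RSA with no padding in place of a real TPM key, and an HMAC-based stream wrap under a chip-unique storage root key in place of the TPM's real wrapping. The constructed challenge string is also an assumption.

```python
"""Toy model of a TPM-wrapped signing key: wrapped blob on disk, chip unwraps
internally and signs the challenge, private exponent is never exported.
Assumptions (not the TPM spec): 512-bit textbook RSA without padding, an
HMAC-based stream wrap under a chip-unique root key, a Python object as chip."""
import hashlib
import hmac
import secrets

_rng = secrets.SystemRandom()
MOD_BYTES = 64       # 512-bit modulus from two 256-bit primes
NONCE_BYTES = 16


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin, enough for a toy key generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Stand-in for the chip; _srk and _loaded are chip-internal state."""

    def __init__(self):
        self._srk = secrets.token_bytes(32)   # storage root key, never exported
        self._loaded = {}                     # handle -> (n, d), inside the chip

    def _keystream(self, nonce, length):
        # HMAC(SRK, nonce || counter) as a stream cipher: toy wrap, not the spec's.
        blocks = [hmac.new(self._srk, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-length // 32))]
        return b"".join(blocks)[:length]

    def _tag(self, body):
        return hmac.new(self._srk, b"wrap" + body, hashlib.sha256).digest()

    def create_key(self):
        """Make an RSA key inside the chip; return (public key, wrapped blob).
        The blob is what a PKCS#11 provider would write to its key directory."""
        while True:
            p, q = _gen_prime(MOD_BYTES * 4), _gen_prime(MOD_BYTES * 4)
            n, phi, e = p * q, (p - 1) * (q - 1), 65537
            if p != q and phi % e:
                break
        d = pow(e, -1, phi)
        nonce = secrets.token_bytes(NONCE_BYTES)
        body = nonce + n.to_bytes(MOD_BYTES, "big") + _xor(
            d.to_bytes(MOD_BYTES, "big"), self._keystream(nonce, MOD_BYTES))
        return (n, e), body + self._tag(body)

    def load(self, blob):
        """Unwrap a blob into chip RAM and return an opaque handle.
        A blob wrapped by another chip, or modified on disk, is rejected."""
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(body)):
            raise ValueError("blob not wrapped by this chip, or tampered with")
        nonce = body[:NONCE_BYTES]
        n = int.from_bytes(body[NONCE_BYTES:NONCE_BYTES + MOD_BYTES], "big")
        d = int.from_bytes(_xor(body[NONCE_BYTES + MOD_BYTES:],
                                self._keystream(nonce, MOD_BYTES)), "big")
        handle = len(self._loaded) + 1
        self._loaded[handle] = (n, d)
        return handle

    def sign(self, handle, challenge):
        """Sign SHA-256(challenge) with a loaded key; the host sees only the result."""
        n, d = self._loaded[handle]
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(h, d, n).to_bytes(MOD_BYTES, "big")


def verify(public_key, challenge, signature):
    """Server side: check the response using nothing but the public key."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return pow(int.from_bytes(signature, "big"), e, n) == h


def private_exponent_in_blob(chip, handle, blob):
    """Peek inside the chip (impossible on real hardware) to show the on-disk
    blob does not carry the private exponent in the clear."""
    _, d = chip._loaded[handle]
    return d.to_bytes(MOD_BYTES, "big") in blob
```

The host-side API is deliberately just create, load and sign: nothing returns d, and the blob is only loadable on the chip that wrapped it, which is the enterprise property (an ssh key or 802.1x client certificate that cannot be copied to another machine even if the disk is read). A real TPM also gates use of a loaded key behind an authorization value or policy, which the toy omits.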