IUKL Library

A Practical Guide to TPM 2.0 : Using the Trusted Platform Module in the New Age of Security.

By: Arthur, Will.
Contributor(s): Challener, David.
Material type: Book
Publisher: Berkeley, CA : Apress L. P., 2015
Copyright date: ©2015
Edition: 1st ed.
Description: 1 online resource (375 pages).
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781430265849.
Genre/Form: Electronic books.
Contents:
Intro -- A Practical Guide to TPM 2.0 -- Contents at a Glance -- About ApressOpen -- Contents -- About the Authors -- About the Technical Reviewers -- Acknowledgments -- Introduction -- Chapter 1: History of the TPM -- Why a TPM? -- History of Development of the TPM Specification from 1.1b to 1.2 -- How TPM 2.0 Developed from TPM 1.2 -- History of TPM 2.0 Specification Development -- Summary -- Chapter 2: Basic Security Concepts -- Cryptographic Attacks -- Brute Force -- Calculating the Strength of Algorithms by Type -- Attacks on the Algorithm Itself -- Security Definitions -- Cryptographic Families -- Secure Hash (or Digest) -- Hash Extend -- HMAC: Message Authentication Code -- KDF: Key Derivation Function -- Authentication or Authorization Ticket -- Symmetric-Encryption Key -- Symmetric-Key Modes -- Nonce -- Asymmetric Keys -- RSA Asymmetric-Key Algorithm -- RSA for Key Encryption -- RSA for Digital Signatures -- ECC Asymmetric-Key Algorithm -- ECDH Asymmetric-Key Algorithm to Use Elliptic Curves to Pass Keys -- ECDSA Asymmetric-Key Algorithm to Use Elliptic Curves for Signatures -- Public Key Certification -- Summary -- Chapter 3: Quick Tutorial on TPM 2.0 -- Scenarios for Using TPM 1.2 -- Identification -- Encryption -- Key Storage -- Random Number Generator -- NVRAM Storage -- Platform Configuration Registers -- Privacy Enablement -- Scenarios for Using Additional TPM 2.0 Capabilities -- Algorithm Agility (New in 2.0) -- Enhanced Authorization (New in 2.0) -- Quick Key Loading (new in 2.0) -- Non-Brittle PCRs (New in 2.0) -- Flexible Management (New in 2.0) -- Identifying Resources by Name (New in 2.0) -- Summary -- Chapter 4: Existing Applications That Use TPMs -- Application Interfaces Used to Talk to TPMs -- TPM Administration and WMI -- The Platform Crypto Provider -- Virtual Smart Card -- Applications That Use TPMs.
Applications That Should Use the TPM but Don't -- Building Applications for TPM 1.2 -- TSS.Net and TSS.C++ -- Wave Systems Embassy Suite -- Rocks to Avoid When Developing TPM Applications -- Microsoft BitLocker -- IBM File and Folder Encryption -- New Manageability Solutions in TPM 2.0 -- Summary -- Chapter 5: Navigating the Specification -- TPM 2.0 Library Specification: The Parts -- Some Definitions -- General Definitions -- Definitions of the Major Fields of the Command Byte Stream -- Definitions of the Major Fields of the Response Byte Stream -- Getting Started in Part 3: the Commands -- Data Details -- Common Structure Constructs -- TPM2B_XXX Structures -- Structure with Union -- Canonicalization -- Endianness -- Part 2: Notation Syntax -- Part 3: Table Decorations -- Commonly Used Sections of the Specification -- How to Find Information in the Specification -- Strategies for Ramping Up on TPM 2.0 -- Will -- Ken -- Dave -- Other TPM 2.0 Specifications -- Summary -- Chapter 6: Execution Environment -- Setting Up the TPM -- Microsoft Simulator -- Building the Simulator from Source Code -- Setting Up a Binary Version of the Simulator -- Running the Simulator -- Testing the Simulator -- Python Script -- TSS.net -- System API Test Code -- Setting Up the Software Stack -- TSS 2.0 -- TSS.net -- Summary -- Chapter 7: TPM Software Stack -- The Stack: a High-Level View -- Feature API -- System API -- Command Context Allocation Functions -- Command Preparation Functions -- Command Execution Functions -- Command Completion Functions -- Simple Code Example -- System API Test Code -- TCTI -- TPM Access Broker (TAB) -- Resource Manager -- Device Driver -- Summary -- Chapter 8: TPM Entities -- Permanent Entities -- Persistent Hierarchies -- Ephemeral Hierarchy -- Dictionary Attack Lockout Reset -- Platform Configuration Registers (PCRs) -- Reserved Handles.
Password Authorization Session -- Platform NV Enable -- Nonvolatile Indexes -- Objects -- Nonpersistent Entities -- Persistent Entities -- Entity Names -- Summary -- Chapter 9: Hierarchies -- Three Persistent Hierarchies -- Platform Hierarchy -- Storage Hierarchy -- Endorsement Hierarchy -- Privacy -- Activating a Credential -- Other Privacy Considerations -- NULL Hierarchy -- Cryptographic Primitives -- Random Number Generator -- Digest Primitives -- HMAC Primitives -- RSA Primitives -- Symmetric Key Primitives -- Summary -- Chapter 10: Keys -- Key Commands -- Key Generator -- Primary Keys and Seeds -- Persistence of Keys -- Key Cache -- Key Authorization -- Key Destruction -- Key Hierarchy -- Key Types and Attributes -- Symmetric and Asymmetric Keys Attributes -- Duplication Attributes -- Restricted Signing Key -- Restricted Decryption Key -- Context Management vs. Loading -- NULL Hierarchy -- Certification -- Keys Unraveled -- Summary -- Chapter 11: NV Indexes -- NV Ordinary Index -- NV Counter Index -- NV Bit Field Index -- NV Extend Index -- Hybrid Index -- NV Access Controls -- NV Written -- NV Index Handle Values -- NV Names -- NV Password -- Separate Commands -- Summary -- Chapter 12: Platform Configuration Registers -- PCR Value -- Number of PCRs -- PCR Commands -- PCRs for Authorization -- PCRs for Attestation -- PCR Quote in Detail -- PCR Attributes -- PCR Authorization and Policy -- PCR Algorithms -- Summary -- Chapter 13: Authorizations and Sessions -- Session-Related Definitions -- Password, HMAC, and Policy Sessions: What Are They? -- Session and Authorization: Compared and Contrasted -- Authorization Roles -- Command and Response Authorization Area Details -- Command Authorization Area -- Command Authorization Structures -- Response Authorization Structures -- Password Authorization: The Simplest Authorization.
Password Authorization Lifecycle -- Creating a Password Authorized Entity -- Changing a Password Authorization for an Already Created Entity -- Using a Password Authorization -- Code Example: Password Session -- Starting HMAC and Policy Sessions -- TPM2_StartAuthSession Command -- Session Key and HMAC Key Details -- Guidelines for TPM2_StartAuthSession Handles and Parameters -- Session Variations -- Salted vs. Unsalted -- Bound vs. Unbound -- Use Cases for Session Variations -- HMAC and Policy Sessions: Differences -- HMAC Authorization -- HMAC Authorization Lifecycle -- Altering or Creating an Entity That Requires HMAC Authorization -- Creating an HMAC Session -- Using an HMAC Session to Authorize a Single Command -- HMAC and Policy Session Code Example -- Using an HMAC Session to Send Multiple Commands (Rolling Nonces) -- HMAC Session Security -- HMAC Session Data Structure -- Policy Authorization -- How Does EA Work? -- Policy Authorization Time Intervals -- Policy Authorization Lifecycle -- Building the Entity's Policy Digest -- Creating the Entity to Use the Policy Digest -- Starting the Real Policy Session -- Sending Policy Commands to Fulfill the Policy -- Performing the Action That Requires Authorization -- Combined Authorization Lifecycle -- Summary -- Chapter 14: Extended Authorization (EA) Policies -- Policies and Passwords -- Why Extended Authorization? -- Multiple Varieties of Authentication -- Multifactor Authentication -- How Extended Authorization Works -- Creating Policies -- Simple Assertion Policies -- Passwords (Plaintext and HMAC) of the Object -- Passwords of a Different Object -- Digital Signatures (such as Smart Cards) -- PCRs: State of the Machine -- Locality of Command -- Internal State of the TPM (Boot Counter and Timers) -- Internal Value of an NV RAM Location.
State of the External Device (GPS, Fingerprint Reader, and So On) -- Flexible (Wild Card) Policy -- Example 1: Smart card and Password -- Example 2: A Policy for a Key Used Only for Signing with a Password -- Example 3: A PC state, a Password, and a Fingerprint -- Example 4: A Policy Good for One Boot Cycle -- Example 5: A Policy for Flexible PCRs -- Example 6: A Policy for Group Admission -- Example 7: A Policy for NV RAM between 1 and 100 -- Command-Based Assertions -- Multifactor Authentication -- Compound Policies: Using Logical OR in a Policy -- Making a Compound Policy -- Example: A Policy for Work or Home Computers -- Considerations in Creating Policies -- End User Role -- Administrator Role -- Understudy Role -- Office Role -- Home Role -- Using a Policy to Authorize a Command -- Starting the Policy -- Satisfying a Policy -- Simple Assertions and Multifactor Assertions -- If the Policy Is Compound -- If the Policy Is Flexible (Uses a Wild Card) -- Satisfying the Approved Policy -- Transforming the Approved Policy in the Flexible Policy -- Certified Policies -- Summary -- Chapter 15: Key Management -- Key Generation -- Templates -- Key Trees: Keeping Keys in a Tree with the Same Algorithm Set -- Duplication -- Key Distribution -- Key Activation -- Key Destruction -- Putting It All Together -- Example 1: Simple Key Management -- Example 2: An Enterprise IT Organization with Windows TPM 2.0 Enabled Systems -- Summary -- Chapter 16: Auditing TPM Commands -- Why Audit -- Audit Commands -- Audit Types -- Command Audit -- Session Audit -- Audit Log -- Audit Data -- Exclusive Audit -- Summary -- Chapter 17: Decrypt/Encrypt Sessions -- What Do Encrypt/Decrypt Sessions Do? -- Practical Use Cases -- Decrypt/Encrypt Limitations -- Decrypt/Encrypt Setup -- Pseudocode Flow -- Sample Code -- Summary -- Chapter 18: Context Management.
TAB and the Resource Manager: A High-Level Description.
Item type Current location Collection Call number Copy number Status Date due Item holds
E-book E-book IUKL Library
Subscripti 1 Available
Total holds: 0

Description based on publisher supplied metadata and other sources.

Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2023. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.

The Library's homepage is at http://library.iukl.edu.my/.