Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TPM Attestation Statement Format: Missing COSE Key algorithm Identifier and clarification. #689

Closed
akshayku opened this issue Nov 14, 2017 · 3 comments
Closed

TPM Attestation Statement Format: Missing COSE Key algorithm Identifier and clarification. #689

akshayku opened this issue Nov 14, 2017 · 3 comments
Assignees
@selfissued
Labels
priority:implementation
Milestone
WD-07

Comments

@akshayku
Copy link
Contributor

Many TPM attestations implementations ONLY supports RSASSA-PKCS1-v1_5 w/SHA1 and there is no COSE algorithm identifier defined currently. Here is the proposed addition to list of COSE algorithms.

  • Name: RS1
  • Value: -262 (This is the next value in this section.)
  • Description: RSASSA-PKCS1-v1_5 w/ SHA1. Applicable to some current implementations of TPM 2.0 attestation signatures.
  • Reference: Section 8.2 of [RFC8017]
  • Recommended: No

Clarification to attToBeSigned in https://w3c.github.io/webauthn/#tpm-attestation

Existing sentence:

  • Generate a signature using the procedure specified in [TPMv2-Part3] Section 18.2, using the attestation private key and setting the qualifyingData parameter to attToBeSigned.

This qualifyingData is also called extraData in the TPM Spec where it is has the following definition:

  • extraData : TPM2B_DATA external information supplied by caller. NOTE A TPM2B_DATA structure provides room for a digest and a method indicator to indicate the components of the digest. The definition of this method indicator is outside the scope of this specification.

Proposed change:

  • Generate a signature using the procedure specified in [TPMv2-Part3] Section 18.2, using the attestation private key and setting the extraData parameter to the digest of the attToBeSigned using the hash algorithm corresponding to the “alg” signature algorithm. For RS256 this would be a SHA256 digest.
@akshayku akshayku added this to the WD-07 milestone Nov 14, 2017
@selfissued
Copy link
Contributor

The corresponding validation procedure currently includes:
Verify that extraData is set to |attToBeSigned|.

Should this be changed to:
Verify that extraData is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg".

It seems like this would be required to be consistent with the signing procedure.

@jyasskin
Copy link
Member

Double-checking: does the existence of SHA-1 collisions make these attestations fundamentally insecure? If so, it probably doesn't make sense to support RPs trusting them. If not, please ignore me. :)

@selfissued
Copy link
Contributor

I know of no effective means of creating or utilizing SHA-1 collisions in the RSASSA-PKCS1-v1_5 w/ SHA1 context.

@selfissued selfissued mentioned this issue Nov 15, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@selfissued selfissued

Labels
priority:implementation
Projects
None yet
Milestone
WD-07
Development

No branches or pull requests
3 participants
@jyasskin @selfissued @akshayku