I’m trying to figure out what ciphers can be implemented on a TPM2 to enable TLS 1.3 with non-repudiable transcripts (via attested TPM2 audit logs).
It looks like GCM is not going to be possible because:
- There is no complete GCM implementation available on the TPM2, so to get it to work, I’d need to implement it on top of a primitive such as AES in ECB mode.
- However, to do that, I’d need to encrypt a zero vector with the key, and then the IV, IV + 1, and so on, up to the length of the message needed (for the IV in both directions: to verify messages from the server, and to send valid messages from the client).
- Once I have that information, however, I could use it to create an authentication tag for any message (up to the length I have encrypted IVs for) I wanted, without creating any further records in the TPM2 audit log.
- This means that the attested audit logs from the TPM2 are worthless, since they won’t stop anyone from forging a message.
I’m continuing to look through other ciphersuites to see what is viable under this approach.
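As an added example (this is not code from the post, nor anything from the TPM2 specification), the Python below walks through the decomposition the post relies on. A constructed `TpmEcbStandIn` class plays the TPM's single-block AES-ECB primitive and records every call in an audit log; it knows only the three AES-128 outputs under the all-zero key that are published as Test Case 2 in McGrew and Viega's GCM spec, which lets the software-side GHASH be checked against the published ciphertext and tag. `harvest`, `gcm_seal_offline`, `gcm_open_via_tpm`, `demo` and the sample plaintexts are assumed names and constructed data. It shows that after three logged calls (E_K(0), E_K(J0), E_K(J0+1)) a second record with a different plaintext can be tagged with zero further TPM calls, and that the peer's own verification accepts it.

```python
"""Harvested AES-ECB blocks are all AES-GCM needs: constructed demo, not the post's code.

The TPM is a stand-in answering only the three single-block AES-128 queries this demo
needs, with the published all-zero-key values from GCM Test Case 2 (McGrew & Viega)."""
import hmac
from typing import Dict, List, Tuple

# AES-128 outputs under the all-zero key, as published in GCM Test Case 2 (not invented here).
ZERO_KEY_AES_OUTPUTS: Dict[bytes, bytes] = {
    bytes(16):           bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"),  # E_K(0^128) = H
    bytes(15) + b"\x01": bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a"),  # E_K(J0)
    bytes(15) + b"\x02": bytes.fromhex("0388dace60b6a392f328c2b971b2fe78"),  # E_K(inc32(J0))
}


class TpmEcbStandIn:
    """Constructed stand-in for a TPM's single-block AES-ECB; logs every call."""

    def __init__(self) -> None:
        self.audit_log: List[Tuple[bytes, bytes]] = []

    def encrypt_block(self, block: bytes) -> bytes:
        out = ZERO_KEY_AES_OUTPUTS[block]  # a real TPM computes any block; this one knows three
        self.audit_log.append((block, out))
        return out


# --- GHASH and the GCM glue, done in software: the part the audit log never sees ---
R = 0xE1 << 120  # GCM reduction constant for x^128 + x^7 + x^2 + x + 1


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) using GCM's bit ordering (leftmost bit is bit 0)."""
    z = 0
    for i in range(127, -1, -1):
        if (y >> i) & 1:
            z ^= x
        x = (x >> 1) ^ (R if x & 1 else 0)
    return z


def _pad16(b: bytes) -> bytes:
    return b + bytes((-len(b)) % 16)


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C) over padded A, padded C and the two 64-bit bit-lengths."""
    data = _pad16(aad) + _pad16(ct) + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")
    h_int, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h_int)
    return y.to_bytes(16, "big")


def inc32(block: bytes) -> bytes:
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def harvest(tpm: TpmEcbStandIn, iv: bytes, nblocks: int) -> Tuple[bytes, bytes, bytes]:
    """The step the post describes: pull E_K(0), E_K(J0) and nblocks keystream blocks."""
    j0 = iv + b"\x00\x00\x00\x01"  # 96-bit IV => J0 = IV || 0^31 || 1
    h, ek_j0, ctr, ks = tpm.encrypt_block(bytes(16)), tpm.encrypt_block(j0), j0, []
    for _ in range(nblocks):
        ctr = inc32(ctr)
        ks.append(tpm.encrypt_block(ctr))
    return h, ek_j0, b"".join(ks)


def gcm_tag(material: Tuple[bytes, bytes, bytes], aad: bytes, ct: bytes) -> bytes:
    h, ek_j0, _ = material
    return xor(ghash(h, aad, ct), ek_j0)  # T = GHASH_H(A, C) xor E_K(J0)


def gcm_seal_offline(material: Tuple[bytes, bytes, bytes], aad: bytes, pt: bytes) -> Tuple[bytes, bytes]:
    """AES-GCM encrypt-and-tag from harvested material only: zero TPM calls."""
    ct = xor(pt, material[2])
    return ct, gcm_tag(material, aad, ct)


def gcm_open_via_tpm(tpm: TpmEcbStandIn, iv: bytes, aad: bytes, ct: bytes, tag: bytes):
    """What the peer does: recompute the tag with its own TPM; None on mismatch."""
    material = harvest(tpm, iv, (len(ct) + 15) // 16)
    if not hmac.compare_digest(gcm_tag(material, aad, ct), tag):
        return None
    return xor(ct, material[2])


def demo() -> dict:
    client_tpm, server_tpm, iv = TpmEcbStandIn(), TpmEcbStandIn(), bytes(12)
    material = harvest(client_tpm, iv, nblocks=1)
    log_after_harvest = len(client_tpm.audit_log)  # 3 entries: H, E_K(J0), E_K(J0+1)
    # Genuine record: GCM Test Case 2 (zero key, zero IV, one all-zero block).
    ct1, tag1 = gcm_seal_offline(material, b"", bytes(16))
    # Forged record: different 16-byte plaintext (constructed), tagged without touching the TPM.
    ct2, tag2 = gcm_seal_offline(material, b"", b"GET /secret HTTP")
    return {
        "genuine_ct": ct1.hex(), "genuine_tag": tag1.hex(), "forged_tag": tag2.hex(),
        "server_accepts_forgery": gcm_open_via_tpm(server_tpm, iv, b"", ct2, tag2) == b"GET /secret HTTP",
        "audit_entries_after_harvest": log_after_harvest,
        "audit_entries_after_forgery": len(client_tpm.audit_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit log looks identical whether the genuine or the forged record was sent: both consumed the same three block encryptions, and GHASH runs entirely in host software once H has left the TPM. Running the block prints the test-vector ciphertext and tag alongside the forged tag and the unchanged entry count.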