Skip to content
/ TpmForIOT Public

This project uses TPM for strong IoT device identity and secure messaging.

License

MIT license
4 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hdracer/TpmForIOT

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.github/workflows
.github/workflows
 
 
TSS.MSR.CPP
TSS.MSR.CPP
 
 
TpmForIotTst
TpmForIotTst
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
TpmForIot.sln
TpmForIot.sln
 
 

Repository files navigation

TpmForIoT

This project uses the TPM (Trusted Platform Module) for strong IoT (Internet of Things) device identity, firmware anti-tampering, and secure messaging.

Written in C++, TpmForIoT compiles and runs on both Linux and Windows. Although the demonstration currently is single-threaded, it is structured to show how an IoT device can interact with a trusted server. The device-to-server interaction is a cryptographic challenge-response protocol that accomplishes several useful things:

  • Device identity based on manufacturer Endorsement Key whitelist (or based on certificate trust)
  • Firmware thumbprinting
  • Distribution of a per-device secret (for example, a cloud API key)
  • Creation of a non-exportable general purpose assymetric key usable for message signing (or any PKI scenario).

TpmForIoT uses the TSS.CPP library from Microsoft Research. On Linux, the Intel TPM2.0-TSS resource manager is assumed to be running (as root; using default ports) and the host TPM hierarchy auth values are all assumed to be "1234".

Please see below for sample output from the command-line program.

>TpmForIotTst.exe
Client: open a handle to the TPM Endorsement Key (EK)...
Client: open a handle to the TPM Storage Root Key (SRK)...
Client: create a restricted key: 000403ff 81bd4e76 dfd32d1e 6432e41a fc1a6b67 a1ad
Server: assume Endorsement Key is trusted: 00040dda 694b64b9 3a49286d ef6be3f6 04ffdc9b 52ed
Server: secret is: 85dc1f20 2dce70dc 8fa32d60 59ebdad2
Server: creating activation challenge for this key: 000403ff 81bd4e76 dfd32d1e 6432e41a fc1a6b67 a1ad
Client: decrypted secret: 85dc1f20 2dce70dc 8fa32d60 59ebdad2
Client: create a general purpose signing key on the TPM...
Server: assume quoted PCR is correct: 0b34fb38 e564ae46 d2dd635f 40cca6ba a6cf00dc
Server: assume restricted key matches previous activation: 000403ff 81bd4e76 dfd32d1e 6432e41a fc1a6b67 a1ad
Server: PCR quote is valid
Server: PCR digest for new key is correct
Server: quote is valid for this key: 00046e5b d94732b6 26ba345d 0991ba6c a23cdcfc 97f0
Client: message hash: c93ee7a5 2c78653c c5836f5b 5db1fe53 b9f3219e
Server: assume previous registration of this key: 00046e5b d94732b6 26ba345d 0991ba6c a23cdcfc 97f0
Server: message received and verified

About

This project uses TPM for strong IoT device identity and secure messaging.

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages