[ltp] using fingerprint reader for encryption or ssh login?

Henrique de Moraes Holschuh linux-thinkpad@linux-thinkpad.org
Tue, 20 Nov 2007 09:44:49 -0200


On Tue, 20 Nov 2007, Jiang Qian wrote:
> on my thinkpad T43. I'll trust them alright. How to do hardware crypto 
> using tpm under linux? I looked at the thinkwiki website but can't seem 

You are in for a lot of pain and learning.  Look for the trusted platform
stacks, and start studying them.  You will probably need to study all the
material and standards available about the TPM chip and its interface, to be
able to understand how it is supposed to be used. There is, AFAIK, no
user-friendly (or even developer-friendly IMO) documentation for this crap,
which is one of the reasons why my ssh keys are not sealed inside my T43's
TPM yet.

And no, *I* don't know how to use it, or I would have written some
friendlier documentation already.

> to find a lot of info about it. Specifically, what applications use it?

None. You will have to do some hard work.

> And what is the advantage of a TPM chip over the following method I'm 
> considering: I have a usb key with encrypted key files. Only when I need 

One would have to steal the T43 to get the data.  And depending on how you
used the TPM, they would not get the keys, so they would not be able to
duplicate them and would have to keep using that T43.

You likely want to use two keys: one in a USB storage device, and the other
inside the TPM.  That way, you need both the T43 and the USB device to do
anything.  But be sure to know what you are doing when chaining crypto.

> binary in my system. How is TPM different? Why can't he replace the 
> binary of whatever program I use to decrypt what's on the TPM chip?

You don't use the TPM to store and *retrieve* keys.  You use it to do crypto
operations on your behalf with the keys stored inside, as a one-way vault
(with "store" and "delete" data management only, never "retrieve").

Obviously, you are restricted to whatever the TPM knows how to do, which
might well mean you can't use it for ssh or gpg or <insert application
here>.  It probably knows enough to do standard PKCS, though.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
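
Added example, not part of the original message: a software model of the "one-way vault" use described above (store, delete and use, never retrieve), combined with a second secret held on a USB device so that both are needed to derive the working key. The class and function names, the sample values and the HKDF-based combination are assumptions for illustration; this is not a TPM API.

```python
import hashlib
import hmac


class OneWayVault:
    """Model of a key store with store/delete/use only (no retrieve).

    Assumption: stands in for the TPM. A real chip enforces this in
    hardware; Python only hides the dict by convention.
    """

    def __init__(self):
        self._keys = {}

    def store(self, slot, key):
        self._keys[slot] = bytes(key)

    def delete(self, slot):
        self._keys.pop(slot, None)

    def mac(self, slot, data):
        # The key is used on the caller's behalf; only the result leaves.
        return hmac.new(self._keys[slot], data, hashlib.sha256).digest()


def derive_key(vault, slot, usb_secret, usb_salt, info=b"disk-key"):
    """Derive a 32-byte key that needs both the vault and the USB secret.

    Uses HKDF (RFC 5869) with one output block instead of ad hoc chaining.
    """
    # The vault answers a challenge built from a salt stored on the USB device.
    response = vault.mac(slot, b"unlock|" + usb_salt)
    # HKDF-Extract: salt = vault response, input keying material = USB secret.
    prk = hmac.new(response, usb_secret, hashlib.sha256).digest()
    # HKDF-Expand, first block only (32 bytes).
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    laptop = OneWayVault()
    laptop.store("user", b"\x11" * 32)
    key = derive_key(laptop, "user", b"usb-file-secret", b"salt-0001")
    print(key.hex())
```

A copy of the USB contents used with a different vault key, or the vault used with different USB contents, yields an unrelated key.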