TCM密钥迁移协议设计及形式化分析

为增强TCM芯片间密钥的互操作性,TCM提供了密钥迁移相关命令接口,允许用户设计密钥迁移协议以实现芯片间密钥的共享.通常,TCM密钥迁移协议以目标TCM上的新父密钥作为迁移保护密钥.研究发现,该协议存在两个问题:对称密钥不能作为被迁移密钥的新父密钥,违背了TCM的初始设计思想;缺少交互双方TCM的相互认证,导致源TCM的被迁移密钥可以被外部敌手获得,并且敌手可以将其控制的密钥迁移到目标TCM中.针对上述问题,提出两个新的密钥迁移协议:协议1遵循TCM目前的接口规范,以目标TCM的PEK(platform encryption key)作为迁移保护密钥,能够认证目标TCM,并允许对称密钥作为新父密钥;协议2简单改动了TCM接口,以源TCM和目标TCM进行SM2密钥协商,得到的会话密钥作为迁移保护密钥,解决了上述两个问题,并且获得了前向安全属性.最后,使用形式化分析方法对上述协议进行安全性分析,分析结果显示,协议满足正确性和预期的安全属性.

Design and Formal Analysis of TCM Key Migration Protocols

TCM provides key migration interfaces to enhance interoperability between different TCM chips, allowing users to share keys between TCMs by key migration protocols. This study finds that the conventional TCM key migration protocol, which uses the new parent key of the migrated key on the destination TCM as the migration protection key, has two weaknesses. First, keys cannot be migrated to symmetric keys, which violates the design principles of TCM. Second, the absence of authentication between the originating TCM and destination TCM allows attacker to recover the migrated key of the originating TCM and to import his key into the destination TCM. To solve these issues, the paper proposes two new TCM key migration protocols. The first protocol, compliant with the TCM specification, allows keys to be migrated to symmetric keys and provides authentication of the destination TCM. The second protocol, which requires a slight modification to TCM key migration interfaces, not only solves all the two weaknesses, but also provides prefect forward security. Finally, the study formally analyzes the two protocols and demonstrates that the proposed protocols satisfy the correctness and desired security properties.