TPM 证明TPM attestation

IoT 中心设备预配服务是一项 IoT 中心帮助程序服务,该服务用于将零接触设备预配到指定 IoT 中心。IoT Hub Device Provisioning Service is a helper service for IoT Hub that you use to configure zero-touch device provisioning to a specified IoT hub. 使用设备预配服务,可以通过安全的方式预配数百万台设备。With the Device Provisioning Service, you can provision millions of devices in a secure manner.

本文介绍使用受信任的平台模块 (TPM) 时的标识证明过程。This article describes the identity attestation process when using a Trusted Platform Module (TPM). TPM 是一种硬件安全模块 (HSM)。A TPM is a type of hardware security module (HSM). 本文假定你使用单独的、固件式的或集成式的 TPM。This article assumes you are using a discrete, firmware, or integrated TPM. 软件模拟 TPM 适用于原型制作或测试,但其提供的安全级别不同于单独的、固件式的或集成式的 TPM。Software emulated TPMs are well-suited for prototyping or testing, but they do not provide the same level of security as discrete, firmware, or integrated TPMs do. 建议不要在生产中使用软件 TPM。We do not recommend using software TPMs in production. 有关 TPM 类型的详细信息,请参阅 TPM 简介For more information about types of TPMs, see A Brief Introduction to TPM.

本文仅适用于特定的设备,这些设备使用提供 HMAC 密钥支持的 TPM 2.0,同时使用认可密钥。This article is only relevant for devices using TPM 2.0 with HMAC key support and their endorsement keys. 本文不适用于使用 X.509 证书进行身份验证的设备。It is not for devices using X.509 certificates for authentication. TPM 是一种行业通用的 ISO 标准,由 Trusted Computing Group 提出。有关 TPM 的详细信息,可参阅完整的 TPM 2.0 规范ISO/IEC 11889 规范。本文还假定你熟悉公钥和私钥对以及如何将其用于加密。TPM is an industry-wide, ISO standard from the Trusted Computing Group, and you can read more about TPM at the complete TPM 2.0 spec or the ISO/IEC 11889 spec. This article also assumes you are familiar with public and private key pairs, and how they are used for encryption.

设备预配服务设备 SDK 处理本文中为你介绍的所有事项。The Device Provisioning Service device SDKs handle everything that is described in this article for you. 如果是在自己的设备上使用 SDK,则不需实现任何其他的项目。There is no need for you to implement anything additional if you are using the SDKs on your devices. 本文以概念的方式介绍设备预配时在 TPM 安全芯片上发生的情况,并说明了其安全性高的原因。This article helps you understand conceptually what’s going on with your TPM security chip when your device provisions and why it’s so secure.

概述Overview

TPM 使用名为认可密钥 (EK) 的方式作为信任的安全根本。TPMs use something called the endorsement key (EK) as the secure root of trust. EK 特定于 TPM,更改它相当于把设备变为新设备。The EK is unique to the TPM and changing it essentially changes the device into a new one.

TPM 还有另一类密钥,称为存储根密钥 (SRK)。There's another type of key that TPMs have, called the storage root key (SRK). SRK 可以由 TPM 的所有者在取得 TPM 的所有权后生成。An SRK may be generated by the TPM's owner after it takes ownership of the TPM. 获取 TPM 的所有权就是以 TPM 特有的方式表明“某人在 HSM 上设置密码”。Taking ownership of the TPM is the TPM-specific way of saying "someone sets a password on the HSM." 如果将 TPM 设备出售给新的所有者,新的所有者可以在获取 TPM 的所有权后生成新的 SRK。If a TPM device is sold to a new owner, the new owner can take ownership of the TPM to generate a new SRK. 重新生成 SRK 可确保以前的所有者无法使用 TPM。The new SRK generation ensures the previous owner can't use the TPM. 由于 SRK 特定于 TPM 的所有者,因此可以通过 SRK 将数据封装到该所有者的 TPM 本身中。Because the SRK is unique to the owner of the TPM, the SRK can be used to seal data into the TPM itself for that owner. SRK 为所有者提供存储密钥所需的沙盒,并允许在出售设备或 TPM 的情况下撤销访问权限。The SRK provides a sandbox for the owner to store their keys and provides access revocability if the device or TPM is sold. 这类似于搬进新屋中:获取所有权就是换门锁,扔掉上一位屋主留下的所有家具 (SRK),但不能更改新屋的地址 (EK)。It's like moving into a new house: taking ownership is changing the locks on the doors and destroying all furniture left by the previous owners (SRK), but you can't change the address of the house (EK).

设备在设置好并做好使用准备以后,就会有可供使用的 EK 和 SRK。Once a device has been set up and ready to use, it will have both an EK and an SRK available for use.

获取 TPM 的所有权

关于获取 TPM 所有权的一点说明:获取 TPM 的所有权取决于许多因素,包括 TPM 制造商、所使用的 TPM 工具集以及设备 OS。One note on taking ownership of the TPM: Taking ownership of a TPM depends on many things, including TPM manufacturer, the set of TPM tools being used, and the device OS. 请按与系统相关的说明获取所有权。Follow the instructions relevant to your system to take ownership.

设备预配服务使用 EK 的公共部分 (EK_pub) 来标识和注册设备。The Device Provisioning Service uses the public part of the EK (EK_pub) to identify and enroll devices. 设备供应商可以在制造或最终测试过程中读取 EK_pub 并将 EK_pub 上传到预配服务,这样就可以在设备通过连接进行预配时识别该设备。The device vendor can read the EK_pub during manufacture or final testing and upload the EK_pub to the provisioning service so that the device will be recognized when it connects to provision. 设备预配服务不检查 SRK 或所有者,因此“清除”TPM 会擦除客户数据,但 EK(和其他供应商数据)会保留下来,因此设备在通过连接进行预配时仍会被设备预配服务识别。The Device Provisioning Service does not check the SRK or owner, so “clearing” the TPM erases customer data, but the EK (and other vendor data) is preserved and the device will still be recognized by the Device Provisioning Service when it connects to provision.

详细证明过程Detailed attestation process

带 TPM 的设备在第一次连接到设备预配服务时,该服务会首先根据存储在注册列表中的 EK_pub 来核对提供的 EK_pub。When a device with a TPM first connects to the Device Provisioning Service, the service first checks the provided EK_pub against the EK_pub stored in the enrollment list. 如果 EK_pub 不符,则不允许设备预配。If the EK_pubs do not match, the device is not allowed to provision. 如果 EK_pub 相符,服务就会要求设备通过 nonce 质询证明 EK 专用部分的所有权,该质询是一种用来证明身份的安全质询。If the EK_pubs do match, the service then requires the device to prove ownership of the private portion of the EK via a nonce challenge, which is a secure challenge used to prove identity. 设备预配服务生成一个 nonce,然后使用 SRK 和 EK_pub 先后对其加密。SRK 和 EK_pub 均由设备在初始注册调用过程中提供。The Device Provisioning Service generates a nonce and then encrypts it with the SRK and then the EK_pub, both of which are provided by the device during the initial registration call. TPM 始终会确保 EK 专用部分的安全。The TPM always keeps the private portion of the EK secure. 这样可以防止伪造,确保安全地为获得授权的设备预配 SAS 令牌。This prevents counterfeiting and ensures SAS tokens are securely provisioned to authorized devices.

让我们详细探讨证明过程。Let’s walk through the attestation process in detail.

设备请求 IoT 中心分配Device requests an IoT Hub assignment

首先,设备连接到设备预配服务并请求预配。First the device connects to the Device Provisioning Service and requests to provision. 为此,设备向服务提供其注册 ID、ID 作用域,以及 TPM 的 EK_pub 和 SRK_pub。In doing so, the device provides the service with its registration ID, an ID scope, and the EK_pub and SRK_pub from the TPM. 服务将加密的 nonce 传回给设备,要求设备解密该 nonce,然后使用它为 SAS 令牌签名,以便再次进行连接并完成预配。The service passes the encrypted nonce back to the device and asks the device to decrypt the nonce and use that to sign a SAS token to connect again and finish provisioning.

设备请求预配

Nonce 质询Nonce challenge

设备获得 nonce 后,会使用 EK 和 SRK 的专用部分将 nonce 解密到 TPM 中;nonce 加密的顺序是将 EK 的信任(不可变)委托给 SRK(在新的所有者获取 TPM 所有权后可以更改)。The device takes the nonce and uses the private portions of the EK and SRK to decrypt the nonce into the TPM; the order of nonce encryption delegates trust from the EK, which is immutable, to the SRK, which can change if a new owner takes ownership of the TPM.

解密 nonce

验证 nonce 并接收凭据Validate the nonce and receive credentials

然后,设备可以使用解密的 nonce 给 SAS 令牌签名,并使用签名的 SAS 令牌重新建立到设备预配服务的连接。The device can then sign a SAS token using the decrypted nonce and reestablish a connection to the Device Provisioning Service using the signed SAS token. 完成 Nonce 质询以后,服务就会允许设备进行预配。With the Nonce challenge completed, the service allows the device to provision.

设备重新建立与设备预配服务的连接,以便验证 EK 所有权

后续步骤Next steps

设备连接到 IoT 中心以后,你就可以确信设备的密钥已安全地存储。Now the device connects to IoT Hub, and you rest secure in the knowledge that your devices’ keys are securely stored. 了解设备预配服务如何使用 TPM 安全地验证设备的标识以后,若要学习更多内容,请查看以下文章:Now that you know how the Device Provisioning Service securely verifies a device’s identity using TPM, check out the following articles to learn more: