Offline dictionary attack on TCG TPM weak authorisation data, and solution
暂无分享,去创建一个
The Trusted Platform Module (TPM) is a hardware chip designed to enable PCs achieve greater security. Proof of possession of values known as authData is required by user processes in order to use TPM keys. We show that in certain circumstances dictionary attacks can be performed offline on authdata. In this way an attacker can circumvent some crucial operations of the TPM, and impersonate the TPM owner to the TPM, or the TPM to its owner. For example, he can unbind data or migrate keys without possessing the required authorisation data, or fake the creation of TPM keys. This means that any application that relies on the TPM may be vulnerable to attack.
[1] David P. Jablon. Strong password-only authenticated key exchange , 1996, CCRV.
[2] David P. Jablon. Extended password key exchange protocols immune to dictionary attack , 1997, Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises.