TPM and ECDAA


Capricorn

Jul 9, 2021, 4:33:38 AM
to FIDO Dev (fido-dev)
Hi All

Has anyone been able to verify the signature for TPM attestation?
Which signature algorithm was used, in Java specifically?

Does TPM use ECDAA, in which case is it currently possible to check the signature for TPM, again using Java? Is there a Java implementation for ECDAA that can be used with FIDO?

thanks in advance

Arshad Noor

Jul 9, 2021, 5:08:53 PM
to Capricorn, FIDO Dev (fido-dev)
You can find an implementation here:

https://github.com/StrongKey/fido2/blob/master/server/fidoserverbeans/src/main/java/com/strongkey/skfs/fido2/TPMAttestationStatement.java

Both RSA and ECDSA algorithms are supported.

ECDAA was removed from FIDO2/WebAuthn Level-2 (for lack of
implementations when Level-1 was published) but there appears to be an
implementation here: https://github.com/ibm-research/ecdaa

Arshad
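To make the "which algorithm in Java" part concrete, here is an added example of the signature check for a WebAuthn "tpm" attestation statement. It is not StrongKey's code and not from this thread; it assumes the CBOR attestation object has already been decoded into the attStmt fields (alg, x5c[0], sig, certInfo, pubArea) plus the authenticatorData and clientDataHash from the ceremony, and it treats `sig` as the raw RSASSA-PKCS1-v1_5 signature bytes, which is what the RSA attestations from Windows 10 carry. The mapping from COSE `alg` to a JCA `Signature` name answers the question directly: RS1/RS256 map to `SHA1withRSA`/`SHA256withRSA`, ES256 to `SHA256withECDSA`.

```java
import java.io.ByteArrayInputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Verifies the "sig" of a WebAuthn "tpm" attestation statement (added example, not StrongKey code).
 * Assumes the CBOR attestation object is already decoded into: alg (COSE id), x5c[0] (AIK cert, DER),
 * sig, certInfo, pubArea, plus authenticatorData and clientDataHash from the registration ceremony.
 */
public final class TpmAttestationVerifier {

    private static final int TPM_GENERATED_VALUE = 0xFF544347;  // magic: 0xff 'T' 'C' 'G'
    private static final int TPM_ST_ATTEST_CERTIFY = 0x8017;    // certInfo must come from TPM2_Certify

    /** COSE alg id -> JCA Signature algorithm name. */
    static String jcaSignatureName(int coseAlg) {
        switch (coseAlg) {
            case -65535: return "SHA1withRSA";      // RS1
            case -257:   return "SHA256withRSA";    // RS256
            case -258:   return "SHA384withRSA";    // RS384
            case -259:   return "SHA512withRSA";    // RS512
            case -7:     return "SHA256withECDSA";  // ES256 (JCA expects a DER-encoded r,s SEQUENCE)
            case -35:    return "SHA384withECDSA";  // ES384
            case -36:    return "SHA512withECDSA";  // ES512
            default: throw new IllegalArgumentException("unsupported COSE alg " + coseAlg);
        }
    }

    /** Hash paired with the COSE alg; attToBeSigned is hashed with it to form extraData. */
    static String jcaDigestName(int coseAlg) {
        switch (coseAlg) {
            case -65535:         return "SHA-1";
            case -257: case -7:  return "SHA-256";
            case -258: case -35: return "SHA-384";
            case -259: case -36: return "SHA-512";
            default: throw new IllegalArgumentException("unsupported COSE alg " + coseAlg);
        }
    }

    /** TPM_ALG_ID hash identifiers, the 2-byte prefix of a TPM2B_NAME. */
    static String jcaDigestForTpmAlgId(int tpmAlgId) {
        switch (tpmAlgId) {
            case 0x0004: return "SHA-1";
            case 0x000B: return "SHA-256";
            case 0x000C: return "SHA-384";
            case 0x000D: return "SHA-512";
            default: throw new IllegalArgumentException("unsupported TPM_ALG_ID " + tpmAlgId);
        }
    }

    /** The two TPMS_ATTEST fields WebAuthn actually checks. */
    static final class CertInfo {
        final byte[] extraData;
        final byte[] attestedName;
        CertInfo(byte[] extraData, byte[] attestedName) {
            this.extraData = extraData;
            this.attestedName = attestedName;
        }
    }

    /** Parse TPMS_ATTEST (TPM 2.0 Part 2, 10.12.8). Big-endian; TPM2B_* = UINT16 size + bytes. */
    static CertInfo parseCertInfo(byte[] certInfo) {
        ByteBuffer buf = ByteBuffer.wrap(certInfo).order(ByteOrder.BIG_ENDIAN);
        if (buf.getInt() != TPM_GENERATED_VALUE) {
            throw new IllegalArgumentException("certInfo magic is not TPM_GENERATED_VALUE");
        }
        if ((buf.getShort() & 0xFFFF) != TPM_ST_ATTEST_CERTIFY) {
            throw new IllegalArgumentException("certInfo type is not TPM_ST_ATTEST_CERTIFY");
        }
        readSized(buf);                        // qualifiedSigner (TPM2B_NAME), not needed here
        byte[] extraData = readSized(buf);     // extraData (TPM2B_DATA)
        buf.position(buf.position() + 17);     // clockInfo: clock(8) resetCount(4) restartCount(4) safe(1)
        buf.position(buf.position() + 8);      // firmwareVersion (UINT64)
        byte[] attestedName = readSized(buf);  // attested.certify.name (TPM2B_NAME)
        readSized(buf);                        // attested.certify.qualifiedName
        if (buf.hasRemaining()) {
            throw new IllegalArgumentException("trailing bytes after TPMS_ATTEST");
        }
        return new CertInfo(extraData, attestedName);
    }

    private static byte[] readSized(ByteBuffer buf) {
        byte[] out = new byte[buf.getShort() & 0xFFFF];
        buf.get(out);
        return out;
    }

    static boolean verify(int coseAlg, byte[] aikCertDer, byte[] sig, byte[] certInfo, byte[] pubArea,
                          byte[] authenticatorData, byte[] clientDataHash) throws GeneralSecurityException {
        CertInfo ci = parseCertInfo(certInfo);

        // 1. extraData == hash(authenticatorData || clientDataHash) under the alg's hash.
        MessageDigest md = MessageDigest.getInstance(jcaDigestName(coseAlg));
        md.update(authenticatorData);
        md.update(clientDataHash);
        if (!MessageDigest.isEqual(md.digest(), ci.extraData)) return false;

        // 2. attested.name == TPM_ALG_ID || hash(pubArea): certInfo really describes this key.
        if (ci.attestedName.length < 3) return false;
        int nameAlg = ((ci.attestedName[0] & 0xFF) << 8) | (ci.attestedName[1] & 0xFF);
        byte[] pubAreaHash = MessageDigest.getInstance(jcaDigestForTpmAlgId(nameAlg)).digest(pubArea);
        byte[] expected = Arrays.copyOfRange(ci.attestedName, 2, ci.attestedName.length);
        if (!MessageDigest.isEqual(pubAreaHash, expected)) return false;

        // 3. sig covers certInfo and was produced by the AIK whose certificate is x5c[0].
        X509Certificate aik = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(aikCertDer));
        Signature verifier = Signature.getInstance(jcaSignatureName(coseAlg));
        verifier.initVerify(aik.getPublicKey());
        verifier.update(certInfo);
        return verifier.verify(sig);
    }
}
```

This covers only the signature-side checks. A full WebAuthn verification also confirms `ver` is "2.0", that the key in `pubArea.unique` matches the credential public key in authenticatorData, and that the AIK certificate meets the spec's requirements (version 3, empty subject, TPM manufacturer SAN, EKU 2.23.133.8.3, not a CA), which needs a COSE/CBOR and ASN.1 parser and is not shown here. If an authenticator wraps `sig` in a TPMT_SIGNATURE structure, or emits an ECDSA signature as raw r||s, the bytes must be unwrapped or DER-encoded before `Signature.verify` will accept them.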

Vincent Bezzina

Aug 10, 2021, 7:58:38 PM
to Arshad Noor, FIDO Dev (fido-dev)
Hi Again

Where can we get sample TPM WebAuthn responses please for testing purposes?

thanks
VB

Arshad Noor

Aug 10, 2021, 8:23:01 PM
to Vincent Bezzina, FIDO Dev (fido-dev)
Two options:

1) You can install your own FIDO server in a Linux VM or machine in
about 15 minutes based on the instructions at
https://github.com/StrongKey/fido2/blob/master/docs/Installation_Guide_Linux.md,
and when you test a registration with a Windows 10 PC with Windows Hello
enabled, you'll see the Authenticator responses in the server's log.

2) You can use a Windows 10 PC that has a TPM and Windows Hello enabled,
and navigate with any one of the browsers - except Firefox
(https://github.com/w3c/webauthn/issues/1620) - to
https://www.strongkey.com/demos, choose "Try FIDO2 Server", click on
Register and make sure the "FIDO2 Data" checkbox is ON. Register a
credential on that page and the display in the Textarea will show how
the browser responded - which will include the authenticatorData in there.

You're welcome to post additional questions on the Github forum for the
StrongKey FIDO server if your focus is on that specific implementation.

Hope that helps.

Arshad

Alex Seigler

Aug 10, 2021, 8:39:16 PM
to Vincent Bezzina, Arshad Noor, FIDO Dev (fido-dev)

John Bradley

Aug 10, 2021, 8:47:38 PM
to Vincent Bezzina, Arshad Noor, FIDO Dev (fido-dev)
Windows 10 will give you RSA signed TPM attestations, if a TPM is available.  Don't try from a VM.

I don't know of any Fido2 authenticator supporting ECDAA attestations.  

Regards
John B
