How does a cloud based application use a TPM to authenticate hardware devices?



  • I have heard about this, but not sure how it would work.

    I would imagine that when you register the device, the public RSA key burnt into the chip would be shared. That way, if the application sends a challenge, the TPM uses the private key to decrypt a message and send the correct response?

    I'm just guessing so any clarity would be most appreciated.

    I also wonder if this form of authentication could be made to support mutual attestation?

    I managed to find this in the 4th edition CCSP 'Official Student Guide', p. 261:

    Cloud-based software applications can use a Trusted Platform Module (TPM) to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform (computer system, phone, tablet) authentication. A TPM is a chip placed on the main board of the device such as a laptop. It may also be used to create and store keys as well as perform tasks as a cryptoprocessor.



  • What creates the need for the challenge to be encrypted?

    Application sends plain text challenge over TLS (encrypted on a different layer) --> receiver signs the challenge and encrypts it with the public key coming from the server --> server verifies the signature

    The vendor authenticating 'his own' device would use a database of hardware IDs and public keys. The device would simply send the unique hardware ID signed with its private key. The app would simply verify the signature and compare the received ID with the one in its database.

    If the vendor authenticates a 3rd party device, it would first register it in his database: it would ask for a unique hardware ID of the device (encrypted with the vendor public key) and signed with the device private key. It would also inquire about the public key. This way he can register the device in the database. The next time someone is trying to impersonate the device, he would need to send a hardware ID and sign a challenge. Based on the hardware ID, the vendor will be able to look up the correct public key to validate the challenge signature and authenticate the device.

    The hardware ID is obtained as a form of fingerprint; someone stealing your laptop would not be able to swap the hard drive and impersonate the device.

    The challenge is most likely plain text because it is going to be signed and there is no real benefit to keeping it secret (it is authentication after all).

    Your quote has completely changed the dynamic of the question.
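The registration and challenge-response flow described in the answer above, as an added example that is not part of the original post or any vendor's code. It assumes a hypothetical device whose signing key is generated in software to stand in for the TPM-resident key (in a real deployment the private key never leaves the chip), a hypothetical string hardware ID, and a server-side registry that maps hardware IDs to public keys. The server issues a random single-use challenge, the device signs the challenge bound to its hardware ID, and the server looks up the public key by ID and verifies the signature. The example goes slightly beyond the answer by showing why the challenge must be fresh and one-shot: a replayed signature, an unknown ID, or a different key claiming the same ID are all rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device simulates the TPM side. The private key is generated here only so the
// example runs stand-alone; a real TPM key is created inside the chip and cannot be read.
type Device struct {
	HardwareID string
	priv       *rsa.PrivateKey
}

// NewDevice creates a hypothetical device with a constructed hardware ID.
func NewDevice(hardwareID string) (*Device, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{HardwareID: hardwareID, priv: k}, nil
}

// PublicKey is what the device shares at registration time.
func (d *Device) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// bindChallenge hashes hardware ID and challenge together so the signature
// cannot be lifted and presented under a different ID.
func bindChallenge(hardwareID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(hardwareID))
	h.Write([]byte{0}) // separator between ID and challenge bytes
	h.Write(challenge)
	return h.Sum(nil)
}

// Respond signs the challenge bound to this device's hardware ID (PKCS#1 v1.5, SHA-256).
func (d *Device) Respond(challenge []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, d.priv, crypto.SHA256, bindChallenge(d.HardwareID, challenge))
}

// Server is the cloud application: a registry of hardware ID -> public key,
// plus the one outstanding challenge per device.
type Server struct {
	registry map[string]*rsa.PublicKey
	pending  map[string][]byte
}

func NewServer() *Server {
	return &Server{registry: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the device's public key under its hardware ID (enrollment step).
func (s *Server) Register(hardwareID string, pub *rsa.PublicKey) error {
	if _, exists := s.registry[hardwareID]; exists {
		return errors.New("hardware ID already registered")
	}
	s.registry[hardwareID] = pub
	return nil
}

// Challenge issues 32 random bytes for the device to sign. Plaintext is fine:
// it is transported over TLS and its value is freshness, not secrecy.
func (s *Server) Challenge(hardwareID string) ([]byte, error) {
	if _, ok := s.registry[hardwareID]; !ok {
		return nil, errors.New("unknown hardware ID")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hardwareID] = c
	return c, nil
}

// Verify looks up the key by hardware ID and checks the signature over the
// outstanding challenge. The challenge is consumed first, so a replay fails.
func (s *Server) Verify(hardwareID string, sig []byte) error {
	pub, ok := s.registry[hardwareID]
	if !ok {
		return errors.New("unknown hardware ID")
	}
	challenge, ok := s.pending[hardwareID]
	if !ok {
		return errors.New("no outstanding challenge (replay or out-of-order response)")
	}
	delete(s.pending, hardwareID)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, bindChallenge(hardwareID, challenge), sig)
}

func main() {
	dev, _ := NewDevice("HWID-0001") // constructed hardware ID
	srv := NewServer()
	_ = srv.Register(dev.HardwareID, dev.PublicKey())
	challenge, _ := srv.Challenge(dev.HardwareID)
	sig, _ := dev.Respond(challenge)
	fmt.Println("first response:", srv.Verify(dev.HardwareID, sig))  // <nil>
	fmt.Println("replayed response:", srv.Verify(dev.HardwareID, sig)) // error
}
```

The single-use `pending` entry is what turns "sign this string" into authentication: without it, a captured signature could be replayed indefinitely. Binding the hardware ID into the signed hash is the check that makes the database lookup meaningful, since a signature valid for one registered ID does not verify under another.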


