Verifying Device Identity with TPMs
| Talk Title | Verifying Device Identity with TPMs |
| Speakers | Matthew Garrett (Security developer, Google), Brandon Weeks (Security Engineer, Google) |
| Conference | Open Source Summit + ELC Europe |
| Conf Tag | |
| Location | Lyon, France |
| Date | Oct 27-Nov 1, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
There are many cases where you'd like to know exactly which computer you're talking to. Sometimes it's because you're SSHing to a remote machine and you'd like to verify your connection isn't being intercepted. Sometimes it's because you're a VPN server and you'd like to ensure that the client is actually one of your computers, not just pretending to be one.

But what defines machine identity? You could just issue each machine with a key when it's initially enrolled, but what stops an attacker from copying it off the machine and creating as many fake computers as they want?

Most modern systems include a Trusted Platform Module, a small cryptographic device that has its own unique cryptographic identity and securely stores encryption keys. In this presentation we will demonstrate how the TPM can be used to solve the machine identity problem, making SSH trust on first use a thing of the past and ensuring that only trusted machines are able to gain access to your network infrastructure.