Secure chips which follow the Trusted Computing Platform Alliance (TCPA) protocols are well known in the art. In the TCPA specification, a “secure chip” is a Trusted Platform Module (TPM). Typically, the TPM resides in a client computer system in a computer network. Among other functions, the TPM generates encryption keys in the form of public/private key pairs for the client to be used on the network. When the keys are not in use, they are stored outside of the TPM in a secure manner in a “daisy chain” fashion.
FIG. 1 illustrates a conventional secure chip key chain. Assume that the secure chip 102 is a TPM. The TPM 102 has its own root key 104. The root key 104 is the mechanism which allows the storage of information by a TPM. The root key 104 comprises a public/private key pair for the TPM 102. The TPM 102 generates more keys, such as keys 106, for the network. At least one of these keys 106 is a migratable key. Each of these keys 106 comprise a public/private key pair. Each of these keys 106 is wrapped using the TPM's 102 public key. The TPM 102 can then generate children keys 108 and wrap them in the key's 106 public key. Other keys 110 may be generated and wrapped in the key's 108 public key. Thus, the chain comprises a child key 110, which is wrapped in the public key of the parent key 108; the parent key 108, which is wrapped in the public key of the grandparent key 106; and the grandparent key 106, which is wrapped in the public key of the TPM 102.
Keys can be of two types according to the TCPA specification: migratable and non-migratable. Migratable keys are particularly relevant to the present invention, and thus only they will be described here. The TCPA specification contains two commands for migrating keys from one TPM to another. The first command is a simple re-wrap command, where a user's key is loaded into a TPM, unwrapped with its parent's key and then re-wrapped with another parent's key. This command can be used for migrating the user's key from one computer system to another during a computer upgrade. The second command is used for storing the user's key with a third party in case of hardware failure. For the second command, it is not known what the parent key of the replacement system will be during the storage, so a third party's public key is used for wrapping.
For the second command, if the third party's key may not be trusted, additional safeguards are provided. Before the key is wrapped, an optimal asymmetric encryption padding (OAEP) is applied and a random number, R, XOR'ed with the result before the final wrapping. This provides protection against the third party using his private key to unwrap the user's key. When the user's key is recalled from the third party, the user provides a public key (associated with the new TPM) to the third party in which to re-wrap the user's key, and then inserts the user's key wrapped with the new TPM's key along with R. The TPM then unwraps the final wrapping, XOR's the result with R, reverses the OAEP and hence recovers the user's key. This key is then loaded into the new TPM. The new TPM re-wraps the key in a normal way, and the re-wrapped key is stored on the hard disk.
However, the private key of the root key 104 in the secure chip 102 may be read by peeling the TPM and examining the hardware. Once the root key 104 is obtained, it may be used to unwrap all of the grandparent keys 106 wrapped with the root key's public key. Having access to the grandparent keys 106 in turn allows the unwrapping of all of the parent keys 108, and then the child keys 110. This results in a serious security breach.
Accordingly, there exists a need for a method for providing improved security with a secure chip. The present invention addresses such a need.