wolfSSH now supports TPM public key authentication with RSA. This feature enhances security for embedded and IoT applications by leveraging TPM 2.0 functionality for client-side authentication. Below is a summary of the key changes that were made in PR# 754.
TPM Public Key Authentication with RSA
PR# 754 provides TPM-based RSA authentication for client-side public key operations to facilitate integration into non-TPM RSA workflows.
Benefits of Using TPM for Public Key Authentication
- Hardware-Backed Security
When using public key authentication, a TPM device can securely store and manage private keys and cryptographic algorithms inside the TPM. Because the private key is loaded securely inside the TPM and used only from within the TPM, this allows for higher security. In this case the TPM device generates and supplies a secure keyblob that holds the private and public key data. wolfSSH reads and verifies this data and formats the key so that the SSH functionality can use it.
- Specialized Performance
While maintaining the lightweight, high-performance aspects of wolfSSH and implementing TPM-based features, wolfSSL has combined the security benefits of hardware-backed key storage and SSH functionality, ensuring robust authentication without compromising efficiency or security.
Testing
To test the SSH TPM-based public key authentication, we developed a comprehensive GitHub CI workflow that tests with and without custom keyauth. The general steps we followed were:
- TPM Simulator:
Ran the TPM 2.0 server from a TPM simulator.
- Key Generation:
Generated a keyblob with wolfTPM’s keygen tool, converting the public key to the SSH format using ssh-keygen.
- Server & Client Setup:
Start the server and supply the base-64 encoded public key: `./examples/echoserver/echoserver -s key.ssh`
Run the client with the TPM 2.0 keyblob and user supplied password: `./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel -K ThisIsMyKeyAuth`
- Testing Command with Debugging:
Used `--enable-debug` to enable debug output and verified functionality through command line debug logs.
The CI test tpm-ssh.yml checks proper operation of TPM-based public key authentication by validating outputs and testing with both a custom and a default keyauth. This process ensures that wolfSSH functions correctly and securely with TPM-based keys.
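The keyblob formatting and the ssh-keygen conversion described above both end in the same artifact: the "ssh-rsa" public key blob that an OpenSSH public key line carries in base64. The following is an added example, not wolfSSH or wolfTPM code, that builds that blob from a raw RSA exponent and modulus per RFC 4253; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Write a 32-bit big-endian length, as used by SSH "string" and "mpint". */
static size_t put_u32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
    return 4;
}

/* Encode an unsigned big-endian integer as an SSH mpint (RFC 4251):
 * strip leading zero bytes, then prepend one 0x00 if the top bit is set
 * so the value is not read as negative.
 * Returns bytes written, or 0 if the output buffer is too small. */
static size_t put_mpint(uint8_t *out, size_t cap, const uint8_t *be, size_t len)
{
    size_t pad;
    while (len > 0 && be[0] == 0) { be++; len--; }
    pad = (len > 0 && (be[0] & 0x80)) ? 1 : 0;
    if (cap < 4 + pad + len) return 0;
    put_u32(out, (uint32_t)(pad + len));
    if (pad) out[4] = 0;
    memcpy(out + 4 + pad, be, len);
    return 4 + pad + len;
}

/* Build the "ssh-rsa" public key blob (RFC 4253, section 6.6):
 * string "ssh-rsa", mpint e, mpint n.
 * Returns the blob length, or 0 if the output buffer is too small. */
size_t ssh_rsa_pub_blob(uint8_t *out, size_t cap,
                        const uint8_t *e, size_t eLen,
                        const uint8_t *n, size_t nLen)
{
    static const char name[] = "ssh-rsa";
    size_t off = 0, w;
    if (cap < 4 + sizeof(name) - 1) return 0;
    off += put_u32(out, (uint32_t)(sizeof(name) - 1));
    memcpy(out + off, name, sizeof(name) - 1);
    off += sizeof(name) - 1;
    if ((w = put_mpint(out + off, cap - off, e, eLen)) == 0) return 0;
    off += w;
    if ((w = put_mpint(out + off, cap - off, n, nLen)) == 0) return 0;
    return off + w;
}
```

RSA moduli normally have the top bit set, so the modulus mpint is one byte longer than the key size; a blob built without that pad byte will not match the key the server was given.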
Conclusion
With TPM public key authentication, wolfSSH combines the best of both worlds: secure private key handling and robust SSH functionality. These changes enhance security without compromising performance, making it an ideal choice for users seeking both ease of use and advanced cryptographic protection.
For more details and steps to get started you can refer to the TPM section in the wolfSSH README. For more information or questions, contact us at facts@wolfSSL.com or +1 425 245 8247.