# What's the difference between the endorsement key and the attestation identity key within the TPM?

Information Security Asked by BetaInProgress on January 4, 2022

I’m trying to make notes about the TPM and what it does. More specifically I’m looking at the 3 RSA key pairs: the ‘endorsement key’, the ‘storage root key’ and the ‘attestation identity key’.

This is what I have written so far:

The ‘Endorsement Key’ is an RSA key pair where any data sent to another device is encrypted using the private key and the receiving device decrypts it with the public key, so it knows the data is trusted. This is created when the TPM is manufactured (not user-specific).

The ‘Storage Root Key’ is a pair of RSA keys within the TPM and is used to protect TPM-protected keys created by applications and stored outside of the TPM, so that these keys cannot be used without the TPM. It’s created when you take ownership of the TPM (if the user changes, so does the key).

However, I am now trying to research the use of the attestation identity key, but I don't understand how it is different from the endorsement key. If anyone could explain in simple terms, because this is all new to me, I would greatly appreciate it 🙂

Unfortunately there is not a single source of truth about attestation. I'll try to make it as clear as possible and cite when necessary.

TL;DR: The Endorsement Key is used to prove that you are talking to a real TPM. However, it cannot be used for signing. The AK can be used for signing and is associated with the EK.

# Endorsement Key

You can consider the Endorsement Key (EK) fixed per TPM. Actually, the EK is the primary key of the endorsement hierarchy. As such, it depends on the Endorsement Primary Seed (EPS), which is really fixed for the lifetime of the TPM, and a so-called template which e.g. determines if the EK is an RSA or an ECC key.

```text
              EPS (random, can never be changed)
                 |
              +-----+
 template  -> | KDF |
              +-----+
                 |
                 V
                 EK
```


Assuming you use the default template, the EK is unique and not changeable for the TPM. You cannot change it ever. This raises privacy concerns which I will cover later. Also note that the EK private key will never be disclosed by the TPM.

Additionally, a TPM typically provides an Endorsement Certificate (chain) which is saved on the TPM storage (e.g. ECC EK certificate: NV index 0x01c0000a, see TCG EK Credential Profile). This EK certificate contains the EK public key and is signed by the manufacturer. With that certificate you can verify that the EK public key is associated with a genuine hardware TPM produced by the manufacturer.

I mentioned earlier that disclosing the EK public key would violate our privacy (since we can never change it). Therefore, the TPM will not allow us to use the EK for signing. That is the reason why we need an Attestation Key (AK), previously also called Attestation Identity Key (AIK).

# Storage Root Key

The Storage Root Key (SRK) is easy. It is the primary key of the owner hierarchy, that is, the "father of all (normal) keys". All keys used by the owner of the TPM for signing and encryption are usually associated with the owner hierarchy and thus children (or grandchildren etc.) of the SRK. In fact, being a child of the SRK means internally being encrypted (= wrapped) by the SRK.

# Attestation Keys

Now comes the tricky part. The term Attestation Key (AK), previously Attestation Identity Key (AIK), is defined very loosely. Basically any (restricted) signing key can be an AK.

TPM Spec Part 1, 25.3.1:

> A restricted signing key is occasionally referred to in this specification as an Attesting or Attestation Key.

The purpose of AKs is to sign data (e.g. PCR values) to prove that they originate from a real TPM (without having been tampered with). Remember, we cannot use the EK for signing directly.

There are two types of AKs I know of.

### AK with AK Certificate

First, the AK specified in the TPM Spec Part 1, 9.5.3.1. Basically, there is a trusted third party called the Attestation CA with its own root key and root certificate. The Attestation CA a) verifies whether a TPM is genuine via its EK Certificate and b) issues AK certificates if the TPM is genuine.

Now, different AKs and their corresponding AK Certificates can be used for attestation for different services (e.g. Google, Facebook). The service providers use the Attestation CA root certificate to verify whether the TPM is genuine.

> An external entity called an "Attestation CA" attests to an asymmetric key pair [AK] in a TPM in order to vouch that a key is protected by an unidentified but genuine TPM and has particular properties. This attestation takes the form of a credential [AK Certificate] that vouches for information including the public key of the key pair.

Usually, this type of AK is associated with the owner hierarchy and thus a child (or grandchild etc.) of the SRK.

I think this tutorial might be helpful.

### AK associated with the Endorsement Hierarchy

There is a second approach to AKs. As I explained, the EK cannot be used for signing directly. However, it can be used to wrap (= encrypt) other keys. Therefore, you can create a signing key (AK) associated with the endorsement hierarchy.

Again, the service provider needs a mechanism to prove that a TPM is associated with a good EK / EK Certificate. In this case, the AK used is encrypted (= wrapped) by the EK. Only if a TPM can load (= decrypt) the AK under its unique EK and use it to sign data is it a genuine TPM. In this case, the TPM loses its anonymity, since the service provider needs to know its EK.

This approach is briefly described in this talk at LCA 2020 by Matthew Garrett.

Answered by MemAllox on January 4, 2022
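The following Go program is an added example, not code from the answer above or from any TPM implementation. It illustrates the two points the answer makes: the EK is a deterministic function of the EPS and a template (so it can never change and its public key identifies the TPM), and attestation is done by a separate restricted signing key, the AK, that an Attestation CA vouches for after checking the EK. Everything in it is a simplified model and every name is an assumption: the KDF is a single block of KDFa, the manufacturer's EK certificate chain is replaced by a set of endorsed EK fingerprints, the AK certificate is just the CA's signature over the AK public key, and the seed, template, nonce and PCR values are constructed. The MakeCredential/ActivateCredential exchange that binds the AK to the EK is deliberately left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// DeriveEK models the answer's diagram: EPS and template go through a KDF and the
// output becomes the ECC private scalar, so the same EPS and template always give
// the same EK. The KDF is one block of KDFa (SP800-108 counter mode, as in the TPM).
func DeriveEK(eps, template []byte) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, eps) // HMAC(EPS, counter || "EK" || 0x00 || template || bits)
	mac.Write(append(append([]byte{0, 0, 0, 1, 'E', 'K', 0}, template...), 0, 0, 1, 0))
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(mac.Sum(nil)) // reduce into [1, n-1] (a real TPM retries the KDF instead)
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1))).Add(d, big.NewInt(1))
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

func Fingerprint(p *ecdsa.PublicKey) []byte { // for the EK this stands in for the EK certificate's subject
	s := sha256.Sum256(append(p.X.FillBytes(make([]byte, 32)), p.Y.FillBytes(make([]byte, 32))...))
	return s[:]
}

// AKCertificate models the CA's credential (a signature over the AK public key); Quote models TPM2_Quote output.
type AKCertificate struct{ AKPub *ecdsa.PublicKey; Sig []byte }
type Quote struct{ PCRDigest, Sig []byte }

// IssueAKCert is the Attestation CA: it vouches for an AK only when the presenting EK is
// in the manufacturer-endorsed set (standing in for an EK certificate chain). Not modelled:
// the MakeCredential/ActivateCredential exchange proving the AK sits in the same TPM as that EK.
func IssueAKCert(caKey *ecdsa.PrivateKey, genuineEKs map[string]bool, ekPub, akPub *ecdsa.PublicKey) (AKCertificate, error) {
	if !genuineEKs[string(Fingerprint(ekPub))] {
		return AKCertificate{}, errors.New("EK is not endorsed by a known manufacturer")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, caKey, Fingerprint(akPub))
	return AKCertificate{AKPub: akPub, Sig: sig}, err
}

// MakeQuote is the TPM side: the restricted signing key (AK) signs the digest of the PCR
// values bound to the verifier's nonce. The EK signs nothing.
func MakeQuote(ak *ecdsa.PrivateKey, nonce []byte, pcrs [][]byte) (Quote, error) {
	d := sha256.Sum256(bytes.Join(pcrs, nil))
	m := sha256.Sum256(append(append([]byte{}, nonce...), d[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, ak, m[:])
	return Quote{PCRDigest: d[:], Sig: sig}, err
}

// VerifyQuote is the service provider: it trusts the Attestation CA and never learns the EK.
// It checks the AK certificate, then the signature over its own nonce, then the PCR digest.
func VerifyQuote(caPub *ecdsa.PublicKey, cert AKCertificate, nonce []byte, q Quote, expected [][]byte) error {
	if !ecdsa.VerifyASN1(caPub, Fingerprint(cert.AKPub), cert.Sig) {
		return errors.New("AK certificate not signed by the Attestation CA")
	}
	if m := sha256.Sum256(append(append([]byte{}, nonce...), q.PCRDigest...)); !ecdsa.VerifyASN1(cert.AKPub, m[:], q.Sig) {
		return errors.New("quote signature invalid (wrong AK or replayed nonce)")
	}
	if want := sha256.Sum256(bytes.Join(expected, nil)); !bytes.Equal(q.PCRDigest, want[:]) {
		return errors.New("PCR digest does not match the expected measurements")
	}
	return nil
}

// RunAttestationFlow wires TPM, Attestation CA and service provider together: eps is the seed fixed
// at manufacture, ekEndorsed whether the manufacturer vouched for this EK, reported/expected the PCRs.
func RunAttestationFlow(eps []byte, ekEndorsed bool, reported, expected [][]byte) error {
	ek := DeriveEK(eps, []byte("constructed-ecc-p256-template"))
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the separate restricted signing key
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, err := IssueAKCert(caKey, map[string]bool{string(Fingerprint(&ek.PublicKey)): ekEndorsed}, &ek.PublicKey, &ak.PublicKey)
	if err != nil {
		return err
	}
	nonce := make([]byte, 16) // verifier's freshness challenge
	rand.Read(nonce)
	q, err := MakeQuote(ak, nonce, reported)
	if err != nil {
		return err
	}
	return VerifyQuote(&caKey.PublicKey, cert, nonce, q, expected)
}

func main() {
	eps, tmpl := []byte("constructed EPS, fixed at manufacture"), []byte("constructed-ecc-p256-template")
	fmt.Println("same EPS+template -> same EK:", bytes.Equal(Fingerprint(&DeriveEK(eps, tmpl).PublicKey), Fingerprint(&DeriveEK(eps, tmpl).PublicKey)))
	good, bad := [][]byte{bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)}, [][]byte{bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x33}, 32)} // constructed PCR values
	fmt.Println("genuine TPM, expected PCRs:", RunAttestationFlow(eps, true, good, good))
	fmt.Println("genuine TPM, tampered PCRs:", RunAttestationFlow(eps, true, bad, good))
	fmt.Println("EK not endorsed:", RunAttestationFlow(eps, false, good, good))
}
```

Run it with `go run`: the first line prints `true`, the honest flow returns `<nil>`, and the tampered PCRs and the unendorsed EK each return an error. Note what `VerifyQuote` never touches: the EK. That is the privacy property the answer describes for the first approach, and what the second approach (AK wrapped by the EK, verifier knows the EK) gives up. In a real deployment the corresponding steps are `tpm2_createek`, `tpm2_createak`, `tpm2_quote` and `tpm2_checkquote` from tpm2-tools, and the CA additionally runs credential activation so that it knows the AK really is resident in the TPM holding that EK rather than merely presented alongside it.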
