# A Comprehensive Formal Security Analysis and Revision of the Two-phase   Key Exchange Primitive of TPM 2.0

**Authors:** Qianying Zhang, Shijun Zhao

arXiv: 1906.06653 · 2020-07-07

## TL;DR

This paper provides a formal security analysis of TPM 2.0's two-phase key exchange primitive, identifies limitations, and proposes a revision that enhances its security for practical real-world applications.

## Contribution

It introduces the first formal security model for TPM 2.0's key exchange and proposes a revision to overcome practical limitations.

## Key findings

- Original key exchange primitive is secure under certain conditions.
- Proposed revision removes impractical limitations.
- Revised primitive achieves modern AKE security properties.

## Abstract

The Trusted Platform Module (TPM) version 2.0 provides a two-phase key exchange primitive which can be used to implement three widely-standardized authenticated key exchange protocols: the Full Unified Model, the Full MQV, and the SM2 key exchange protocols. However, vulnerabilities have been found in all of these protocols. Fortunately, it seems that the protections offered by TPM chips can mitigate these vulnerabilities. In this paper, we present a security model which captures TPM's protections on keys and protocols' computation environments and in which multiple protocols can be analyzed in a unified way. Based on the unified security model, we give the first formal security analysis of the key exchange primitive of TPM 2.0, and the analysis results show that, with the help of hardware protections of TPM chips, the key exchange primitive indeed satisfies the well-defined security property of our security model, but unfortunately under some impractical limiting conditions, which would prevent the application of the key exchange primitive in real-world networks. To make TPM 2.0 applicable to real-world networks, we present a revision of the key exchange primitive of TPM 2.0, which can be secure without the limiting conditions. We give a rigorous analysis of our revision, and the results show that our revision achieves not only the basic security property of modern AKE security models but also some further security properties.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.06653/full.md

## Figures

3 figures with captions in the complete paper: https://tomesphere.com/paper/1906.06653/full.md

## References

55 references — full list in the complete paper: https://tomesphere.com/paper/1906.06653/full.md

---
Source: https://tomesphere.com/paper/1906.06653