Saturday, December 19, 2015

TPM authentication in OpenVPN and PuTTY SSH

With my new laptop I wanted to ensure my private keys would be safe. This is a brief summary of the steps I've taken to use a private key in my laptop's TPM to authenticate with OpenVPN and SSH.

UPDATE 2022-04-13:
I've switched to putty-pkix [6] because I had issues with newer OpenSSH only allowing SHA256 signatures and Pageant not providing valid responses.

agent key RSA SHA256:L1iUIhjfKejEONe0TFU3TaWkNwE2O0xWF/09K7P8WnA returned incorrect signature type

Create a virtual smart card

Ensure the TPM is activated.
Run:
tpm.msc

Start a Command Prompt as admin.
Create a Virtual Smart Card [1].
Run:
tpmvscmgr.exe create /name "[hostname] VSC" /pin prompt /adminkey random /generate

Enter PIN:
********
Confirm PIN:
********
Creating TPM Smart Card...
Initializing the Virtual Smart Card component...
Creating the Virtual Smart Card component...
Initializing the Virtual Smart Card Simulator...
Creating the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card Reader...
Creating the Virtual Smart Card Reader...
Waiting for TPM Smart Card Device...
Authenticating to the TPM Smart Card...
Generating filesystem on the TPM Smart Card...
TPM Smart Card created.
Smart Card Reader Device Instance ID = ROOT\SMARTCARDREADER\0000

Generate a signing request and have the request signed to obtain a certificate.

Create a request template in Notepad and save this as TPM-cert-template.inf [2].
[NewRequest]
Subject = "CN=[hostname],O=[Organisation],L=[Location],ST=[State],C=[Country]"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80

Then generate a Certificate Request (CSR):
certreq -new -f TPM-cert-template.inf TPM-cert.csr

Send the CSR to your CA and have it signed. You should get a certificate in return.

Install the certificate

Double click the received certificate file (most likely .crt or .cer).
Click on the "Install certificate" button and follow the wizard.

When it's done, obtain the certificate's thumbprint from the "Thumbprint" field on the Details tab of the certificate.

Configure OpenVPN to use the cryptoapi and certificate

Edit the OpenVPN profile.
Instead of "cert" and "key", configure "cryptoapicert" with the certificate's thumbprint:
cryptoapicert "THUMB:92 50 9d ea 52 f4 95 ee be a1 c0 4f ab f8 a2 2b 4d 91 0c 0a"

Save the profile and connect.
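Rather than copying the thumbprint out of the Details tab by hand, the following added example (not part of the original post) selects the certificate from the user's personal store, checks that its key usage and key container match what the request template above asked for (Digital Signature only, key held by the smart card CSP, not exportable) and emits the "cryptoapicert" line in the format shown above. It assumes Windows PowerShell 5.1 on the laptop that holds the virtual smart card, and that the CN in the request was the computer name.

```powershell
# Added example: find the TPM-backed certificate and build the OpenVPN cryptoapicert line.
# Assumes Windows PowerShell 5.1 and that the request's CN was the computer name.
function Get-OpenVpnCryptoApiCertLine {
    param(
        [Parameter(Mandatory)][string]$HostName,   # CN used in the INF's Subject line
        [string]$ExpectedProvider = 'Microsoft Base Smart Card Crypto Provider'
    )
    $digitalSignature = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)" -and
        $_.NotAfter -gt (Get-Date)
    }
    foreach ($cert in $candidates) {
        # KeyUsage = 0x80 in the request template means Digital Signature; skip certs without it.
        $kuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        if ($kuExt -and -not ($kuExt.KeyUsages -band $digitalSignature)) { continue }

        # Confirm the private key lives in the smart card CSP and is not exportable.
        # Opening the key container requires the virtual smart card reader to be present.
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info.ProviderName -ne $ExpectedProvider -or $info.Exportable) {
                Write-Warning "$($cert.Thumbprint): key not in '$ExpectedProvider' or exportable; skipping"
                continue
            }
        } catch {
            Write-Warning "$($cert.Thumbprint): could not inspect private key ($_); skipping"
            continue
        }

        # OpenVPN accepts the SHA-1 thumbprint as lowercase hex pairs separated by spaces.
        $pairs = ($cert.Thumbprint.ToLower() -split '(..)' | Where-Object { $_ }) -join ' '
        return "cryptoapicert `"THUMB:$pairs`""
    }
    throw "No usable TPM-backed certificate for CN=$HostName in Cert:\CurrentUser\My"
}

# Print the line to paste into the OpenVPN profile.
Get-OpenVpnCryptoApiCertLine -HostName $env:COMPUTERNAME
```

Certificates whose key turns out to be exportable or held by a software provider are reported and skipped, which catches a request that silently fell back to a software key.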

Enable SSH authentication with the Virtual SmartCard

Download and install puttywincrypt [3].
Configure PuTTY to use the certificate under Connection -> SSH -> Auth by entering [4]:
cert://*

Update: WinSCP

WinSCP turned out to work with the certificate through Pageant when using "SCP" as the protocol and checking the "Attempt authentication using Pageant" checkbox under SSH, Authentication.

Update: Listing smart card readers
wmic path win32_PnPEntity where "DeviceID like '%smartcardreader%'" get Caption,DeviceID

Update: Dell XPS 13
After updating my XPS 13's TPM firmware to 2.0 I was no longer able to use the TPM certificate for authentication. Trying to revert to firmware 1.2, which had been working before, failed with the error "Invalid source version". Contacting Dell did not help. They answered my mails for support with links to online content that I had already found or that was irrelevant, and finally let me know "TPM is not supported by [Dell]. If the problem is not solved I advise you to contact Intel." Thanks to a post I found on Reddit [5] I was finally able to revert to version 1.2 and issue a new certificate.

Sources used
[1] https://technet.microsoft.com/en-us/library/dn579260.aspx
[2] http://beaukey.blogspot.nl/2014/12/openvpn-using-tpm-to-secure-identities.html
[3] http://sourceforge.net/projects/puttywincrypt/
[4] http://sourceforge.net/p/puttywincrypt/wiki/README/
[5] https://www.reddit.com/r/Dell/comments/56a3wn/cant_downgrade_bios_xps_13_9350/