HP-UX Trusted Computing Services A.02.00 Administrator's Guide

The TSPI library also includes routines that encrypt, decrypt, or sign data using a key protected
by the RK, such as a TCS application key. When these routines are used to decrypt data, the
following events occur (Figure 1-5):
1. The encrypted data is loaded into the TPM together with the TCS application key blob and the
RK key blob.
2. The TPM uses its internal SRK private key to extract and decrypt the RK private key from
the RK key blob.
3. The TPM uses the RK private key to extract and decrypt the TCS application private key from
the TCS application key blob.
4. The TPM decrypts the data using the TCS application private key.
5. The TPM returns the decrypted data to the calling application.
Figure 1-5 TCS Application Key Processing
[Figure: the encrypted data, the application key blob, and the RK key blob are loaded into the
TPM, which holds the SRK. Inside the TPM, the SRK private key unwraps the RK private key, the RK
private key unwraps the application private key, and the application private key processes the
data. Only the decrypted data leaves the TPM.]
A similar sequence of events occurs when data is encrypted or signed with a TCS application
key. Note that the TPM performs the decryption, encryption, and signing operations on its own
processor and never exposes the TCS application key, RK, or SRK private keys during these
operations. Outside the TPM the keys exist only as blobs, and each blob can be unwrapped only by
the parent key it was created under, so the private key inside a blob cannot be used without the
TPM that holds the SRK.
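The following Go program is an added example, not code from this guide or from the HP-UX TCS or
TSPI implementation. It simulates the key chain described above: an SRK that is resident in a
simulated TPM, an RK wrapped to the SRK, and an application key wrapped to the RK, with data bound
to the application public key and then unbound by loading the two blobs in order. Everything about
it is assumed for illustration: the names NewTPM, WrapKey, LoadKey, Unbind, Bind and SRKHandle, the
blob layout (the public key in the clear plus one prime of the private key RSA-OAEP-encrypted to
the parent, from which the TPM rebuilds the rest of the key), 2048-bit keys, and the child keys
being generated on the host rather than on-chip. The real TPM_KEY and TCS blob formats are not
reproduced. The last two lines of main show the caveat from the paragraph above: the application
key blob cannot be loaded under the SRK, because it was wrapped to the RK.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// KeyBlob is the only form in which a child key exists outside the TPM: the public half in the
// clear, one prime of the private key RSA-OAEP-encrypted to the parent. (Assumed layout, not TPM_KEY.)
type KeyBlob struct {
	Public   *rsa.PublicKey
	WrappedP []byte // p, wrapped to the parent; the TPM rebuilds q and d from it and (n, e)
}

// WrapKey generates a child key and wraps it to parent (a real TPM generates the child on-chip).
func WrapKey(parent *rsa.PublicKey) (*KeyBlob, error) {
	child, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, parent, child.Primes[0].Bytes(), nil)
	return &KeyBlob{Public: &child.PublicKey, WrappedP: w}, err
}

const SRKHandle = 1 // handle of the always-resident SRK

// TPM simulates the chip: private keys live only in keys; callers get handles, never keys.
type TPM struct {
	keys      map[int]*rsa.PrivateKey // handle -> private key; handle 1 is the SRK
	SRKPublic *rsa.PublicKey          // the one piece of the SRK the host may read out
}

func NewTPM() (*TPM, error) {
	srk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TPM{keys: map[int]*rsa.PrivateKey{SRKHandle: srk}, SRKPublic: &srk.PublicKey}, nil
}

// LoadKey is steps 2 and 3 of the guide: the parent private key unwraps the blob inside the TPM.
func (t *TPM) LoadKey(parent int, blob *KeyBlob) (int, error) {
	par, ok := t.keys[parent]
	if !ok {
		return 0, errors.New("parent key not loaded")
	}
	pb, err := rsa.DecryptOAEP(sha256.New(), nil, par, blob.WrappedP, nil)
	if err != nil {
		return 0, errors.New("blob is not wrapped to this parent")
	}
	// Rebuild the private key from p and (n, e): q = n/p, d = e^-1 mod (p-1)(q-1).
	p := new(big.Int).SetBytes(pb)
	q := new(big.Int).Div(blob.Public.N, p)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, big.NewInt(1)), new(big.Int).Sub(q, big.NewInt(1)))
	d := new(big.Int).ModInverse(big.NewInt(int64(blob.Public.E)), phi)
	key := &rsa.PrivateKey{PublicKey: *blob.Public, D: d, Primes: []*big.Int{p, q}}
	if d == nil || key.Validate() != nil {
		return 0, errors.New("blob does not unwrap to a valid key")
	}
	key.Precompute()
	h := len(t.keys) + 1 // nothing is ever evicted in this simulation, so this handle is unique
	t.keys[h] = key
	return h, nil
}

// Unbind is steps 4 and 5: decrypt with a loaded key and return only the data.
func (t *TPM) Unbind(h int, ct []byte) ([]byte, error) {
	if k, ok := t.keys[h]; ok {
		return rsa.DecryptOAEP(sha256.New(), nil, k, ct, nil)
	}
	return nil, errors.New("key not loaded")
}

// Bind needs only the public key, so it runs anywhere, with no TPM involved.
func Bind(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	tpm := must(NewTPM())
	rkBlob := must(WrapKey(tpm.SRKPublic))  // provisioning: RK wrapped to the SRK,
	appBlob := must(WrapKey(rkBlob.Public)) // application key wrapped to the RK
	ct := must(Bind(appBlob.Public, []byte("bound to the TCS application key"))) // constructed sample
	rk := must(tpm.LoadKey(SRKHandle, rkBlob)) // steps 1 to 3: RK blob under the SRK,
	app := must(tpm.LoadKey(rk, appBlob))      // then the application blob under the RK
	fmt.Printf("%s\n", must(tpm.Unbind(app, ct))) // steps 4 and 5: only the data comes back
	_, err := tpm.LoadKey(SRKHandle, appBlob) // caveat: a blob loads only under its own parent
	fmt.Println("application blob under the SRK:", err)
}
```

The host side of this program holds only the SRK public key and two blobs; the private keys are
reachable only through handles, which is the property the guide describes. Note that Bind does not
touch the TPM at all, since binding needs only the public key; it is the unbinding that forces the
two LoadKey calls, and therefore possession of the TPM holding the SRK.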
18 Trusted Computing Systems Overview