Windows 10 TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS making trouble

S1ngl3t0n 16 Reputation points
2021-07-08T07:55:53.607+00:00

Hi everyone

I just wanted to let you know that we have found an error in combination with TPM-stored RSA certificates and client authentication on TLS 1.2 with newer Windows 10 clients (probably all after 1909).
It seems that a lot of 2.0 TPMs have a problem with RSA PSS.

I wanted to share this problem because we have spent a lot of time identifying the issue. So I hope that other admins will find this post before they spend a lot of time on troubleshooting.

The issue happens during the TLS handshake. The TPM just doesn't sign the CertificateVerify step, as shown in this screenshot:
[screenshot: 112943-1.jpg]

When RSA PSS is disabled on the client, the client uses another cipher to sign the packet, and then it works.
You can disable RSA PSS by following these steps:

  • Back up this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
  • Under Functions, remove the following signature suites from the list:
      • RSAE-PSS/SHA256
      • RSAE-PSS/SHA384
      • RSAE-PSS/SHA512
  • Reboot

After the reboot, the client now uses RSA PKCS1 and the signature step succeeds:
[screenshot: 112928-2.jpg]

The issue was initially identified on an EAP-TLS authentication for an IPsec tunnel, but it also happens with client certificate authentication on HTTPS websites, as both use TLS for the handshake.

Keep in mind that this is only a workaround and should not be used as a final solution. We are currently still working with Microsoft on a solution.
It's still not 100% clear whether it's the TPM that is causing the issue or whether it is the OS.

I will keep you updated...
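The registry change from the post as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell session, that the key path and the value name `Functions` are as listed in the post, and that `Functions` is a REG_MULTI_SZ (the usual type for Schannel's SSL configuration keys). It backs the key up with reg.exe before touching it and refuses to write if nothing would change.

```powershell
# Added example: disable the RSAE-PSS TLS 1.2 signature schemes in Schannel's
# local SSL configuration, the same change the post describes doing by hand.
# Requires an elevated (Administrator) session; a reboot is needed afterwards.
# Assumptions: key path, value name and entry names match the post exactly.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$RegExePath = 'HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$ValueName = 'Functions'
$ToRemove  = @('RSAE-PSS/SHA256', 'RSAE-PSS/SHA384', 'RSAE-PSS/SHA512')

# 1. Back up the whole key so the change can be reverted with `reg import`.
$Backup = Join-Path $env:TEMP ('SSL-00010003-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $RegExePath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
Write-Host "Backup written to $Backup"

# 2. Read the current REG_MULTI_SZ list of enabled signature schemes.
$current = @((Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName)
Write-Host "Current list:`n  $($current -join "`n  ")"

# 3. Drop the PSS entries and keep everything else in its original order.
$filtered = @($current | Where-Object { $ToRemove -notcontains $_ })
if ($filtered.Count -eq $current.Count) {
    Write-Host 'No RSAE-PSS entries present; nothing to change.'
    return
}

# 4. Write the trimmed list back with the same value type.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $filtered -Type MultiString

# 5. Re-read to confirm, then remind about the reboot and the restore path.
$after = @((Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName)
Write-Host "New list:`n  $($after -join "`n  ")"
Write-Host "Reboot required for Schannel to pick this up. Restore with: reg import `"$Backup`""
```

This only changes what Schannel offers in its ClientHello; a server that lists no PSS scheme in its CertificateRequest would have the same effect from the other side. As TryToFix's answer below points out, Chromium-based browsers are not affected by this key, because they carry their own TLS implementation rather than using Schannel.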


7 answers

  1. Robert Schönemann 10 Reputation points
    2023-07-25T09:18:29.3066667+00:00

    This problem gave me the following error when saving the BitLocker recovery key in Azure AD:

    Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
    TraceId: {....}
    Error: Unknown HResult Error code: 0x80072f8f
    

    The problem occurred on Windows 11 version 10.0.22621.

    Removing the 3 registry values helped.

    Output from tpmtool getdeviceinformation:

    -TPM Present: True
    -TPM Version: 2.0
    -TPM Manufacturer ID: IFX
    -TPM Manufacturer Full Name: Infineon
    -TPM Manufacturer Version: 7.63.3353.0
    -PPI Version: 1.3
    -Is Initialized: True
    -Ready For Storage: True
    -Ready For Attestation: True
    -Is Capable For Attestation: True
    -Clear Needed To Recover: False
    -Clear Possible: True
    -Incorrect
    -PCR7 Binding State: Bound
    -Maintenance Task Complete: True
    -TPM Spec Version: 1.16
    -TPM Errata Date: Wednesday, September 21, 2016
    -PC Client Version: 1.00
    -Lockout Information:
        -Is Locked Out: False
        -Lockout Counter: 0
        -Max Auth Fail: 31
        -Lockout Interval: 600s
        -Lockout Recovery: 86400s

  2. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2021-07-09T04:04:04.537+00:00

    Hi,

    Welcome to Q&A platform.

    Please kindly understand that analyzing Wireshark network traffic is beyond our forum's support level. Due to forum security policy, we have no channel to collect user log information, so we recommend you open a case with MS Professional tech support; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while keeping private information private.

    Here is the link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    Best Regards,
    Sunny


  3. TryToFix 1 Reputation point
    2021-09-03T06:38:42.117+00:00

    We have the same issue. In our case, Wireshark only shows "<MISSING>" for the signature attribute.
    Disabling the signature algorithms only helps for Windows SSL, but not for the Chromium engine in the Chrome or Edge browser.

    Please tell me if you have any news.


  4. Ola Magnus Sundlisæter 1 Reputation point
    2022-04-21T13:52:27.77+00:00

    Does it help upgrading TPM version to 7.85.4555.0?


  5. James Edmonds 811 Reputation points
    2022-08-23T14:50:43.72+00:00

    Was there ever any proper solution to this issue?

    We are encountering this with our older TPM 1.2 devices with Always On VPN tunnels using PEAP-TLS, and wondered whether we could have Windows store the certs/keys for the VPN certificates in the software crypto provider rather than in the TPM?

    Cheers
    James
