3.1.4.1.2.2 Processing a ClientWrap Wrapped Secret

If the server chooses to process a ClientWrap wrapped secret that was passed by the client to the BACKUPKEY_RESTORE_GUID_WIN2K interface, it MUST proceed as follows:

1. Process the wrapped secret (supplied in the pDataIn parameter) as specified in section 3.1.4.1.4. If an error is encountered, stop processing and return a non-zero error code. Otherwise, proceed to step 2.

2. Compute the SHA-1 hash [FIPS180-2] of the Nonce field in the AccessCheck structure (section 2.2.2.4). Let EnvKey denote this hash value.

3. Using a cryptographically strong random number generator, generate a 16-byte random value. Call this value EncSalt.

4. Using a cryptographically strong random number generator, generate a 16-byte random value. Call this value MACSalt.

5. Compute the SHA1 HMAC ([RFC2104] section 2) of EncSalt (computed in step 3) with EnvKey as the HMAC key. Denote this value EncKey.

6. Compute the SHA1 HMAC ([RFC2104] section 2) of MACSalt (computed in step 4) with EnvKey as the HMAC key. Denote this value MACKey.

7. Compute the SHA1 HMAC ([RFC2104] section 2) of the unwrapped secret (obtained in step 1) with MACKey as the HMAC key.

8. Create a Recovered Secret structure as specified in section 2.2.6.1. Place the result of step 4 in the MACSalt field, the result of step 7 in the MAC field, and the result of step 1 in the Secret field.

9. Encrypt the result of step 8 with the RC4 algorithm using EncKey (computed in step 5) as the encryption key. For more information on RC4, see [SCHNEIER] section 17.1.

10. Create an Unwrapped Secret structure as specified in section 2.2.6. Set the first four bytes to fixed values as specified in section 2.2.6. Place the result of step 3 in the EncSalt field and the result of step 9 in the RecoveredSecret field.

11. Return success (that is, zero) to the client, with the result of step 10 in the ppDataOut parameter and its length in bytes in the pcbDataOut parameter.