Transferring Sensitive Data

Some of the data that is transferred between client and server is of a sensitive nature and needs to be protected. An example of sensitive data is a password. The IIS IMSAdminBaseW Remote Protocol defines a way to protect sensitive data transferred in the METADATA_RECORD or METADATA_GETALL_RECORD structures.

When the client expects to transfer sensitive data, it initiates negotiation of a secure session. The secure session is negotiated by processing the R_KeyExchangePhase1 and R_KeyExchangePhase2 calls. 512-bit RSA key exchange keys are used to exchange 40-bit RC4 session keys, one for the client and one for the server, and those session keys are used to encrypt data over the wire. An MD5 hash signed with 512-bit RSA signature keys is used for message integrity checks.<1> Note that all three parameters are weak by current standards: a 40-bit RC4 key can be recovered by exhaustive search, 512-bit RSA moduli have been factored publicly, and MD5 is not collision resistant, so this mechanism should be treated as a thin layer over whatever protection the underlying transport already provides.

There are four methods that take advantage of this protection: R_GetData, R_EnumData, R_GetAllData, and R_SetData.

Sensitive data is marked with the METADATA_SECURE flag in the dwMDAttributes member of the METADATA_RECORD or METADATA_GETALL_RECORD structure.<2>
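The following Python model, added here as an illustration and not taken from the protocol specification or any IIS code, shows the shape of the scheme described above: each side holds a key-exchange key pair and a signature key pair, each side's 40-bit RC4 session key is RSA-encrypted for the peer, records flagged METADATA_SECURE are RC4-encrypted while unflagged records cross in the clear, and an MD5 hash signed with the sender's signature key is checked before the receiver trusts the bytes. RC4 and MD5 are the real algorithms the text names. The RSA is textbook RSA over small known primes standing in for the 512-bit keys, the two-phase message layout, the per-record signing and the hash coverage are this example's own simplifications rather than the real R_KeyExchangePhase1/R_KeyExchangePhase2 wire format, the METADATA_SECURE value 0x4 is taken from iiscnfg.h, and the names Party, negotiate and demo exist only for this example.

```python
import hashlib
import os
from dataclasses import dataclass

METADATA_SECURE = 0x00000004  # dwMDAttributes bit marking a record sensitive (iiscnfg.h)
SESSION_KEY_BYTES = 5         # 40-bit RC4 session key, as the text states


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA). The real cipher named in the text; same op both ways."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int = 0  # zero in a public copy

    def public(self) -> "RsaKey":
        return RsaKey(self.n, self.e)


def toy_rsa_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Textbook RSA from two known primes, a stand-in for the 512-bit keys (toy only)."""
    return RsaKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


class Party:
    """One endpoint: its key-exchange and signature pairs, its own outbound
    session key and, after negotiation, the peer's session key and signature key."""

    def __init__(self, exch: RsaKey, sig: RsaKey):
        self.exch, self.sig = exch, sig
        self.send_key = os.urandom(SESSION_KEY_BYTES)
        self.peer_recv_key, self.peer_sig_pub = b"", None

    def wrap_session_key(self, peer_exch_pub: RsaKey) -> int:
        # Our session key, RSA-encrypted under the peer's key-exchange public key.
        return pow(int.from_bytes(self.send_key, "big"), peer_exch_pub.e, peer_exch_pub.n)

    def accept_session_key(self, wrapped: int, peer_sig_pub: RsaKey) -> None:
        # Recover the peer's session key with our key-exchange private key.
        m = pow(wrapped, self.exch.d, self.exch.n)
        self.peer_recv_key, self.peer_sig_pub = m.to_bytes(SESSION_KEY_BYTES, "big"), peer_sig_pub

    def send_record(self, attributes: int, data: bytes) -> dict:
        """Simplified METADATA_RECORD: only METADATA_SECURE data is RC4-encrypted;
        the MD5 of the wire bytes is signed with our signature key (example layout)."""
        body = rc4(self.send_key, data) if attributes & METADATA_SECURE else data
        digest = int.from_bytes(hashlib.md5(body).digest(), "big")
        return {"dwMDAttributes": attributes, "pbMDData": body,
                "signature": pow(digest, self.sig.d, self.sig.n)}

    def receive_record(self, rec: dict) -> bytes:
        digest = int.from_bytes(hashlib.md5(rec["pbMDData"]).digest(), "big")
        if pow(rec["signature"], self.peer_sig_pub.e, self.peer_sig_pub.n) != digest:
            raise ValueError("signed MD5 does not match: record altered in transit")
        if rec["dwMDAttributes"] & METADATA_SECURE:
            return rc4(self.peer_recv_key, rec["pbMDData"])
        return rec["pbMDData"]


def negotiate(client: Party, server: Party) -> None:
    """Two phases as modelled here (the real R_KeyExchangePhase1/2 layout differs):
    the server's session key is wrapped for the client, then the client's for the server."""
    client.accept_session_key(server.wrap_session_key(client.exch.public()), server.sig.public())
    server.accept_session_key(client.wrap_session_key(server.exch.public()), client.sig.public())


def demo() -> dict:
    # Eight distinct known primes; the moduli are deliberately far below 512 bits.
    client = Party(toy_rsa_key(2**31 - 1, 2**19 - 1), toy_rsa_key(2**61 - 1, 2**89 - 1))
    server = Party(toy_rsa_key(4294967291, 2**17 - 1), toy_rsa_key(2**107 - 1, 2**127 - 1))
    negotiate(client, server)
    password = b"P@ssw0rd!"                         # constructed sample value
    secure = client.send_record(METADATA_SECURE, password)
    plain = client.send_record(0, b"/LM/W3SVC/1")   # constructed, not sensitive
    body = secure["pbMDData"]
    tampered = dict(secure, pbMDData=bytes([body[0] ^ 0x01]) + body[1:])
    try:
        server.receive_record(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"secure_encrypted_on_wire": body != password,
            "plain_clear_on_wire": plain["pbMDData"] == b"/LM/W3SVC/1",
            "server_recovers_password": server.receive_record(secure),
            "tamper_detected": tamper_detected}
```

Running demo() shows the two properties the text implies: the flagged record is unreadable on the wire and is recovered intact by the server, while the record without METADATA_SECURE travels as plaintext, and a single flipped ciphertext byte fails the signed-hash check before decryption is attempted. Each direction uses its own session key, so a record the server sends back would be encrypted under the server's key, not the client's.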