1.3 Overview
When a drive volume is protected by a full volume encryption solution, with the data stored on the volume encrypted under a full volume encryption key, the solution usually offers several ways for a user to authenticate. Each of these authentication methods yields the full volume encryption key, or a proxy for it, so that the user can access the data seamlessly. Examples of authentication mechanisms for this type of solution include password entry, smart card-based authentication, and authentication using system integrity measurements and a trusted platform module (TPM).
The Network Key Protector Unlock Protocol (NKPU) provides a different kind of authentication for this type of encryption solution: some or all of the information required for authentication is sent to a network server, decrypted by the server, and then returned to the authorized client computer in response to the client's request.
This specification provides details about how the Network Key Protector Unlock Protocol performs authentication. It also describes the following NKPU capabilities:
The client can securely broadcast key material and a session key, with both of these encrypted using a public key.
The server, upon successfully decrypting the request content with the private key corresponding to the public key that was used to make the request, can securely unicast a reply of the key material to the client that sent the request by using the session key sent by the client.
Both the request and reply messages are sent in DHCP packets, with the key material and/or session key carried in the packet via DHCP options [RFC2132] [RFC3315].
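The following Go program is an added illustration of the request/reply flow just described, not code from the NKPU specification or from any implementation of it. It models the two capabilities generically: the client seals a fresh session key together with its key material under the server's public key, the server recovers both only if it holds the matching private key, and the reply carries the key material back encrypted under that session key. The cipher choices (RSA-OAEP with SHA-256, AES-256-GCM), the message layouts, the function names and the sample key material are all assumptions made for this example; the specification's actual structures and their DHCP option encoding are defined in later sections and are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sessionKeyLen is the length of the client's fresh AES-256 session key.
// RSA-OAEP and AES-GCM are assumptions for this illustration, not the
// algorithms or structures the NKPU specification defines.
const sessionKeyLen = 32

// Request models the client's broadcast: session key followed by key
// material, sealed together under the server's public key.
type Request struct{ Sealed []byte }

// Reply models the server's unicast: the key material encrypted and
// authenticated under the client's session key.
type Reply struct {
	Nonce      []byte
	Ciphertext []byte
}

// ClientBuildRequest generates a session key and seals it, followed by the
// key material, to the server's public key. The client keeps the session
// key so that it can open the reply later.
func ClientBuildRequest(serverPub *rsa.PublicKey, keyMaterial []byte) (Request, []byte, error) {
	sessionKey := make([]byte, sessionKeyLen)
	if _, err := rand.Read(sessionKey); err != nil {
		return Request{}, nil, err
	}
	plaintext := append(append([]byte{}, sessionKey...), keyMaterial...)
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, plaintext, nil)
	if err != nil {
		return Request{}, nil, err
	}
	return Request{Sealed: sealed}, sessionKey, nil
}

// ServerHandleRequest decrypts the request with the server's private key.
// Only a server holding the matching private key recovers the session key,
// and only then does it produce a reply carrying the key material.
func ServerHandleRequest(serverPriv *rsa.PrivateKey, req Request) (Reply, error) {
	plaintext, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, req.Sealed, nil)
	if err != nil {
		return Reply{}, errors.New("request is not sealed to this server's public key")
	}
	if len(plaintext) <= sessionKeyLen {
		return Reply{}, errors.New("request carries no key material")
	}
	sessionKey, keyMaterial := plaintext[:sessionKeyLen], plaintext[sessionKeyLen:]
	aead, err := newGCM(sessionKey)
	if err != nil {
		return Reply{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Reply{}, err
	}
	return Reply{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, keyMaterial, nil)}, nil
}

// ClientOpenReply authenticates and decrypts the reply with the client's own
// session key. A reply from a party that never recovered that key, or one
// modified in transit, fails the GCM tag check here.
func ClientOpenReply(sessionKey []byte, rep Reply) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rep.Nonce, rep.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RunExchange performs one full round trip and reports whether the client
// recovered exactly the key material it sent.
func RunExchange(serverPriv *rsa.PrivateKey, keyMaterial []byte) (bool, error) {
	req, sessionKey, err := ClientBuildRequest(&serverPriv.PublicKey, keyMaterial)
	if err != nil {
		return false, err
	}
	rep, err := ServerHandleRequest(serverPriv, req)
	if err != nil {
		return false, err
	}
	got, err := ClientOpenReply(sessionKey, rep)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, keyMaterial), nil
}

func main() {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample key material (32 bytes); not a value from the specification.
	ok, err := RunExchange(serverKey, []byte("constructed 32-byte key material"))
	fmt.Println("client recovered key material:", ok, err)
}
```

Two properties of the described design are visible in the model: a server that does not hold the private key corresponding to the public key used by the client cannot decrypt the request at all, so it never learns the session key and cannot produce a reply the client will accept; and because the reply is protected under a session key that only the requesting client and the server know, a reply that is altered in transit, or that is sent by any other party, is rejected by the client.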