4.2 Client Requesting Unlock Over DHCPv6
In this example, an NKPU client requests an unlock over DHCPv6 and successfully receives the server response. The following steps describe the message exchanges and processing:
The NKPU client sends a DHCPv6 Information-Request message that includes the DHCPv6 Vendor Class Option structure, as specified in section 2.2.1.1, and the DHCPv6 Vendor Specific Information Option structure, as specified in section 2.2.1.2.
DHCPv6 Vendor Class Option (Option 16) fields, as shown in the packet diagram:
Option Code = 0x0010
Option Length = 0x000F
Enterprise Number = 0x00000137
Vendor Class Data Length = 0x0009
Data String = "BITLOCKER"
DHCPv6 Vendor Specific Information Option (Option 17) fields, as shown in the packet diagram:
Option Code = 0x0011
Option Length = 0x0120
Enterprise Number = 0x00000137
Suboption Code = 0x0001
Suboption Length = 0x0014
Suboption Data = <20-byte hash of the PK ADM element value>
...
Suboption Code = 0x0002
Suboption Length = 0x0100
...
The NKPU server receives the DHCPv6 Information-Request message that includes a Vendor Class Identifier Option structure with the vendor class set to "BITLOCKER", and with other fields of the Information-Request message meeting the requirements specified in section 3.2.5.
To process this message, the NKPU server is required to do the following:
Extract the value of the Thumbprint ADM element from DHCPv6 Vendor Specific Information Option structure Option 17 (0x0011), suboption 1 (0x0001).
Using the value of the Thumbprint ADM element (section 3.1.1), locate the Public Key ADM element (section 3.1.1) and the related Private Key ADM element (section 3.2.1) in the local data store.
Decrypt the KP ADM element (section 3.1.1) data in Option 17 (0x0011), suboption 2 (0x0002).
Using AES-CCM [FIPS197], [RFC3610], encrypt the value of the KPR ADM element (section 3.2.1), in preparation for the reply of the next step.
The NKPU server responds with a DHCPv6 Reply message that includes the DHCPv6 Vendor Class Option structure (section 2.2.1.1) and DHCPv6 Vendor Specific Information Option structure (section 2.2.1.2) containing the KPR ADM element value as the Encrypted Buffer Suboption in the Option Data field.
DHCPv6 Vendor Class Option (Option 16) fields, as shown in the packet diagram:
Option Code = 0x0010
Option Length = 0x000F
Enterprise Number = 0x00000137
Vendor Class Data Length = 0x0009
Data String = "BITLOCKER"
DHCPv6 Vendor Specific Information Option (Option 17) fields, as shown in the packet diagram:
Option Code = 0x0011
Option Length = 0x0028
Enterprise Number = 0x00000137
Suboption Code = 0x0002
Suboption Length = 0x0020
Suboption Data = <KPR ADM element>
...
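The following builder and server-side validator for the Option 16 and Option 17 structures in this section is an added illustration, not code from the MS-NKPU specification or from any Microsoft implementation. The function names are the example's own, the thumbprint and encrypted-buffer bytes are constructed placeholders, and it assumes standard DHCPv6 option framing (2-byte code, 2-byte length, network byte order) for both options and suboptions.

```python
import struct
ENTERPRISE_MS = 0x00000137        # Enterprise Number carried in options 16 and 17
OPT_VENDOR_CLASS = 0x0010         # DHCPv6 Vendor Class Option
OPT_VENDOR_SPECIFIC = 0x0011      # DHCPv6 Vendor Specific Information Option
SUBOPT_THUMBPRINT = 0x0001        # 20-byte hash of the PK ADM element
SUBOPT_ENCRYPTED_BUFFER = 0x0002  # encrypted KP (request) or KPR (reply)
VENDOR_CLASS = b"BITLOCKER"

def build_vendor_class(data=VENDOR_CLASS):
    """Option 16: enterprise number, data length, data string."""
    body = struct.pack("!IH", ENTERPRISE_MS, len(data)) + data
    return struct.pack("!HH", OPT_VENDOR_CLASS, len(body)) + body

def build_vendor_specific(subopts):
    """Option 17: enterprise number, then (code, length, data) suboptions."""
    body = struct.pack("!I", ENTERPRISE_MS)
    for code, data in subopts:
        body += struct.pack("!HH", code, len(data)) + data
    return struct.pack("!HH", OPT_VENDOR_SPECIFIC, len(body)) + body

def parse_tlvs(buf):
    """Split options/suboptions into (code, payload); reject lengths past the end."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length exceeds buffer")
        out.append((code, buf[off:off + length]))
        off += length
    return out

def parse_nkpu_request(buf):
    """Server-side check of the Information-Request options: returns
    (thumbprint, encrypted_kp) only for a well-formed BITLOCKER request."""
    opts = dict(parse_tlvs(buf))
    vc, vsi = opts.get(OPT_VENDOR_CLASS), opts.get(OPT_VENDOR_SPECIFIC)
    if vc is None or vsi is None:
        raise ValueError("options 16 and 17 are both required")
    if vc != build_vendor_class()[4:]:  # exactly 0x137, length 9, "BITLOCKER"
        raise ValueError("vendor class is not BITLOCKER")
    if vsi[:4] != struct.pack("!I", ENTERPRISE_MS):
        raise ValueError("unexpected enterprise number in option 17")
    subs = dict(parse_tlvs(vsi[4:]))
    thumb, kp = subs.get(SUBOPT_THUMBPRINT), subs.get(SUBOPT_ENCRYPTED_BUFFER)
    if thumb is None or len(thumb) != 20 or not kp:
        raise ValueError("missing or malformed NKPU suboptions")
    return thumb, kp
```

Building the request with a 20-byte thumbprint and a 256-byte encrypted buffer reproduces the Option Length of 0x0120 shown above, and a 32-byte reply buffer reproduces 0x0028. Note that dict() keeps the last of any duplicated option or suboption code; a stricter server would reject duplicates outright.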