4.2 Client Requesting Unlock Over DHCPv6

In this example, an NKPU client requests an unlock over DHCPv6 and successfully receives the server response. The following steps describe the message exchanges and processing:

  1. The NKPU client sends a DHCPv6 Information-Request message that includes the DHCPv6 Vendor Class Option structure, as specified in section 2.2.1.1, and the DHCPv6 Vendor Specific Information Option structure, as specified in section 2.2.1.2.


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Option Code = 0x0010      |    Option Length = 0x000F     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Enterprise Number = 0x00000137                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Vendor Class Data Len = 0x0009 |      Data String = "BI"       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            "TLOC"                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     "KER"                     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Option Code = 0x0010 (OPTION_VENDOR_CLASS); Option Length = 0x000F (4-byte Enterprise Number + 2-byte Vendor Class Data Length + 9 data bytes); Enterprise Number = 0x00000137; Vendor Class Data Length = 0x0009; Data String = "BITLOCKER" (shown split across 32-bit rows).


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Option Code = 0x0011      |    Option Length = 0x0120     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Enterprise Number = 0x00000137                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Suboption Code = 0x0001    |   Suboption Length = 0x0014   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Suboption Data = <20-byte hash of the PK ADM element value>  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Suboption Code = 0x0002    |   Suboption Length = 0x0100   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Option Code = 0x0011 (OPTION_VENDOR_OPTS); Option Length = 0x0120 (4-byte Enterprise Number + 4-byte header and 0x0014 bytes of data for suboption 1 + 4-byte header and 0x0100 bytes of data for suboption 2); Enterprise Number = 0x00000137; Suboption Code = 0x0001, Suboption Length = 0x0014, Suboption Data = <20-byte hash of the PK ADM element value>; Suboption Code = 0x0002, Suboption Length = 0x0100.

  2. The NKPU server receives the DHCPv6 Information-Request message. The message includes a DHCPv6 Vendor Class Option structure (section 2.2.1.1) with the vendor class data set to "BITLOCKER", and its other fields meet the requirements specified in section 3.2.5.

    To process this message, the NKPU server is required to do the following:

    • Extract the value of the Thumbprint ADM element from suboption 1 (0x0001) of the DHCPv6 Vendor Specific Information Option structure (Option 17, 0x0011).

    • Using the value of the Thumbprint ADM element (section 3.1.1), locate the Public Key ADM element (section 3.1.1) and the related Private Key ADM element (section 3.2.1) in the local data store.

    • Using the Private Key ADM element, decrypt the KP ADM element (section 3.1.1) data carried in suboption 2 (0x0002) of Option 17 (0x0011).

    • Using AES-CCM [FIPS197], [RFC3610], encrypt the value of the KPR ADM element (section 3.2.1) for the Reply message sent in the next step.

  3. The NKPU server responds with a DHCPv6 Reply message that includes the DHCPv6 Vendor Class Option structure (section 2.2.1.1) and the DHCPv6 Vendor Specific Information Option structure (section 2.2.1.2), whose Option Data field carries the encrypted KPR ADM element value in the Encrypted Buffer Suboption (suboption 2, 0x0002).


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Option Code = 0x0010      |    Option Length = 0x000F     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Enterprise Number = 0x00000137                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Vendor Class Data Len = 0x0009 |      Data String = "BI"       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            "TLOC"                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     "KER"                     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Option Code = 0x0010 (OPTION_VENDOR_CLASS); Option Length = 0x000F; Enterprise Number = 0x00000137; Vendor Class Data Length = 0x0009; Data String = "BITLOCKER" (shown split across 32-bit rows). This option is identical to the one in the client's Information-Request.


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Option Code = 0x0011      |    Option Length = 0x0028     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Enterprise Number = 0x00000137                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Suboption Code = 0x0002    |   Suboption Length = 0x0020   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |              Suboption Data = <KPR ADM element>               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Option Code = 0x0011 (OPTION_VENDOR_OPTS); Option Length = 0x0028 (4-byte Enterprise Number + 4-byte suboption header + 0x0020 data bytes); Enterprise Number = 0x00000137; Suboption Code = 0x0002, Suboption Length = 0x0020, Suboption Data = <KPR ADM element>.
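The three steps above, as an added worked example that is not part of [MS-NKPU] and not Microsoft's implementation: the Python below builds the Option 16 and Option 17 structures of the client's Information-Request, performs the server's structural checks of step 2 (exactly one Option 16 and one Option 17, Microsoft enterprise number 0x137, "BITLOCKER" vendor class, suboption lengths that stay inside their option, a 20-byte suboption 1, no duplicate suboptions) and builds the Reply. The private-key decryption of the KP and the AES-CCM encryption of the KPR are outside this block; its inputs (a 20-byte thumbprint, a 256-byte encrypted KP and a 32-byte encrypted KPR) are constructed placeholders sized to match the diagrams, and all function names are this example's own.

```python
import struct

# Constants from the page: Microsoft enterprise number 0x137 (311), DHCPv6
# Option 16 (vendor class) and Option 17 (vendor-specific information), the
# "BITLOCKER" vendor class, and NKPU suboptions 1 (thumbprint) and 2 (buffer).
MICROSOFT_ENTERPRISE = 0x00000137
OPTION_VENDOR_CLASS = 0x0010
OPTION_VENDOR_OPTS = 0x0011
VENDOR_CLASS_DATA = b"BITLOCKER"
SUBOPT_THUMBPRINT = 0x0001
SUBOPT_ENCRYPTED_BUFFER = 0x0002
THUMBPRINT_LEN = 20


def encode_tlv(code, data):
    """One DHCPv6 option or NKPU suboption: 16-bit code, 16-bit length, data."""
    if len(data) > 0xFFFF:
        raise ValueError("data too long for a 16-bit length field")
    return struct.pack("!HH", code, len(data)) + bytes(data)


def decode_tlvs(buf):
    """Split a run of options/suboptions into (code, data); reject truncation."""
    items, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option 0x%04x: length runs past end of buffer" % code)
        items.append((code, bytes(buf[off:off + length])))
        off += length
    return items


def build_vendor_class_option():
    """Option 16 as in the diagrams: enterprise 0x137, length 0x0009, "BITLOCKER"."""
    body = struct.pack("!IH", MICROSOFT_ENTERPRISE, len(VENDOR_CLASS_DATA))
    return encode_tlv(OPTION_VENDOR_CLASS, body + VENDOR_CLASS_DATA)


def build_vendor_opts_option(suboptions):
    """Option 17: enterprise number followed by NKPU suboptions (code, data)."""
    body = struct.pack("!I", MICROSOFT_ENTERPRISE)
    for code, data in suboptions:
        body += encode_tlv(code, data)
    return encode_tlv(OPTION_VENDOR_OPTS, body)


def build_unlock_request(thumbprint, encrypted_kp):
    """Options area of the client's Information-Request (step 1)."""
    if len(thumbprint) != THUMBPRINT_LEN:
        raise ValueError("thumbprint must be %d bytes" % THUMBPRINT_LEN)
    return build_vendor_class_option() + build_vendor_opts_option(
        [(SUBOPT_THUMBPRINT, thumbprint), (SUBOPT_ENCRYPTED_BUFFER, encrypted_kp)])


def build_unlock_reply(encrypted_kpr):
    """Options area of the server's Reply (step 3): Encrypted Buffer suboption only."""
    return build_vendor_class_option() + build_vendor_opts_option(
        [(SUBOPT_ENCRYPTED_BUFFER, encrypted_kpr)])


def server_parse_request(options_area):
    """Structural checks of step 2; returns (thumbprint, encrypted KP) for the
    private-key decrypt and AES-CCM steps, which are outside this example."""
    opts = decode_tlvs(options_area)
    vendor_classes = [d for c, d in opts if c == OPTION_VENDOR_CLASS]
    vendor_opts = [d for c, d in opts if c == OPTION_VENDOR_OPTS]
    if len(vendor_classes) != 1 or len(vendor_opts) != 1:
        raise ValueError("expected exactly one Option 16 and one Option 17")
    vc, vo = vendor_classes[0], vendor_opts[0]
    if len(vc) < 6 or len(vo) < 4:
        raise ValueError("Option 16 or 17 shorter than its fixed header")
    enterprise, vc_len = struct.unpack_from("!IH", vc, 0)
    # The slice comparison also fails when vc_len overruns the option.
    if enterprise != MICROSOFT_ENTERPRISE or vc[6:6 + vc_len] != VENDOR_CLASS_DATA:
        raise ValueError("vendor class is not Microsoft/BITLOCKER; not an NKPU request")
    if struct.unpack_from("!I", vo, 0)[0] != MICROSOFT_ENTERPRISE:
        raise ValueError("Option 17 does not carry the Microsoft enterprise number")
    subopts = {}
    for code, data in decode_tlvs(vo[4:]):
        if code in subopts:
            raise ValueError("duplicate suboption 0x%04x" % code)
        subopts[code] = data
    thumbprint = subopts.get(SUBOPT_THUMBPRINT, b"")
    encrypted_kp = subopts.get(SUBOPT_ENCRYPTED_BUFFER, b"")
    if len(thumbprint) != THUMBPRINT_LEN or not encrypted_kp:
        raise ValueError("need a 20-byte suboption 1 and a non-empty suboption 2")
    return thumbprint, encrypted_kp


def is_rejected(options_area):
    """True when the server-side checks refuse this options area."""
    try:
        server_parse_request(options_area)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholders (not values from the page), sized to match the
    # diagrams: 20-byte thumbprint, 256-byte encrypted KP, 32-byte encrypted KPR.
    request = build_unlock_request(bytes(range(20)), bytes(256))
    thumb, kp = server_parse_request(request)
    reply = build_unlock_reply(bytes(32))
    print("request Option 17 length = 0x%04x" % struct.unpack_from("!H", request, 21)[0])
    print("reply   Option 17 length = 0x%04x" % struct.unpack_from("!H", reply, 21)[0])
```

With the placeholder sizes above the Option 17 length fields come out as 0x0120 for the request and 0x0028 for the reply, the values in the diagrams. The server-side parser deliberately refuses a length field that runs past the end of the received buffer, a vendor class other than "BITLOCKER", a thumbprint that is not 20 bytes, and a suboption that appears twice, since each of those is a malformed or non-NKPU message rather than something to repair.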