4.1 Client Requesting Unlock over DHCPv4
In this example, an NKPU client requests an unlock over DHCPv4 and successfully receives the server response. The following steps describe the message exchanges and processing:
The NKPU client sends a DHCPDISCOVER message that includes a DHCPv4 Vendor Specific Information Option structure, as specified in section 2.2.1.4; a DHCPv4 Vendor-Identifying Vendor-Specific Information Option structure, as specified in section 2.2.1.3; and a DHCPv4 Vendor Class Identifier Option structure, as specified in section 2.2.1.5.
DHCPv4 Vendor Specific Information Option (Option 43) layout:
  Option Code = 0x2B
  Option Length = 0x98
  Option Data (variable): 20-byte Certificate Thumbprint Suboption followed by an Encrypted Buffer Suboption containing the first 128 bytes of the KP ADM element data.
DHCPv4 Vendor-Identifying Vendor-Specific Information Option (Option 125) layout:
  Option Code = 0x7D
  Option Length = 0x98
  Enterprise Number = 0x0137
  Data Length
  Suboption Code = 0x01
  Suboption Length = 0x80
  Option Data (variable)
DHCPv4 Vendor Class Identifier Option (Option 0x3C) layout:
  Option Code = 0x3C
  Option Length = 0x09
  Value (variable): "BITLOCKER"
The NKPU server receives the DHCPDISCOVER message that includes a Vendor Class Identifier Option structure with the vendor class set to "BITLOCKER", and with other fields of the DHCPDISCOVER message meeting the requirements specified in section 3.2.5. To process this message, the NKPU server is required to do the following:
Extract the value of the Thumbprint ADM element from the DHCPv4 Vendor Specific Information Option structure.
Using the value of the Thumbprint ADM element, locate the Public Key ADM element and related Private Key ADM element in the local data store.
Concatenate the value of the KP ADM element (section 3.1.1) in Option 43 (0x2B) and Option 125 (0x7D) and then decrypt it.
Using AES-CCM [FIPS197], [RFC3610], construct the KPR ADM element (section 3.2.1), in preparation for the reply of the next step.
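As an added illustration (not part of the specification or any NKPU implementation), the following Python parses a constructed DHCPDISCOVER option field carrying the three options shown above and performs server steps 1 and 3: it validates the vendor class, extracts the Thumbprint, and reassembles the KP ciphertext from Option 43 and Option 125 with bounds checks on every length field. The Option 43 suboption codes SUB_THUMBPRINT and SUB_ENCBUF are assumed placeholders (section 2.2.1.4 is not on this page), the sample bytes are constructed rather than captured, and decryption is out of scope.

```python
import struct

MS_ENTERPRISE = 0x0137       # Enterprise Number shown in the Option 125 layout
VENDOR_CLASS = b"BITLOCKER"  # Option 60 value shown above
# Suboption codes inside Option 43 are not given on this page; these two are
# constructed placeholders so the sample decodes. Take real codes from 2.2.1.4.
SUB_THUMBPRINT, SUB_ENCBUF = 0x01, 0x02

def parse_tlv(buf, top_level=False):
    """Decode a code/length/value sequence, refusing truncated options."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == 0xFF:        # DHCP "end" option
            break
        if top_level and code == 0x00:        # DHCP "pad" byte, no length
            i += 1
            continue
        value = buf[i + 2:i + 2 + buf[i + 1]] if i + 1 < len(buf) else None
        if value is None or len(value) != buf[i + 1]:
            raise ValueError("option %d truncated" % code)
        out[code] = value
        i += 2 + len(value)
    return out

def extract_unlock_request(options):
    """Return (thumbprint, kp_ciphertext) from a DHCPDISCOVER option field; raises
    ValueError when the layout does not match (KeyError if an option is absent)."""
    opts = parse_tlv(options, top_level=True)
    if opts.get(0x3C) != VENDOR_CLASS:
        raise ValueError("Option 60 is not BITLOCKER; not an NKPU request")
    sub43 = parse_tlv(opts[0x2B])
    thumb = sub43[SUB_THUMBPRINT]
    if len(thumb) != 20:
        raise ValueError("Certificate Thumbprint suboption must be 20 bytes")
    o125 = opts[0x7D]
    enterprise, data_len = struct.unpack("!IB", o125[:5])
    if enterprise != MS_ENTERPRISE or data_len != len(o125) - 5:
        raise ValueError("Option 125 enterprise number or data length mismatch")
    sub125 = parse_tlv(o125[5:])
    # Server step 3: KP ciphertext = Option 43 part (first 128 bytes) + Option 125 part
    return thumb, sub43[SUB_ENCBUF] + sub125[0x01]

def build_sample():
    """Constructed DHCPDISCOVER option field (not a capture) following the layout above."""
    thumb, kp = bytes(range(20)), b"\xa5" * 256   # placeholder bytes, not real KP data
    o43 = bytes([SUB_THUMBPRINT, 20]) + thumb + bytes([SUB_ENCBUF, 128]) + kp[:128]
    o125 = struct.pack("!IB", MS_ENTERPRISE, 130) + bytes([0x01, 0x80]) + kp[128:]  # 130 = 2 + 128
    return (bytes([0x3C, len(VENDOR_CLASS)]) + VENDOR_CLASS + bytes([0x2B, len(o43)])
            + o43 + bytes([0x7D, len(o125)]) + o125 + b"\xff")
```

With the constructed sample, Option 43 comes out at exactly 0x98 bytes (2 + 20 + 2 + 128), matching the layout shown above.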
The NKPU server responds with a BOOTREPLY message, which includes the following:
The DHCPv4 Vendor Specific Information Option structure (section 2.2.1.4) containing the KPR ADM element value.
The DHCPv4 Vendor Class Identifier Option structure, as defined in section 2.2.1.5.
DHCPv4 Vendor Specific Information Option (Option 43) layout in the reply:
  Option Code = 0x2B
  Option Length = 0x22
  Option Data (variable): Key Protector Response (KPR) ADM element
DHCPv4 Vendor Class Identifier Option (Option 0x3C) layout in the reply:
  Option Code = 0x3C
  Option Length = 0x09
  Value (variable): "BITLOCKER"