3.3.5.1 Generating the Required PNRP Data

To generate the encrypted connection string payload, the following algorithm MUST be followed:

  1. Generate a 256-bit cipher key, using a cryptographically secure random number generator, for use with the AES_256 encryption algorithm, as specified in [FIPS197].

  2. Encrypt the Unicode connection string by using the AES_256 encryption algorithm, as specified in [FIPS197], and the cipher key that was generated in step 1, to produce the encrypted Connection Data.

  3. The publisher MUST obtain the public key that corresponds to the private key the consumer will use. Encrypt the cipher key that was generated in step 1 with that public key, using the Rivest-Shamir-Adleman (RSA) algorithm.

  4. Transform the encrypted cipher key generated in step 3 to a base64-encoded Unicode string as specified in [RFC4648], and call it the exported AES key. The byte length of the exported AES key MUST be used when the peer name is registered as specified in section 3.3.5.2.

  5. The encrypted connection string payload is obtained by appending the encrypted Connection Data from step 2 to the end of the exported AES key from step 4.
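The five steps above, carried through end to end on both the publisher and the consumer side, as an added example written for this page; it is not code from the specification or from any Windows implementation. It uses only the Go standard library. Assumptions, none of which the page states: a "Unicode string" is taken to be UTF-16LE without a byte-order mark (the usual Windows convention); the page names AES_256 and RSA but no mode of operation, IV handling or RSA padding scheme, so the example uses AES in CTR mode with a fresh IV sent in front of the ciphertext, and PKCS#1 v1.5 padding for the RSA step; the function names, the Payload type and the sample connection string are constructed for the example. The consumer side shows why step 4 requires the byte length of the exported AES key to be registered (section 3.3.5.2): base64 text followed directly by ciphertext has no delimiter, so that length is the only way to find the boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"unicode/utf16"
)

// Payload: step 5 bytes plus the exported AES key's byte length for registration (3.3.5.2).
type Payload struct {
	Data               []byte
	ExportedKeyByteLen int
}

// A Windows "Unicode string" is UTF-16LE, no BOM; on decode a dangling odd byte is dropped.
func utf16le(s string) []byte {
	u := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(u))
	for i, c := range u {
		out[2*i], out[2*i+1] = byte(c), byte(c>>8)
	}
	return out
}
func fromUTF16le(b []byte) string {
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = uint16(b[2*i]) | uint16(b[2*i+1])<<8
	}
	return string(utf16.Decode(u))
}

// aesCTR is AES-256 in CTR mode. Assumption: the page names only AES-256, so the
// mode and the IV (fresh, sent ahead of the ciphertext) are this example's choice.
func aesCTR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // callers guarantee a 32-byte key
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// BuildPayload is the publisher side, steps 1 to 5 in order.
func BuildPayload(consumerPub *rsa.PublicKey, connStr string) (*Payload, error) {
	seed := make([]byte, 32+aes.BlockSize) // step 1: 256-bit key (plus an IV) from a CSPRNG
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	key, iv := seed[:32], seed[32:]
	connData := append(iv, aesCTR(key, iv, utf16le(connStr))...) // step 2
	// step 3; assumption: PKCS#1 v1.5 padding, the page says only "RSA"
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, consumerPub, key)
	if err != nil {
		return nil, err
	}
	exported := utf16le(base64.StdEncoding.EncodeToString(wrapped)) // step 4
	return &Payload{Data: append(exported, connData...), ExportedKeyByteLen: len(exported)}, nil // step 5
}

// OpenPayload is the consumer side; the payload has no delimiter, so the registered byte length is the only split point.
func OpenPayload(consumerPriv *rsa.PrivateKey, p *Payload) (string, error) {
	n := p.ExportedKeyByteLen
	if n <= 0 || n%2 != 0 || n > len(p.Data)-aes.BlockSize {
		return "", errors.New("exported key length out of range")
	}
	wrapped, err := base64.StdEncoding.DecodeString(fromUTF16le(p.Data[:n]))
	if err != nil {
		return "", err
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, consumerPriv, wrapped)
	if err != nil || len(key) != 32 {
		return "", errors.New("cannot unwrap AES key")
	}
	return fromUTF16le(aesCTR(key, p.Data[n:n+aes.BlockSize], p.Data[n+aes.BlockSize:])), nil
}

// Demo generates the consumer's key pair and runs both sides once.
func Demo(connStr string) (keyLen, payloadLen int, got string, err error) {
	consumer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, "", err
	}
	p, err := BuildPayload(&consumer.PublicKey, connStr)
	if err != nil {
		return 0, 0, "", err
	}
	got, err = OpenPayload(consumer, p)
	return p.ExportedKeyByteLen, len(p.Data), got, err
}

func main() {
	fmt.Println(Demo("tcp://192.0.2.10:3587")) // constructed sample connection string
}
```

With a 2048-bit consumer key the RSA output is 256 bytes, which base64 renders as 344 characters and UTF-16LE as 688 bytes, so 688 is the value that would be registered for this payload. Two points a practitioner should keep in view: the consumer must validate the registered length before using it as a slice boundary (the example rejects odd, zero or oversized values), and the steps on this page provide confidentiality only; nothing in them authenticates the publisher or lets the consumer detect a modified payload, so any such protection has to come from elsewhere in the protocol.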