4.7 Crypto Binding
The client sends an SSTP_MSG_CALL_CONNECT_REQUEST that encapsulates the PPP protocol. The actual data bytes are as follows.
-
10 01 00 0E 00 01 00 01 00 01 00 06 00 01
The details for the packet are as follows.
Version: 0x10 (Major Version: 0x1, Minor Version: 0x0)
C: 1 (Control Packet)
Length: 0x00E
Message Type: 0x0001 (SSTP_MSG_CALL_CONNECT_REQUEST)
Num Attributes: 0x0001
Attribute 1:
Attribute ID: 0x01 (SSTP_ATTRIB_ENCAPSULATED_PROTOCOL_ID)
Length: 0x006
Value: 0x0001 (SSTP_ENCAPSULATED_PROTOCOL_PPP)
The server responds to the client with SSTP_MSG_CALL_CONNECT_ACK. In this case, the server supports only the SHA256 hash algorithm for crypto binding. The actual data bytes are as follows.
-
10 01 00 30 00 02 00 01 00 04 00 28 00 00 00 02 41 2B 48 9A EB D7 EC C7 D0 89 66 F2 6B E7 CD 72 B2 31 A0 E9 21 0D 7C 91 B3 08 86 2B 03 44 C4 35
The details are as follows.
Version: 0x10 (Major Version: 0x1, Minor Version: 0x0)
C: 1 (Control Packet)
Length: 0x030
Message Type: 0x0002 (SSTP_MSG_CALL_CONNECT_ACK)
Num Attributes: 0x0001
Attribute 1:
ID: 0x04 (SSTP_ATTRIB_CRYPTO_BINDING_REQ)
Length: 0x028
Value:
Protocol Bitmask: 0x02 (CERT_HASH_PROTOCOL_SHA256)
Nonce:
41 2B 48 9A EB D7 EC C7 D0 89 66 F2 6B E7 CD 72 B2 31 A0 E9 21 0D 7C 91 B3 08 86 2B 03 44 C4 35
The client continues with the PPP negotiation after receiving the preceding message. When PPP authentication is finished, the client completes the crypto binding by sending an SSTP_MSG_CALL_CONNECTED message. The data bytes that are transmitted in this scenario are as follows.
-
10 01 00 70 00 04 00 01 00 03 00 68 00 00 00 02 41 2B 48 9A EB D7 EC C7 D0 89 66 F2 6B E7 CD 72 B2 31 A0 E9 21 0D 7C 91 B3 08 86 2B 03 44 C4 35 79 93 EF 31 4C 49 3D AC E9 F0 2D 60 E7 E6 1C 84 B6 69 0A AF E9 D7 AE EA 92 CB BE 8A D5 99 42 2D 52 A6 8E FD 8C FF BF 52 77 0B 8F 0F E8 EC 73 71 65 83 AF 6D 61 1E B6 D1 79 B3 B2 08 40 98 54 49
The computation of Compound MAC is done based on the following.
Higher-Layer Authentication Key (HLAK):
-
2A 1B B4 0D 55 AB 0F 5E F3 2F 06 F2 B3 CC 73 C4 8F D3 FA C4 1D 7A 13 15 A1 92 28 D9 02 4C A1 64
The hash of the certificate that is provided by the server is as follows.
-
79 93 EF 31 4C 49 3D AC E9 F0 2D 60 E7 E6 1C 84 B6 69 0A AF E9 D7 AE EA 92 CB BE 8A D5 99 42 2D
The details of the packet that is sent are as follows.
Version: 0x10 (Major Version: 0x1, Minor Version: 0x0)
C: 1 (Control Packet)
Length: 0x070
Message Type: 0x0004 (SSTP_MSG_CALL_CONNECTED)
Num Attributes: 0x0001
Attribute 1:
Attribute ID: 0x03 (SSTP_ATTRIB_CRYPTO_BINDING)
Length: 0x068
Value:
Hash Protocol Bitmask: 0x02 (CERT_HASH_PROTOCOL_SHA256)
Nonce:
41 2B 48 9A EB D7 EC C7 D0 89 66 F2 6B E7 CD 72 B2 31 A0 E9 21 0D 7C 91 B3 08 86 2B 03 44 C4 35
Certificate Hash:
79 93 EF 31 4C 49 3D AC E9 F0 2D 60 E7 E6 1C 84 B6 69 0A AF E9 D7 AE EA 92 CB BE 8A D5 99 42 2D
Compound MAC:
52 A6 8E FD 8C FF BF 52 77 0B 8F 0F E8 EC 73 71 65 83 AF 6D 61 1E B6 D1 79 B3 B2 08 40 98 54 49
In this example, the server uses a SHA1 hash for crypto binding. The following is a sample SSTP_MSG_CALL_CONNECT_ACK in this scenario.
-
10 01 00 30 00 02 00 01 00 04 00 28 00 00 00 01 0F 1A 2D 58 D4 A3 E3 00 0F AD 3C E4 90 6E 07 B7 07 AA 9E 44 1C CE AC 5C BD 7B 2C C1 C9 D8 6C DF
The details of the packet are as follows.
Version: 0x10 (Major Version: 0x1, Minor Version: 0x0)
C: 1 (Control Packet)
Length: 0x030
Message Type: 0x0002 (SSTP_MSG_CALL_CONNECT_ACK)
Num Attributes: 0x0001
Attribute 1:
Attribute ID: 0x04 (SSTP_ATTRIB_CRYPTO_BINDING_REQ)
Length: 0x028
Value:
Hash Protocol Bitmask: 0x01 (CERT_HASH_PROTOCOL_SHA1)
Nonce:
0F 1A 2D 58 D4 A3 E3 00 0F AD 3C E4 90 6E 07 B7 07 AA 9E 44 1C CE AC 5C BD 7B 2C C1 C9 D8 6C DF
For this SSTP_MSG_CALL_CONNECT_ACK, the following shows a valid crypto binding completion via the SSTP_MSG_CALL_CONNECTED message.
-
10 01 00 70 00 04 00 01 00 03 00 68 00 00 00 01 0F 1A 2D 58 D4 A3 E3 00 0F AD 3C E4 90 6E 07 B7 07 AA 9E 44 1C CE AC 5C BD 7B 2C C1 C9 D8 6C DF 58 26 B6 29 BD A5 9B 8E 6F D8 DC D2 62 2F D3 4C 53 48 05 A5 00 00 00 00 00 00 00 00 00 00 00 00 69 91 5D D5 83 D8 06 2F EF 16 F6 1D B2 F0 32 90 EC 27 CB 6C 00 00 00 00 00 00 00 00 00 00 00 00
The compound MAC is computed based on the following values for HLAK and certificate hash.
Higher-Layer Authentication Key (HLAK):
-
4B 31 28 F4 39 25 D9 00-6E EF B1 C4 E8 65 15 A1 D8 8E 56 BA B3 CA 2B DF-03 73 B7 F5 A8 A1 3B 19
The hash of the certificate that is provided by the server is as follows.
-
58 26 B6 29 BD A5 9B 8E 6F D8 DC D2 62 2F D3 4C 53 48 05 A5
The details of the packet are as follows.
Version: 0x10 (Major Version: 0x1, Minor Version: 0x0)
C: 1 (Control Packet)
Length: 0x070
Message Type: 0x0004 (SSTP_MSG_CALL_CONNECTED)
Num Attributes: 0x0001
Attribute 1:
Attribute ID: 0x03 (SSTP_ATTRIB_CRYPTO_BINDING)
Length: 0x068
Value:
Hash Protocol Bitmask: 0x01 (CERT_HASH_PROTOCOL_SHA1)
Nonce:
0F 1A 2D 58 D4 A3 E3 00 0F AD 3C E4 90 6E 07 B7 07 AA 9E 44 1C CE AC 5C BD 7B 2C C1 C9 D8 6C DF
Certificate Hash:
58 26 B6 29 BD A5 9B 8E 6F D8 DC D2 62 2F D3 4C 53 48 05 A5
Compound MAC:
69 91 5D D5 83 D8 06 2F EF 16 F6 1D B2 F0 32 90 EC 27 CB 6C