3.2.5.2.4 Key Used in the Crypto Binding HMAC-SHA256-256 Operation

  • Article

The key that is used as the input to the HMAC-SHA256-256 operation and used in the creation of the Compound MAC MUST be constructed by following the steps that are specified in the following sections. These steps produce the following intermediate values that are defined later in this section.

  1. Higher-Layer Authentication Key (HLAK)

    First, a 32-byte long string is generated from keys that are provided by the higher-layer PPP authentication method. This key is sent to the SSTP layer as part of the Inner Authentication Completed Event. This is also the case for EAP TLS.

    If the higher-layer PPP authentication method generates Microsoft Point-to-Point Encryption (MPPE) keys, as specified in [RFC3079], then an implementation MUST obtain the HLAK using the following method:

    • For MS-CHAPv2, as specified in [RFC2759]:

      SSTP Client HLAK = MasterSendKey | MasterReceiveKey and:

      SSTP Server HLAK = MasterReceiveKey | MasterSendKey,

      where | indicates concatenation of strings and MasterSendKey and MasterReceiveKey are as specified in [RFC3079] section 3.

    • For EAP-TLS, as specified in [RFC5216]:<9>

      SSTP Client HLAK = Client MasterSendKey, and:

      SSTP Server HLAK = Client MasterReceiveKey,

      where MasterSendKey and MasterReceiveKey are as specified in [RFC3079] section 4.

    • For EAP, other than EAP-TLS, as specified in [RFC2284]:

      SSTP Client HLAK = Client Master Session Key (MSK), as specified in [RFC3748] and:

      SSTP Server HLAK = Server Master Session Key (MSK), as specified in [RFC3748].

    If the HLAK is more than 32 octets, then the first 32 octets form the HLAK. Note that this covers EAP-TLS as well because, the EAP TLS master session key is at least 64 bytes (see [RFC5247]). If the HLAK is less than 32 octets, then the string is padded with 0x00 at the end to obtain a total length of 32 octets.

    If the higher-layer PPP authentication method did not generate any keys, or if PPP authentication is bypassed (i.e. ClientBypassHLAuth is set to TRUE), then the HLAK MUST be 32 octets of 0x00.

  2. Compound MAC Key Seed

    Next, the seed value is generated. An implementation MUST create a byte array of size 29 bytes containing the ASCII values for the string "SSTP inner method derived CMK", which will be used as the Compound MAC Key Seed value.

  3. Compound MAC Key (CMK)

    Finally, the PRF+ operation generates the key to be used to derive the Compound MAC using the HMAC-SHA256-256 operation.

    To generate the Compound MAC Key (CMK), implementations MUST use the HLAK, MUST use the PRF+ seed value as the input to a PRF+ operation, and MUST generate 32 bytes.

    CMK = First 32 octets of PRF+ (HLAK, CMK Seed, 32);

    The PRF algorithm is based on PRF+ from IKEv2 (for more information, see [RFC4306] section 2.13) as follows ("|" denotes concatenation):

    • K = Key, S = Seed, LEN = output length, represented as binary in a single unsigned 16-bit integer. This integer MUST be encoded in little-endian format.

    • PRF (K, S, LEN) = T1 | T2 | T3 | T4 | ... where:

      • T1 = HMAC-SHA256 (K, S | LEN | 0x01)

      • T2 = HMAC-SHA256 (K, T1 | S | LEN | 0x02)

      • T3 = HMAC-SHA256 (K, T2 | S | LEN | 0x03)

      • T4 = HMAC-SHA256 (K, T3 | S | LEN | 0x04)

      • ...