2.2.2 Remote Assistance Connection String 2

The second type of the Remote Assistance Connection String packet is a Unicode string in XML format.<4> The details of this are as follows.

 <E>
     <A KH="Protocol-specific Parameter" KH2="Protocol-specific Parameter" ID="Authorization String Identifier" />
     <C>
         <T ID="Transport ID" SID="Session ID">
             <L P="Port" N="Server Name" />
         </T>
     </C>
 </E>

The novice (server) generates the KH attribute of the Auth String Node <A> in the Remote Assistance Connection String 2. The expert (client) validates the value of KH during the RDP connection sequence.

The KH value is a base64-encoded string of the SHA1 hash of the PublicKeyBlob field of the server certificate received in TS_UD_SC_SEC1. The length, in bytes, of the PublicKeyBlob is given by the wPublicKeyBlobLen field as specified in [MS-RDPBCGR] sections 2.2.1.4.3 and 2.2.1.4.3.1.1.

In addition to the KH attribute, the novice (server) SHOULD<5> generate the KH2 attribute of the Auth String Node <A> in the Remote Assistance Connection String 2. If this attribute is present in the connection string, the expert (client) validates the value of KH2 during the RDP connection. If it is absent, the client validates the server using the KH attribute as described in the previous paragraph. The KH2 value is a composite of the name of the hashing algorithm used and the base64-encoded hash of the PublicKeyBlob field of the server certificate received in TS_UD_SC_SEC1. The hashing algorithm can be sha256, sha384, or sha512. The algorithm name and the base64-encoded hash are separated by a colon (:).

The Remote Assistance Connection String 2 starts with the root Node <E>. This root Node contains the following child nodes:

  1. The Auth String Node <A> has the following attributes.

     Value   Meaning
     KH      Parameters specific to a Remote Desktop Protocol
     ID      Authstring identifier
     KH2     Parameters specific to a Remote Desktop Protocol

  2. The Connector Node <C> has child nodes that give information on the underlying Transport used. This Transport Node <T> has the following attributes.

     Value   Meaning
     ID      Transport Identifier
     SID     Session Identifier

  3. The Transport Node has Listener child Nodes that give information about the Server IP and port. This Listener node <L> has the following attributes.

     Value   Meaning
     P       Port: The dynamic port on which the Remote Assistance connection could happen.
     N       Server Name: The name/IP address of the server, that is, the novice computer.
     U       URI: The full URI if the websocket listener is enabled. The U (URI) attribute is used instead of the P (port) attribute; the N (server name) attribute is still included.

The following is an example of Remote Assistance Connection String 2:

 <E>
     <A KH="YiKwWUY8Ioq5NB3wAQHSbs5kwrM=" KH2="sha256:wKSAkAV3sBfa9WpuRFJcP9q1twJc6wOBuoJ9tsyXwpk=" ID="8rYm30RBW8/4dAWoUsWbFCF5jno/7jr5tNpHQc2goLbw4uuBBJvLsU02YYLlBMg5"/>
     <C>
         <T ID="1" SID="1440550163">
             <L P="49749" N="2001:4898:1a:5:79e2:3356:9b22:3470"/>
             <L P="49751" N="172.31.250.64"/>
         </T>
     </C>
 </E>

In the preceding example:

  1. The Auth String Node <A> has the attributes KH="YiKwWUY8Ioq5NB3wAQHSbs5kwrM=", KH2="sha256:wKSAkAV3sBfa9WpuRFJcP9q1twJc6wOBuoJ9tsyXwpk=", and ID="8rYm30RBW8/4dAWoUsWbFCF5jno/7jr5tNpHQc2goLbw4uuBBJvLsU02YYLlBMg5". In this example, the KH2 value contains the encoded hash "wKSAkAV3sBfa9WpuRFJcP9q1twJc6wOBuoJ9tsyXwpk=" and the hashing algorithm used is SHA256.

  2. The Connector Node <C> has one Transport child Node <T> with the following attributes:

    ID = "1"

    Session ID - SID = "1440550163"

  3. The Transport Node has two Listener child Nodes <L> with the following server and port information attributes:

    Port - P = "49749"

    Server Name - N = "2001:4898:1a:5:79e2:3356:9b22:3470", and

    Port - P = "49751"

    Server Name - N = "172.31.250.64".
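As an added example (not part of the specification or of any Microsoft implementation), the following Python computes KH and KH2 from a PublicKeyBlob as described above, assembles the Connection String 2 node layout, and performs the expert-side check that uses KH2 when present and falls back to KH only when KH2 is absent. The PublicKeyBlob, the ID value and the listener address are constructed sample values; the fail-closed handling of a malformed KH2 is an added hardening choice, not spec text.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Algorithm names the spec allows in KH2; KH itself is always SHA-1.
KH2_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Constructed stand-in for the PublicKeyBlob field of TS_UD_SC_SEC1 (a real blob is the server certificate's public key blob).
SAMPLE_PUBLIC_KEY_BLOB = bytes(range(64))

def compute_kh(public_key_blob: bytes) -> str:
    """KH = base64(SHA-1(PublicKeyBlob)), generated by the novice."""
    return base64.b64encode(hashlib.sha1(public_key_blob).digest()).decode("ascii")

def compute_kh2(public_key_blob: bytes, algorithm: str = "sha256") -> str:
    """KH2 = "<algorithm>:" + base64(hash(PublicKeyBlob)) with sha256, sha384 or sha512."""
    if algorithm not in KH2_ALGORITHMS:
        raise ValueError(f"KH2 algorithm must be one of {sorted(KH2_ALGORITHMS)}")
    digest = hashlib.new(algorithm, public_key_blob).digest()
    return f"{algorithm}:{base64.b64encode(digest).decode('ascii')}"

def build_connection_string(public_key_blob, auth_id, session_id, listeners):
    """Novice side: assemble the <E><A/><C><T><L/></T></C></E> layout from the spec."""
    root = ET.Element("E")
    ET.SubElement(root, "A", KH=compute_kh(public_key_blob),
                  KH2=compute_kh2(public_key_blob), ID=auth_id)
    transport = ET.SubElement(ET.SubElement(root, "C"), "T", ID="1", SID=session_id)
    for port, server_name in listeners:
        ET.SubElement(transport, "L", P=str(port), N=server_name)
    return ET.tostring(root, encoding="unicode")

def validate_server_key(connection_string: str, received_blob: bytes) -> bool:
    """Expert side: compare the PublicKeyBlob received in TS_UD_SC_SEC1 with KH2
    when that attribute is present, otherwise with KH."""
    auth = ET.fromstring(connection_string).find("A")
    if auth is None:
        return False
    kh2 = auth.get("KH2")
    if kh2 is not None:
        algorithm, _, encoded_hash = kh2.partition(":")
        if algorithm not in KH2_ALGORITHMS or not encoded_hash:
            return False  # malformed KH2: fail closed instead of falling back to SHA-1 (added hardening)
        return hmac.compare_digest(compute_kh2(received_blob, algorithm).encode(), kh2.encode())
    kh = auth.get("KH")
    return kh is not None and hmac.compare_digest(compute_kh(received_blob).encode(), kh.encode())
```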