3.1.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

The server abstract data model (ADM) is Active Directory-based only and does not require any local variables to store state for this protocol. The server ADM consists of a Server Configuration object and root key objects along with their associated parameters and attributes, respectively, as specified below.

Server Configuration (Public): The server stores a set of configuration parameters for use when creating a new root key, as specified in section 3.1.4.1.1. These parameters are held in persisted storage in Active Directory where they survive system restarts. They are stored in an object of the msKds-ProvServerConfiguration class at the location specified in section 1.9, which is the RDN of the Server Configuration object relative to the forest root. The parameters are replicated to all servers in the Active Directory forest by Active Directory replication mechanisms.

Note  The Active Directory schema for the Server Configuration object is specified in [MS-ADSC] sections 2.159 and 2.160.

The configuration consists of the following parameters:

  • Configuration information version: A version number associated with the server configuration format that is stored in the msKds-Version attribute of the Server Configuration object.

  • KDF algorithm: An identifier indicating the key derivation function used to derive group keys from a root key object data element. It is stored in the msKds-KDF-AlgorithmID attribute of the Server Configuration object.

  • KDF algorithm parameters: Additional parameters for the KDF algorithm data element. They are stored in the msKds-KDF-Param attribute of the Server Configuration object.

  • Secret agreement algorithm: An identifier indicating the secret agreement algorithm to be used with the group public keys. It is stored in the msKds-SecretAgreement-AlgorithmID attribute of the Server Configuration object.

  • Secret agreement algorithm parameters: Additional parameters for the secret agreement algorithm data element. They are stored in the msKds-SecretAgreement-Param attribute of the Server Configuration object.

  • Length of secret agreement public keys: The public key length of the secret agreement algorithm data element. It is stored in the msKds-PublicKey-Length attribute of the Server Configuration object.

  • Length of secret agreement private keys: The private key length of the secret agreement algorithm data element. It is stored in the msKds-PrivateKey-Length attribute of the Server Configuration object.

Root keys (Public): The server holds zero or more root key objects in persisted storage in Active Directory, where these objects survive system restarts. These root key data elements are stored as objects of the msKds-ProvRootKey class inside the root key container, as specified in section 1.9. They are replicated to all the servers in the Active Directory forest by Active Directory replication mechanisms.

Each root key data element contains the following attributes:

Root key identifier: A unique identifier associated with this root key. This identifier is stored in the Common-Name attribute of the root key object data element in Active Directory.

Root key configuration: The server configuration that was in force when this root key object was created, and which will apply to this root key throughout its life cycle. The configuration is stored in the following attributes of this root key data element in Active Directory:

  • msKds-Version

  • msKds-KDF-AlgorithmID

  • msKds-KDF-Param

  • msKds-SecretAgreement-AlgorithmID

  • msKds-SecretAgreement-Param

  • msKds-PublicKey-Length

  • msKds-PrivateKey-Length

Root key domain: The distinguished name (DN) of the domain in which this root key object was generated. It is stored in the msKds-DomainID attribute of this root key data element.

Root key creation time: The time at which this root key object was created. It is stored in the msKds-CreateTime attribute of this root key data element.

Root key validity start time: The time after which this root key object can be used. It is stored in the msKds-UseStartTime attribute of this root key data element.

Root key data: The actual random bits that will be used as this root key. It is stored in the msKds-RootKeyData attribute of this root key data element.

Note that the abstract interface notation (Public) for the Server Configuration and Root key objects indicates that these ADM elements can be directly accessed from outside this protocol. Specifically, an authorized administrator can access these data elements directly by querying Active Directory at the RDN locations specified in section 1.9.
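The following PowerShell script is an added example, not code from [MS-GKDI] or from Windows. It performs the direct query that the preceding note describes: it reads the Server Configuration object and every root key object out of Active Directory, shows the configuration snapshot each root key carries, reports keys whose msKds-UseStartTime still lies in the future, and tells the operator whether the querying account was given msKds-RootKeyData. It assumes the ActiveDirectory module is installed, that the caller is an authorized administrator, that the container paths match those listed in section 1.9 (they are reproduced here from memory and should be checked against that section), and that msKds-CreateTime and msKds-UseStartTime are FILETIME (Int64) values.

```powershell
# Added example (not part of [MS-GKDI]): read the ADM elements that section 3.1.1
# places in Active Directory.
# Assumptions (verify in your forest):
#  - the ActiveDirectory module is present and the caller is an authorized administrator;
#  - the container paths below match section 1.9 of the specification;
#  - msKds-CreateTime and msKds-UseStartTime are FILETIME (Int64) values.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$kdsBase  = "CN=Group Key Distribution Service,CN=Services,$configNC"

# Parameters held by the Server Configuration object and snapshotted into every root key.
$configAttrs = @(
    'msKds-Version'
    'msKds-KDF-AlgorithmID'
    'msKds-KDF-Param'
    'msKds-SecretAgreement-AlgorithmID'
    'msKds-SecretAgreement-Param'
    'msKds-PublicKey-Length'
    'msKds-PrivateKey-Length'
)

# 1. Server Configuration (msKds-ProvServerConfiguration): applies to root keys created from now on.
$serverConfig = Get-ADObject -SearchBase "CN=Server Configuration,$kdsBase" `
    -LDAPFilter '(objectClass=msKds-ProvServerConfiguration)' -Properties $configAttrs
"Server Configuration: $($serverConfig.DistinguishedName)"
$serverConfig | Select-Object $configAttrs | Format-List

# 2. Root keys (msKds-ProvRootKey): each carries the configuration in force when it was created.
$rootKeyAttrs = $configAttrs + @('msKds-DomainID', 'msKds-CreateTime', 'msKds-UseStartTime', 'msKds-RootKeyData')
$rootKeys = Get-ADObject -SearchBase "CN=Master Root Keys,$kdsBase" `
    -LDAPFilter '(objectClass=msKds-ProvRootKey)' -Properties $rootKeyAttrs

$now = [DateTime]::UtcNow
foreach ($key in $rootKeys) {
    $created  = [DateTime]::FromFileTimeUtc([int64]$key.'msKds-CreateTime')
    $useStart = [DateTime]::FromFileTimeUtc([int64]$key.'msKds-UseStartTime')

    # The Common-Name of the object is the root key identifier.
    "Root key {0}" -f $key.Name
    "  created {0:u}, usable from {1:u}{2}" -f $created, $useStart,
        $(if ($useStart -gt $now) { '  (NOT YET USABLE)' } else { '' })
    "  msKds-DomainID: {0}" -f $key.'msKds-DomainID'

    # A root key keeps its creation-time configuration for life, so differences from the
    # current Server Configuration are expected after a configuration change; list them,
    # do not "correct" them.
    foreach ($attr in $configAttrs) {
        if ("$($key.$attr)" -ne "$($serverConfig.$attr)") {
            "  {0}: key={1}  current server config={2}" -f $attr, $key.$attr, $serverConfig.$attr
        }
    }

    # msKds-RootKeyData is the random material every group key is derived from. If the
    # directory returned it, the account running this script can read the root of the
    # key hierarchy; confirm that only the principals you intend hold that access.
    if ($null -ne $key.'msKds-RootKeyData') {
        "  msKds-RootKeyData: returned to this account ({0} bytes)" -f $key.'msKds-RootKeyData'.Length
    } else {
        "  msKds-RootKeyData: not returned (this account has no read access to it)"
    }
}
```

The Get-KdsConfiguration and Get-KdsRootKey cmdlets of the KDS module expose the same two ADM elements through a supported interface; the raw LDAP query above is useful when you want to see exactly which attributes a given account can read, since the read-access outcome on msKds-RootKeyData is the security property that matters most for these objects.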