5.3.2 Negotiating the Cryptographic Configuration

Clients advertise their cryptographic support (for use with Standard RDP Security mechanisms, as described in sections 5.3.3 to 5.3.8) in the Client Security Data (section 2.2.1.3.3), sent to the server as part of the Basic Settings Exchange phase of the RDP Connection Sequence (section 1.3.1.1). Upon receiving the client data, the server determines the cryptographic configuration to use for the session based on its configured Encryption Level and then sends this selection to the client in the Server Security Data (section 2.2.1.4.3), as part of the Basic Settings Exchange phase. The client uses this information to configure its cryptographic modules.

Figure 7: Determining the cryptographic configuration for a session

The Encryption Method and Encryption Level (section 5.3.1) are closely related. If the Encryption Level is zero, then the Encryption Method is zero (the converse is also true). This means that if no encryption is being used for the session (an Encryption Level of zero), there is no Encryption Method being applied to the data. If the Encryption Level is greater than zero (encryption is in force for at least client-to-server traffic) then the Encryption Method is greater than zero (the converse is also true). This means that if encryption is in force for the session, then an Encryption Method is defined which specifies how to encrypt the data. Furthermore, if the Encryption Level is set to FIPS, then the Encryption Method selects only FIPS-compatible methods.

If the server determines that no encryption is necessary for the session, it can send the client a value of zero for the selected Encryption Method and Encryption Level. In this scenario the Security Commencement phase of the connection sequence (section 5.4.2.3) is not executed, with the result that the client does not send the Security Exchange PDU (section 2.2.1.10). This PDU can be dropped because the Client Random (section 5.3.4) is redundant, since no security keys need to be generated. Furthermore, because no security measures are in effect, the Security Header (section 5.3.8) will not be included with any data sent on the wire, except for the Client Info (section 3.2.5.3.11) and licensing PDUs ([MS-RDPELE]), which always contain the Security Header (section 2.2.9.1.1.2). To protect the confidentiality of client-to-server user data, an RDP server ensures that the negotiated Encryption Level is always greater than zero when using Standard RDP Security mechanisms.
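The server-side selection described above, together with the Encryption Method / Encryption Level invariants of the preceding paragraph, as an added example that is not part of the specification text. The constant values are those defined in MS-RDPBCGR sections 2.2.1.3.3 and 2.2.1.4.3 (not reproduced on this page); the strongest-first preference order used to pick one method, and the function names, are assumptions of this example.

```python
# Constants are those of MS-RDPBCGR sections 2.2.1.3.3 / 2.2.1.4.3 (not on this
# page); the strongest-first preference order is an assumption of this example.
from typing import List, Optional, Tuple

# encryptionMethods bit flags advertised in the Client Security Data
ENCRYPTION_METHOD_NONE, ENCRYPTION_METHOD_40BIT = 0x00000000, 0x00000001
ENCRYPTION_METHOD_128BIT, ENCRYPTION_METHOD_56BIT = 0x00000002, 0x00000008
ENCRYPTION_METHOD_FIPS = 0x00000010
# encryptionLevel values sent back in the Server Security Data
ENCRYPTION_LEVEL_NONE, ENCRYPTION_LEVEL_LOW = 0, 1
ENCRYPTION_LEVEL_CLIENT_COMPATIBLE, ENCRYPTION_LEVEL_HIGH, ENCRYPTION_LEVEL_FIPS = 2, 3, 4
# Strongest-first order for non-FIPS levels (assumed policy, not from the spec)
_NON_FIPS_PREFERENCE = (ENCRYPTION_METHOD_128BIT, ENCRYPTION_METHOD_56BIT, ENCRYPTION_METHOD_40BIT)

def invariant_violations(method: int, level: int) -> List[str]:
    """Return the rules of this section that (method, level) breaks; [] if none."""
    problems = []
    if (level == 0) != (method == 0):
        problems.append("Encryption Level is zero iff Encryption Method is zero")
    if level == ENCRYPTION_LEVEL_FIPS and method != ENCRYPTION_METHOD_FIPS:
        problems.append("FIPS Encryption Level requires the FIPS Encryption Method")
    if method & (method - 1):  # more than one bit set
        problems.append("server must select exactly one Encryption Method")
    return problems

def select_crypto_config(client_methods: int, server_level: int) -> Optional[Tuple[int, int]]:
    """Pick (encryptionMethod, encryptionLevel) for the Server Security Data.

    client_methods: encryptionMethods bitmask from the Client Security Data.
    server_level:   the server's configured Encryption Level.
    Returns None when the client offers nothing acceptable at that level.
    """
    if server_level == ENCRYPTION_LEVEL_NONE:
        selected = (ENCRYPTION_METHOD_NONE, ENCRYPTION_LEVEL_NONE)  # no Security Exchange PDU
    elif server_level == ENCRYPTION_LEVEL_FIPS:
        if not client_methods & ENCRYPTION_METHOD_FIPS:
            return None
        selected = (ENCRYPTION_METHOD_FIPS, ENCRYPTION_LEVEL_FIPS)
    else:
        # HIGH insists on 128-bit; LOW / CLIENT_COMPATIBLE take the strongest on offer
        candidates = _NON_FIPS_PREFERENCE[:1] if server_level == ENCRYPTION_LEVEL_HIGH else _NON_FIPS_PREFERENCE
        chosen = next((m for m in candidates if client_methods & m), None)
        if chosen is None:
            return None
        selected = (chosen, server_level)
    problems = invariant_violations(*selected)
    if problems:
        raise ValueError("; ".join(problems))
    return selected
```

A `None` result is the case where the server must refuse the connection rather than fall back to a weaker level, since the last sentence of this section requires a negotiated Encryption Level greater than zero for client-to-server data.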