2.2.1.4.3 Server Security Data (TS_UD_SC_SEC1)

The TS_UD_SC_SEC1 data block returns negotiated security-related information to the client. See section 5.3.2 for a detailed discussion of how this information is used.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

header

encryptionMethod

encryptionLevel

serverRandomLen (optional)

serverCertLen (optional)

serverRandom (variable)

...

serverCertificate (variable)

...

header (4 bytes): A GCC user data block header, as specified in User Data Header (section 2.2.1.3.1). The User Data Header type field MUST be set to SC_SECURITY (0x0C02).

encryptionMethod (4 bytes): A 32-bit, unsigned integer. The selected cryptographic method to use for the session. When Enhanced RDP Security (section 5.4) is being used, this field MUST be set to ENCRYPTION_METHOD_NONE (0).

Value

Meaning

ENCRYPTION_METHOD_NONE

0x00000000

No encryption or Message Authentication Codes (MACs) will be used.

ENCRYPTION_METHOD_40BIT

0x00000001

40-bit session keys will be used to encrypt data (with RC4) and generate MACs.

ENCRYPTION_METHOD_128BIT

0x00000002

128-bit session keys will be used to encrypt data (with RC4) and generate MACs.

ENCRYPTION_METHOD_56BIT

0x00000008

56-bit session keys will be used to encrypt data (with RC4) and generate MACs.

ENCRYPTION_METHOD_FIPS

0x00000010

All encryption and Message Authentication Code generation routines will be FIPS 140-1 compliant.

encryptionLevel (4 bytes): A 32-bit, unsigned integer that describes the encryption behavior to use for the session. When Enhanced RDP Security (section 5.4) is being used, this field MUST be set to ENCRYPTION_LEVEL_NONE (0).

Name

Value

ENCRYPTION_LEVEL_NONE

0x00000000

ENCRYPTION_LEVEL_LOW

0x00000001

ENCRYPTION_LEVEL_CLIENT_COMPATIBLE

0x00000002

ENCRYPTION_LEVEL_HIGH

0x00000003

ENCRYPTION_LEVEL_FIPS

0x00000004

See section 5.3.1 for a description of each of the low, client-compatible, high, and FIPS encryption levels.

serverRandomLen (4 bytes): An optional 32-bit, unsigned integer that specifies the size in bytes of the serverRandom field. If the encryptionMethod and encryptionLevel fields are both set to zero, then this field MUST NOT be present and the length of the serverRandom field MUST be zero. If either the encryptionMethod or encryptionLevel field is non-zero, this field MUST be set to 0x00000020.

serverCertLen (4 bytes): An optional 32-bit, unsigned integer that specifies the size in bytes of the serverCertificate field. If the encryptionMethod and encryptionLevel fields are both set to zero, then this field MUST NOT be present and the length of the serverCertificate field MUST be zero.

serverRandom (variable): The variable-length server random value used to derive session keys (sections 5.3.4 and 5.3.5). The length in bytes is given by the serverRandomLen field. If the encryptionMethod and encryptionLevel fields are both set to zero, then this field MUST NOT be present.

serverCertificate (variable): The variable-length certificate containing the server's public key information. The length in bytes is given by the serverCertLen field. If the encryptionMethod and encryptionLevel fields are both set to zero, then this field MUST NOT be present.

Show: