3.2.5.2.2 Key Used in the Crypto Binding HMAC-SHA1-160 Operation

The key that is used as the input to the HMAC-SHA1-160 operation and used in the creation of the Compound MAC MUST be constructed by following the steps that are specified in the following sections. These steps produce the following intermediate values, which are defined later in this section.

  • Higher-Layer Authentication Key (HLAK)

    First, a 32-byte long string is generated from keys that are provided by the higher-layer PPP authentication method. This key is sent to the SSTP layer as part of the Inner Authentication Completed Event.

    If the higher-layer PPP authentication method generates Microsoft Point-to-Point Encryption (MPPE) keys, as specified in [RFC3079], then an implementation MUST obtain the HLAK by using the following method:

    • For MS-CHAPv2, as specified in [RFC2759]:

      SSTP Client HLAK = MasterSendKey | MasterReceiveKey, and:

      SSTP Server HLAK = MasterReceiveKey | MasterSendKey,

      where | indicates concatenation of strings, and MasterSendKey and MasterReceiveKey are as specified in [RFC3079] section 3.

    • For EAP TLS, as specified in [RFC2716]:

      SSTP Client HLAK = MasterSendKey | MasterReceiveKey, and:

      SSTP Server HLAK = MasterReceiveKey | MasterSendKey,

      where | indicates concatenation of strings and MasterSendKey and MasterReceiveKey are as specified in [RFC3079] section 4.

    • For EAP (other than EAP TLS), as specified in [RFC2284]:

      SSTP Client HLAK = Client Master Session Key (MSK), as specified in [RFC3748], and:

      SSTP Server HLAK = Server Master Session Key (MSK), as specified in [RFC3748].

      If the HLAK is more than 32 octets, then the first 32 octets form the HLAK. If the HLAK is less than 32 octets, then the string is padded with 0x00 at the end to obtain a total length of 32 octets.

      If the higher-layer PPP authentication method did not generate any keys, or if PPP authentication is bypassed (i.e. ClientBypassHLAuth is set to TRUE), then the HLAK MUST be 32 octets of 0x00.

  • Compound MAC Key Seed

    Next, the seed value is generated. An implementation MUST create a byte array of size 29 bytes containing the ASCII values for the string "SSTP inner method derived CMK", which will be used as the Compound MAC Key Seed value.

  • Compound MAC Key (CMK)

    Finally, the PRF+ operation generates the key to be used to derive the Compound MAC by using the HMAC-SHA1-160 operation.

    To generate the Compound MAC Key (CMK), implementations MUST use the HLAK as the key and the Compound MAC Key Seed as the seed input to a PRF+ operation, and MUST generate 20 bytes:

    CMK = First 20 octets of PRF+ (HLAK, CMK Seed, 20);

    The PRF algorithm is based on PRF+ from IKEv2 (for more information, see [RFC4306] section 2.13) and is defined as follows ("|" denotes concatenation):

    • K = Key, S = Seed, LEN = output length, represented as binary in a single unsigned 16-bit integer. This integer MUST be encoded in little-endian format.

    • PRF (K, S, LEN) = T1 | T2 | T3 | T4 | ... where:

      • T1 = HMAC-SHA1 (K, S | LEN | 0x01)

      • T2 = HMAC-SHA1 (K, T1 | S | LEN | 0x02)

      • T3 = HMAC-SHA1 (K, T2 | S | LEN | 0x03)

      • T4 = HMAC-SHA1 (K, T3 | S | LEN | 0x04)

      • ...
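
The derivation in this section, written out as an added Python example (not code from the specification). The function names are hypothetical, and the limit of 255 blocks assumes the block counter stays a single octet, following the 0x01 to 0x04 pattern above.

```python
import hashlib
import hmac
import struct
from typing import Optional

CMK_SEED = b"SSTP inner method derived CMK"  # 29 ASCII bytes, per the text
HLAK_LEN = 32  # octets
CMK_LEN = 20   # octets


def normalize_hlak(key_material: Optional[bytes]) -> bytes:
    """Truncate to 32 octets, or pad with trailing 0x00; no keys -> all zeros."""
    if not key_material:
        return bytes(HLAK_LEN)
    return key_material[:HLAK_LEN].ljust(HLAK_LEN, b"\x00")


def mppe_hlak(master_send: bytes, master_receive: bytes, is_client: bool) -> bytes:
    """HLAK for MS-CHAPv2 / EAP TLS from this side's own MPPE master keys."""
    if is_client:
        return master_send + master_receive
    return master_receive + master_send


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """T1 | T2 | ... cut to `length`; LEN is encoded as little-endian uint16."""
    if not 0 < length <= 0xFFFF:
        raise ValueError("LEN must fit in an unsigned 16-bit integer")
    len_le = struct.pack("<H", length)
    output, block, counter = b"", b"", 1
    while len(output) < length:
        if counter > 0xFF:  # assumption: counter is one octet
            raise ValueError("single-octet block counter exhausted")
        # Tn = HMAC-SHA1(K, T(n-1) | S | LEN | n), with T0 the empty string
        block = hmac.new(key, block + seed + len_le + bytes([counter]),
                         hashlib.sha1).digest()
        output += block
        counter += 1
    return output[:length]


def derive_cmk(hlak: bytes) -> bytes:
    """CMK = first 20 octets of PRF+(HLAK, CMK Seed, 20)."""
    if len(hlak) != HLAK_LEN:
        raise ValueError("HLAK must be exactly 32 octets")
    return prf_plus(hlak, CMK_SEED, CMK_LEN)
```

Because LEN is part of every HMAC input, the first 20 octets of a longer PRF+ output differ from the CMK; an implementation that encodes LEN as big-endian or omits it produces a Compound MAC that the peer rejects.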
