Share via

3.2.5.6.3 AutomaticPasswordReset

  • Article

This method provides a mechanism for management server to do an automatic password reset and send a message with the new password to the member. The client will use authenticated URL returned by GMSConfig service to make this request, if GMSConfig service does not specify an authenticated URL, then the request will be made over http://server/autoactivate/gms.dll URL.

Request Validation:

Parameter

Validation conditions

Fault code

Authenticated User.

Authenticated member MUST be identifiable in management server.

200: Account not found.

AccountGUID

There MUST be an entry in the Accounts table with account GUID and domain GUID as the key.

200: Account not found.

IdentityURL

A unique URL to identify a member.

200: Account not found.

CertificatePublicKeyHash

CertificatePublicKeyHash MUST match the hash of the domain's data recovery certificate.

218: Failure during password reset data.

Data Processing:

The data processing specified in this section references the domain table specified in the abstract data model.

The management server MUST

  1. If the authenticated user cannot be matched with a management server member, then management server MUST use combination of AccountGUID and IdentityURL to identify the member.

  2. Fetch member’s management domain's data recovery certificate.

  3. Generate a new random password (temporary password), with at least 21 bytes of randomness.

  4. Use the private key from the data recovery certificate to decrypt the encrypted storage master key info using the RSA algorithm as defined in [PKCS1].

  5. Take the first 20 bytes of the result, and save it as a verifier for the following comparison.

  6. Take the rest of the result, and save it as a master key itself for the following processing.

  7. Compute the SHA1 hash of the account GUID, identity URL, and the master key, in this order:

    1. AccountGUID and identity URL are Unicode strings, which, for the purposes of the SHA1 hash, MUST be interpreted as byte arrays, not including a NULL-terminator (2 bytes).

  8. Compare the verifier saved in step 5 with the result of the hash.

  9. If not equal, the management server MUST send a Fault message with a 218 fault code to the client

  10. Otherwise, the management server MUST derive a 256-bit AES secret key, by using the PBKDF2 function with the temporary password, no salt, and iteration count of 1 as defined in [PKCS5] (default pseudo-random function HMAC-SHA1 is used in this case).

  11. Next, this secret key MUST be used to encrypt both master keys using AES CTR mode. A new initialization vector (IV) MUST be generated when encrypting each key.

  12. Compute the SHA1 digest of the following, in order: re-encrypted master key, re-encrypted master key's IV, re-encrypted secret master key, re-encrypted secret master key's IV.

  13. Compute HMAC-SHA1 with the computed SHA1 digest, and the secret key used to re-encrypt master keys.

  14. Send an e-mail with the temporary password to the e-mail address kept by the server for the user requesting the reset.

  15. The response MUST contain:

    1. Re-encrypted master keys ("EncryptedMasterKey" and "EncryptedSecretMasterKey")

    2. IVs for both re-encrypted master keys

    3. Computed HMAC MUST be set as MAC attribute

Results:

If no faults occur during the operation, the management server MUST return an AutomaticPasswordResetStatusResponse message as defined in section 2.2.3.14.

The master key is used for encrypting the account keys and the secret master key is used to establish the handshake communication. See section 5 for a description of the master key and secret master key.