3.1.4.1.1 Creating a New Root Key

If the root keys container in Active Directory on the DC is empty when a GetKey request is received by the server, the server MUST create a new root key object based on the default Server Configuration object that is present in Active Directory (section 1.5). If additional (new) root keys are required, the server MUST create them based on either the default Server Configuration object or an updated one that specifies optional configuration values.

Note  The default Server Configuration can be overridden with specified configuration values. A procedure for creating or updating a Server Configuration object is specified in section 3.1.4.1.3. Any server configuration that is created or updated by the procedure in section 3.1.4.1.3 will be used by all servers in the Active Directory forest when creating future root keys, but will not affect any existing root keys.

To create a new root key object, the server MUST proceed as follows:

  1. Using a cryptographically strong random number generator, generate a random 16-byte GUID.

  2. Using a cryptographically strong random number generator, generate 64 random bytes for use as the root key.

  3. Retrieve the current time as a FILETIME ([MS-DTYP] section 2.3.3), and convert this to a single 64-bit integer.

  4. Retrieve the Server Configuration from the Active Directory location specified in section 1.9.

  5. Create a new Active Directory object of class msKds-ProvRootKey in the root key container specified in section 1.9, and populate the attributes of the object as follows:

    • Set the common name (CN) of the object to the result of step 1, represented in the string format of a UUID as specified in [RFC4122] section 3.

    • Set the msKds-RootKeyData attribute to the result of step 2.

    • Set both the msKds-CreateTime and msKds-UseStartTime attributes of this root key object to the result of step 3.

    • Set the msKds-DomainID attribute to the DN of the server's Active Directory domain.

    • Set the msKds-Version attribute of this root key object to the value of the msKds-Version attribute in the Server Configuration object retrieved in step 4.

    • Check for the existence of the msKds-KDF-AlgorithmID attribute in the Server Configuration object retrieved in step 4. If it is present, set the msKds-KDF-AlgorithmID and msKds-KDF-Param attributes of the root key object to the values of the corresponding attributes in the Server Configuration object. If the msKds-KDF-AlgorithmID attribute is not present in the Server Configuration object, set the msKds-KDF-AlgorithmID attribute of this root key object to the Unicode string value "SP800_108_CTR_HMAC", and the msKds-KDF-Param attribute to a KDF Parameters structure (section 2.2.1) that has the Hash algorithm name field set to the null-terminated Unicode string "SHA512".

    • Check for the existence of the msKds-SecretAgreement-AlgorithmID attribute in the Server Configuration object retrieved in step 4. If it is present, set the msKds-SecretAgreement-AlgorithmID, msKds-SecretAgreement-Param, msKds-PublicKey-Length, and msKds-PrivateKey-Length attributes of this root key object to the values of the corresponding attributes in the Server Configuration object. If the msKds-SecretAgreement-AlgorithmID attribute is not present in the Server Configuration object, set the msKds-SecretAgreement-AlgorithmID attribute of this root key object to the Unicode string value "DH", the msKds-SecretAgreement-Param attribute to a FFC DH Parameters structure (section 2.2.2) containing the constants specified in [RFC5114] section 2.3, the msKds-PublicKey-Length attribute to 2048, and the msKds-PrivateKey-Length attribute to 256.

  6. Add this new root key object to the server's state, as specified in section 3.1.1.
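The six steps above, worked through as an added Python example that is not code from the specification or from any Windows implementation: it builds the attribute set of the new msKds-ProvRootKey object in memory rather than writing to Active Directory. The byte layout used for the KDF Parameters structure, the placeholder standing in for the FFC DH Parameters (RFC 5114 section 2.3 group), and the function names are assumptions of this example.

```python
import secrets
import time
import uuid

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC; this is the
# offset from the Unix epoch (1970-01-01) in those units.
FILETIME_UNIX_EPOCH_OFFSET = 116444736000000000

# Placeholder for the FFC DH Parameters structure (section 2.2.2); the RFC 5114
# section 2.3 constants are not reproduced here.
RFC5114_2_3_DH_PARAMS = b"<FFC DH Parameters, RFC 5114 sec. 2.3 group: placeholder>"

def filetime_from_unix(unix_seconds: float) -> int:
    """Convert a Unix timestamp to a single 64-bit FILETIME integer (step 3)."""
    return int(unix_seconds * 10_000_000) + FILETIME_UNIX_EPOCH_OFFSET

def kdf_parameters(hash_name: str) -> bytes:
    """KDF Parameters structure naming the hash algorithm (section 2.2.1). Layout
    assumed here: 8-byte header, 4-byte LE name length, 4-byte pad, UTF-16LE name."""
    name = (hash_name + "\0").encode("utf-16-le")   # null-terminated Unicode
    return (b"\x00\x00\x00\x00\x01\x00\x00\x00"
            + len(name).to_bytes(4, "little") + b"\x00" * 4 + name)

def create_root_key(server_config: dict, domain_dn: str) -> dict:
    """Return the attributes of a new msKds-ProvRootKey object (steps 1-5)."""
    key_id = uuid.UUID(bytes=secrets.token_bytes(16))   # step 1: random 16-byte GUID
    root_key = secrets.token_bytes(64)                   # step 2: 64 random key bytes
    created = filetime_from_unix(time.time())            # step 3: current FILETIME
    obj = {
        "CN": str(key_id),                               # RFC 4122 string form
        "msKds-RootKeyData": root_key,
        "msKds-CreateTime": created,
        "msKds-UseStartTime": created,
        "msKds-DomainID": domain_dn,
        "msKds-Version": server_config["msKds-Version"],
    }
    # KDF attributes: copy from the Server Configuration if present, else defaults.
    if "msKds-KDF-AlgorithmID" in server_config:
        obj["msKds-KDF-AlgorithmID"] = server_config["msKds-KDF-AlgorithmID"]
        obj["msKds-KDF-Param"] = server_config["msKds-KDF-Param"]
    else:
        obj["msKds-KDF-AlgorithmID"] = "SP800_108_CTR_HMAC"
        obj["msKds-KDF-Param"] = kdf_parameters("SHA512")
    # Secret agreement attributes: same rule, keyed on the AlgorithmID attribute.
    sa_attrs = ("msKds-SecretAgreement-AlgorithmID", "msKds-SecretAgreement-Param",
                "msKds-PublicKey-Length", "msKds-PrivateKey-Length")
    if sa_attrs[0] in server_config:
        obj.update({a: server_config[a] for a in sa_attrs})
    else:
        obj.update(zip(sa_attrs, ("DH", RFC5114_2_3_DH_PARAMS, 2048, 256)))
    return obj
```

Step 6 (adding the object to server state) is outside this example; a real server would also write the object to the root key container from section 1.9.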