3.1.4.1.2 Encrypting Data

Some data transferred between the client and server must be encrypted before it is sent. Encrypted data will be transferred in an IIS_CRYPTO_BLOB message with the BlobSignature field set to ENCRYPTED_DATA_BLOB_SIGNATURE.

A secure session MUST be negotiated before data encryption takes place (see section 3.1.4.1.1).

The sender MUST perform the following steps to encrypt data and build the IIS_CRYPTO_BLOB:

  1. Create an instance of a CLEARTEXT_WITH_PREFIX_BLOB message:

    • Set the Reserved field to zero.

    • Place the data to be encrypted into the ClearTextData field.

  2. Calculate the signed hash and hash length of the CLEARTEXT_WITH_PREFIX_BLOB message from the previous step, as specified in section 3.1.4.1.4.

  3. Encrypt the CLEARTEXT_WITH_PREFIX_BLOB message data using the session key of the sender. The client will use the session key of the client, and the server will use the session key of the server.

  4. Create an instance of ENCRYPTED_DATA_BLOB:

    • Set the EncryptedDataLength field to the number of encrypted bytes from the previous step.

    • Store the encrypted data from step 3 in the EncryptedData field.

    • Calculate the padding size between zero and seven, so that EncryptedDataLength + padding length is a multiple of eight. Set padding bytes to 0x00.

    • Set the SignedHashLength and SignedHash fields to the values calculated in step 2.

  5. Create an instance of an IIS_CRYPTO_BLOB message:

    • Set the BlobSignature field to ENCRYPTED_DATA_BLOB_SIGNATURE.

    • Set the BlobDataLength field of the IIS_CRYPTO_BLOB message to EncryptedDataLength + padding length + SignedHashLength.

    • Store the ENCRYPTED_DATA_BLOB instance from the earlier step in the BlobData field.
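The five steps above carried out end to end, as an added Python example that is not part of the specification, together with the receiver-side framing checks (signature, length consistency, zero padding) a parser should make before decrypting anything. The 32-bit little-endian field widths and the ENCRYPTED_DATA_BLOB_SIGNATURE value are assumptions (the page names the signature but gives no value); the sender's session-key cipher and the signing routine of section 3.1.4.1.4 are supplied by the caller as `encrypt` and `sign`.

```python
import struct

# The page names ENCRYPTED_DATA_BLOB_SIGNATURE but does not give its value: PLACEHOLDER only.
ENCRYPTED_DATA_BLOB_SIGNATURE = 0x5F5F5F5F

def padding_length(encrypted_data_length: int) -> int:
    """Step 4: 0..7 padding bytes so EncryptedDataLength + padding is a multiple of eight."""
    return (-encrypted_data_length) % 8

def build_cleartext_with_prefix_blob(cleartext: bytes) -> bytes:
    """Step 1: Reserved field (assumed 32-bit little-endian) set to zero, then ClearTextData."""
    return struct.pack("<I", 0) + cleartext

def build_encrypted_data_blob(encrypted: bytes, signed_hash: bytes) -> bytes:
    """Step 4: EncryptedDataLength, EncryptedData, 0x00 padding, SignedHashLength, SignedHash."""
    pad = b"\x00" * padding_length(len(encrypted))
    return (struct.pack("<I", len(encrypted)) + encrypted + pad
            + struct.pack("<I", len(signed_hash)) + signed_hash)

def build_iis_crypto_blob(cleartext: bytes, encrypt, sign) -> bytes:
    """Steps 1-5 of the sender procedure. `encrypt` stands in for the sender's session-key
    cipher and `sign` for the signed-hash routine of section 3.1.4.1.4 (both caller-supplied)."""
    prefixed = build_cleartext_with_prefix_blob(cleartext)     # step 1
    signed_hash = sign(prefixed)                                # step 2: hash over the whole prefixed blob
    encrypted = encrypt(prefixed)                               # step 3
    body = build_encrypted_data_blob(encrypted, signed_hash)   # step 4
    # Step 5: BlobDataLength = EncryptedDataLength + padding length + SignedHashLength,
    # as the page states; the two length fields themselves are not counted.
    blob_data_length = len(encrypted) + padding_length(len(encrypted)) + len(signed_hash)
    return struct.pack("<II", ENCRYPTED_DATA_BLOB_SIGNATURE, blob_data_length) + body

def parse_iis_crypto_blob(blob: bytes):
    """Receiver-side structural checks before any decryption; returns (encrypted, signed_hash).
    Rejects a wrong signature, truncation, an inconsistent BlobDataLength and non-zero padding."""
    if len(blob) < 12:
        raise ValueError("truncated header")
    signature, blob_data_length, enc_len = struct.unpack_from("<III", blob, 0)
    if signature != ENCRYPTED_DATA_BLOB_SIGNATURE:
        raise ValueError("unexpected BlobSignature")
    pad_len = padding_length(enc_len)
    hash_off = 12 + enc_len + pad_len               # offset of SignedHashLength
    if len(blob) < hash_off + 4:
        raise ValueError("truncated EncryptedData")
    (hash_len,) = struct.unpack_from("<I", blob, hash_off)
    if blob_data_length != enc_len + pad_len + hash_len or len(blob) != hash_off + 4 + hash_len:
        raise ValueError("BlobDataLength inconsistent with contents")
    if any(blob[12 + enc_len:hash_off]):
        raise ValueError("padding bytes must be 0x00")
    return blob[12:12 + enc_len], blob[hash_off + 4:]
```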