3.1.4.1.3 Decrypting Data

Some data is encrypted before it is transferred between the client and server. The receiver MUST decrypt the data before it can be used. Encrypted data is stored in an IIS_CRYPTO_BLOB message with the BlobSignature field set to ENCRYPTED_DATA_BLOB_SIGNATURE.

The data decryption process assumes that a secure session was already negotiated (see section 3.1.4.1.1).

The receiver MUST perform the following steps to decrypt the data:

  1. Retrieve the BlobData field from an IIS_CRYPTO_BLOB message.

  2. Interpret BlobData as an ENCRYPTED_DATA_BLOB message.

  3. Retrieve the EncryptedData field or EncryptedDataLength bytes from the ENCRYPTED_DATA_BLOB message.

  4. Decrypt the EncryptedData data using the session key of the sender. The server will use the session key of the client and the client will use the session key of the server.

  5. Follow the instructions in section 3.1.4.1.5 to validate the hash. Use the decrypted data from step 4.

    If hash validation fails, the receiver MUST reject the data and the method that is processing the encrypted data MUST fail. Error messages from a failure are implementation-dependent.

  6. Interpret the decrypted data from step 4 as a CLEARTEXT_WITH_PREFIX_BLOB message.

  7. Retrieve the ClearTextData field from the CLEARTEXT_WITH_PREFIX_BLOB message. It will contain the final decrypted data.
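
The following sketch walks steps 1 through 7 in order and fails closed on any length or hash mismatch. It is an added example, not code from the specification or from any implementation of it. Assumptions: the field layouts (little-endian 32-bit lengths, a 32-byte hash stored ahead of EncryptedDataLength, a 4-byte prefix), the signature value, the `_xor_cipher` stand-in cipher, the `_tag` stand-in hash and the `make_blob` helper are all hypothetical; the real structures, cipher and hash check are defined in other sections of the specification.

```python
import hashlib, hmac, struct
# Layouts and constants here are ASSUMED for illustration, not taken from the spec.
ENCRYPTED_DATA_BLOB_SIGNATURE = 0x0BADF00D  # constructed placeholder value
HASH_LEN = 32
class DecryptError(Exception):
    """Raised so the method processing the encrypted data fails."""

def _xor_cipher(key, data):
    # Stand-in symmetric cipher (SHA-256 counter keystream), NOT the protocol's.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack("<I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def _tag(key, data):
    # Stand-in for the hash defined in section 3.1.4.1.5.
    return hmac.new(key, data, hashlib.sha256).digest()

def decrypt_blob(message, sender_session_key):
    # Steps 1-2 (assumed IIS_CRYPTO_BLOB: signature, length, BlobData).
    if len(message) < 8:
        raise DecryptError("truncated IIS_CRYPTO_BLOB")
    signature, blob_len = struct.unpack_from("<II", message, 0)
    if signature != ENCRYPTED_DATA_BLOB_SIGNATURE:
        raise DecryptError("unexpected BlobSignature")
    blob = message[8:8 + blob_len]
    if len(blob) != blob_len or blob_len < HASH_LEN + 4:
        raise DecryptError("BlobData length mismatch")
    # Step 3 (assumed ENCRYPTED_DATA_BLOB: hash, EncryptedDataLength, EncryptedData).
    expected = blob[:HASH_LEN]
    (enc_len,) = struct.unpack_from("<I", blob, HASH_LEN)
    encrypted = blob[HASH_LEN + 4:]
    if enc_len != len(encrypted):
        raise DecryptError("EncryptedDataLength does not match the buffer")
    # Step 4: decrypt with the sender's session key.
    decrypted = _xor_cipher(sender_session_key, encrypted)
    # Step 5: validate before interpreting anything; reject on mismatch.
    if not hmac.compare_digest(_tag(sender_session_key, decrypted), expected):
        raise DecryptError("hash validation failed")
    # Steps 6-7 (assumed CLEARTEXT_WITH_PREFIX_BLOB: 4-byte prefix, ClearTextData).
    if len(decrypted) < 4:
        raise DecryptError("truncated CLEARTEXT_WITH_PREFIX_BLOB")
    return decrypted[4:]

def make_blob(clear, key):  # builds a constructed sample message
    inner = b"\x00" * 4 + clear
    body = _tag(key, inner) + struct.pack("<I", len(inner)) + _xor_cipher(key, inner)
    return struct.pack("<II", ENCRYPTED_DATA_BLOB_SIGNATURE, len(body)) + body
```
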