2.2.7 Crypto Binding Attribute
The following diagram specifies the format that MUST be used for the Crypto Binding attribute. This attribute is sent by the SSTP client to the SSTP server and is used to ensure that the SSTP client and SSTP server participated in SSL negotiation and higher-layer authentication (that is, PPP authentication). For more information, see [RFC1661].
Note Without the Crypto Binding attribute, an untrusted man-in-the-middle can relay the PPP packets that are received by the client on another protocol (for example, over wireless) on the SSTP connection without the knowledge of the SSTP client and SSTP server.
The fields of the structure MUST be transmitted as bytes from left to right.
|
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
3 |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Reserved |
Attribute ID |
LengthPacket |
|||||||||||||||||||||||||||||
|
Reserved1 |
Hash Protocol |
||||||||||||||||||||||||||||||
|
Nonce (32 bytes) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Cert Hash (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Padding (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Compound MAC (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Padding1 (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
Reserved (1 byte): This 8-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
Attribute ID (1 byte): An 8-bit (1-byte) field that is used to specify the type of attribute; its value MUST be 0x03 for the Crypto Binding attribute.
LengthPacket (2 bytes): A 16-bit unsigned integer in network byte order that packs data for two fields, configured in the following format.
-
0
1
2
3
4
5
6
7
8
9
1
0
1
2
3
4
5
R
Length
-
R (4 bits): This 4-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
-
Length (12 bits): A 12-bit unsigned integer in network byte order that MUST specify the length of the Crypto Binding attribute. Its value MUST be 104 (that is, 0x068).
Reserved1 (3 bytes): This 24-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
Hash Protocol (1 byte): A 1-byte field that specifies the Cert Hash type and hash algorithm that is used for Compound MAC calculation. Its value MUST be one of the following.
-
Name
Value
CERT_HASH_PROTOCOL_SHA1
0x01
CERT_HASH_PROTOCOL_SHA256
0x02
Nonce (32 bytes): A 256-bit unsigned integer that contains a temporally unique (or random) value. For more information, see [RFC1750]. This value MUST be the same as what is received from the SSTP server in the Crypto Binding Request attribute.
Cert Hash (variable): A variable-length field in network byte order that contains either the SHA1 hash [RFC3174] or the SHA256 hash [SHA256] of the server certificate. The hash algorithm to be used is specified by the Hash Protocol field in the message. The server certificate is an X.509 certificate as described in [RFC5280]; it is available as a part of the SSL/TLS handshake ([SSL3] section 5.6.2 and [RFC2246] section 7.4.2). The SSL/TLS handshake happens during the HTTPS session setup. For more details on the SSL/TLS handshake, see [SSL3] section 5.6 and [RFC2246] section 7.4. The length of this field is either 20 bytes when SHA1 hash is used or 32 bytes when SHA256 hash is used.
Padding (variable): This field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt. This field is either zero bytes long when the SHA256 Cert Hash is used, or 12 bytes long when the SHA1 Cert Hash is used.
Compound MAC (variable): A variable-length unsigned integer that contains the value that is used to cryptographically associate the higher-layer authentication (that is, PPP authentication) with the lower-layer HTTPS connection and therefore ensure that the SSTP client and the SSTP server participated in both of them. (For more information, see section 3.2.5.2 and also see [RFC1661].) This field is either 20 bytes long when the SHA1 Hash Protocol is used for Compound MAC computation, or 32 bytes long when the SHA256 Hash Protocol is used for Compound MAC computation.
Padding1 (variable): A variable-length field that is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt. This field is either zero bytes long when the SHA256 Cert Hash is used, or 12 bytes long when the SHA1 Cert Hash is used.