2.2.9.1.1.2.2 Encrypted Data

The second part of the message payload contains the SOAP encrypted message. It MUST have the following layout:

Tokens

Content-Type: Contains the media type of the encrypted message.

 Content-Type = HT "Content-Type" ":" 1#(contenttype)

HT: The horizontal tab character. It MUST precede the literal constant "Content-Type".

contenttype: Contains the encrypted message content type, and MUST be set to the following:

 application/octet-stream

Length-Field: The Length-Field MUST follow immediately after the previous token. It MUST be a 32-bit unsigned integer that specifies the length of the encryption header portion of the Message field (see the discussion of the Message encryption header that follows).

Message: The encrypted message. This is an octet stream of the encrypted SOAP message, which is encrypted and integrity-protected by using the framework specific to the authentication protocol selected by SPNEGO. SPNEGO can select Kerberos or NTLM as the underlying authentication protocol. For Kerberos, the framework is as specified in [RFC4121]. For NTLM, the encryption details are as described in [MS-NLMP].

The encryption header of the Message token varies based on the chosen authentication protocol:

  • For Kerberos, it MUST be the per-message token as specified in [RFC4121].

  • For NTLM, it MUST be its Message Signature.

The length of the encryption header of Message MUST be given in the Length-Field value. The remaining bytes MUST be the encrypted data, whose length MUST be equal to the lengthvalue field as defined in section 2.2.9.1.1.2.1.
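The following is an added example of a serializer and parser for this second part of the payload; it is not code from MS-WSMV or from any Microsoft implementation. It encodes the layout described above (HT, the Content-Type token, the 32-bit Length-Field, then Message = encryption header + encrypted data) and checks the constraints the text imposes. Two details the text leaves open are assumptions here: the Content-Type token line is terminated by CRLF as in HTTP headers, and the Length-Field is little-endian. The encryption header and ciphertext bytes in the demo are constructed placeholders, not real Kerberos per-message tokens or NTLM Message Signatures.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Tokens of the encrypted-data part, as laid out in the section above.
HT = b"\t"                                       # horizontal tab preceding "Content-Type"
CONTENT_TYPE_TOKEN = b"Content-Type"
OCTET_STREAM = b"application/octet-stream"       # the only permitted contenttype value
CRLF = b"\r\n"                                   # assumption: header line terminator
LENGTH_FIELD = "<I"                              # assumption: 32-bit unsigned, little-endian


@dataclass
class EncryptedData:
    content_type: bytes
    encryption_header: bytes   # Kerberos per-message token or NTLM Message Signature
    encrypted_data: bytes      # ciphertext of the SOAP message


def build_encrypted_data(encryption_header: bytes, encrypted_data: bytes) -> bytes:
    """Serialize: HT "Content-Type" ":" contenttype CRLF, Length-Field, Message."""
    length_field = struct.pack(LENGTH_FIELD, len(encryption_header))
    return (HT + CONTENT_TYPE_TOKEN + b": " + OCTET_STREAM + CRLF
            + length_field + encryption_header + encrypted_data)


def parse_encrypted_data(part: bytes, lengthvalue: Optional[int] = None) -> EncryptedData:
    """Parse the part, enforcing every MUST in the layout.

    lengthvalue is the Length value carried in the first (metadata) part of the
    payload (section 2.2.9.1.1.2.1); when given, the encrypted data must match it.
    """
    if not part.startswith(HT + CONTENT_TYPE_TOKEN + b":"):
        raise ValueError("part must start with HT followed by the Content-Type token")
    end = part.find(CRLF)
    if end < 0:
        raise ValueError("unterminated Content-Type line")
    _, _, value = part[len(HT):end].partition(b":")
    content_type = value.strip()
    if content_type != OCTET_STREAM:
        raise ValueError("contenttype must be application/octet-stream")

    pos = end + len(CRLF)
    if len(part) - pos < struct.calcsize(LENGTH_FIELD):
        raise ValueError("truncated Length-Field")
    (header_len,) = struct.unpack_from(LENGTH_FIELD, part, pos)
    pos += struct.calcsize(LENGTH_FIELD)

    # Bound the header length by what is actually present before slicing, so an
    # oversized Length-Field from an untrusted peer cannot yield an empty or
    # mis-split Message silently.
    message = part[pos:]
    if header_len > len(message):
        raise ValueError("Length-Field exceeds Message size")
    header, data = message[:header_len], message[header_len:]
    if lengthvalue is not None and len(data) != lengthvalue:
        raise ValueError("encrypted data length does not match lengthvalue")
    return EncryptedData(content_type, header, data)


def check_part(part: bytes, lengthvalue: Optional[int] = None) -> Optional[str]:
    """Return None when the part is well formed, else the reason it is rejected."""
    try:
        parse_encrypted_data(part, lengthvalue)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed placeholder values, not real GSS/NTLM tokens.
    fake_header = bytes(range(16))
    fake_ciphertext = b"\xaa" * 40
    part = build_encrypted_data(fake_header, fake_ciphertext)
    parsed = parse_encrypted_data(part, lengthvalue=len(fake_ciphertext))
    print(parsed.content_type, len(parsed.encryption_header), len(parsed.encrypted_data))
    # Tampered Length-Field larger than the Message: rejected before any slicing.
    prefix_len = len(HT + CONTENT_TYPE_TOKEN + b": " + OCTET_STREAM + CRLF)
    tampered = part[:prefix_len] + b"\xff\xff\xff\xff" + part[prefix_len + 4:]
    print(check_part(tampered))
```

The `lengthvalue` cross-check ties this part to the metadata part, which is where the layout's integrity guarantee actually lives: the parser refuses to hand back ciphertext whose length disagrees with what the first part declared, and it never trusts the Length-Field beyond the bytes actually received.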