is there any NAP implementation using HCEP and HTTP as transport protocol of SoH?

  • Question

  • I have asked a few questions in this forum, and thanks for all your hard work.

    We have implemented DHCP Quarantine Enforcement with NAP, and we found its protocol stack is IPv4, UDP, DHCP, SoH, and WSH.

    We want to know whether there is any protocol stack of a NAP implementation (DHCP, VPN, 802.1X, IPsec) that involves HCEP and HTTP (even Kerberos).

    In other words, is there any NAP implementation using HCEP and HTTP as the transport protocol of SoH?
    Thursday, March 6, 2008 3:07 AM

Answers

  • Parsing SoH Request:

    ================

    When HTTP is used, the SoH Request sent from client to HRA is encoded and the encoded blob is put into one of the certificate extensions of the Certificate Request, which is located in the body of the HTTP packet.  (Please note that the SoH Request is in the body of the HTTP packet and the SoH Response is in the header of the HTTP packet.)

    To parse out this SoH Request, please retrieve the correct certificate extension and then decode the content with this API:

     

    BOOL WINAPI CryptDecodeObject(
      __in     DWORD dwCertEncodingType,
      __in     LPCSTR lpszStructType,
      __in     const BYTE* pbEncoded,
      __in     DWORD cbEncoded,
      __in     DWORD dwFlags,
      __out    void* pvStructInfo,
      __inout  DWORD* pcbStructInfo
    );

    dwCertEncodingType should be set to CRYPT_ASN_ENCODING,

    lpszStructType should be set to X509_OCTET_STRING

     

    Please see http://msdn2.microsoft.com/en-us/library/aa379911(VS.85).aspx

     

    Parsing SoH Response:

    ==================

    When HTTP is used, the SoH Response sent from HRA to client is only encoded, and the encoded blob is put into an HTTP header field.  To decode this SoH Response, you need this Win32 API:

     

    inline BOOL Base64Decode(
       LPCSTR szSrc,
       int nSrcLen,
       BYTE* pbDest,
       int* pnDestLen
    ) throw( );

     

    Please see http://msdn2.microsoft.com/en-us/library/2fzdww6e(VS.80).aspx

    Wednesday, March 12, 2008 7:43 PM
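As an added illustration of the two decoding steps in the answer above (this is not code from the post or from Microsoft), the portable C below does by hand what the answer delegates to Win32: `der_octet_string` unwraps a DER OCTET STRING extension value, which is what `CryptDecodeObject` with `X509_OCTET_STRING` returns, and `base64_decode` recovers the header blob as ATL `Base64Decode` would. Both sample inputs are constructed here; they are not captured NAP traffic, and the real extension OID and header name are not given on the page, so neither is assumed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample inputs, not captured NAP traffic: a DER OCTET STRING
 * extension value using long-form length, and a base64 header value. */
static const uint8_t kSampleExt[] = {0x04, 0x81, 0x04, 'S', 'o', 'H', '!'};
static const char kSampleHeader[] = "U29IIQ==";        /* base64 of "SoH!" */

/* Unwrap a DER OCTET STRING (tag 0x04): the job CryptDecodeObject does for
 * X509_OCTET_STRING. Returns the payload pointer and its length, or NULL
 * when the TLV is malformed or claims more bytes than the buffer holds. */
const uint8_t *der_octet_string(const uint8_t *buf, size_t buflen, size_t *len)
{
    size_t i = 2, n = 0;
    if (buflen < 2 || buf[0] != 0x04) return NULL;
    if (buf[1] < 0x80) {
        n = buf[1];                           /* short-form length */
    } else {
        size_t k = buf[1] & 0x7f;             /* long form: k length bytes */
        if (k == 0 || k > sizeof n || buflen - 2 < k) return NULL;
        while (k-- > 0) n = (n << 8) | buf[i++];
    }
    if (n > buflen - i) return NULL;          /* length runs past the buffer */
    *len = n;
    return buf + i;
}

/* Base64-decode a header value (what ATL Base64Decode does). Returns the
 * decoded length or -1 on an invalid character or a too-small output. */
int base64_decode(const char *src, int srclen, uint8_t *dst, int dstcap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0, out = 0;
    for (int i = 0; i < srclen && src[i] != '='; i++) {
        const char *p;
        if (src[i] == ' ' || src[i] == '\r' || src[i] == '\n') continue;
        if (src[i] == '\0' || (p = strchr(tbl, src[i])) == NULL) return -1;
        acc = ((acc << 6) | (uint32_t)(p - tbl)) & 0xffffff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dstcap) return -1;     /* caller's buffer is too small */
            dst[out++] = (uint8_t)(acc >> bits);
        }
    }
    return out;
}
```

Note that both functions return the raw SoH bytes only; interpreting the SoH structure itself is a separate step the answer does not cover.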

All replies


  • Ying, I think HCEP needs a transport protocol in any NAP implementation. However, in the case of NAP-IPsec enforcement you can find the HTTP and Kerberos protocols using HCEP to send SoH.

    Regards
    Brijesh Shukla
    Thursday, March 6, 2008 4:01 AM
  • Thanks a lot. I want to make sure: does NAP-IPsec always use HTTP and HCEP as transport protocols?

    Thursday, March 6, 2008 4:03 AM
  • Sorry for my bad expression; maybe I did not understand this system very well. I just want to know, in the NAP-IPsec case, can we find HCEP, HTTP, and SoH together all the time?

    Because I just need SoH (WSH) running in an HCEP environment to verify something.

    Thursday, March 6, 2008 4:09 AM

  • NAP-IPsec uses HTTP or HTTPS; it depends on your configuration setting.
    And you can find the SoH in the payload; however, the SoH data is encrypted.

    Regards
    Brijesh Shukla
    Thursday, March 6, 2008 4:18 AM
  • Brijesh,

    I just wanted to clarify your comment about SoH data encryption.

    In both HTTP and HTTPS, the SoH data is encoded, not encrypted.  In HTTPS, the SoH data is further encrypted like the rest of the payload.

    Howard Lee - [MSFT]

    Thursday, March 6, 2008 8:27 PM

  • Hi Lee,
    I do agree with you; I made a writing mistake.
    Do you know any tool or method to decode the SoH data? I would like to decode SoH data.

    Brijesh Shukla
    Friday, March 7, 2008 1:21 AM