[MS-DTAG]: Is something missing from documentation?

  • Question

  • I'm trying to figure out here whether something is missing from the DTAG documentation or whether there is a problem in the C# code being used here...

    The documentation specifies that "_HostValidateAuthenticatorIter" (from the Commit action) should match the value of "HMAC(_HostValidateNonceIter, UTF-8(Iter + OTPIter + _HostID + _HostCertificate) )" in the Validate action... note that Iter and _HostCertificate are to be Base64 encoded, per section 3.1.1 of DTAG.

    So something doesn't seem to add up with this calculation; I received _HostID and _HostCertificate from the Exchange action exactly as they came across in the SOAP message...

    Here is my program output...

    Test HMAC(_HostValidateNonceIter, UTF-8(Iter + OTPIter + _HostID + _HostCertificate) )...
    Expected Value: YoehRnzczacgUnUOvBYFxOQCaI8=
    Calculated Value: YZej+kdb0pxkDawr8YsskJbka6k=

    And here is my C# code...

    using System;
    using System.Diagnostics;
    using System.Security.Cryptography;
    using System.Text;

    string HostId = "uuid:84fa64ef-1b8b-41fe-9dcb-1d983d8273fe";
    string HostCertificate = "AAABAANiMIIDXjCCAkagAwIBAgIQJmfuu52TmLhGVtp4qvZJXDANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxNaWNyb3NvZnQgV2luZG93cyBNZWRpYSBDZW50ZXIgRXh0ZW5kZXIgSG9zdDAeFw0wOTEyMjIyMzU4MjJaFw0zOTEyMjMwNjIxMjRaMDcxNTAzBgNVBAMTLE1pY3Jvc29mdCBXaW5kb3dzIE1lZGlhIENlbnRlciBFeHRlbmRlciBIb3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRBuEwk3UKODG8zbZiF5xmQS/zJAMc5/EiH85+FN2i72z6uPI3fFY8k6SbEhT2n63LLn6jIB/zkl97egfxDstrHFSoZAqqhJQifJKbB3r30KkiAcycHWMEhEJXJFnYoDWbdMZxN7cKTyCRWZgd9dJRterX/gCaaGeVDo2vB+KHLMqIru3xDe/ZePaJnEFtZ6B15fU2H/Lko/8GnRUZvGUYEm4XozmCyKAf2enA21VwCyY0MilsM/WEYUi3VqyUx9vtbDs/RJkdi1j0fsg4EzOLMwwN8vYXoChe53Hs7z4ymecOwj8MZhVx1+lpQ5LpaeuMJADmCFGUpUbDdEroAjjQIDAQABo2YwZDA0BgNVHREELTArhil1dWlkOjg0ZmE2NGVmLTFiOGItNDFmZS05ZGNiLTFkOTgzZDgyNzNmZTALBgNVHQ8EBAMCBPAwHwYDVR0lBBgwFgYIKwYBBQUHAwEGCisGAQQBgjcKBQwwDQYJKoZIhvcNAQEFBQADggEBABZg1YaIvkT7KtFM607frLz5l/pBSC96lWx/lAWIzwWGIhHAH9C9OgFBxsuwjqF3XQ0n2kI8UXi2YnSlN64EizlrRXYBioeSmZQIc0/8dkRmrVLivR7HrF5eM13MWIB/rZA13TBC3JlkI4ZT4lcpiS41t/FILPf+Ku7uHaxy63N4Yx9JZ6KrWlDMSRYhXfnB0llNJRLw/GKR9MwiEQNwXDhW9m7Ul2l4qq/BhbECzdaulPihh5lt0YTli60SyKEfYeT3IB5TeTjTYcklbvvr/QX4FjyXdZN4kHiN35DN+KYDua+UR7PgFNcvN5wAWae9eByjV3ayHxgiWUAgazMqNvg=";
    string HostValidateAuthenticator = "YoehRnzczacgUnUOvBYFxOQCaI8=";
    string HostValidateNonce = "c5X3fmXQHx7JFST1Q2li5ypOS0k=";
    string OTP = "66055570";
    int Iterations = 4;
    int Iter = 1;
    string OTPIter1 = "66";

    Debug.WriteLine("Test HMAC(_HostValidateNonceIter, UTF-8(Iter + OTPIter + _HostID + _HostCertificate) )...");
    Debug.WriteLine("Expected Value: " + HostValidateAuthenticator);

    byte[] hmac_key = Convert.FromBase64String(HostValidateNonce);
    byte[] hmac_text = Encoding.UTF8.GetBytes(
        Convert.ToBase64String(new byte[] { Convert.ToByte(Iter) }) + // Convert iterator to base64
        OTPIter1 + // First two char's of OTP for iteration 1
        HostId + // Includes uuid: as it came across soap messages from Exchange Action
        HostCertificate // Already base64 from Exchange Action
    );

    HMACSHA1 hmac = new HMACSHA1(hmac_key);
    byte[] result = hmac.ComputeHash(hmac_text);
    Debug.WriteLine("Calculated Value: " + Convert.ToBase64String(result));

    Is there something in the concatenation that is missing from the documentation?


    Saturday, January 23, 2010 8:07 AM


All replies

  • Hi 4Fields,

    Thank you for your question.  One of my colleagues will contact you to investigate this issue.

    Regards,
    Mark Miller
    Escalation Engineer

    US-CSS DSC PROTOCOL TEAM

    Saturday, January 23, 2010 12:41 PM
  • Thank you
    • Proposed as answer by Sanmilie Sunday, January 24, 2010 7:44 PM
    • Unproposed as answer by 4fields Monday, January 25, 2010 10:19 PM
    Sunday, January 24, 2010 7:25 AM
  • Did your colleague get a chance to look at this today? Sanmilie suggested it may have to be converted to UTF16 and then to UTF8 but I had no luck with that.
    Tuesday, January 26, 2010 5:53 AM
  • Hi 4fields,

    We are investigating your question and will update you as soon as we have news.

    Regards,
    Edgar

    Wednesday, January 27, 2010 8:29 PM
  • There is a solution to my problem: for some reason the host is not using the last 4 digits of the OTP, so the OTP is "6605" instead of "66055570", which also means that OTPIter1 is "6" instead of "66".

    One last change to make this work is that the Iter should NOT be converted to base64 like the documentation says, but instead just converted to a string, so the Iter should be "1" when doing the concat.

    Here is the final code...

                using System;
                using System.Diagnostics;
                using System.Security.Cryptography;
                using System.Text;

                string HostId = "uuid:84fa64ef-1b8b-41fe-9dcb-1d983d8273fe";
                string HostCertificate = "AAABAANiMIIDXjCCAkagAwIBAgIQJmfuu52TmLhGVtp4qvZJXDANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxNaWNyb3NvZnQgV2luZG93cyBNZWRpYSBDZW50ZXIgRXh0ZW5kZXIgSG9zdDAeFw0wOTEyMjIyMzU4MjJaFw0zOTEyMjMwNjIxMjRaMDcxNTAzBgNVBAMTLE1pY3Jvc29mdCBXaW5kb3dzIE1lZGlhIENlbnRlciBFeHRlbmRlciBIb3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRBuEwk3UKODG8zbZiF5xmQS/zJAMc5/EiH85+FN2i72z6uPI3fFY8k6SbEhT2n63LLn6jIB/zkl97egfxDstrHFSoZAqqhJQifJKbB3r30KkiAcycHWMEhEJXJFnYoDWbdMZxN7cKTyCRWZgd9dJRterX/gCaaGeVDo2vB+KHLMqIru3xDe/ZePaJnEFtZ6B15fU2H/Lko/8GnRUZvGUYEm4XozmCyKAf2enA21VwCyY0MilsM/WEYUi3VqyUx9vtbDs/RJkdi1j0fsg4EzOLMwwN8vYXoChe53Hs7z4ymecOwj8MZhVx1+lpQ5LpaeuMJADmCFGUpUbDdEroAjjQIDAQABo2YwZDA0BgNVHREELTArhil1dWlkOjg0ZmE2NGVmLTFiOGItNDFmZS05ZGNiLTFkOTgzZDgyNzNmZTALBgNVHQ8EBAMCBPAwHwYDVR0lBBgwFgYIKwYBBQUHAwEGCisGAQQBgjcKBQwwDQYJKoZIhvcNAQEFBQADggEBABZg1YaIvkT7KtFM607frLz5l/pBSC96lWx/lAWIzwWGIhHAH9C9OgFBxsuwjqF3XQ0n2kI8UXi2YnSlN64EizlrRXYBioeSmZQIc0/8dkRmrVLivR7HrF5eM13MWIB/rZA13TBC3JlkI4ZT4lcpiS41t/FILPf+Ku7uHaxy63N4Yx9JZ6KrWlDMSRYhXfnB0llNJRLw/GKR9MwiEQNwXDhW9m7Ul2l4qq/BhbECzdaulPihh5lt0YTli60SyKEfYeT3IB5TeTjTYcklbvvr/QX4FjyXdZN4kHiN35DN+KYDua+UR7PgFNcvN5wAWae9eByjV3ayHxgiWUAgazMqNvg=";
                string HostValidateAuthenticator = "YoehRnzczacgUnUOvBYFxOQCaI8=";
                string HostValidateNonce = "c5X3fmXQHx7JFST1Q2li5ypOS0k=";
                string OTP = "66055570".Substring(0,4);
                int Iterations = 4;
                int Iter = 1;
                string OTPIter1 = "6";
    
                Debug.WriteLine("Test HMAC(_HostValidateNonceIter, UTF-8(Iter + OTPIter + _HostID + _HostCertificate) )...");
                Debug.WriteLine("Expected Value: " + HostValidateAuthenticator);
    
                byte[] hmac_key = Convert.FromBase64String(HostValidateNonce);
                byte[] hmac_text = Encoding.UTF8.GetBytes(
                    Iter + // Leave iterator as integer instead of converting to base64
                    OTPIter1 + // First char of the 4-digit OTP for iteration 1
                    HostId + // Includes uuid: as it came across soap messages from Exchange Action
                    HostCertificate // Already base64 from Exchange Action
                );
    
                HMACSHA1 hmac = new HMACSHA1(hmac_key);
                byte[] result = hmac.ComputeHash(hmac_text);
                Debug.WriteLine("Calculated Value: " + Convert.ToBase64String(result));

    Output is...

    Test HMAC(_HostValidateNonceIter, UTF-8(Iter + OTPIter + _HostID + _HostCertificate) )...
    Expected Value: YoehRnzczacgUnUOvBYFxOQCaI8=
    Calculated Value: YoehRnzczacgUnUOvBYFxOQCaI8=

    • Marked as answer by 4fields Thursday, January 28, 2010 11:39 PM
    • Edited by 4fields Thursday, January 28, 2010 11:40 PM Fixed Iter comment
    Thursday, January 28, 2010 11:38 PM
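    To make the difference between the two posts above concrete, here is the same calculation in Python. This is an added example, not code from the thread or from Microsoft's MS-DTAG documentation: it computes the authenticator both ways (the spec's original wording, with Iter Base64-encoded and the first two characters of the 8-digit OTP, as in the question; and the corrected rule, with Iter as a decimal string and the first character of the truncated 4-digit OTP, as in the answer) using the HostId, HostCertificate, nonce and expected value quoted in the final code. The even split of the OTP across the four iterations is inferred from the two attempts ("66" from 8 digits, "6" from 4 digits), not quoted from the spec, and the constant-time comparison at the end is an addition for the verifying side; the C# in the thread just prints both values.

```python
import base64
import hashlib
import hmac

# Inputs copied from the thread's final working C# snippet: the host identity
# and certificate exactly as delivered by the Exchange action, plus the nonce
# and the authenticator value the host sent in the Validate/Commit exchange.
HOST_ID = "uuid:84fa64ef-1b8b-41fe-9dcb-1d983d8273fe"
HOST_CERTIFICATE = "AAABAANiMIIDXjCCAkagAwIBAgIQJmfuu52TmLhGVtp4qvZJXDANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxNaWNyb3NvZnQgV2luZG93cyBNZWRpYSBDZW50ZXIgRXh0ZW5kZXIgSG9zdDAeFw0wOTEyMjIyMzU4MjJaFw0zOTEyMjMwNjIxMjRaMDcxNTAzBgNVBAMTLE1pY3Jvc29mdCBXaW5kb3dzIE1lZGlhIENlbnRlciBFeHRlbmRlciBIb3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRBuEwk3UKODG8zbZiF5xmQS/zJAMc5/EiH85+FN2i72z6uPI3fFY8k6SbEhT2n63LLn6jIB/zkl97egfxDstrHFSoZAqqhJQifJKbB3r30KkiAcycHWMEhEJXJFnYoDWbdMZxN7cKTyCRWZgd9dJRterX/gCaaGeVDo2vB+KHLMqIru3xDe/ZePaJnEFtZ6B15fU2H/Lko/8GnRUZvGUYEm4XozmCyKAf2enA21VwCyY0MilsM/WEYUi3VqyUx9vtbDs/RJkdi1j0fsg4EzOLMwwN8vYXoChe53Hs7z4ymecOwj8MZhVx1+lpQ5LpaeuMJADmCFGUpUbDdEroAjjQIDAQABo2YwZDA0BgNVHREELTArhil1dWlkOjg0ZmE2NGVmLTFiOGItNDFmZS05ZGNiLTFkOTgzZDgyNzNmZTALBgNVHQ8EBAMCBPAwHwYDVR0lBBgwFgYIKwYBBQUHAwEGCisGAQQBgjcKBQwwDQYJKoZIhvcNAQEFBQADggEBABZg1YaIvkT7KtFM607frLz5l/pBSC96lWx/lAWIzwWGIhHAH9C9OgFBxsuwjqF3XQ0n2kI8UXi2YnSlN64EizlrRXYBioeSmZQIc0/8dkRmrVLivR7HrF5eM13MWIB/rZA13TBC3JlkI4ZT4lcpiS41t/FILPf+Ku7uHaxy63N4Yx9JZ6KrWlDMSRYhXfnB0llNJRLw/GKR9MwiEQNwXDhW9m7Ul2l4qq/BhbECzdaulPihh5lt0YTli60SyKEfYeT3IB5TeTjTYcklbvvr/QX4FjyXdZN4kHiN35DN+KYDua+UR7PgFNcvN5wAWae9eByjV3ayHxgiWUAgazMqNvg="
HOST_VALIDATE_NONCE = "c5X3fmXQHx7JFST1Q2li5ypOS0k="
EXPECTED_AUTHENTICATOR = "YoehRnzczacgUnUOvBYFxOQCaI8="
OTP_DISPLAYED = "66055570"
ITERATIONS = 4


def otp_in_use(otp_displayed: str, digits_used: int = 4) -> str:
    """Per the thread, the host only consumed the first four OTP digits."""
    return otp_displayed[:digits_used]


def otp_iter(otp: str, iteration: int, iterations: int = ITERATIONS) -> str:
    """OTP slice for a 1-based iteration. The even split across iterations is
    inferred from the thread ("66" for an 8-digit OTP, "6" for a 4-digit one,
    both over 4 iterations), not quoted from the spec."""
    chunk = len(otp) // iterations
    start = (iteration - 1) * chunk
    return otp[start:start + chunk]


def host_validate_authenticator(nonce_b64: str, iteration: int, otp_iter_str: str,
                                host_id: str, host_cert_b64: str,
                                iter_as_base64: bool = False) -> str:
    """HMAC-SHA1(_HostValidateNonceIter, UTF-8(Iter + OTPIter + _HostID + _HostCertificate)).

    iter_as_base64=True follows the original spec wording (Iter Base64-encoded),
    which is what the question's first attempt did; False is the corrected
    decimal-string rule from the answer. The certificate is concatenated in the
    Base64 form it arrived in; only the nonce is decoded, because it is the key."""
    key = base64.b64decode(nonce_b64)
    if iter_as_base64:
        iter_str = base64.b64encode(bytes([iteration])).decode("ascii")  # "AQ==" for 1
    else:
        iter_str = str(iteration)  # "1"
    message = (iter_str + otp_iter_str + host_id + host_cert_b64).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authenticator_matches(received_b64: str, computed_b64: str) -> bool:
    """Constant-time comparison for the verifying side (an addition here; the
    thread's C# just prints both values for eyeballing)."""
    return hmac.compare_digest(received_b64.encode("ascii"), computed_b64.encode("ascii"))


if __name__ == "__main__":
    # The question's first attempt: Base64 Iter and "66" from the full 8-digit OTP.
    first_try = host_validate_authenticator(HOST_VALIDATE_NONCE, 1, otp_iter(OTP_DISPLAYED, 1),
                                            HOST_ID, HOST_CERTIFICATE, iter_as_base64=True)
    # The answer's fix: decimal Iter and "6" from the truncated 4-digit OTP.
    otp = otp_in_use(OTP_DISPLAYED)
    fixed = host_validate_authenticator(HOST_VALIDATE_NONCE, 1, otp_iter(otp, 1),
                                        HOST_ID, HOST_CERTIFICATE)
    print("Expected:           ", EXPECTED_AUTHENTICATOR)
    print("Base64 Iter + '66': ", first_try, authenticator_matches(EXPECTED_AUTHENTICATOR, first_try))
    print("Decimal Iter + '6': ", fixed, authenticator_matches(EXPECTED_AUTHENTICATOR, fixed))
```

    Running the module prints both candidates next to the expected authenticator; only the decimal-Iter variant reproduces it. Note that the four-digit truncation is an observed host behaviour from the thread, not a documented rule, so a verifier should not hard-code it without checking the host it talks to.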
  • Hi 4fields,

    I filed a technical document issue on MS-DTAG. I will update you as soon we complete our investigation.

    Thanks,
    Edgar

    Friday, January 29, 2010 8:23 PM
  • Hi,

    Your observation regarding the _HostValidateAuthenticatorIter computation is correct. MS-DTAG “3.1.1 Abstract Data Model” will update the encoding rule of the Iter input to the HMAC-SHA1 hashing function.

    _HostValidateAuthenticatorIter
    = HMAC( _HostValidateNonceIter, UTF-8( IterIter + OTPIter + _HostID + _HostCertificate ) )

    Current specification:

    • N (or Iter), encoded as a Base64 string

    Update similar to:

    • N (or Iter), encoded as a decimal number string

    Thanks,
    Edgar

    Thursday, February 11, 2010 11:17 PM