BranchCache Content Security | 2pint Knowledge Base

BranchCache Content Security

Applies to

Branch Cache General

Information

BranchCache implements a secure-by-design approach that works seamlessly alongside your existing network security architectures, without the requirement for additional equipment or complex additional security configuration.

BranchCache is non-invasive and does not alter any Windows authentication or authorization processes. After you deploy BranchCache, authentication is still performed using domain credentials, and the way in which authorization with Access Control Lists (ACLs) functions is unchanged. In addition, other configurations continue to function just as they did before BranchCache deployment.

The BranchCache security model is based on the creation of metadata, which takes the form of a series of hashes. These hashes are also called content information.

After content information is created, it is used in BranchCache message exchanges rather than the actual data, and it is exchanged using the supported protocols (HTTP, HTTPS, and SMB).

Cached data is kept encrypted and cannot be accessed by clients that do not have permission to access content from the original source. Clients must be authenticated and authorized by the original content source before they can retrieve content metadata, and must possess content metadata to access the cache in the local office.

How BranchCache generates content information

Because content information is created from multiple elements, the value of the content information is always unique. These elements are:

  • The actual content (such as Web pages or shared files) from which the hashes are derived.

  • Configuration parameters, such as the hashing algorithm and block size. To generate content information, the content server divides the content into segments and then subdivides those segments into blocks. BranchCache uses secure cryptographic hashes to identify and verify each block and segment, supporting the SHA256 hash algorithm.

  • A server secret. All content servers must be configured with a server secret, which is a binary value of arbitrary length.


Note

The use of a server secret ensures that client computers are not able to generate the content information themselves. This prevents malicious users from using brute force attacks with BranchCache-enabled client computers to guess minor changes in content across versions in situations in which the client had access to a previous version but does not have access to the current version.

Content information details

BranchCache uses the server secret as a key in order to derive a content-specific hash that is sent to authorized clients. Applying a keyed hashing algorithm (an HMAC) to the server secret and the Hash of Data generates this hash.

This hash is called the segment secret. BranchCache uses segment secrets to secure communications. In addition, BranchCache creates a Block Hash List, which is a list of hashed data blocks, and the Hash of Data, which is generated by hashing the Block Hash List.

The content information includes the following:

  • The Block Hash List:
    BlockHash_i = Hash(dataBlock_i), for 1 <= i <= n

  • The Hash of Data (HoD):
    HoD = Hash(BlockHashList)

  • Segment Secret (Kp):
    Kp = HMAC(Ks, HoD), where Ks is the server secret
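The following Python script is an added example, not code from the article, from 2pint or from Microsoft. It works through the three formulas above for a small piece of constructed content: it splits the content into blocks, hashes each block with SHA-256, hashes the concatenated block hashes to get the HoD, and derives the segment secret Kp as an HMAC keyed with the server secret Ks. The block size and the server secret values are assumptions chosen for the example, and the on-the-wire encoding of the real protocol's content information structures is not reproduced; only the derivation chain is shown.

```python
import hashlib
import hmac
from typing import Dict, List

# Illustrative block size for this example (an assumption, not a value from the article).
BLOCK_SIZE = 64 * 1024


def block_hash_list(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """BlockHash_i = Hash(dataBlock_i): SHA-256 of each fixed-size block of the content.

    The final block may be shorter than block_size; empty content yields an empty list.
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]


def hash_of_data(block_hashes: List[bytes]) -> bytes:
    """HoD = Hash(BlockHashList): SHA-256 over the concatenated block hashes."""
    return hashlib.sha256(b"".join(block_hashes)).digest()


def segment_secret(server_secret: bytes, hod: bytes) -> bytes:
    """Kp = HMAC(Ks, HoD): keyed with the server secret, so only the content server
    (which holds Ks) can derive it; a client holding the content alone cannot."""
    return hmac.new(server_secret, hod, hashlib.sha256).digest()


def content_information(data: bytes, server_secret: bytes,
                        block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Build the content information for one segment: block hashes, HoD and Kp."""
    hashes = block_hash_list(data, block_size)
    hod = hash_of_data(hashes)
    return {
        "block_hashes": hashes,
        "hod": hod,
        "segment_secret": segment_secret(server_secret, hod),
    }


def verify_block(data_block: bytes, expected_block_hash: bytes) -> bool:
    """Client-side check: a block fetched from a peer cache is accepted only if its
    SHA-256 matches the block hash carried in the content information."""
    actual = hashlib.sha256(data_block).digest()
    return hmac.compare_digest(actual, expected_block_hash)


if __name__ == "__main__":
    # Constructed sample content and server secret (placeholders for the example).
    content = bytes(range(256)) * 4          # 1024 bytes of predictable sample data
    ks = b"example-server-secret"           # placeholder Ks, not a real secret
    info = content_information(content, ks, block_size=256)

    print("blocks:        ", len(info["block_hashes"]))
    print("HoD:           ", info["hod"].hex())
    print("segment secret:", info["segment_secret"].hex())

    # Same content, different server secret: HoD is unchanged, Kp is not.
    other = content_information(content, b"another-secret", block_size=256)
    print("HoD equal with other Ks:", other["hod"] == info["hod"])
    print("Kp  equal with other Ks:", other["segment_secret"] == info["segment_secret"])

    # A peer serving a block that differs by one byte is rejected.
    tampered = bytearray(content)
    tampered[300] ^= 0x01                   # falls inside block index 1
    print("tampered block accepted:",
          verify_block(bytes(tampered)[256:512], info["block_hashes"][1]))
```

Running the script shows the property the note above describes: a client that has the content can recompute the block hashes and the HoD, but without Ks it cannot produce Kp, and any change to a single byte of content changes the affected block hash, the HoD and therefore the segment secret.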

BranchCache uses the Peer Content Caching protocol and the Retrieval Framework protocol to implement the processes that are required to ensure the secure caching and retrieval of data between content caches.

In addition, BranchCache handles content information with the same degree of security that it uses when handling and transmitting the actual content itself.

This article has been extracted from

<https://technet.microsoft.com/en-us/library/hh831696%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396>