Description
Prerequisites
- Existing Issue: Search the existing issues for this repository. If there is an issue that fits your needs, do not file a new one. Subscribe, react, or comment on that issue instead.
- Descriptive Title: Write the title for this issue as a short synopsis. If possible, provide context. For example, "Document new Get-Foo cmdlet" instead of "New cmdlet."
Summary
Today, a Session_Key is used to encrypt a SecureString before sending it on the wire and to decrypt it after receiving one. The PowerShell Remoting Protocol (PSRP) performs the Session_Key exchange between client and server when a SecureString object needs to be transferred. It involves the following steps:
- The client side generates a public key pair and sends the public key to the server.
- The server generates a symmetric session key.
- The server uses the public key to encrypt the session key and then sends it to the client.
- Afterwards, both the client and server use the session key to encrypt a SecureString object before sending it, and decrypt it after receiving one.
However, the padding algorithm RSAEncryptionPadding.Pkcs1 used in the PSRP Session_Key exchange is NOT secure. PSRP therefore needs to be used on top of a secure transport anyway, and the Session_Key doesn't add any extra security.
So, we decided to deprecate the Session_Key exchange in PSRP and instead require a secure transport layer for secure data transfer between PSRP clients and servers.
This PR increments the protocol version to v2.4 with the following changes:
- The following PSRP messages are deprecated when both client and server are v2.4+:
  - PUBLIC_KEY
  - PUBLIC_KEY_REQUEST
  - ENCRYPTED_SESSION_KEY
- The encryption and decryption steps for SecureString are skipped when both client and server are v2.4+.
- The change is backward compatible. For an old client or server (v2.3 or prior), the key exchange will still be kicked off as needed.
- Updated the named pipe transport (used for Enter-PSHostProcess) in PowerShell to reject remote clients.
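An added PowerShell illustration (not PowerShell's own remoting code) of the two things described above: the v2.4 negotiation rule, under which the Session_Key exchange runs only when either side is older than v2.4, and the legacy exchange itself, where the server wraps the session key with RSA PKCS#1 v1.5 padding, the choice this issue flags. The function names, the in-memory representation of the messages and the 32-byte session key are assumptions; the static RandomNumberGenerator.GetBytes call needs PowerShell 7.2 or later.

```powershell
# Simulation only: real PSRP messages (PUBLIC_KEY, ENCRYPTED_SESSION_KEY) are
# serialized and framed; here they are just .NET objects passed between functions.
using namespace System.Security.Cryptography

function Test-NeedsSessionKeyExchange {
    param([version]$ClientVersion, [version]$ServerVersion)
    # Exchange is deprecated only when BOTH sides are v2.4+; otherwise the
    # older peer still expects it, so it is kicked off as before.
    $cutover = [version]'2.4'
    return -not ($ClientVersion -ge $cutover -and $ServerVersion -ge $cutover)
}

function Invoke-LegacySessionKeyExchange {
    # Step 1: client generates an RSA key pair and sends the public half.
    $clientRsa  = [RSA]::Create(2048)
    $publicOnly = $clientRsa.ExportParameters($false)   # PUBLIC_KEY message

    # Step 2: server generates a symmetric session key (length is an assumption).
    $sessionKey = [RandomNumberGenerator]::GetBytes(32)

    # Step 3: server wraps it with the client's public key using PKCS#1 v1.5
    # padding, the padding the issue calls NOT secure (ENCRYPTED_SESSION_KEY).
    $serverRsa = [RSA]::Create()
    $serverRsa.ImportParameters($publicOnly)
    $wrapped = $serverRsa.Encrypt($sessionKey, [RSAEncryptionPadding]::Pkcs1)

    # Client unwraps; both sides now share the key used for SecureString.
    $recovered = $clientRsa.Decrypt($wrapped, [RSAEncryptionPadding]::Pkcs1)
    if (-not [Linq.Enumerable]::SequenceEqual($recovered, $sessionKey)) {
        throw 'session key mismatch after unwrap'
    }
    return $recovered
}

# Local client version as reported by PowerShell, paired with two server versions.
$local = [version]$PSVersionTable.PSRemotingProtocolVersion
foreach ($server in @([version]'2.3', [version]'2.4')) {
    if (Test-NeedsSessionKeyExchange -ClientVersion $local -ServerVersion $server) {
        $key = Invoke-LegacySessionKeyExchange
        "client $local / server $server : legacy exchange ran ($($key.Length)-byte key)"
    } else {
        "client $local / server $server : exchange skipped; SecureString protection rests on the transport"
    }
}
```

On a v2.4+ client the first pairing still performs the exchange for the v2.3 server, which is the backward-compatibility behaviour the PR describes; the second skips it.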
Details
This is because of a CodeQL issue: the padding algorithm used in the key exchange is not secure. The recommendation from the crypto board is to require secure transport for network connections with PSRP and to remove the key exchange from our remoting protocol, since it doesn't really offer extra security.
So, we need to update our documents to call out this change, as well as the secure transport requirement for network connections.
Articles
I'm not sure what docs need to be changed.
Related Source Pull Requests
Related Source Issues
It's a CodeQL issue in ADO: https://dev.azure.com/msazure/One/_workitems/edit/29471182