[cifs-protocol] Session keys are not always 16 bytes long

Hongwei Sun hongweis at microsoft.com
Fri Aug 8 19:05:42 GMT 2008 

Stefan,

>>I just found that the session key used to decrypt the password attributes in the DsGetNCChanges() is not truncated.

  Do you have network trace for this case ?

>>And I need to use gsskrb5_get_subkey() instead of gsskrb5_get_initiator_subkey(), when aes keys are used.

  Does this happen only when you use AES keys

Thanks

----------------------------------------------------------
Hongwei  Sun - Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027
-----------------------------------------------------------




-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Friday, August 08, 2008 5:19 AM
To: Andrew Bartlett
Cc: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Session keys are not always 16 bytes long

I just found that the session key used to decrypt the password attributes in the DsGetNCChanges() is not truncated.
And I need to use gsskrb5_get_subkey() instead of gsskrb5_get_initiator_subkey(), when aes keys are used.

metze
>>    In our last conference call, we talked about your question
>> regarding which of the numerous keys Kerberos produce is considered
>> the 'SMB session key'.  I had discussions with the product team to
>> find what or how should be documented.   You mentioned that you would
>> like to see the document to specify which GSSAPI call returns the
>> session key.   They would like to have a little more background
>> information, which you already talked about a little bit during our
>> conversation.  I just want to confirm so I can pass it accurately to
>> product team.
>>
>>
>>
>>     What do you mean by GSSAPI with CFX ? Do you mean the mechanism
>> conforming to RFC 4121 ?
>
> Yes.  (I should stop using that term, as it never made it into the
> RFC)
>
>>     What implementation are you using  for GSSAPI with CFX in Vista
>>  ?   Is it Heimdal’s implementation ?
>
> Yes.
>
>>     What is your expectation about how this detail should be included
>> in the document ?  Do you expect it to associate with specific GSSAPI
>> calls?
>
> An indication of the (hopefully shared) MIT/Heimdal API would be very
> useful (as these are almost certainly the basis of any new
> implementations).
>
> However, this should be alongside a description of where in the
> kerberos protocol is is found:
>
> 'the session key generated on ... and encrypted in message ... as
> element ... from (client/server) to the (client/server) is also used
> as the SMB Session key' (for example)
>
>>    I hope that with the information we can have a resolution soon.
>> Thanks for your patience.
>
> No worries,
>
> Andrew Bartlett
>
>
>
> ----------------------------------------------------------------------
> --
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at cifs.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol

More information about the cifs-protocol mailing list