[cifs-protocol] [MS-SAMR] AEAD-AES-256-CBC-HMAC-SHA512 - TrackingID#2206210040006850

Obaid Farooqi obaidf at microsoft.com
Tue Jun 21 16:08:06 UTC 2022 

Hi Andreas:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Andreas Schneider <asn at samba.org> 
Sent: Tuesday, June 21, 2022 8:00 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-SAMR] AEAD-AES-256-CBC-HMAC-SHA512

Hello Dochelp,

I'm trying to implement support for AEAD-AES-256-CBC-HMAC-SHA512 from [MS- SAMR] 3.2.2.4 AES Cipher Usage.

This is not really easy as there are some details unclear. I would love to write a unit test for AEAD-AES-256-CBC-HMAC-SHA512.

Could you please provide hexdump of the buffers used in encryption from a
SamrSetInformationUser2 level 31 from a test platform.

When it performs the following:

Let enc_key ::= HMAC-SHA-512(CEK, SAM_AES256_ENC_KEY_STRING) Let mac_key ::= HMAC-SHA-512(CEK, SAM_AES256_MAC_KEY_STRING) Let Cipher ::= AES-CBC(enc_key, IV, secret_plaintext) Let AuthData ::= HMAC-SHA-512(mac_key, versionbyte + IV + Cipher +
versionbyte_length)


I would like to have hexdumps of the following buffers:

* cek (16byte sesssion key)
* enc_key
* mac_key
* IV
* secret_plaintext
* cipher
* authdata

The RFC implementation provides something like that, see:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fid%2Fdraft-mcgrew-aead-aes-cbc-hmac-sha2-03.html%23rfc.section.5.4&data=05%7C01%7Cobaidf%40microsoft.com%7C050d0b7b7590452b21a008da53861f8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637914132786856139%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=6Z%2BoMRkwlcNR%2Fm3S3Heac8VgRyjWZG161ZY5NN2UqA8%3D&reserved=0

This would allow me to write a unit test and figure out the details what in my 
implementation something goes wrong. I can then provide feedback to improve 
the documentation.


Thank you very much!


Best regards


	Andreas Schneider


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.samba.org%2F&data=05%7C01%7Cobaidf%40microsoft.com%7C050d0b7b7590452b21a008da53861f8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637914132786856139%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=p6A%2BSe6DkGKtuvhpBiF20xo96QyL6ZG3tiZbaNNlqSU%3D&reserved=0
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the cifs-protocol mailing list