[cifs-protocol] [EXTERNAL] [MS-GKDI] GetKey — Group Keys and Seed Keys - TrackingID#2311210040001551

Obaid Farooqi obaidf at microsoft.com
Tue Jan 16 17:45:16 UTC 2024


Hi Joseph:
The term group key is a generic name. Protocols return two types of group keys: a public key, or a seed key that can be used to derive the private or symmetric keys, as stated in the document in section "1.3 Overview", as follows:

"
Based on an evaluation of the client's security context and the security
descriptor, the server can return an error, a public key, or a seed key that can be used to derive
both the symmetric and asymmetric keys.
"

The parameters are used to determine if the key requested is the latest, based on a specified root key, or based on a specified interval root key. Then, if the requester does not have the proper privileges, only a public key is returned; otherwise the requested seed key is returned.

If you are using the RPC and getting as a result a key that does not work, please let me know and I will send you ttt binaries to collect traces to resolve your issue.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Jeff McCashland (He/him) <jeffm at microsoft.com>
Sent: Monday, November 20, 2023 11:07 PM
To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-GKDI] GetKey — Group Keys and Seed Keys - TrackingID#2311210040001551

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Joseph,

Thank you for your question. We have created SR 2311210040001551 to track this issue. One of our engineers will respond soon.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Monday, November 20, 2023 7:50 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-GKDI] GetKey — Group Keys and Seed Keys

Hi dochelp,

The documentation for GetKey ([MS-GKDI] 3.1.4.1) states that, in general, there are four types of GetKey request: two requesting the latest group key, and two requesting a specific seed key. If L0KeyID, L1KeyID, and L2KeyID are all equal to −1, the caller has requested a group key, and if they are all greater than −1, a seed key.

Further on, the documentation states:

“6. If the client is only authorized to access public keys […] compute the public key corresponding to the SK […] Return the result in the ppbOut parameter of the GetKey method […] and then exit.
“7. If the client is authorized to access seed keys […] then:
[directions follow for returning a seed key].”

Steps 6 and 7, taken literally, seem to imply that whether to return a seed key depends only on the client’s access privileges. But that would be contrary to the earlier passage which leaves the choice up to the client — although still restricted by their privileges.

Which reading is the correct one?

Regards,
Joseph
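
As an added illustration (not code from Samba, Microsoft, or the [MS-GKDI] text itself), the Python below models the request classification Joseph describes and the two-stage decision in Obaid's reply: the three key IDs pick which key, and the caller's access then decides whether that key's seed or only its public key comes back. Assumed and not stated in this thread: the 10-hour KDS key cycle and the 32-entry L1/L2 index ranges used to turn a timestamp into (L0, L1, L2), and all class and function names, which are mine.

```python
"""
Toy model of a [MS-GKDI] GetKey request: which key the three IDs select,
and whether the caller gets the seed key or only the derived public key.
Illustration only; not Samba's or Microsoft's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

# Assumed, not stated in this thread: the KDS key cycle is 10 hours in
# 100 ns FILETIME units, and the L1 and L2 indices each run 0..31.
KEY_CYCLE = 360_000_000_000
L1_ITERATIONS = 32
L2_ITERATIONS = 32

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class Access(Enum):
    """What the caller's security context allows (hypothetical names)."""
    NONE = "no access"
    PUBLIC_KEY = "public keys only"
    SEED_KEY = "seed keys"


class RequestKind(Enum):
    LATEST_GROUP_KEY = "latest group key"
    SPECIFIC_SEED_KEY = "specific seed key"


@dataclass(frozen=True)
class GetKeyResult:
    kind: RequestKind
    key_ids: tuple      # (L0, L1, L2) the server resolved the request to
    returned: str       # "seed key" or "public key"


def filetime_of(iso_timestamp: str) -> int:
    """Convert an ISO 8601 UTC timestamp to a Windows FILETIME (100 ns since 1601)."""
    dt = datetime.fromisoformat(iso_timestamp)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    # Integer arithmetic: float total_seconds() loses precision at this scale.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def key_ids_for_time(filetime: int) -> tuple:
    """(L0, L1, L2) of the key interval containing the given FILETIME."""
    cycles = filetime // KEY_CYCLE
    l0 = cycles // (L1_ITERATIONS * L2_ITERATIONS)
    l1 = (cycles // L2_ITERATIONS) % L1_ITERATIONS
    l2 = cycles % L2_ITERATIONS
    return (l0, l1, l2)


def classify_request(l0: int, l1: int, l2: int) -> RequestKind:
    """Apply the all -1 / all > -1 rule from [MS-GKDI] 3.1.4.1; anything mixed is rejected."""
    ids = (l0, l1, l2)
    if all(i == -1 for i in ids):
        return RequestKind.LATEST_GROUP_KEY
    if all(i > -1 for i in ids):
        if not (l1 < L1_ITERATIONS and l2 < L2_ITERATIONS):
            raise ValueError(f"L1/L2 index out of range: {ids}")
        return RequestKind.SPECIFIC_SEED_KEY
    raise ValueError(f"L0KeyID, L1KeyID, L2KeyID must all be -1 or all >= 0: {ids}")


def get_key(l0: int, l1: int, l2: int, access: Access, now_filetime: int) -> GetKeyResult:
    """
    Server-side decision as Obaid's reply describes it: the parameters pick
    the key, then the caller's privileges pick seed key vs. public key.
    """
    kind = classify_request(l0, l1, l2)
    if kind is RequestKind.LATEST_GROUP_KEY:
        key_ids = key_ids_for_time(now_filetime)
    else:
        key_ids = (l0, l1, l2)

    if access is Access.SEED_KEY:
        return GetKeyResult(kind, key_ids, "seed key")       # step 7
    if access is Access.PUBLIC_KEY:
        return GetKeyResult(kind, key_ids, "public key")     # step 6: derived from the seed, seed withheld
    raise PermissionError("caller may not read group keys")  # error path from 1.3 Overview


if __name__ == "__main__":
    now = filetime_of("2024-01-16T17:45:16+00:00")   # timestamp of the reply at the top of this thread
    print(get_key(-1, -1, -1, Access.SEED_KEY, now))
    print(get_key(-1, -1, -1, Access.PUBLIC_KEY, now))
    print(get_key(361, 30, 2, Access.SEED_KEY, now))
```

Note that a caller restricted to public keys can still ask for a specific (L0, L1, L2); what changes is only the form of the result. Under the derivation order [MS-GKDI] describes, a seed key at one index lets its holder derive the keys below it in the same branch, which is why the public-key-only path in step 6 matters for a low-privilege caller even when the requested interval is old.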
