[cifs-protocol] [EXTERNAL] [MS-GKDI] GetKey — Group Keys and Seed Keys - TrackingID#2311210040001551

Joseph Sutton jsutton at samba.org
Tue Jan 16 22:34:52 UTC 2024


Thank you. I think I better understand what group/seed keys refer to now.

Regards,
Joseph

On 17/01/24 6:45 am, Obaid Farooqi wrote:
> Hi Joseph:
> The term group key is a generic name. Protocols return two types of group keys: a public key or a seed key that can be used to derive the private or symmetric keys, as stated in the document in section "1.3 Overview", as follows:
> 
> "
> Based on an evaluation of the client's security context and the security
> descriptor, the server can return an error, a public key, or a seed key that can be used to derive
> both the symmetric and asymmetric keys.
> "
> 
> The parameters are used to determine if the key requested is the latest, based on a specified root key or based on a specified interval root key. Then, if the requester does not have proper privileges, only a public key is returned; otherwise the requested seed key is returned.
> 
> If you are using the RPC and getting as a result a key that does not work, please let me know and I will send you ttt binaries to collect traces to resolve your issue.
> 
> Please let me know if this does not answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Sent: Monday, November 20, 2023 11:07 PM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-GKDI] GetKey — Group Keys and Seed Keys - TrackingID#2311210040001551
> 
> [DocHelp to BCC, support on CC, SR ID on Subject]
> 
> Hi Joseph,
> 
> Thank you for your question. We have created SR 2311210040001551 to track this issue. One of our engineers will respond soon.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Monday, November 20, 2023 7:50 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-GKDI] GetKey — Group Keys and Seed Keys
> 
> Hi dochelp,
> 
> The documentation for GetKey ([MS-GKDI] 3.1.4.1) states that, in general, there are four types of GetKey request: two requesting the latest group key, and two requesting a specific seed key. If L0KeyID, L1KeyID, and L2KeyID are all equal to −1, the caller has requested a group key, and if they are all greater than −1, a seed key.
> 
> Further on, the documentation states:
> 
> “6. If the client is only authorized to access public keys […] compute the public key corresponding to the SK […] Return the result in the ppbOut parameter of the GetKey method […] and then exit.
> “7. If the client is authorized to access seed keys […] then:
> [directions follow for returning a seed key].”
> 
> Steps 6 and 7, taken literally, seem to imply that whether to return a seed key depends only on the client’s access privileges. But that would be contrary to the earlier passage which leaves the choice up to the client — although still restricted by their privileges.
> 
> Which reading is the correct one?
> 
> Regards,
> Joseph
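The decision the thread settles on, as an added example written for this page (not Samba's code and not Microsoft's): the three key IDs select between the two request families described in [MS-GKDI] 3.1.4.1, and the caller's authorization, not the request, decides whether a public key or a seed key comes back. The `GetKeyError` class, the `granted_rights` set standing in for the security-descriptor evaluation, and the treatment of mixed key IDs as malformed are assumptions of this model, not statements from the specification.

```python
"""Model of the MS-GKDI GetKey dispatch discussed in the thread (constructed)."""
from enum import Enum


class RequestKind(Enum):
    LATEST_GROUP_KEY = "latest group key"    # L0/L1/L2KeyID all equal to -1
    SPECIFIC_SEED_KEY = "specific seed key"  # L0/L1/L2KeyID all greater than -1


class ReturnedKey(Enum):
    PUBLIC_KEY = "public key"
    SEED_KEY = "seed key"


class GetKeyError(Exception):
    """Assumed stand-in for the error result GetKey may return."""


def classify_request(l0_key_id: int, l1_key_id: int, l2_key_id: int) -> RequestKind:
    """Pick the request family from the three key IDs (MS-GKDI 3.1.4.1)."""
    ids = (l0_key_id, l1_key_id, l2_key_id)
    if all(i == -1 for i in ids):
        return RequestKind.LATEST_GROUP_KEY
    if all(i > -1 for i in ids):
        return RequestKind.SPECIFIC_SEED_KEY
    # Mixed IDs match neither family; this model rejects them (assumption).
    raise GetKeyError(f"inconsistent key IDs {ids}: expected all -1 or all > -1")


def is_malformed(l0_key_id: int, l1_key_id: int, l2_key_id: int) -> bool:
    """True when the IDs fall into neither request family."""
    try:
        classify_request(l0_key_id, l1_key_id, l2_key_id)
    except GetKeyError:
        return True
    return False


def get_key(l0_key_id: int, l1_key_id: int, l2_key_id: int,
            granted_rights: frozenset) -> tuple:
    """Return (request kind, key type) the server hands back.

    `granted_rights` abstracts the security-descriptor check (assumed
    representation): "public" = may read public keys, "seed" = may read
    seed keys. The request family never overrides the authorization.
    """
    kind = classify_request(l0_key_id, l1_key_id, l2_key_id)
    if "seed" in granted_rights:
        # Step 7: a caller authorized for seed keys receives the seed key.
        return kind, ReturnedKey.SEED_KEY
    if "public" in granted_rights:
        # Step 6: a public-only caller receives the public key computed
        # from the seed key, even if the IDs named a specific seed key.
        return kind, ReturnedKey.PUBLIC_KEY
    # Neither right: the third outcome named in 1.3 Overview, an error.
    raise GetKeyError("caller is authorized for neither public nor seed keys")


def decision_table() -> list:
    """Enumerate every (request family, rights) combination for review."""
    rows = []
    for ids in ((-1, -1, -1), (361, 5, 17)):            # constructed key IDs
        for rights in (frozenset({"public"}), frozenset({"public", "seed"})):
            kind, key = get_key(*ids, rights)
            rows.append((ids, sorted(rights), kind.value, key.value))
    return rows


if __name__ == "__main__":
    for row in decision_table():
        print(row)
```

Reading the table makes the two questions independent: a client that asks for a specific seed key but holds only the public right still gets a public key, which is the reading Obaid confirms.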


