[cifs-protocol] [EXTERNAL] [MS-OAPXBC] Incorrect session key instructions

David Mulder dmulder at samba.org
Thu Jan 25 17:02:17 UTC 2024


On 1/25/24 9:54 AM, David Mulder via cifs-protocol wrote:
>
>
> On 1/25/24 9:45 AM, David Mulder wrote:
>>
>>
>> On 1/25/24 9:41 AM, Sreekanth Nadendla wrote:
>>> Hello David, the data obtained after base64url decode is the key in 
>>> encrypted form. You would use the machine transport key to decrypt 
>>> this to obtain the pop key you need. Can you check if this works?
>> That's exactly the problem. It can't be decrypted using the transport 
>> key. The number of bytes is too long. The CEK returned by MS appears 
>> to be corrupted (or a buffer overrun on your side, we're not sure).
>
> For example:
>
> > python3
>
> >>> import base64
> >>> from cryptography.hazmat.primitives import serialization
> >>> from cryptography.hazmat.primitives.asymmetric import padding
> >>> from cryptography.hazmat.primitives import hashes
> >>> transport_key = serialization.load_der_private_key(b'<redacted>', None)
>
> >>> session_key_jwe = 
> "eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.Lwx1oUwtrOVhZoHkPlNCVfvmInTIVfkpY4daNtS7fiL-dL-G2pgnSbCG23vwmk8VF9dbQPKkN4ERiWsXA8hjaZPE4XcWsylUrbT65hyO3U_r3nXLGxAYX06rRP21L8ak1qoFAl9wodJI30yHmBqYdsrO3BNa0QRXNmvliRF1fNnvzuRj5VQiqFi78-8as7rwKtUQ117R11q3EvaoYgwQUJS1JdDAiRDRHuVpVmfH8Gf279EpRuhKlyEN1gtjXCcK1U9cj3Oco47JeS3AuCZOrU0Q0rRSt0hWBFC21mLxqQ64hXTG3NOb5O-DFoN7sIf7vDBdQloZ2Sxq5gDVdegfmcsKTnjD3nooJIOuT8mmCyTeqdHlio-sYNBm0QzSsLPP3Dngl1bK.yLJM5ZkeigtBz5Cl.TA.lBRRBpOedY0K62Ti7jDqNA"
>
> >>> session_key_jwe_parts = session_key_jwe.split('.')
> >>> encKey = base64.urlsafe_b64decode(session_key_jwe_parts[1]+'==')
> >>>
> >>> transport_key.decrypt(encKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None))
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib64/python3.11/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 444, in decrypt
>     raise ValueError("Ciphertext length must be equal to key size.")
> ValueError: Ciphertext length must be equal to key size.

PowerShell also fails to decrypt that CEK:


MethodInvocationException: /home/dmulder/.local/share/powershell/Modules/AADInternals/0.9.2/PRT_Utils.ps1:754
Line |
 754 |  …             $CEK    = [System.Security.Cryptography.RSAOAEPKeyExchang …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "DecryptKeyExchange" with "1" argument(s): "The length of the data to decrypt is not valid
     | for the size of this key."


I got this error by feeding the bad session_key_jwe response into 
PowerShell with the transport_key and attempting to decrypt it.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
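
The length mismatch that both error messages in this message report can be checked before any decryption is attempted. The following is an added example, not part of the original message and not Samba or AADInternals code: it splits a compact JWE into its five parts, decodes each one, and compares the encrypted-key length with the RSA modulus size. The 2048-bit key size, the function names and the zero-filled sample tokens are assumptions constructed for illustration.

```python
import base64
import json


def b64url_decode(text):
    """Decode base64url, restoring only the padding that JWE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwe(compact, rsa_key_bits=2048):
    """Check part sizes of a compact JWE before attempting RSA decryption.

    rsa_key_bits is an assumption supplied by the caller (the transport
    key's modulus size); the thread does not state it.
    """
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE has 5 parts, got %d" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    enc_key, iv, _ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    problems = []
    modulus_len = (rsa_key_bits + 7) // 8
    # RSA ciphertext is always exactly as long as the modulus.
    if header.get("alg", "").startswith("RSA") and len(enc_key) != modulus_len:
        problems.append("encrypted key is %d bytes, RSA modulus is %d bytes"
                        % (len(enc_key), modulus_len))
    # RFC 7518: AES-GCM content encryption uses a 96-bit IV and 128-bit tag.
    if header.get("enc", "").endswith("GCM") and (len(iv), len(tag)) != (12, 16):
        problems.append("unexpected GCM IV/tag size: %d/%d bytes"
                        % (len(iv), len(tag)))
    return {"header": header, "encrypted_key_len": len(enc_key),
            "problems": problems}


def constructed_jwe(enc_key_len):
    """Build a constructed token (zero-filled, not real key material)."""
    header = json.dumps({"enc": "A256GCM", "alg": "RSA-OAEP"}).encode()
    fields = [header, bytes(enc_key_len), bytes(12), b"\x00", bytes(16)]
    return ".".join(b64url_encode(f) for f in fields)


if __name__ == "__main__":
    for size in (256, 300):  # well-formed vs. oversized encrypted key
        print(size, inspect_jwe(constructed_jwe(size))["problems"])
```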