<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Ubuntu;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F4E79;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F4E79">Hi Andrew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Based on your understanding, does this appear accurate?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">“AES256-CTS-HMAC-SHA1-96-SK: Enforce AES session keys when legacy ciphers are in use. When the bit is set, this indicates to the KDC that all cases where RC4 session keys can be used will be superseded with AES
keys.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)
</span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">| Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:
</span><span style="color:#2F5496"><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=02%7C01%7Cjeffm%40microsoft.com%7C92c4c7bb8c6d4412e78108d80d79f45f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637274164726698458&sdata=KtEL7V58Q7rscYvr9cPik%2FmYKZIv0rh3E3kBdGywwwI%3D&reserved=0"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">
| Extension 1138300<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett <abartlet@samba.org> <br>
<b>Sent:</b> Wednesday, November 16, 2022 12:07 PM<br>
<b>To:</b> Jeff McCashland (He/him) <jeffm@microsoft.com><br>
<b>Cc:</b> cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com><br>
<b>Subject:</b> Re: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Yes. We also just confirmed (in different words) the below which we determined experimentally. From Joseph:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Ubuntu",sans-serif;color:black">I think I now have the Windows enctype behaviour worked out, and Samba matching it.<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-family:"Ubuntu",sans-serif;color:black">The ticket is encrypted with the strongest enctype for which the server explicitly declares support, falling back to RC4 if the server has no declared supported
encryption types. The enctype of the session key is the first enctype listed in the request that the server supports, taking the AES-SK bit as an indication of support for both AES types.<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Ubuntu",sans-serif;color:black">If none of the enctypes in the request are supported by the target server, implicitly or explicitly, return ETYPE_NOSUPP.<o:p></o:p></span></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Therefore:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <span style="color:#1F4E79">that if an insecure encryption algorithm is used, you must always use a secure algorithm for session keys instead</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Appears to be incorrect (sadly, as this would aid in establishing policy). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Wed, 2022-11-16 at 17:43 +0000, Jeff McCashland (He/him) wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><span style="color:#1F4E79">Hi Andrew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">I understand Steve Syfuhs had a call with Samba engineers yesterday, were you in that call? Did you get your questions answered?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)
</span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">| Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:
</span><span style="color:#2F5496"><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VkzHZDPMfiMIgaygUKHWC%2FGtDPSoslly4lJCXFb9JW4%3D&reserved=0"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">
| Extension 1138300<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>>
<br>
<b>Sent:</b> Thursday, November 10, 2022 3:17 PM<br>
<b>To:</b> Jeff McCashland (He/him) <<a href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>>; Microsoft Support <<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>><br>
<b>Subject:</b> Re: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Thanks. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So, what I understand is this:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> - A KDC will always select the strongest key to encrypt the ticket based on the keys held at the server, permitted by msDS-SupportedEncryptionTypes and understood by this KDC (ticket key)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - The client has no ability to influence this key, so as long as the password is regularly rotated and the msDS-SupportedEncryptionType is up to date, then AES256-CTS-HMAC-SHA1-96 encrypted tickets are always issued.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - The server however may not have rotated it's password, nor updated msDS-SupportedEncryptionTypes since it was in a FL 2003 domain<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - Even if it does rotate it's password, it may not be storing an AES key in a keytab, so AES256-CTS-HMAC-SHA1-96 can't be arbitarily set in msDS-SupportedEncryptionTypes as that would change the ticket key<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> - Most Kerberos software these days, no matter which keys were shared, supports AES256-CTS-HMAC-SHA1-96 session keys<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - Clients can influence the session key type, as they must understand it for interopability. They could select a weak or problematic encryption type (eg 3DES in Samba recently)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - Servers could previously influence the session key type by the msDS-SupportedEncryptionType but we don't want to use that as above<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> - Therefore this value indicates that regardless, AES256-CTS-HMAC-SHA1-96 is the mandatory session key type, arcfour-hmac-md5 (or 3DES, in our case) session keys should never be used.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Is this correct?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Is there anything I've missed?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New"">On Thu, 2022-11-10 at 22:58 +0000, Jeff McCashland (He/him) wrote:</span><o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><span style="color:#1F4E79">Hi Andrew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">AES256-CTS-HMAC-SHA1-96-SK is a temporary value we have added as part of the security update to indicate that if an insecure encryption algorithm is used, you must always use a secure algorithm for session keys
instead.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">I will file a request to update [MS-KILE] with a description of the encryption type.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)
</span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">| Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:
</span><span style="color:#2F5496"><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VkzHZDPMfiMIgaygUKHWC%2FGtDPSoslly4lJCXFb9JW4%3D&reserved=0"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">
| Extension 1138300<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Jeff McCashland (He/him) <br>
<b>Sent:</b> Thursday, November 10, 2022 8:53 AM<br>
<b>To:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>>; Microsoft Support <<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>><br>
<b>Subject:</b> RE: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79">[Michael to BCC]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Hi Andrew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">I will research the algorithm and let you know what I learn.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)
</span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">| Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:
</span><span style="color:#2F5496"><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VkzHZDPMfiMIgaygUKHWC%2FGtDPSoslly4lJCXFb9JW4%3D&reserved=0"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">
| Extension 1138300<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Michael Bowen <<a href="mailto:Mike.Bowen@microsoft.com">Mike.Bowen@microsoft.com</a>>
<br>
<b>Sent:</b> Wednesday, November 9, 2022 9:38 PM<br>
<b>To:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>>; Microsoft Support <<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>><br>
<b>Subject:</b> RE: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">[DocHelp to bcc, Support mail to cc]<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hi Andrew,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks for your inquiry. I've created case number 2211100040001759 to track this issue. In your correspondence, please leave the case number in the subject line and use reply all. One of our engineers will contact you soon<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Best regards,<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="color:#333333;background:white">Mike Bowen</span><span style="color:#333333"><br>
<span style="background:white">Escalation Engineer - Microsoft Open Specifications</span></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett <<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>>
<br>
<b>Sent:</b> Wednesday, November 9, 2022 3:03 PM<br>
<b>To:</b> Interoperability Documentation Help <<a href="mailto:dochelp@microsoft.com">dochelp@microsoft.com</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>><br>
<b>Subject:</b> [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Kia Ora Dochelp!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In the errata to MS-KILE I see references to AES256-CTS-HMAC-SHA1-96-SK however I can't find any public references to this constant, nor further documentation on what it is used for.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-winerrata%2Fc982f6c4-2f70-4dc7-b252-09092e9f1eed&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=leHjMbCVjqlpEsRh%2Fq5l1Vw%2Bo5UYJsS69VTgEGwV5X4%3D&reserved=0">https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c982f6c4-2f70-4dc7-b252-09092e9f1eed</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Can you explain what this encryption type is and where to learn more about it?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<pre>-- <o:p></o:p></pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him) <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vo8oU7fhEpW044Ot%2Bguv5pjLh%2FJptec5RUIcL6PumAs%3D&reserved=0">https://samba.org/~abartlet/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ra%2FWZ411EOVrQXbYG6tFSPn0WI56%2FeZEJSa%2Fow8yMec%3D&reserved=0">
https://samba.org</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead, Catalyst IT <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BjawEZnUJ18jRe7x8vf6Cn0pcwAm3%2BpZx2WJ6KqcOo0%3D&reserved=0">https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support, Catalyst IT - Expert Open Source Solutions<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<div>
<pre>-- <o:p></o:p></pre>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New"">Andrew Bartlett (he/him) <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vo8oU7fhEpW044Ot%2Bguv5pjLh%2FJptec5RUIcL6PumAs%3D&reserved=0">https://samba.org/~abartlet/</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New"">Samba Team Member (since 2001)
<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ra%2FWZ411EOVrQXbYG6tFSPn0WI56%2FeZEJSa%2Fow8yMec%3D&reserved=0">
https://samba.org</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New"">Samba Team Lead, Catalyst IT <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BjawEZnUJ18jRe7x8vf6Cn0pcwAm3%2BpZx2WJ6KqcOo0%3D&reserved=0">https://catalyst.net.nz/services/samba</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New"">Samba Development and Support, Catalyst IT - Expert Open Source<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Courier New"">Solutions<o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<pre>-- <o:p></o:p></pre>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him) <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vo8oU7fhEpW044Ot%2Bguv5pjLh%2FJptec5RUIcL6PumAs%3D&reserved=0">https://samba.org/~abartlet/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ra%2FWZ411EOVrQXbYG6tFSPn0WI56%2FeZEJSa%2Fow8yMec%3D&reserved=0">
https://samba.org</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead, Catalyst IT <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C170f7699888e4757bf4e08dac80e328e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638042260563569737%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BjawEZnUJ18jRe7x8vf6Cn0pcwAm3%2BpZx2WJ6KqcOo0%3D&reserved=0">https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support, Catalyst IT - Expert Open Source Solutions<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>