[cifs-protocol] Session keys are not always 16 bytes long

Stefan (metze) Metzmacher metze at samba.org
Fri Aug 8 10:19:09 GMT 2008


I just found that the session key used to decrypt the password
attributes in the DsGetNCChanges() is not truncated.
And I need to use gsskrb5_get_subkey() instead of
gsskrb5_get_initiator_subkey(), when AES keys are used.

metze
>>    In our last conference call, we talked about your question
>> regarding which of the numerous keys Kerberos produces is considered
>> the 'SMB session key'.  I had discussions with the product team to
>> find what or how should be documented.   You mentioned that you would
>> like to see the document to specify which GSSAPI call returns the
>> session key.   They would like to have a little more background
>> information, which you already talked about a little bit during our
>> conversation.  I just want to confirm so I can pass it accurately to
>> product team.  
>>
>>     What do you mean by GSSAPI with CFX ? Do you mean the mechanism
>> conforming to RFC 4121 ?
> 
> Yes.  (I should stop using that term, as it never made it into the RFC)
> 
>>     What implementation are you using for GSSAPI with CFX in Vista?
>> Is it Heimdal’s implementation?
> 
> Yes. 
> 
>>     What is your expectation about how this detail should be included
>> in the document ?  Do you expect it to associate with specific GSSAPI
>> calls? 
> 
> An indication of the (hopefully shared) MIT/Heimdal API would be very
> useful (as these are almost certainly the basis of any new
> implementations).
> 
> However, this should be alongside a description of where in the Kerberos
> protocol it is found:
> 
> 'the session key generated on ... and encrypted in message ... as
> element ... from (client/server) to the (client/server) is also used as
> the SMB Session key' (for example)
> 
>>    I hope that with the information we can have a resolution soon.
>> Thanks for your patience.
> 
> No worries,
> 
> Andrew Bartlett