[cifs-protocol] Session keys are not always 16 bytes long
Stefan (metze) Metzmacher
metze at samba.org
Fri Aug 8 10:19:09 GMT 2008
I just found that the session key used to decrypt the password
attributes in the DsGetNCChanges() is not truncated.
And I need to use gsskrb5_get_subkey() instead of
gsskrb5_get_initiator_subkey(), when aes keys are used.
metze
>> In our last conference call, we talked about your question
>> regarding which of the numerous keys Kerberos produce is considered
>> the 'SMB session key'. I had discussions with the product team to
>> find what or how should be documented. You mentioned that you would
>> like to see the document to specify which GSSAPI call returns the
>> session key. They would like to have a little more background
>> information, which you already talked about a little bit during our
>> conversation. I just want to confirm so I can pass it accurately to
>> product team.
>>
>>
>>
>> What do you mean by GSSAPI with CFX ? Do you mean the mechanism
>> conforming to RFC 4121 ?
>
> Yes. (I should stop using that term, as it never made it into the RFC)
>
>> What implementation are you using for GSSAPI with CFX in Vista
>> ? Is it Heimdal’s implementation ?
>
> Yes.
>
>> What is your expectation about how this detail should be included
>> in the document ? Do you expect it to associate with specific GSSAPI
>> calls?
>
> An indication of the (hopefully shared) MIT/Heimdal API would be very
> useful (as these are almost certainly the basis of any new
> implementations).
>
> However, this should be alongside a description of where in the kerberos
> protocol is is found:
>
> 'the session key generated on ... and encrypted in message ... as
> element ... from (client/server) to the (client/server) is also used as
> the SMB Session key' (for example)
>
>> I hope that with the information we can have a resolution soon.
>> Thanks for your patience.
>
> No worries,
>
> Andrew Bartlett
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at cifs.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080808/a8040034/signature.bin
More information about the cifs-protocol
mailing list