[cifs-protocol] Regarding String2key for random trust keys ([MS-ADTS]

John Dunning johndun at microsoft.com
Fri Aug 8 15:48:54 GMT 2008

Hello Andrew,
    I received feedback from our Product team and they have some questions to help in clarification.

Your original question:

"In MS-ADTS, it states:

This flag indicates that the information stored in the attribute is a Unicode plaintext password. If this auth type is present, Kerberos can then use this password to derive additional key types needed to encrypt and decrypt cross realm TGTs:

    DES-CBC [RFC4120] section 8.1
    DES-CRC [RFC4120]
    RC4HMAC [RFC4757]

Other derivations of the plaintext password are possible using string to key functionality defined in [RFC3961].

However, it is not stated here or in MS-KILE how to translate between the 'Unicode' strings used in windows trusts (for example, see the trustAuthIncoming, decrypted and decoded, between two of my domains) and the expected input encoding for AES and other non-MD4 keys.

Converting these from UTF16 to UTF8 (I'm assuming this is the intended translation) fails as the randomly created string cannot be translated into UTF8."

Questions from the Product team:

1.       Does the Unicode strings in the request only refer to the plaintext password as the section referred to indicated?
2.       What does the "translation" refer to? Does it mean how the password is used in the hash function?
3.       What section does the example refer to and how is it related?
4.       What makes AES and non-MD4 keys stand out on the expected input encoding in this request?

John Dunning
Escalation Engineer Microsoft Corporation
Email: johndun at microsoft.com<mailto:johndun at microsoft.com>
Tele: (469)775-7008

We're hiring<http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted>

-------------- next part --------------
HTML attachment scrubbed and removed

More information about the cifs-protocol mailing list