[cifs-protocol] Session keys are not always 16 bytes long
Hongwei Sun
hongweis at microsoft.com
Fri Aug 8 19:05:42 GMT 2008
Stefan,
>>I just found that the session key used to decrypt the password attributes in the DsGetNCChanges() is not truncated.
Do you have a network trace for this case?
>>And I need to use gsskrb5_get_subkey() instead of gsskrb5_get_initiator_subkey(), when aes keys are used.
Does this happen only when you use AES keys?
Thanks
----------------------------------------------------------
Hongwei Sun - Support Escalation Engineer
DSC Protocol Team, Microsoft
hongweis at microsoft.com
Tel: 469-7757027 x 57027
-----------------------------------------------------------
-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Friday, August 08, 2008 5:19 AM
To: Andrew Bartlett
Cc: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Session keys are not always 16 bytes long
I just found that the session key used to decrypt the password attributes in the DsGetNCChanges() is not truncated.
And I need to use gsskrb5_get_subkey() instead of gsskrb5_get_initiator_subkey(), when aes keys are used.
metze
>> In our last conference call, we talked about your question
>> regarding which of the numerous keys Kerberos produces is considered
>> the 'SMB session key'. I had discussions with the product team to
>> find what or how should be documented. You mentioned that you would
>> like to see the document to specify which GSSAPI call returns the
>> session key. They would like to have a little more background
>> information, which you already talked about a little bit during our
>> conversation. I just want to confirm so I can pass it accurately to
>> product team.
>>
>>
>>
>> What do you mean by GSSAPI with CFX? Do you mean the mechanism
>> conforming to RFC 4121?
>
> Yes. (I should stop using that term, as it never made it into the
> RFC)
>
>> What implementation are you using for GSSAPI with CFX in Vista?
>> Is it Heimdal’s implementation?
>
> Yes.
>
>> What is your expectation about how this detail should be included
>> in the document? Do you expect it to associate with specific GSSAPI
>> calls?
>
> An indication of the (hopefully shared) MIT/Heimdal API would be very
> useful (as these are almost certainly the basis of any new
> implementations).
>
> However, this should be alongside a description of where in the
> Kerberos protocol it is found:
>
> 'the session key generated on ... and encrypted in message ... as
> element ... from (client/server) to the (client/server) is also used
> as the SMB Session key' (for example)
>
>> I hope that with the information we can have a resolution soon.
>> Thanks for your patience.
>
> No worries,
>
> Andrew Bartlett