[cifs-protocol] Session keys are not always 16 bytes long

Hongwei Sun hongweis at microsoft.com
Wed Jul 23 22:23:07 GMT 2008


Andrew,

  I will work with you on this request.  I will contact you as soon as I complete the investigation or I need more information from you.

Thanks

----------------------------------------------------------
Hongwei  Sun - Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027
-----------------------------------------------------------




-----Original Message-----
From: cifs-protocol-bounces+hongweis=microsoft.com at cifs.org [mailto:cifs-protocol-bounces+hongweis=microsoft.com at cifs.org] On Behalf Of Andrew Bartlett
Sent: Wednesday, July 23, 2008 12:58 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: [cifs-protocol] Session keys are not always 16 bytes long

I'm looking for correction assistance regarding SMB session keys.

Our tests show that the session keys, referred to consistently in MS-SMB and MS-SAMR as 16-byte quantities, are not as simple as they are made out to be.

For example, a Windows Vista SP1 client using GSSAPI with CFX will negotiate an AES session key with Samba4.  This is 32 bytes long, and all 32 bytes are required to satisfy the SMB signing between Vista SP1 and Samba4 (despite MS-SMB 4.3 talking about a 16-byte key).
Similarly, our tests have shown that for DES Kerberos, an 8-byte key is used.

However, further in on the domain join, Samr password set operations are made.  There, similarly, we have observed 8-byte Kerberos keys in the past, but testing shows that for the 32-byte key from the Vista join, the key must be truncated to 16 bytes.  (See MS-SAMR 3.1.2.2).

Please correct the documentation to clearly specify when the variable-length key is used (perhaps make it clear that it is usually, but not always, 16 bytes), and when a truncated key is used.

Furthermore, please clarify the linkage between MS-SAMR, MS-SMB and MS-KILE regarding session keys.  I can't find a clear reference as to which of the numerous keys Kerberos produces is considered the 'SMB session key'.  Is it not possible to include section numbers in the document cross-references?

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

