[cifs-protocol] RE: Clarify AEAD behaviour for GSSAPI with AES
billwe at microsoft.com
Mon Jul 28 13:32:50 GMT 2008
Good morning Andrew - I have created a new case (SRX080728600085) for your question; one of my colleagues will be taking ownership and contacting you shortly!
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, July 28, 2008 1:53 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Clarify AEAD behaviour for GSSAPI with AES
I've been spending most of today staring at MS-KILE 126.96.36.199.1 and Heimdal's implementation of GSSAPI CFX.
What has me stumped is exactly what this means:
> If the session key encryption type is AES128-CTS-HMAC-SHA1-96 or
> AES256-CTS-HMAC-SHA1-96, as specified in [RFC3961], the base line is
> [RFC4121] and the encrypted data per [RFC3961] (which [RFC4121] is based on) is:
> C1 | H1[1..h]
> (C1, newIV) = E(Ke, conf | plaintext | pad, oldstate.ivec)
> H1 = HMAC(Ki, conf | plaintext+encrypted-data | pad) where the
> "plaintext+encrypted-data" is all the input data buffers supplied to
> GSS_WrapEx() concatenated in the order provided in the ordered list, input_message.
I see that C1 is the output of the encryption function E, and presume that Ke is the encryption key, but what is 'conf', and is 'plaintext'
the confidential data in plaintext, or the data over which only a signature is computed (presumably the confidential data in plaintex, but then what is conf)?
I presume again that Ki is the signing key.
Likewise, a description of how the pad fits into the HMAC function here would be very helpful.
In short, because this is a deviation from the GSSAPI spec (as the spec does not allow data to be signed, but not sealed), I really need much more detail, and all the inputs and outputs clearly labelled, particularly as this seems to require a major rework of Heimdal to implement :-(
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
More information about the cifs-protocol