[cifs-protocol] RE: string2key for random trust keys

Bill Wesse billwe at microsoft.com
Thu Jul 31 09:02:17 GMT 2008

Good morning Andrew!

I have created a new case (SRX080731600026) for your questions; one of our team will take ownership of this shortly, and will contact you concerning same.

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, July 31, 2008 2:15 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: string2key for random trust keys

In MS-ADTS, it states:

This flag indicates that the information stored in the attribute is a Unicode plaintext password. If this auth type is present, Kerberos can then use this password to derive additional key types needed to encrypt and decrypt cross realm TGTs:
    DES-CBC [RFC4120] section 8.1
    DES-CRC [RFC4120]
    RC4HMAC [RFC4757]
Other derivations of the plaintext password are possible using string to key functionality defined in [RFC3961].

However, it is not stated here or in MS-KILE how to translate between the 'Unicode' strings used in windows trusts (for example, see the trustAuthIncoming, decrypted and decoded, between two of my domains) and the expected input encoding for AES and other non-MD4 keys.

Converting these from UTF16 to UTF8 (I'm assuming this is the intended
translation) fails as the randomly created string cannot be translated into UTF8.


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list