[cifs-protocol] RE: string2key for random trust keys
billwe at microsoft.com
Thu Jul 31 09:02:17 GMT 2008
Good morning Andrew!
I have created a new case (SRX080731600026) for your questions; one of our team will take ownership of this shortly, and will contact you concerning same.
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, July 31, 2008 2:15 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: string2key for random trust keys
In MS-ADTS 126.96.36.199.1.2, it states:
This flag indicates that the information stored in the attribute is a Unicode plaintext password. If this auth type is present, Kerberos can then use this password to derive additional key types needed to encrypt and decrypt cross realm TGTs:
DES-CBC [RFC4120] section 8.1
Other derivations of the plaintext password are possible using string to key functionality defined in [RFC3961].
However, it is not stated here or in MS-KILE how to translate between the 'Unicode' strings used in windows trusts (for example, see the trustAuthIncoming, decrypted and decoded, between two of my domains) and the expected input encoding for AES and other non-MD4 keys.
Converting these from UTF16 to UTF8 (I'm assuming this is the intended
translation) fails as the randomly created string cannot be translated into UTF8.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
More information about the cifs-protocol