[cifs-protocol] RE: 600634 - RE: salt used for various principal types

Richard Guthrie rguthrie at microsoft.com
Thu Sep 4 14:33:19 GMT 2008


We have completed our research and, in this scenario, the salt calculation is based on the MIT Kerberos implementation. We are working on how to document this and will update you once that is complete with the final documentation change.

Please let us know if you have any additional questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, August 26, 2008 5:07 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: 600634 - RE: salt used for various principal types

On Tue, 2008-08-26 at 08:37 -0700, Richard Guthrie wrote:
> Andrew
> Microsoft does use different methods of calculating the salt value
> used in encryption depending on the type of account that is submitted to
> the salt calculation implementation.  For example, in the case of
> interdomain trust accounts, "krbtgt" is appended.  In the case of
> machine accounts, "host" is appended to the start of the salt value.
> Implementers are free to implement a salt algorithm of their choice, without affecting interoperability.

This would be true, but this applies only to objects of the type normally found under cn=users.  The salt to use for a password stored in trustAuthIncoming/trustAuthOutgoing must be specified in the docs.  It is not possible to negotiate an alternate salt for the AES or DES keys of interdomain trusts in Kerberos.

In any case, the salts as you describe should be included in a discussion of the Microsoft KDC.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
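An added example, not code from the thread or from either the Microsoft or Samba implementation: it builds the salt the way the thread describes, using the MIT default salt rule (realm followed by the principal name components, RFC 4120 section 4) that Richard's reply says the calculation is based on, plus an assumed mapping of AD account types to principal names; only the "host" prefix for machine accounts and the "krbtgt" component for trust accounts come from the thread, and the lower/upper-casing of names, the realm and account names are constructed assumptions.

```python
"""Kerberos salt derivation for the AD account types discussed in the thread."""
import hashlib


def mit_default_salt(realm: str, components: list) -> str:
    """MIT Kerberos default salt (RFC 4120 sec. 4): the realm followed by the
    principal's name components, concatenated with no separators."""
    return realm + "".join(components)


def ad_salt_principal(realm: str, sam_account_name: str, account_type: str) -> list:
    """Map an AD account to the principal-name components that feed the salt.

    Assumed mapping (only "host" and "krbtgt" are stated in the thread):
      user    -> <sAMAccountName>                  e.g. alice@REALM
      machine -> host/<name lower>.<realm lower>   ("host" prepended)
      trust   -> krbtgt/<trusted domain upper>     ("krbtgt" appended to the realm)
    """
    name = sam_account_name.rstrip("$")  # machine and trust accounts end in "$"
    if account_type == "user":
        return [name]
    if account_type == "machine":
        return ["host", f"{name.lower()}.{realm.lower()}"]
    if account_type == "trust":
        return ["krbtgt", name.upper()]
    raise ValueError(f"unknown account type: {account_type}")


def ad_salt(realm: str, sam_account_name: str, account_type: str) -> str:
    return mit_default_salt(realm, ad_salt_principal(realm, sam_account_name, account_type))


def aes256_pbkdf2_stage(password: str, salt: str, iterations: int = 4096) -> bytes:
    """First stage of the aes256-cts-hmac-sha1-96 string-to-key function
    (RFC 3962): PBKDF2-HMAC-SHA1 over the password and salt.  The final DK()
    step is omitted; it is keyed from this output, so a salt mismatch already
    yields a different key here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


def keys_differ(password: str, realm: str, sam_account_name: str,
                type_a: str, type_b: str) -> bool:
    """True when two parties disagreeing on the account type (and so on the
    salt) derive different keys from the same password: the interoperability
    failure Andrew's reply is concerned with, since the salt cannot be
    negotiated for interdomain trust keys."""
    key_a = aes256_pbkdf2_stage(password, ad_salt(realm, sam_account_name, type_a))
    key_b = aes256_pbkdf2_stage(password, ad_salt(realm, sam_account_name, type_b))
    return key_a != key_b
```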
