[cifs-protocol] MS-NRPC: AES Schannel problems

Stefan (metze) Metzmacher metze at samba.org
Fri Sep 11 02:33:47 MDT 2009 

Hongwei,

>   We confirmed that AesCrypt follows the normative reference of [FIPS197] (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf).   As far as the statement about AES128 encryption CFB mode,  we also confirmed that we do use 0 as Initialize Vector(IV), so in this case all you have to do is set the IV to the 128-bit quantity consisting of all zeros.   The reference we are using for CFB mode is [SP800-38A] ( http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf ) which states that CFB mode requires a valid and unpredictable IV (Section 6.3). Zero is a valid IV, certainly not unpredictable. However, the unpredictability is required only to guard against specific types of attacks, which become possible when a single key is used to encrypt a large number of related plaintexts. Predictable IVs could be used in applications where this is not a concern.   

thanks I'll try that.

AES128 is also used in section 3.3.4.2.1 "Generating an Initial Netlogon
Signature Token" under 8., is that the same AesCrypt function (also
using CFB mode) with a just IV being contructed by using the sequence
number twice?

>   We will update the document with the correct references to the related statements in the MS-NRPC document.

It would be really nice if you could also add some more example values
in secion 4.2 Cryptographic Values for Session Key Validation.

metze

> Thanks!
> 
> Hongwei
> 
> -----Original Message-----
> From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
> Sent: Wednesday, August 26, 2009 12:15 AM
> To: Hongwei Sun
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Re: MS-NRPC: AES Schannel problems
> 
> Hongwei,
> 
>>     The SharedSecret used for AES session key computation, as described in 3.1.4.3 MS-NRPC , should be the NTOWF (MD4(UNICODE(Passwd))) of the plaintext password.   The section 3.1.1 of MS-NRPC explains what a SharedSecret is used for session key calculation in Windows implementations.  The SharedSecret  is stored in UnicodePwd AD attribute.  Please see section 3.1.1 and Windows Behavior notes <66>,<67> of MS-NRPC for details.
> 
> Yes, I saw that and that's why I've also done it like this, but I was wondering why Section 3.4.1 has M4SS := MD4(UNICODE(SharedSecret)) explicit for the hmac_md5 session key and the des session key.
> 
> I think it would make sense to also add it to the hmac_sha256 section in order to remove the confusion I had.
> 
>>      I will continue working on all questions related to AES encryption.
> 
> Thanks, as it seems I compute the session key correct, this is the place
> (netlogon_creds_step_crypt()) where I have a bug, because I'm getting access denied when I try DCERPC_SCHANNEL_AES against a w2k8r2rc server.
> 
> metze
>> -----Original Message-----
>>
>> From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
>>
>> Sent: Tuesday, August 25, 2009 11:13 AM
>>
>> To: Interoperability Documentation Help
>>
>> Cc: pfif at tridgell.net; cifs-protocol at samba.org
>>
>> Subject: MS-NRPC: AES Schannel problems
>>
>>
>>
>> Hi,
>>
>>
>>
>> I'm currently trying to implement the AES based Netlogon Secure Channel in Samba.
>>
>>
>>
>> But the documentation is not really clear about the used algorithms.
>>
>>
>>
>> I have started with the implementation here:
>>
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads
>> /master4-schannel
>>
>>
>>
>> And here's the actual commit that tries to add aes support:
>>
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=50dca9ce
>> 0f051c863f00cc949db2c19bf247887b
>>
>>
>>
>> In Section "3.1.4.3 Session-Key Computation" the hmac-sha256 base computation of the session-key seems to use the plain SharedSecret and not the NT-HASH of it (MD4(UNICODE(ShareSecret))), is that correct?
>>
>> I thought the plain text is never stored in AD by default...
>>
>> Where should the netlogon server get the plain text from?
>>
>> I just tried the NT-HASH see my netlogon_creds_init_hmac_sha256() function.
>>
>>
>>
>> In Section "3.1.4.4 Netlogon Credential Computation" there's a AesEncrypt function used. Can you please document the exact algorithm that's used there. You say AES128 is used in CFB mode without initialization vector.
>>
>>
>>
>> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
>>
>> says that all modes except ECB require an IV.
>>
>>
>>
>> It would also be nice if you could add some more example values in secion 4.2 Cryptographic Values for Session Key Validation.
>>
>>
>>
>> metze
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20090911/9284ed7d/attachment.pgp>

More information about the cifs-protocol mailing list