[cifs-protocol] MS-NRPC: AES Schannel problems

Hongwei Sun hongweis at microsoft.com
Fri Sep 11 15:46:18 MDT 2009


Metze,

   Yes, the AesCrypt function referenced in 3.3.4.2.1 is the same function as in 3.1.4.4, which uses CFB mode. You just need to concatenate the same SequenceNumber, which is an 8-byte number, twice to make a 16-byte IV.

   I submitted a request for more example values in Section 4.2 Cryptographic Values for Session Key Validation in MS-NRPC. I will let you know.

Thanks!

Hongwei 

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Friday, September 11, 2009 3:34 AM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: MS-NRPC: AES Schannel problems

Hongwei,

>   We confirmed that AesCrypt follows the normative reference of [FIPS197] (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf). As far as the statement about AES128 encryption CFB mode, we also confirmed that we do use 0 as the Initialization Vector (IV), so in this case all you have to do is set the IV to the 128-bit quantity consisting of all zeros. The reference we are using for CFB mode is [SP800-38A] ( http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf ) which states that CFB mode requires a valid and unpredictable IV (Section 6.3). Zero is a valid IV, certainly not unpredictable. However, the unpredictability is required only to guard against specific types of attacks, which become possible when a single key is used to encrypt a large number of related plaintexts. Predictable IVs could be used in applications where this is not a concern.

thanks I'll try that.

AES128 is also used in section 3.3.4.2.1 "Generating an Initial Netlogon Signature Token" under 8., is that the same AesCrypt function (also using CFB mode) with just the IV being constructed by using the sequence number twice?

>   We will update the document with the correct references to the related statements in the MS-NRPC document.

It would be really nice if you could also add some more example values in section 4.2 Cryptographic Values for Session Key Validation.

metze

> Thanks!
> 
> Hongwei
> 
> -----Original Message-----
> From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
> Sent: Wednesday, August 26, 2009 12:15 AM
> To: Hongwei Sun
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Re: MS-NRPC: AES Schannel problems
> 
> Hongwei,
> 
>>     The SharedSecret used for AES session key computation, as described in 3.1.4.3 MS-NRPC, should be the NTOWF (MD4(UNICODE(Passwd))) of the plaintext password. Section 3.1.1 of MS-NRPC explains what SharedSecret is used for session key calculation in Windows implementations. The SharedSecret is stored in the UnicodePwd AD attribute. Please see section 3.1.1 and Windows Behavior notes <66>,<67> of MS-NRPC for details.
> 
> Yes, I saw that and that's why I've also done it like this, but I was wondering why Section 3.4.1 has M4SS := MD4(UNICODE(SharedSecret)) explicit for the hmac_md5 session key and the des session key.
> 
> I think it would make sense to also add it to the hmac_sha256 section in order to remove the confusion I had.
> 
>>      I will continue working on all questions related to AES encryption.
> 
> Thanks, as it seems I compute the session key correctly, this is the place (netlogon_creds_step_crypt()) where I have a bug, because I'm getting access denied when I try DCERPC_SCHANNEL_AES against a w2k8r2rc server.
> 
> metze
>> -----Original Message-----
>> From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
>> Sent: Tuesday, August 25, 2009 11:13 AM
>> To: Interoperability Documentation Help
>> Cc: pfif at tridgell.net; cifs-protocol at samba.org
>> Subject: MS-NRPC: AES Schannel problems
>>
>> Hi,
>>
>> I'm currently trying to implement the AES based Netlogon Secure Channel in Samba.
>>
>> But the documentation is not really clear about the used algorithms.
>>
>> I have started with the implementation here:
>>
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel
>>
>> And here's the actual commit that tries to add aes support:
>>
>> http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=50dca9ce0f051c863f00cc949db2c19bf247887b
>>
>> In Section "3.1.4.3 Session-Key Computation" the hmac-sha256 based computation of the session key seems to use the plain SharedSecret and not the NT-HASH of it (MD4(UNICODE(SharedSecret))), is that correct?
>>
>> I thought the plain text is never stored in AD by default...
>>
>> Where should the netlogon server get the plain text from?
>>
>> I just tried the NT-HASH, see my netlogon_creds_init_hmac_sha256() function.
>>
>> In Section "3.1.4.4 Netlogon Credential Computation" there's an AesEncrypt function used. Can you please document the exact algorithm that's used there. You say AES128 is used in CFB mode without initialization vector.
>>
>> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
>>
>> says that all modes except ECB require an IV.
>>
>> It would also be nice if you could add some more example values in section 4.2 Cryptographic Values for Session Key Validation.
>>
>> metze

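As an added illustration of the primitives this thread settles (not code from Samba, Microsoft or the thread's authors): AES-128 CFB with an all-zero IV for the Netlogon credential computation of 3.1.4.4, the 8-byte SequenceNumber concatenated twice as the 16-byte signature-token IV of 3.3.4.2.1, and the HMAC-SHA256 session key keyed with M4SS. The thread does not state the CFB segment size; this example assumes 8-bit CFB (CFB8), which is what later MS-NRPC revisions and Samba use, assumes the session key is HMAC-SHA256(M4SS, ClientChallenge || ServerChallenge) truncated to 16 bytes per 3.1.4.3, and takes M4SS as a caller-supplied value because Go's standard library has no MD4.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// aesCFB8: AES-128 in 8-bit CFB; one block op per byte, ciphertext byte fed back.
func aesCFB8(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be exactly 16 bytes
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv) // zero IV for credentials, sequence-number IV for signatures
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	for i, b := range data {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out
}

// sessionKey: HMAC-SHA256(M4SS, ClientChallenge || ServerChallenge)[:16];
// M4SS (MD4 of the UTF-16LE password) is assumed to be computed by the caller.
func sessionKey(m4ss, clientChallenge, serverChallenge []byte) []byte {
	mac := hmac.New(sha256.New, m4ss)
	mac.Write(clientChallenge)
	mac.Write(serverChallenge)
	return mac.Sum(nil)[:16]
}

// credential: AesCrypt of an 8-byte challenge under the session key, IV = 0.
func credential(sessKey, challenge []byte) []byte {
	return aesCFB8(sessKey, make([]byte, aes.BlockSize), challenge)
}

// signatureIV: the 8-byte SequenceNumber concatenated with itself.
func signatureIV(seqNum []byte) []byte {
	return append(append([]byte{}, seqNum...), seqNum...)
}

func main() { // constructed sample values, not the MS-NRPC section 4.2 vectors
	sk := sessionKey(bytes.Repeat([]byte{0x11}, 16), []byte("clntchal"), []byte("srvrchal"))
	fmt.Printf("SessionKey=%x ClientCredential=%x\n", sk, credential(sk, []byte("clntchal")))
}
```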