[cifs-protocol] [Pfif] MS-NRPC: AES Schannel problems

Hongwei Sun hongweis at microsoft.com
Wed Sep 16 10:37:40 MDT 2009 

Metze,

   I think that Nick already informed you that AES 128 with 8 bit CFB mode has to be used.  I filed a request to add the information into 3.1.4.4 of MS-NRPC.  I also noticed that in  mxnrpc.c you attached , you used AES_cfb128_encrypt() (128 bit CFB mode) for computing server credential.  Please let us know if you have resolved the issue and if we can provide further help.

   Meanwhile, I provide some sample values that I captured from debugger for you to verify your logic. 

	OWF Password :

	    13 c0 b0 4b 66 25 0d 08-b8 a3 90 4d cc 8b 34 e3

	Client Challenge:

	   25 63 e3 5f 69 e1 5a 24

	Server Challenge:

	   9C 66 5F 90 D9 83 DF 43 

	Session Key calculated: 
  
	    c9 c7 f7 2f c6 b9 13 e3-67 ae a9 1d 0a e3 a7 70

	Client Credential:

	   58 6a df 53 ef 72 78 d9

	Server Credential

	   E1 41 62 09 B2 3E 57 51

Thanks!

Hongwei

     

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Monday, September 14, 2009 7:31 PM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org; Nick Meier
Subject: Re: [Pfif] MS-NRPC: AES Schannel problems

now with attachment...

>>>   We confirmed that AesCrypt follows the normative reference of [FIPS197] (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf).   As far as the statement about AES128 encryption CFB mode,  we also confirmed that we do use 0 as Initialize Vector(IV), so in this case all you have to do is set the IV to the 128-bit quantity consisting of all zeros.   The reference we are using for CFB mode is [SP800-38A] ( http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf ) which states that CFB mode requires a valid and unpredictable IV (Section 6.3). Zero is a valid IV, certainly not unpredictable. However, the unpredictability is required only to guard against specific types of attacks, which become possible when a single key is used to encrypt a large number of related plaintexts. Predictable IVs could be used in applications where this is not a concern.   
>> thanks I'll try that.
>>
>> AES128 is also used in section 3.3.4.2.1 "Generating an Initial 
>> Netlogon Signature Token" under 8., is that the same AesCrypt 
>> function (also using CFB mode) with a just IV being contructed by 
>> using the sequence number twice?
> 
> I've tried to get that working, but it doesn't work:-(
> 
> I've setup a trust between two w2k8r2 domains and captured the 
> ServerReqChallenge and ServerAuthenticate3. And they're using Netlogon 
> Schannel with AES. (They also use NDR64, wireshark doesn't handle this
> yet...)
> 
> There're 5 ServerAuthenticate3 exchanges in the capture and I put the 
> data into a simple standalone crypto challenge program.
> 
> So all we need is to find the algorithm to recalculate the examples, 
> changing the mxnrpc.c file.
> 
> metze
> 
>>>   We will update the document with the correct references to the related statements in the MS-NRPC document.
>> It would be really nice if you could also add some more example 
>> values in secion 4.2 Cryptographic Values for Session Key Validation.
>

More information about the cifs-protocol mailing list