[cifs-protocol] [REG: 110080418357322] [MS-BKRP] 1.3.1 -- in a given domain there is only "active" rsa key

Edgar Olougouna edgaro at microsoft.com
Mon Aug 9 14:54:08 MDT 2010 

Matthieu,
	
G$BCKUPKEY_PREFERRED and G$BCKUPKEY_guid are stored as LSA global secrets. The LSA global secret objects are replicated across domain controllers (DCs) in the same domain, so each DC can respond to secret requests of this type. This is specified in MS-BKRP 1.3.1 which cross-references [MS-LSAD] section 3.1.1.4. The global secrets are synchronized across DCs in the same domain, so that once the client discovers the DC and query a secret, it has the same key pair and corresponding guid that is currently used through the same domain.
MS-BKRP documents how Windows responds to BackupKey protocol queries received over the network. 

Regarding operations on the global secret objects related to the BackupKey protocol, since they are stored as MS-LSAD secret objects, they can be read and/or written using the same mechanisms documented in MS-LSAD 3.1.4.6 Secret Object Methods. In this particular case, you may for instance use MS-LSAD 3.1.4.6.4 LsarQuerySecret (Opnum 30) or 3.1.4.6.6 LsarRetrievePrivateData (Opnum 43).
Depending on the context you want to perform these operations, it might just be simpler to use LsarRetrievePrivateData and supply the KeyName to retrieve the secret since there is no associated old value. 
Please see MS-LSAD for details on each method you are interested in.

MS-LSAD 3.1.4.6.6 LsarRetrievePrivateData (Opnum 43) The LsarRetrievePrivateData method is invoked to retrieve a secret value. 
NTSTATUS LsarRetrievePrivateData(
[in] LSAPR_HANDLE PolicyHandle,
[in] PRPC_UNICODE_STRING KeyName,
[in, out] PLSAPR_CR_CIPHER_VALUE* EncryptedData );
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2. 
KeyName: The name identifying the secret value to be retrieved. 
EncryptedData: Receives the encrypted value of the secret object. 
…
MS-LSAD 3.1.4.6.4 LsarQuerySecret (Opnum 30) The LsarQuerySecret method is invoked to retrieve the current and old (or previous) value of the secret object. 
NTSTATUS LsarQuerySecret(
[in] LSAPR_HANDLE SecretHandle,
[in, out, unique] PLSAPR_CR_CIPHER_VALUE* EncryptedCurrentValue, [in, out, unique] PLARGE_INTEGER CurrentValueSetTime, [in, out, unique] PLSAPR_CR_CIPHER_VALUE* EncryptedOldValue, [in, out, unique] PLARGE_INTEGER OldValueSetTime );
SecretHandle: An open secret object handle. 
EncryptedCurrentValue: Used to return the encrypted current value of the secret object. 
CurrentValueSetTime: Used to return the time when the current value was set. 
EncryptedOldValue: A BLOB representing the encrypted old value. It is valid for this parameter to be NULL, in which case the current value in the policy database is copied. 
OldValueSetTime: The time corresponding to the instant that the old value was last changed.
…

Best regards,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Thursday, August 05, 2010 4:35 PM
To: 'mat at samba.org'; 'pfif at tridgell.net'; 'cifs-protocol at samba.org'
Cc: MSSolve Case Email
Subject: [REG: 110080418357322] [MS-BKRP] 1.3.1 -- in a given domain there is only "active" rsa key

Hi Matthieu,

I am researching this issue and will update you as soon I complete my research.

Best regards,
Edgar

Issue verbatim
------------------

Second in paragraph 1.3.1 Call Flows, it is stated "For the ClientWrap subprotocol, the Microsoft implementation of the BackupKey Remote Protocol server stores the following LSA global secret objects (note that the LSA global secret names are Unicode strings):
1. G$BCKUPKEY_PREFERRED: This contains the 16-byte GUID ([MS-DTYP] section 2.3.2.2) of the RSA key pair currently used for client-side secret wrapping.
2. G$BCKUPKEY_guid: Here, guid is the string GUID that identifies the wrapping key, formatted as a GUIDString ([MS-DTYP] section 2.3.2.3). The value of the secret object is the server's ClientWrap key pair, formatted as specified in section 2.2.5"

Should I conclude that in a given domain there is only "active" rsa key on all the server or said in another way no matter which server is asked at a given moment we will always receive the same GUID for the key ?

Also just to be sure this will be stored in the currentValue attribute but it will be only accessible through a lsaQuerySecret call right ?


-----Original Message-----
From: Bryan Burgin
Sent: Wednesday, August 04, 2010 10:12 PM
To: 'mat at samba.org' 
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:110071868986368] unused bytes after while decoding bkrp requests 

Matthieu, 

For your new issues, I created three new cases and dispatched them across the team 

110080417580961
[MS-BKRP] 3.1.4.1 "misc" 0x00020000 value 

110080418016869
[MS-BKRP]  3.1.4.1.3 -- version field and a GUID field no documented 

110080418357322
[MS-BKRP] 1.3.1 --  in a given domain there is only "active" rsa key

More information about the cifs-protocol mailing list