[cifs-protocol] [MS-NRPC] Problem encrypting data when use AES based Netlogon SChannel

Moh Yen Liew mohyen.liew at wesoft.com
Sun Jul 3 18:47:55 MDT 2011

I am trying to implement AES-based Netlogon SChannel with Windows 2k8R2 server.
However, the server always returns 0x00721 status code to me.

In the [MS-NRPC].pdf doc, step 8 of section, mentioned that:

"If AES is negotiated, then the server MUST use AES-128 for encryption. The server MUST derive the AES key using the following algorithm:

    FOR (I=0; I < Key Length; I++)
        EncryptionKey[I] = SessionKey[I] XOR 0xf0

The server MUST encrypt the Confounder field using the initialization vector constructed by concatenating the sequence number with itself twice (thus getting 16 bytes of data).
For encrypting the data, the initialization vector MUST be constructed using the last block of the encrypted Confounder field."

So, I followed the doc and

1. Encrypt the confounder using AES-128-cfb8 mode, with ivec=(seqNum+seqNum)

2. Encrypt the data, using the same encryption algorithm, with ivec=(encrypted_Confounder+encrypted_Confounder), to get 16 bytes of ivec

However, the server always returns 0x721 status code.
Please see the attached network trace:

- pkt 531, which contains the encrypted data

- pkt 532, server returns 0x721 status code.

It is unclear to me how to construct the ivec when encrypting the data. Can you help?

And, in Section, Step 9, it mentioned

    The Confounder and the data MUST be decrypted.
    If AES is negotiated, decrypt using an initialization vector constructed by concatenating twice the sequence number (thus getting 16 bytes of data)

I suppose the above step is saying how to decrypt the confounder only? What ivec should I use to decrypt the data?

Please help.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cap3.zip
Type: application/x-zip-compressed
Size: 76559 bytes
Desc: cap3.zip
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20110704/95770d8d/attachment-0001.bin>
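
Added example, not part of the original post and not code from [MS-NRPC] or any implementation: a pure-Python AES-128-CFB8 sketch of the quoted step 8 (key = SessionKey XOR 0xf0, confounder IV = sequence number twice). It assumes, as one reading of "last block of the encrypted Confounder field", that the data continues the same CFB8 stream, so the data IV is the feedback register left after the confounder; the function names and the 8-byte sequence number and confounder are illustrative assumptions.

```python
# Added example: AES-128 (encrypt direction only, all CFB needs) plus CFB8 sealing.
def _mul(a, b):                          # GF(2^8) multiply, AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ 0x11B if a & 0x80 else a << 1
        b >>= 1
    return r

def _rot(x, s): return ((x << s) | (x >> (8 - s))) & 0xFF   # 8-bit rotate left
_INV = [0] + [next(y for y in range(1, 256) if _mul(x, y) == 1) for x in range(1, 256)]
SBOX = [v ^ _rot(v, 1) ^ _rot(v, 2) ^ _rot(v, 3) ^ _rot(v, 4) ^ 0x63 for v in _INV]

def expand_key(key):                     # AES-128 key schedule: 11 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix(c):                             # MixColumns on one 4-byte column
    return [_mul(c[r], 2) ^ _mul(c[r - 3], 3) ^ c[r - 2] ^ c[r - 1] for r in range(4)]

def encrypt_block(rk, block):
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]        # ShiftRows
        if rnd < 10:
            s = sum((_mix(s[c:c + 4]) for c in range(0, 16, 4)), [])
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    return bytes(s)

def cfb8_encrypt(rk, iv, data):          # returns (ciphertext, final feedback register)
    reg, out = bytes(iv), bytearray()
    for p in data:
        out.append(p ^ encrypt_block(rk, reg)[0])
        reg = reg[1:] + out[-1:]         # shift in the ciphertext byte
    return bytes(out), reg

def seal(session_key, seq_num, confounder, data):
    rk = expand_key(bytes(b ^ 0xF0 for b in session_key))  # SessionKey[I] XOR 0xf0
    enc_conf, reg = cfb8_encrypt(rk, seq_num + seq_num, confounder)
    enc_data, _ = cfb8_encrypt(rk, reg, data)  # assumed reading: carry the register over
    return enc_conf, enc_data, reg
```

Under these assumptions the register carried into the data is seq_num followed by the encrypted confounder, which is not the same 16 bytes as encrypted_Confounder + encrypted_Confounder.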
