[cifs-protocol] [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?

Andrew Bartlett abartlet at samba.org
Tue Feb 10 16:21:13 MST 2015


On Tue, 2015-02-10 at 22:04 +0000, Edgar Olougouna wrote:
> Andrew,
> I will take a look and follow-up. 
> Considering that NotBefore/NotAfter properties specify the date range
> within which the certificate is valid, are you asking whether this is
> any renewal upon/after expiry? 

Yes.

> I need to look at how the certificate is generated at the first place,
> perhaps the protocol has some error condition that would trigger
> refreshing the certificate, unless this is outside the protocol I will
> find out. 
> I am trying to get a good scope of what you mean by "roll over keys".

So, the above, and for the symmetric keys the general principle in
cryptography that you try not to use the same key forever, because it
could be broken, and that would expose everything.

The protocol clearly has scope for the preferred key to change (decrypt
old data with old keys, but encrypt new data with a new key), but as
described, it never would.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
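The rollover pattern the message describes (keep every key ever issued, tag each wrapped blob with the GUID of the key that produced it, unwrap with whichever key the tag names, but always wrap with the current preferred key and retire it on age) is shown below as an added example. It is not Samba code and not the MS-BKRP wire format: the GUID-prefixed blob layout, the age threshold, the SHA-256 counter-mode keystream used in place of a real cipher, and the KeyRing/FakeClock names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass

# Layout of a wrapped blob (assumption for this example, not MS-BKRP's format):
#   key GUID (16) | nonce (16) | ciphertext | HMAC-SHA256 tag (32)
KEY_LEN, NONCE_LEN, TAG_LEN, GUID_LEN = 32, 16, 32, 16


@dataclass(frozen=True)
class ServerKey:
    guid: uuid.UUID
    secret: bytes
    created: float  # clock reading when the key was generated


def _derive(secret: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the one stored secret.
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode over SHA-256; a stand-in for a real cipher, illustrative only.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(enc_key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class KeyRing:
    """All server keys ever issued, plus a pointer to the preferred one."""

    def __init__(self, max_age: float, clock):
        self.max_age = max_age      # seconds a key stays preferred (assumed policy)
        self.clock = clock          # injectable so rollover is testable offline
        self.keys = {}
        self.preferred = None
        self.rollover()

    def rollover(self) -> uuid.UUID:
        # Old keys are never deleted: data wrapped under them must stay readable.
        key = ServerKey(uuid.uuid4(), os.urandom(KEY_LEN), self.clock())
        self.keys[key.guid] = key
        self.preferred = key.guid
        return key.guid

    def preferred_key(self) -> ServerKey:
        key = self.keys[self.preferred]
        if self.clock() - key.created >= self.max_age:
            self.rollover()
            key = self.keys[self.preferred]
        return key

    def wrap(self, plaintext: bytes) -> bytes:
        key = self.preferred_key()          # new data always goes under the new key
        nonce = os.urandom(NONCE_LEN)
        header = key.guid.bytes + nonce
        ct = _keystream_xor(_derive(key.secret, b"enc"), nonce, plaintext)
        tag = hmac.new(_derive(key.secret, b"mac"), header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def unwrap(self, blob: bytes) -> bytes:
        if len(blob) < GUID_LEN + NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        guid = uuid.UUID(bytes=blob[:GUID_LEN])
        key = self.keys.get(guid)           # old data is decrypted with the old key
        if key is None:
            raise KeyError(f"no server key with GUID {guid}")
        header, ct, tag = blob[:GUID_LEN + NONCE_LEN], blob[GUID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_derive(key.secret, b"mac"), header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tag mismatch")
        return _keystream_xor(_derive(key.secret, b"enc"), header[GUID_LEN:], ct)


def wrapping_guid(blob: bytes) -> uuid.UUID:
    return uuid.UUID(bytes=blob[:GUID_LEN])


def accepts(ring: KeyRing, blob: bytes) -> bool:
    try:
        ring.unwrap(blob)
        return True
    except (KeyError, ValueError):
        return False


class FakeClock:
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


def demo():
    # Constructed scenario: one blob wrapped in year one, clock moved past the
    # one-year threshold, a second blob wrapped afterwards.
    clock = FakeClock()
    ring = KeyRing(max_age=365 * 86400, clock=clock)
    old = ring.wrap(b"secret backed up in year one")
    clock.advance(400 * 86400)
    new = ring.wrap(b"secret backed up in year two")
    return ring, old, new
```

The two things to check in any real implementation are visible here: the second blob carries a different GUID than the first, and the ring still has the first key, so the first blob remains readable after the rollover. A ring that only ever held one key would satisfy the second property trivially and the first never, which is the situation the message is asking about.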
