[cifs-protocol] [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?
abartlet at samba.org
Thu Feb 12 16:57:32 MST 2015
On Wed, 2015-02-11 at 12:21 +1300, Andrew Bartlett wrote:
> On Tue, 2015-02-10 at 22:04 +0000, Edgar Olougouna wrote:
> > Andrew,
> > I will take a look and follow-up.
> > Considering that NotBefore/NotAfter properties specify the date range
> > within which the certificate is valid, are you asking whether this is
> > any renewal upon/after expiry?
> > I need to look at how the certificate is generated at the first place,
> > perhaps the protocol has some error condition that would trigger
> > refreshing the certificate, unless this is outside the protocol I will
> > find out.
> > I am trying to get a good scope of what you mean by "roll over keys".
> So, the above, and for the symmetric keys the general principle in
> cryptography that you try not to use the same key forever, because it
> could be broken, and that would expose everything.
> The protocol clearly has scope for the preferred key to change (decrypt
> old data with old keys, but encrypt new data with a new key), but as
> described, it never would.
BTW, I tried to manually roll over the keys by deleting G$BCKUPKEY_P,
but it appears to cache it at runtime, as no new G$BCKUPKEY_P appeared
until I rebooted the server.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
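The rollover scheme the thread describes (old data decryptable with old keys, new data wrapped under a new preferred key, each blob carrying the GUID of the key it was wrapped with) is easier to reason about with a runnable model. The following is an added example written for this page; it is not Samba's or Microsoft's code and does not reproduce the MS-BKRP wire format. The cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only because it needs nothing outside the Python standard library; the KeyRing, wrap/unwrap and rollover names are this example's own. The forget_key path models the observation above that deleting the preferred key without a replacement leaves nothing to decrypt with.

```python
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional

# Blob layout used by this example (not the protocol's format):
#   key GUID (16) || nonce (16) || ciphertext || HMAC-SHA256 tag (32)
_GUID_LEN, _NONCE_LEN, _TAG_LEN = 16, 16, 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF stream cipher (illustrative)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


@dataclass
class KeyRing:
    """Keys indexed by GUID plus a pointer to the preferred (wrapping) key.

    Rolling over adds a key and moves the pointer; old keys are retained so
    that blobs wrapped earlier remain decryptable.
    """
    keys: Dict[uuid.UUID, bytes] = field(default_factory=dict)
    preferred: Optional[uuid.UUID] = None

    def add_key(self, make_preferred: bool = True) -> uuid.UUID:
        kid = uuid.uuid4()
        self.keys[kid] = secrets.token_bytes(32)
        if make_preferred or self.preferred is None:
            self.preferred = kid
        return kid

    def rollover(self) -> uuid.UUID:
        """Generate a fresh key and make it preferred; old keys stay for unwrap."""
        return self.add_key(make_preferred=True)

    def forget_key(self, kid: uuid.UUID) -> None:
        """Delete a key outright (models removing the secret without a successor)."""
        del self.keys[kid]
        if self.preferred == kid:
            self.preferred = None

    def wrap(self, plaintext: bytes) -> bytes:
        if self.preferred is None:
            raise RuntimeError("no preferred key to wrap with")
        kid = self.preferred
        master = self.keys[kid]
        nonce = secrets.token_bytes(_NONCE_LEN)
        ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        header = kid.bytes + nonce
        tag = hmac.new(_subkey(master, b"mac"), header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def unwrap(self, blob: bytes) -> bytes:
        if len(blob) < _GUID_LEN + _NONCE_LEN + _TAG_LEN:
            raise ValueError("blob too short")
        kid = uuid.UUID(bytes=blob[:_GUID_LEN])
        nonce = blob[_GUID_LEN:_GUID_LEN + _NONCE_LEN]
        ct, tag = blob[_GUID_LEN + _NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
        master = self.keys.get(kid)
        if master is None:
            raise KeyError(f"no key with GUID {kid}")  # old key deleted: data is lost
        expected = hmac.new(_subkey(master, b"mac"), blob[:_GUID_LEN + _NONCE_LEN] + ct,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def demo() -> tuple:
    """Wrap under key 1, roll over, wrap under key 2, then unwrap both."""
    ring = KeyRing()
    k1 = ring.add_key()
    old_blob = ring.wrap(b"secret backed up under key 1")  # constructed sample input
    k2 = ring.rollover()
    new_blob = ring.wrap(b"secret backed up under key 2")  # constructed sample input
    return (
        k1 != k2,
        ring.preferred == k2,
        uuid.UUID(bytes=old_blob[:_GUID_LEN]) == k1,
        uuid.UUID(bytes=new_blob[:_GUID_LEN]) == k2,
        ring.unwrap(old_blob),
        ring.unwrap(new_blob),
    )


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the preferred-key pointer and the set of retained keys are separate state: rollover only ever touches the pointer and adds a key, while deletion of a key is a distinct, destructive operation that makes anything wrapped under it unrecoverable.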