[cifs-protocol] [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret

Edgar Olougouna edgaro at microsoft.com
Wed Mar 11 13:40:39 MDT 2015


Andrew,
After source code investigation, your observation appears accurate. How did you figure it out? 
I have opened a document bug to get this addressed in the spec.

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, February 13, 2015 11:14 AM
To: Andrew Bartlett
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: RE: [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret

Andrew,
I am taking care of this as well.

Thanks,
Edgar

-----Original Message-----
From: Vilmos Foltenyi 
Sent: Thursday, February 12, 2015 7:34 PM
To: Andrew Bartlett
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret

[dochelp to Bcc, SR # to Subject]

Hi Andrew,

Thank you for your question. I created case SR 115021312396540 to track this issue with the Protocol Documentation support team. Edgar from our team will begin working with you.

Regards,
Vilmos Foltenyi - MSFT

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Thursday, February 12, 2015 15:55
To: Interoperability Documentation Help
Cc: cifs-protocol at lists.samba.org
Subject: Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret

G'Day,

The MS-BKRP protocol docs at "3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret" (point 1) and "3.1.4.1.1 BACKUPKEY_BACKUP_GUID" (point 3) clearly state that the first 64 bytes of the secret are used for the key.  This is not the case - testing by extracting the key from the Windows DC over LSA QuerySecret shows that the entire key (256 bytes), not the first 64 bytes, is used.

Please correct the docs. 

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba






