[cifs-protocol] [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret

Andrew Bartlett abartlet at samba.org
Wed Mar 11 14:16:59 MDT 2015


On Wed, 2015-03-11 at 19:40 +0000, Edgar Olougouna wrote:
> Andrew,
> After source code investigation, your observation appears accurate. How did you figure it out? 

:-)  That reminds me, Catalyst wants me to write up blog posts - this
would be ideal.  I figured it out by downloading the secrets over LSA GetSecrets,
and then decrypting it client-side with that key.  When that failed, I
removed the truncation, because that seemed pointless, and thankfully
that worked!

> I have opened a document bug to get this addressed in the spec.
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Edgar Olougouna 
> Sent: Friday, February 13, 2015 11:14 AM
> To: Andrew Bartlett
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
> Subject: RE: [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
> 
> Andrew,
> I am taking care of this as well.
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Vilmos Foltenyi 
> Sent: Thursday, February 12, 2015 7:34 PM
> To: Andrew Bartlett
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
> Subject: [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
> 
> [dochelp to Bcc, SR # to Subject]
> 
> Hi Andrew,
> 
> Thank you for your question. I created case SR 115021312396540 to track this issue with the Protocol Documentation support team. Edgar from our team will begin working with you.
> 
> Regards,
> Vilmos Foltenyi - MSFT
> 
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Thursday, February 12, 2015 15:55
> To: Interoperability Documentation Help
> Cc: cifs-protocol at lists.samba.org
> Subject: Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
> 
> G'Day,
> 
> The MS-BKRP protocol docs at "3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret" (point 1) and "3.1.4.1.1 BACKUPKEY_BACKUP_GUID" (point 3) clearly state that the first 64 bytes of the secret are used for the key.  This is not the case - testing by extracting the key from the Windows DC over LSA QuerySecret shows that the entire key (256 bytes), not the first 64 bytes, is used.
> 
> Please correct the docs. 
> 
> Thanks,
> 
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> 

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
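
The discrepancy reported in this thread, as an added Python sketch that is not code from the thread, Samba or Microsoft. It assumes the ServerWrap symmetric key is HMAC-SHA1 keyed with the secret over a 68-byte per-blob random value (called R2 here), which the thread itself does not spell out; the function names are hypothetical and the secret and R2 are constructed test values.

```python
import hashlib
import hmac

SECRET_LEN = 256     # full ServerWrap secret size reported in the thread
DOC_PREFIX_LEN = 64  # prefix length the spec text named
R2_LEN = 68          # assumption: size of the per-blob random value R2


def derive_key(secret: bytes, r2: bytes, truncate: bool) -> bytes:
    """HMAC-SHA1 over r2, keyed with the whole secret or its 64-byte prefix."""
    if len(secret) != SECRET_LEN or len(r2) != R2_LEN:
        raise ValueError("unexpected secret or R2 length")
    key = secret[:DOC_PREFIX_LEN] if truncate else secret
    return hmac.new(key, r2, hashlib.sha1).digest()


def matching_variant(secret: bytes, r2: bytes, observed: bytes):
    """Name the derivation that reproduces a key observed from a real server."""
    for name, truncate in (("full-256", False), ("prefix-64", True)):
        if hmac.compare_digest(derive_key(secret, r2, truncate), observed):
            return name
    return None


def full_key_is_prehashed(secret: bytes, r2: bytes) -> bool:
    """RFC 2104: a key longer than the 64-byte SHA-1 block is replaced by its
    digest, so the full-secret variant equals HMAC keyed with SHA1(secret).
    A 64-byte prefix is used as-is, so the two variants key HMAC differently."""
    prehashed = hmac.new(hashlib.sha1(secret).digest(), r2, hashlib.sha1).digest()
    return hmac.compare_digest(prehashed, derive_key(secret, r2, False))


# Constructed test values, not real key material.
SECRET = hashlib.shake_256(b"constructed ServerWrap secret").digest(SECRET_LEN)
R2 = hashlib.shake_256(b"constructed R2").digest(R2_LEN)
# Stand-in for a key produced by a server behaving as the thread reports.
OBSERVED = derive_key(SECRET, R2, truncate=False)

if __name__ == "__main__":
    print("variant matching observed key:", matching_variant(SECRET, R2, OBSERVED))
    print("full key pre-hashed by HMAC:", full_key_is_prehashed(SECRET, R2))
```

An interoperability test can call `matching_variant` with a key recovered from a reference server to pin down which reading of the spec the server actually implements.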





