[cifs-protocol] [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
Andrew Bartlett
abartlet at samba.org
Wed Mar 11 14:16:59 MDT 2015
On Wed, 2015-03-11 at 19:40 +0000, Edgar Olougouna wrote:
> Andrew,
> After source code investigation, your observation appears accurate. How did you figure it out?
:-) That reminds me, Catalyst wants me to write up blog posts - this
would be ideal. I figured it out by downloading the secrets over LSA GetSecrets,
and then decrypting it client-side with that key. When that failed, I
removed the truncation, because that seemed pointless, and thankfully
that worked!
> I have opened a document bug to get this addressed in the spec.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Friday, February 13, 2015 11:14 AM
> To: Andrew Bartlett
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
> Subject: RE: [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
>
> Andrew,
> I am taking of this as well.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Vilmos Foltenyi
> Sent: Thursday, February 12, 2015 7:34 PM
> To: Andrew Bartlett
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
> Subject: [REG:115021312396540] Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
>
> [dochelp to Bcc, SR # to Subject]
>
> Hi Andrew,
>
> Thank you for your question. I created case SR 115021312396540 to track this issue with the Protocol Documentation support team. Edgar from our team will begin working with you.
>
> Regards,
> Vilmos Foltenyi - MSFT
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Thursday, February 12, 2015 15:55
> To: Interoperability Documentation Help
> Cc: cifs-protocol at lists.samba.org
> Subject: Wrong Key length in MS-BKRP 3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret
>
> G'Day,
>
> The MS-BKRP protocol docs at "3.1.4.1.2.1 Processing a Valid ServerWrap Wrapped Secret" (point 1) and "3.1.4.1.1 BACKUPKEY_BACKUP_GUID" (point 3) clearly state that the first 64 bytes of the secret are used for the key. This is not the case - testing by extracting the key from the Windows DC over LSA QuerySecret show that the entire key (256 bytes), not the first 64 bytes, is used.
>
> Please correct the docs.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>
>
>
>
>
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol
mailing list