[cifs-protocol] [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?

Andrew Bartlett abartlet at samba.org
Thu Mar 19 15:30:10 MDT 2015

On Thu, 2015-03-19 at 21:19 +0000, Edgar Olougouna wrote:
> Andrew,
> MS-BKRP will be updated to reflect the following. 
> The current (preferred) key is rolled over 90 days from creation, this
> is non-configurable in Windows. When a new key is created, the
> expiration date of 90 days is calculated and saved with the associated
> key guid. Expiration is detected when the key is used (attempted to be
> used) for encryption. If the key has expired, key roll over should
> occur and encryption creates and uses a new key. Expired keys remain
> available for decryption only. Encryption only uses the preferred
> key. 


How specifically is the expiration date stored?

> Thanks again for helping us improve the specs.

My pleasure,

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
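
The rollover behaviour described in the quoted reply, modelled as an added example that is not part of the original message and is not Microsoft or Samba code. The class and function names, the in-memory storage, the random bytes standing in for key material, and treating the exact 90-day instant as expired are all assumptions; the thread does not say how the expiration date is actually stored.

```python
import os
import uuid
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=90)  # fixed lifetime, per the quoted reply


class BackupKeyStore:
    """In-memory model (hypothetical); real persistence of the expiry is not stated."""

    def __init__(self):
        self.keys = {}         # guid -> (key material, expiry)
        self.preferred = None  # guid of the current (preferred) key

    def _create_key(self, now):
        guid = uuid.uuid4()
        # Expiry is computed once, at creation, and saved with the key GUID.
        self.keys[guid] = (os.urandom(32), now + KEY_LIFETIME)
        self.preferred = guid

    def key_for_encryption(self, now):
        """Return (guid, key), rolling over first if the preferred key expired."""
        if self.preferred is None:
            self._create_key(now)
        elif now >= self.keys[self.preferred][1]:  # assumption: boundary = expired
            # No timer is involved: expiry is only noticed here, at use.
            self._create_key(now)
        return self.preferred, self.keys[self.preferred][0]

    def key_for_decryption(self, guid):
        """Expired keys remain available for decryption; no expiry check."""
        return self.keys[guid][0]


def demo():
    store = BackupKeyStore()
    t0 = datetime(2015, 1, 1, tzinfo=timezone.utc)  # constructed dates
    g1, k1 = store.key_for_encryption(t0)
    g2, _ = store.key_for_encryption(t0 + timedelta(days=89))
    # 400 days later: one rollover happens, not one per elapsed 90-day period.
    g3, _ = store.key_for_encryption(t0 + timedelta(days=400))
    return {
        "same_key_before_expiry": g1 == g2,
        "rolled_after_expiry": g3 != g1,
        "keys_total": len(store.keys),
        "old_key_still_decrypts": store.key_for_decryption(g1) == k1,
        "new_expiry": store.keys[g3][1],
    }
```
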
