[cifs-protocol] [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?
Edgar Olougouna
edgaro at microsoft.com
Fri Mar 20 14:12:52 MDT 2015
Andrew,
In Windows implementation, the preferred key GUID is stored along with the expiration date as a structure of {GUID; FILETIME} in a file “Preferred” under
%APPDATA%\Microsoft\Protect\%UserSID%
For example, C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1972584655-1140703441-473452811-500\
This is used during any DPAPI call CryptProtectData() or CryptUnprotectData().
Thanks,
Edgar
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, March 19, 2015 4:30 PM
To: Edgar Olougouna
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?
On Thu, 2015-03-19 at 21:19 +0000, Edgar Olougouna wrote:
> Andrew,
> MS-BKRP will be updated to reflect the following.
> The current (preferred) key is rolled over 90 days from creation, this
> is non configurable in Windows. When a new key is created, the
> expiration date of 90 days is calculated and saved with the associated
> key guid. Expiration is detected when the key is used (attempted to be
> used) for encryption. If the key has expired, key roll over should
> occur and encryption creates and uses a new key. Expired keys remain
> available for decryption only. Encryption only uses the preferred key.
Thanks.
How specifically is the expiration date stored?
> Thanks again for helping us improve the specs.
My pleasure,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol
mailing list