[cifs-protocol] [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?

[Edgar Olougouna]

Andrew,
In Windows implementation, the preferred key GUID is stored along with the expiration date as a structure of {GUID; FILETIME} in a file “Preferred” under
%APPDATA%\Microsoft\Protect\%UserSID%
For example, C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1972584655-1140703441-473452811-500\
This is used during any DPAPI call CryptProtectData() or CryptUnprotectData().

Thanks,
Edgar

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Thursday, March 19, 2015 4:30 PM
To: Edgar Olougouna
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: [REG:115021012380586] Timer events in MS-BKRP - when should we roll over keys?

On Thu, 2015-03-19 at 21:19 +0000, Edgar Olougouna wrote:
> Andrew,
> MS-BKRP will be updated to reflect the following. 
> The current (preferred) key is rolled over 90 days from creation, this 
> is non configurable in Windows. When a new key is created, the 
> expiration date of 90 days is calculated and saved with the associated 
> key guid. Expiration is detected when the key is used (attempted to be
> used) for encryption. If the key has expired, key roll over should 
> occur and encryption creates and uses a new key. Expired keys remain 
> available for decryption only. Encryption only uses the preferred key.

Thanks.  

How specifically is the expiration date stored?

> Thanks again for helping us improve the specs.

My pleasure,

Andrew Bartlett


--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba