[cifs-protocol] [REG:118021917664904] MS-SAMR SetUserInfo fails to backlink to RC4

Edgar Olougouna edgaro at microsoft.com
Mon Feb 26 20:46:32 UTC 2018


Andrew,
It appears “3.2.2.1 RC4 Cipher Usage” is referenced in 2.2.7.22 SAMPR_ENCRYPTED_USER_PASSWORD_NEW, which is the structure of the UserPassword field inside 2.2.7.25 SAMPR_USER_INTERNAL4_INFORMATION_NEW.
I think the “(decrypted)” verbiage for the clearTextPassword attribute in the sections you mentioned is meant to make it clear and remove any ambiguity about what the value is and how it’s populated.
[MS-SAMR]
2.2.7.25 SAMPR_USER_INTERNAL4_INFORMATION_NEW
https://msdn.microsoft.com/en-us/library/cc245614.aspx
The SAMPR_USER_INTERNAL4_INFORMATION_NEW structure holds all attributes of a user, along with an encrypted password. The encrypted password uses a salt to improve the encryption algorithm. See the specification for SAMPR_ENCRYPTED_USER_PASSWORD_NEW (section 2.2.7.22) for details on salt value selection.
 typedef struct _SAMPR_USER_INTERNAL4_INFORMATION_NEW {
   SAMPR_USER_ALL_INFORMATION I1;
   SAMPR_ENCRYPTED_USER_PASSWORD_NEW UserPassword;
 } SAMPR_USER_INTERNAL4_INFORMATION_NEW,
  *PSAMPR_USER_INTERNAL4_INFORMATION_NEW;
I1: See section 2.2.7.6.
UserPassword: See section 2.2.7.22.

2.2.7.22 SAMPR_ENCRYPTED_USER_PASSWORD_NEW
https://msdn.microsoft.com/en-us/library/cc245610.aspx
. . .
Implementations of this protocol MUST protect the SAMPR_ENCRYPTED_USER_PASSWORD_NEW structure by encrypting the first 516 bytes of data referenced in its Buffer field on request (and reply) and by decrypting on receipt. See section 3.2.2.1 for the specification of the algorithm performing encryption and decryption.
The first 516 bytes are defined as the first 516 bytes of the SAMPR_USER_PASSWORD_NEW structure defined previously. The last 16 bytes of the SAMPR_ENCRYPTED_USER_PASSWORD_NEW structure are defined as the last 16 bytes of the SAMPR_USER_PASSWORD_NEW structure and MUST NOT be encrypted or decrypted.

3.2.2.1 RC4 Cipher Usage
https://msdn.microsoft.com/en-us/library/cc245826.aspx

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Sunday, February 18, 2018 10:20 PM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:118021917664904] MS-SAMR SetUserInfo fails to backlink to RC4

[case number in subject, cc casemail, bcc dochelp]

Hello Andrew,

We created the case number 118021917664904 for this inquiry. I will review this and follow up soon.

Thank you,
Edgar

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Sunday, February 18, 2018 8:30 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Subject: MS-SAMR SetUserInfo fails to backlink to RC4

G'Day,

I was looking for a concise reference for the cryptography used in
SamrSetUserInfo2 for my security overview doc. 

However 

https://msdn.microsoft.com/en-us/library/cc245793.aspx
3.1.5.6.4 SamrSetInformationUser2 (Opnum 58) 

does not really fill in the details of the cryptographic operation. 

In https://msdn.microsoft.com/en-us/library/cc245798.aspx
3.1.5.6.4.5 UserInternal4InformationNew

and https://msdn.microsoft.com/en-us/library/cc245797.aspx
3.1.5.6.4.4 UserInternal4Information

it does say the server MUST update the clearTextPassword attribute with the (decrypted) but it only makes sense if you search the PDF for RC4 and find 3.2.2.1 RC4 Cipher Usage, but even this references different structure names.

I think this could be improved to link clearly back to the exact cryptographic operations from the operation that uses it, rather than just saying 'decrypted'.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
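
The wire layout quoted from section 2.2.7.22 in the reply above (first 516 bytes encrypted, last 16 bytes left in the clear), as an added example that is not part of this thread or of the specification. The split of the 516 bytes into a 512-byte Buffer holding the cleartext at its end plus a 4-byte little-endian Length, and the RC4 key being MD5 over the salt followed by the session key, are assumptions not quoted on this page; the sample key and salt are constructed.

```python
import hashlib
import struct

ENC_LEN = 516    # encrypted part: Buffer (512 bytes) + Length (4 bytes), assumed split
SALT_LEN = 16    # trailing bytes, never encrypted or decrypted

# Constructed sample values (not captured traffic).
SAMPLE_SESSION_KEY = bytes(range(16))
SAMPLE_SALT = bytes(range(16, 32))

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(salt: bytes, session_key: bytes) -> bytes:
    # Assumption (not stated on this page): key = MD5(salt || session key).
    return hashlib.md5(salt + session_key).digest()

def protect(password: str, session_key: bytes, salt: bytes, filler: bytes) -> bytes:
    """Build the 532-byte wire buffer; filler must be 512 random bytes."""
    clear = password.encode("utf-16-le")
    if len(clear) > 512 or len(salt) != SALT_LEN or len(filler) != 512:
        raise ValueError("bad field length")
    # Cleartext sits at the end of Buffer, followed by the Length field.
    plain = filler[:512 - len(clear)] + clear + struct.pack("<I", len(clear))
    return rc4(derive_key(salt, session_key), plain) + salt

def unprotect(wire: bytes, session_key: bytes) -> str:
    """Decrypt the first 516 bytes; the last 16 are read as-is as the salt."""
    if len(wire) != ENC_LEN + SALT_LEN:
        raise ValueError("expected 532 bytes")
    salt = wire[ENC_LEN:]
    plain = rc4(derive_key(salt, session_key), wire[:ENC_LEN])
    (length,) = struct.unpack("<I", plain[512:516])
    if length > 512 or length % 2:
        raise ValueError("invalid Length field (wrong key or corrupt data)")
    return plain[512 - length:512].decode("utf-16-le")
```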






