[cifs-protocol] [EXTERNAL] Re: [MS-SAMR] AEAD-AES-256-CBC-HMAC-SHA512 - TrackingID#2206210040006850
Andreas Schneider
asn at samba.org
Wed Jun 29 14:24:20 UTC 2022
On Tuesday, June 28, 2022 6:41:40 PM CEST Jeff McCashland (He/him) wrote:
> Hi Andreas,
Hi Jeff,
> Can you not use the test data provided in the RFC [AEX-CBC] that you
> originally referenced?
I have an implementation of AEAD-AES-256-CBC-HMAC-SHA512 and implemented it in
rpcclient, but it doesn't work against a Windows server. There are so many
little details which can be different.
./bin/rpcclient ncacn_np:earth.milkyway.site -U'Administrator%Secret007!' -c
'setuserinfo2 bob 31 Pa$$w0rd at 2'
>From MS-SAMR 3.2.2.4 AES Cipher Usage
================
The data MUST be encrypted and decrypted using AEAD-AES-256-CBC-HMAC-SHA512 as
follows:
Let IV be a random 16-byte number.
Then the encryption is done as follows:
Let enc_key ::= HMAC-SHA-512(CEK, SAM_AES256_ENC_KEY_STRING)
Let mac_key ::= HMAC-SHA-512(CEK, SAM_AES256_MAC_KEY_STRING)
Let Cipher ::= AES-CBC(enc_key, IV, secret_plaintext)
Let AuthData ::= HMAC-SHA-512(mac_key, versionbyte + IV + Cipher +
versionbyte_length)
================
As my implementation doesn't work against Windows it can be that my size of
SAM_AES256_ENC_KEY_STRING is wrong.
2.2.1.18 has:
SAM_AES256_ENC_KEY_STRING_LENGTH sizeof(SAM_AES256_ENC_KEY_STRING)
The sizeof() in C would include the \0 terminator of a string, however I think
that actually strlen() is meant.
Same for the mac key ...
Also there is truncation of keys happening. Like the enc_key is truncated to
32 bytes.
For calculating the authdata it isn't clear what data type versionbyte_length
is. I would guess it is uint8_t but it could also be uint32_t ...
Is the AuthData truncated to 32 byte? In the RFC it is, but in MS-SAMR
2.2.6.32 the struct member for AuthData is 64 bytes. If truncation is
happening will the rest be filled with 0 bytes?
Either I provide you the all unclear details and you figure it out for me. Or
you provide the hexdumps and I figure it out and ask better questions :-)
Here is some pseudo C code of my implementation:
#define SAMR_AES_VERSION_BYTE 0x01
#define SAMR_AES_VERSION_BYTE_LEN 1
#define SAMR_AES256_ENC_KEY_STRING \
"Microsoft SAM encryption key AEAD-AES-256-CBC-HMAC-SHA512 16"
#define SAMR_AES256_ENC_KEY_STRING_LEN 60
#define SAMR_AES256_MAC_KEY_STRING \
"Microsoft SAM MAC key AEAD-AES-256-CBC-HMAC-SHA512 16"
#define SAMR_AES256_MAC_KEY_STRING_LEN 53
uint8_t version_byte = SAMR_AES_VERSION_BYTE; /* 0x01 */
uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN; /* 1 */
uint8_t enc_key_data[64];
uint8_t mac_key_data[64];
/* Calculate encryption key */
/* cek_key is just 16 bytes if a SMB session key is used? */
rc = gnutls_hmac_fast(GNUTLS_MAC_SHA512,
cek_key.data,
cek_key.size,
SAMR_AES256_ENC_KEY_STRING,
SAMR_AES256_ENC_KEY_STRING_LEN,
enc_key_data);
enc_key.data = mac_key_data;
enc_key.size = 32; /* truncation from 64 to 32 bytes */
/* Encrypt plaintext */
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_AES_256_CBC,
&enc_key,
&iv);
rc = gnutls_cipher_encrypt2(cipher_hnd,
secret->data,
secret->length,
ctext,
ctext_len);
/* Calculate mac key */
rc = gnutls_hmac_fast(GNUTLS_MAC_SHA512,
cek_key.data,
cek_key.size,
SAMR_AES256_MAC_KEY_STRING,
SAMR_AES256_MAC_KEY_STRING_LEN,
mac_key_data);
mac_key.data = mac_key_data;
mac_key.size = 32; /* truncation from 64 to 32 bytes */
/* Generate auth tag */
rc = gnutls_hmac_init(&hmac_hnd,
GNUTLS_MAC_SHA512,
mac_key.data,
mac_key.size);
rc = gnutls_hmac(hmac_hnd,
&version_byte,
sizeof(uint8_t));
rc = gnutls_hmac(hmac_hnd,
iv.data,
iv.size);
rc = gnutls_hmac(hmac_hnd,
ctext,
ctext_len);
rc = gnutls_hmac(hmac_hnd,
&version_byte_len,
sizeof(uint8_t));
gnutls_hmac_deinit(hmac_hnd, auth_data);
/* Is auth_data truncated? */
Best regards
Andreas
> It appears to have all or most of what you're looking for:
> K (secret input key)
> MAC_KEY
> ENC_KEY
> P (plaintext)
> IV (initialization vector)
> A (associated data)
> PS (padding string)
> AL (associated data length)
> S (ciphertext - intermediate)
> T (authentication tag)
> C (ciphertext)
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol
> Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm |
> Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> number found here: http://support.microsoft.com/globalenglish | Extension
> 1138300 We value your feedback. My manager is Stacy Gray (stacygr), +1
> (469) 775-4055
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Monday, June 27, 2022 11:55 AM
> To: Andreas Schneider <asn at samba.org>
> Cc: cifs-protocol at lists.samba.org; Jeff McCashland
> <jeffm at microsoftsupport.com>; Obaid Farooqi <obaidf at microsoft.com> Subject:
> RE: [EXTERNAL] Re: [MS-SAMR] AEAD-AES-256-CBC-HMAC-SHA512 -
> TrackingID#2206210040006850
>
> Hi Andreas,
>
> Our plan is to capture traffic where AEAD-AES-256-CBC-HMAC-SHA512 is used.
>
> We're working on setting up a Windows repro. However, Windows uses LDAP
> instead of SAMR, so we're working out how to configure it to use SAMR.
>
> I'll keep you posted.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol
> Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm |
> Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> number found here: http://support.microsoft.com/globalenglish | Extension
> 1138300 We value your feedback. My manager is Stacy Gray (stacygr), +1
> (469) 775-4055
>
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Monday, June 27, 2022 4:56 AM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Jeff McCashland
> <jeffm at microsoftsupport.com>; Obaid Farooqi <obaidf at microsoft.com> Subject:
> [EXTERNAL] Re: [MS-SAMR] AEAD-AES-256-CBC-HMAC-SHA512 -
> TrackingID#2206210040006850
> On Wednesday, June 22, 2022 8:09:34 PM CEST Jeff McCashland (He/him) wrote:
> > Hi Andreas,
>
> Hi Jeff,
>
> > I will research your question and see what we can come up with for
> > test data.
>
> thank you very much. Looking forward to hear from you :-)
>
>
> Andreas
>
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsuppo
> > rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.
> > com%7Cb133cf48cfa147d4956b08da5833fc38%7C72f988bf86f141af91ab2d7cd011d
> > b47%7C1%7C0%7C637919277699900369%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
> > jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&
> > amp;sdata=%2BJdN4TiV%2Bvqq4dqYGpq7mGhZ1vh3gQrrvgjqsBuBXbg%3D&reser
> > ved=0 | Extension
> > 1138300 We value your feedback. My manager is Stacy Gray (stacygr),
> > +1
> > (469) 775-4055
> >
> > -----Original Message-----
> > From: Obaid Farooqi <obaidf at microsoft.com>
> > Sent: Tuesday, June 21, 2022 9:08 AM
> > To: Andreas Schneider <asn at samba.org>
> > Cc: cifs-protocol at lists.samba.org; Obaid Farooqi
> > <obaidf at microsoftsupport.com> Subject: [EXTERNAL] [MS-SAMR]
> > AEAD-AES-256-CBC-HMAC-SHA512 - TrackingID#2206210040006850
> >
> > Hi Andreas:
> > Thanks for contacting Microsoft. I have created a case to track this
> > issue.
> > A member of the open specifications team will be in touch soon.
> >
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> >
> > -----Original Message-----
> > From: Andreas Schneider <asn at samba.org>
> > Sent: Tuesday, June 21, 2022 8:00 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol at lists.samba.org
> > Subject: [EXTERNAL] [MS-SAMR] AEAD-AES-256-CBC-HMAC-SHA512
> >
> > Hello Dochelp,
> >
> > I'm trying to implement support for AEAD-AES-256-CBC-HMAC-SHA512 from
> > [MS- SAMR] 3.2.2.4 AES Cipher Usage.
> >
> > This is not really easy as there are some details unclear. I would
> > love to write a unit test for AEAD-AES-256-CBC-HMAC-SHA512.
> >
> > Could you please provide hexdump of the buffers used in encryption
> > from a
> > SamrSetInformationUser2 level 31 from a test platform.
> >
> > When it performs the following:
> >
> > Let enc_key ::= HMAC-SHA-512(CEK, SAM_AES256_ENC_KEY_STRING) Let
> > mac_key ::= HMAC-SHA-512(CEK, SAM_AES256_MAC_KEY_STRING) Let Cipher
> >
> > ::= AES-CBC(enc_key, IV, secret_plaintext) Let AuthData ::=
> >
> > HMAC-SHA-512(mac_key, versionbyte + IV + Cipher + versionbyte_length)
> >
> >
> > I would like to have hexdumps of the following buffers:
> >
> > * cek (16byte sesssion key)
> > * enc_key
> > * mac_key
> > * IV
> > * secret_plaintext
> > * cipher
> > * authdata
> >
> > The RFC implementation provides something like that, see:
> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftool
> > s.ietf%2F&data=05%7C01%7Cjeffm%40microsoft.com%7Cb133cf48cfa147d49
> > 56b08da5833fc38%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637919277
> > 699900369%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIi
> > LCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ihsJ1PYjg2cT7
> > 4D3zmlfdDV3UEVNtpJeOX%2BPWQYmg%2FI%3D&reserved=0
> > .org%2Fid%2Fdraft-mcgrew-aead-aes-cbc-hmac-sha2-03.html%23rfc.section.
> > 5.4&am
> > p;data=05%7C01%7Cjeffm%40microsoft.com%7C382019859d9f4eb7cc1b08da53a03
> > c24%7C
> > 72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637914244951310820%7CUnknow
> > n%7CTW
> > FpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> > Mn0%3D
> > %7C3000%7C%7C%7C&sdata=jzVMJ8GS%2BP30uF6pHSTfJf8ioOzDOK69Y%2ByyFKD
> > zpKo%3
> > D&reserved=0
> >
> > This would allow me to write a unit test and figure out the details
> > what in my implementation something goes wrong. I can then provide
> > feedback to improve the documentation.
> >
> >
> > Thank you very much!
> >
> >
> > Best regards
> >
> > Andreas Schneider
> >
> > --
> > Andreas Schneider asn at samba.org
> > Samba Team
> > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.samba
> > %2F&data=05%7C01%7Cjeffm%40microsoft.com%7Cb133cf48cfa147d4956b08da583
> > 3fc38%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637919277699900369%7CUn
> > known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLC
> > JXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Q04le03I8jml11uEltlzIssEEkpVMfFeHjD
> > Ydw2cPIU%3D&reserved=0.
> > org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C382019859d9f4eb7cc1b
> > 08da53
> > a03c24%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637914244951310820
> > %7CUnk
> > nown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWw
> > iLCJXV
> > CI6Mn0%3D%7C3000%7C%7C%7C&sdata=0VU8ycMe9EFGOAEV7JROkmRRoQCDje5N%2FxAI
> > bz qpbI4%3D&reserved=0 GPG-ID:
> > 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the cifs-protocol
mailing list