[cifs-protocol] [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759
Andrew Bartlett
abartlet at samba.org
Wed Nov 16 20:07:27 UTC 2022
Yes. We also just confirmed (in different words) the below which we
determined experimentally. From Joseph:
> I think I now have the Windows enctype behaviour worked out, and
> Samba matching it.
> The ticket is encrypted with the strongest enctype for which the
> server explicitly declares support, falling back to RC4 if the server
> has no declared supported encryption types. The enctype of the
> session key is the first enctype listed in the request that the
> server supports, taking the AES-SK bit as an indication of support
> for both AES types.
> If none of the enctypes in the request are supported by the target
> server, implicitly or explicitly, return ETYPE_NOSUPP.
Therefore, the statement that "if an insecure encryption algorithm is
used, you must always use a secure algorithm for session keys instead"
appears to be incorrect (sadly, as this would aid in establishing
policy).
Andrew Bartlett
On Wed, 2022-11-16 at 17:43 +0000, Jeff McCashland (He/him) wrote:
> Hi Andrew,
>
> I understand Steve Syfuhs had a call with Samba engineers yesterday,
> were you in that call? Did you get your questions answered?
>
> Best regards,
>
> Jeff McCashland (He/him)
> | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
> (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://support.microsoft.com/globalenglish
> | Extension 1138300
>
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Thursday, November 10, 2022 3:17 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759
>
> Thanks.
>
> So, what I understand is this:
>
> - A KDC will always select the strongest key to encrypt the ticket
>   based on the keys held at the server, permitted by
>   msDS-SupportedEncryptionTypes and understood by this KDC (ticket key)
>
> - The client has no ability to influence this key, so as long as the
>   password is regularly rotated and the msDS-SupportedEncryptionTypes is
>   up to date, then AES256-CTS-HMAC-SHA1-96 encrypted tickets are always
>   issued.
>
> - The server however may not have rotated its password, nor
>   updated msDS-SupportedEncryptionTypes since it was in a FL 2003
>   domain
>
> - Even if it does rotate its password, it may not be storing an AES
>   key in a keytab, so AES256-CTS-HMAC-SHA1-96 can't be arbitrarily set
>   in msDS-SupportedEncryptionTypes as that would change the ticket key
>
> - Most Kerberos software these days, no matter which keys were
>   shared, supports AES256-CTS-HMAC-SHA1-96 session keys
>
> - Clients can influence the session key type, as they must
>   understand it for interoperability. They could select a weak or
>   problematic encryption type (e.g. 3DES in Samba recently)
>
> - Servers could previously influence the session key type by
>   the msDS-SupportedEncryptionTypes but we don't want to use that as
>   above
>
> - Therefore this value indicates that regardless,
>   AES256-CTS-HMAC-SHA1-96 is the mandatory session key type,
>   arcfour-hmac-md5 (or 3DES, in our case) session keys should never be
>   used.
>
> Is this correct?
>
> Is there anything I've missed?
>
> Thanks,
>
> Andrew Bartlett
>
> On Thu, 2022-11-10 at 22:58 +0000, Jeff McCashland (He/him) wrote:
>
> > Hi Andrew,
> >
> > AES256-CTS-HMAC-SHA1-96-SK is a temporary value we have added as
> > part of the security update to indicate that if an insecure
> > encryption algorithm is used, you must always use a secure
> > algorithm for session keys instead.
> >
> > I will file a request to update [MS-KILE] with a description of the
> > encryption type.
> >
> > Best regards,
> >
> > Jeff McCashland (He/him)
> >
> > From: Jeff McCashland (He/him)
> > Sent: Thursday, November 10, 2022 8:53 AM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759
> >
> > [Michael to BCC]
> >
> > Hi Andrew,
> >
> > I will research the algorithm and let you know what I learn.
> >
> > Best regards,
> >
> > Jeff McCashland (He/him)
> >
> > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > Sent: Wednesday, November 9, 2022 9:38 PM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759
> >
> > [DocHelp to bcc, Support mail to cc]
> >
> > Hi Andrew,
> >
> > Thanks for your inquiry. I've created case number 2211100040001759
> > to track this issue. In your correspondence, please leave the case
> > number in the subject line and use reply all. One of our engineers
> > will contact you soon.
> >
> > Best regards,
> >
> > Mike Bowen
> >
> > Escalation Engineer - Microsoft Open Specifications
> >
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Wednesday, November 9, 2022 3:03 PM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > Subject: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK
> >
> > Kia Ora Dochelp!
> >
> > In the errata to MS-KILE I see references to
> > AES256-CTS-HMAC-SHA1-96-SK however I can't find any public
> > references to this constant, nor further documentation on what it is
> > used for.
> >
> > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c982f6c4-2f70-4dc7-b252-09092e9f1eed
> >
> > Can you explain what this encryption type is and where to learn
> > more about it?
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
>
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
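
Added example (not part of the original thread, and not Samba or Windows code): a small Python model of the ticket and session-key enctype selection rules quoted from Joseph in the message above, showing why the AES-SK bit alone does not force an AES session key. Assumptions: only RC4, AES128 and AES256 are modelled, the strength order is AES256 > AES128 > RC4, a value with no cipher bits set counts as "no declared supported encryption types", and the function and class names are hypothetical.

```python
# Added model of the rules quoted from Joseph; not Samba or Windows code.
RC4_HMAC, AES128, AES256 = 23, 17, 18      # Kerberos etype numbers
# msDS-SupportedEncryptionTypes bits for the three ciphers modelled here
BIT = {RC4_HMAC: 0x04, AES128: 0x08, AES256: 0x10}
AES256_SK_BIT = 0x20                       # AES256-CTS-HMAC-SHA1-96-SK
STRENGTH = [AES256, AES128, RC4_HMAC]      # strongest first (assumed order)


class EtypeNoSupp(Exception):
    """Stands in for the KDC's ETYPE_NOSUPP error reply."""


def declared(supported_bits):
    """Enctypes the server explicitly declares, strongest first."""
    return [e for e in STRENGTH if supported_bits & BIT[e]]


def ticket_enctype(supported_bits):
    """Strongest explicitly declared enctype, else the RC4 fallback."""
    explicit = declared(supported_bits)
    return explicit[0] if explicit else RC4_HMAC


def session_key_usable(supported_bits):
    """Enctypes the server supports for session keys, explicit or implicit."""
    usable = set(declared(supported_bits)) or {RC4_HMAC}  # implicit RC4
    if supported_bits & AES256_SK_BIT:
        usable |= {AES128, AES256}         # SK bit: both AES types
    return usable


def select_enctypes(request_etypes, supported_bits):
    """Return (ticket_enctype, session_key_enctype) or raise EtypeNoSupp."""
    usable = session_key_usable(supported_bits)
    for etype in request_etypes:           # the client's order decides
        if etype in usable:
            return ticket_enctype(supported_bits), etype
    raise EtypeNoSupp(f"no requested enctype usable: {request_etypes}")


if __name__ == "__main__":
    # Constructed cases: server declares RC4 plus the AES-SK bit (0x24).
    print(select_enctypes([AES256, RC4_HMAC], 0x24))  # AES listed first
    print(select_enctypes([RC4_HMAC, AES256], 0x24))  # RC4 listed first
```

In this model a client that lists RC4 first still receives an RC4 session key from a server with the AES-SK bit set, which is the behaviour the top message reports.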