[cifs-protocol] [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK - TrackingID#2211100040001759

Andrew Bartlett abartlet at samba.org
Thu Nov 17 00:47:39 UTC 2022


We would say: “AES256-CTS-HMAC-SHA1-96-SK: Allow AES session keys. When
the bit is set, this indicates to the KDC that AES session keys can be
used, even when AES256-CTS-HMAC-SHA1-96 or AES128-CTS-HMAC-SHA1-96 is
not set. This allows use of AES keys against hosts otherwise only
configured with RC4 for ticket keys.”

We are still seeing an implicit allow of RC4 session keys which we will
double-check with Paul on.

On Wed, 2022-11-16 at 22:40 +0000, Jeff McCashland (He/him) wrote:
> Hi Andrew,
>
> Based on your understanding, does this appear accurate?
>
> “AES256-CTS-HMAC-SHA1-96-SK: Enforce AES session keys when legacy
> ciphers are in use. When the bit is set, this indicates to the KDC
> that all cases where RC4 session keys can be used will be superseded
> with AES keys.”
>
> Best regards,
> 
> Jeff McCashland (He/him)
> | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-
> 08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://support.microsoft.com/globalenglish
>  | Extension 1138300
>
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Wednesday, November 16, 2022 12:07 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK -
> TrackingID#2211100040001759
>
> Yes.  We also just confirmed (in different words) the below which we
> determined experimentally.  From Joseph:
> 
> > I think I now have the Windows enctype behaviour worked out, and
> > Samba matching it.
> > The ticket is encrypted with the strongest enctype for which the
> > server explicitly declares support, falling back to RC4 if the
> > server has no declared supported encryption types. The enctype of
> > the session key is the first enctype listed in the request that the
> > server supports, taking the AES-SK bit as an indication of support
> > for both AES types.
> >
> > If none of the enctypes in the request are supported by the target
> > server, implicitly or explicitly, return ETYPE_NOSUPP.
>
> Therefore:
>
>  that if an insecure encryption algorithm is used, you must always
> use a secure algorithm for session keys instead
>
> Appears to be incorrect (sadly, as this would aid in establishing
> policy).
>
> Andrew Bartlett
>
> On Wed, 2022-11-16 at 17:43 +0000, Jeff McCashland (He/him) wrote:
> > Hi Andrew,
> >
> > I understand Steve Syfuhs had a call with Samba engineers
> > yesterday, were you in that call? Did you get your questions
> > answered?
> >
> > Best regards,
> > 
> > Jeff McCashland (He/him)
> > 
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Thursday, November 10, 2022 3:17 PM
> > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > Subject: Re: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK -
> > TrackingID#2211100040001759
> >
> > Thanks.
> >
> > So, what I understand is this:
> >
> >  - A KDC will always select the strongest key to encrypt the ticket
> > based on the keys held at the server, permitted by
> > msDS-SupportedEncryptionTypes and understood by this KDC (ticket key)
> >
> >  - The client has no ability to influence this key, so as long as
> > the password is regularly rotated and the
> > msDS-SupportedEncryptionTypes is up to date, then
> > AES256-CTS-HMAC-SHA1-96 encrypted tickets are always issued.
> >
> >  - The server however may not have rotated its password, nor
> > updated msDS-SupportedEncryptionTypes since it was in a FL 2003
> > domain
> >
> >  - Even if it does rotate its password, it may not be storing an
> > AES key in a keytab, so AES256-CTS-HMAC-SHA1-96 can't be arbitrarily
> > set in msDS-SupportedEncryptionTypes as that would change the
> > ticket key
> >
> >  - Most Kerberos software these days, no matter which keys were
> > shared, supports AES256-CTS-HMAC-SHA1-96 session keys
> >
> >  - Clients can influence the session key type, as they must
> > understand it for interoperability. They could select a weak or
> > problematic encryption type (e.g. 3DES in Samba recently)
> >
> >  - Servers could previously influence the session key type by
> > the msDS-SupportedEncryptionTypes but we don't want to use that as
> > above
> >
> >  - Therefore this value indicates that regardless,
> > AES256-CTS-HMAC-SHA1-96 is the mandatory session key type,
> > arcfour-hmac-md5 (or 3DES, in our case) session keys should never
> > be used.
> >
> > Is this correct?
> >
> > Is there anything I've missed?
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> > On Thu, 2022-11-10 at 22:58 +0000, Jeff McCashland (He/him) wrote:
> > > Hi Andrew,
> > >
> > > AES256-CTS-HMAC-SHA1-96-SK is a temporary value we have added as
> > > part of the security update to indicate that if an insecure
> > > encryption algorithm is used, you must always use a secure
> > > algorithm for session keys instead.
> > >
> > > I will file a request to update [MS-KILE] with a description of
> > > the encryption type.
> > >
> > > Best regards,
> > > 
> > > Jeff McCashland (He/him)
> > > 
> > > From: Jeff McCashland (He/him)
> > > Sent: Thursday, November 10, 2022 8:53 AM
> > > To: Andrew Bartlett <abartlet at samba.org>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Microsoft Support <supportmail at microsoft.com>
> > > Subject: RE: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK -
> > > TrackingID#2211100040001759
> > >
> > > [Michael to BCC]
> > >
> > > Hi Andrew,
> > >
> > > I will research the algorithm and let you know what I learn.
> > >
> > > Best regards,
> > > 
> > > Jeff McCashland (He/him)
> > > 
> > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > Sent: Wednesday, November 9, 2022 9:38 PM
> > > To: Andrew Bartlett <abartlet at samba.org>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Microsoft Support <supportmail at microsoft.com>
> > > Subject: RE: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK -
> > > TrackingID#2211100040001759
> > >
> > > [DocHelp to bcc, Support mail to cc]
> > >
> > > Hi Andrew,
> > >
> > > Thanks for your inquiry. I've created case number
> > > 2211100040001759 to track this issue. In your correspondence,
> > > please leave the case number in the subject line and use reply
> > > all. One of our engineers will contact you soon.
> > >
> > > Best regards,
> > >
> > > Mike Bowen
> > >
> > > Escalation Engineer - Microsoft Open Specifications
> > >
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > Sent: Wednesday, November 9, 2022 3:03 PM
> > > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > > Subject: [EXTERNAL] What is AES256-CTS-HMAC-SHA1-96-SK
> > >
> > > Kia Ora Dochelp!
> > >
> > > In the errata to MS-KILE I see references to
> > > AES256-CTS-HMAC-SHA1-96-SK however I can't find any public
> > > references to this constant, nor further documentation on what it
> > > is used for.
> > >
> > > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c982f6c4-2f70-4dc7-b252-09092e9f1eed
> > >
> > > Can you explain what this encryption type is and where to learn
> > > more about it?
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > >
> > > -- 
> > > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > > Samba Team Member (since 2001) https://samba.org
> > > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> > >
> > > Samba Development and Support, Catalyst IT - Expert Open Source
> > > Solutions
> >
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
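
Added example (not part of the original messages, and not Samba or Windows code): a small Python model of the selection rules quoted from Joseph above, using the msDS-SupportedEncryptionTypes bit values from MS-KILE. The function names are hypothetical; it assumes the server holds a key for every enctype it declares, ignores DES bits, and does not model the implicit RC4 session-key allow that the latest message says is still to be double-checked.

```python
# Added illustration of the rules described in this thread.
# msDS-SupportedEncryptionTypes bits (MS-KILE) and Kerberos etype numbers.
RC4_BIT, AES128_BIT, AES256_BIT, AES_SK_BIT = 0x04, 0x08, 0x10, 0x20
ETYPE_AES128, ETYPE_AES256, ETYPE_RC4 = 17, 18, 23
BIT_TO_ETYPE = {RC4_BIT: ETYPE_RC4,
                AES128_BIT: ETYPE_AES128,
                AES256_BIT: ETYPE_AES256}
STRONGEST_FIRST = [ETYPE_AES256, ETYPE_AES128, ETYPE_RC4]


class EtypeNoSupp(Exception):
    """Stands in for the KDC answering ETYPE_NOSUPP."""


def declared_etypes(supported_bits):
    """Enctypes the server explicitly declares (the SK bit is not one)."""
    return {e for bit, e in BIT_TO_ETYPE.items() if supported_bits & bit}


def ticket_etype(supported_bits):
    """Strongest explicitly declared enctype, RC4 if none is declared."""
    declared = declared_etypes(supported_bits)
    if not declared:
        return ETYPE_RC4
    return next(e for e in STRONGEST_FIRST if e in declared)


def session_etype(supported_bits, requested):
    """First requested enctype the server supports; SK bit implies both AES."""
    usable = declared_etypes(supported_bits) or {ETYPE_RC4}
    if supported_bits & AES_SK_BIT:
        usable = usable | {ETYPE_AES128, ETYPE_AES256}
    for etype in requested:  # order of the client's list decides
        if etype in usable:
            return etype
    raise EtypeNoSupp("no requested enctype is supported by the target")


def select(supported_bits, requested):
    """Return (ticket enctype, session key enctype) for one request."""
    return (ticket_etype(supported_bits),
            session_etype(supported_bits, requested))


if __name__ == "__main__":
    # Constructed cases: RC4-only host with the SK bit, two client orderings.
    print(select(RC4_BIT | AES_SK_BIT, [18, 17, 23]))  # AES session key
    print(select(RC4_BIT | AES_SK_BIT, [23, 18]))      # RC4 still chosen
```

In this model the SK bit only widens what the server is taken to support: a client that lists RC4 first still receives an RC4 session key, which is the behaviour the thread concludes does not amount to enforcement.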




