[cifs-protocol] [EXTERNAL] [MS-OAPXBC] Incorrect session key instructions

William Brown wbrown at suse.de
Thu Jan 25 04:06:36 UTC 2024



> On 25 Jan 2024, at 13:53, Sreekanth Nadendla <srenaden at microsoft.com> wrote:
> 
> 
> >We have now been able to get a sample of a valid exchange
> >compact-jwt/src/crypto/ms_oapxbc.rs at b13dda1420e527d639f2962f4022609d2a46ae50 · kanidm/compact-jwt · GitHub
> >with a correctly sized CEK (256 bytes). We are still unsure under what conditions MS is sending us a 294 CEK under.
> 
> This means your implementation works fine whenever CEK is 256 bytes ? 

Correct - RSA-OAEP can only work on a CEK of 256 bytes when the key in use is 2048bits. This is part of the RSA OAEP specification. 

> 
> It's unclear how the base64decoded followed by decrypted key varies in size randomly. I will investigate this tomorrow and get back to you.

Thank you, we aren't sure either. 


--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia




More information about the cifs-protocol mailing list