Suggested crypto libs for Diffie-Hellman and Eliptic Curve Diffie-Hellman

Andreas Schneider asn at
Wed Nov 22 11:07:54 UTC 2023

On Thursday, 16 November 2023 07:08:59 CET Andrew Bartlett via samba-technical 
> For Group Managed service accounts, which we are working on, for
> reasons around RODCs and a few other things, Microsoft has decided to
> internally use a key-agreement between a 'root key' and a 'service
> key', both held in AD.
> The password comes, as I understand it, from the key agreement derived
> out of a Diffie-Hellman or Eliptic Curve Diffie-Hellman exchanges.
> This is all in MS-GKDI, referenced from
> 5e-7305-4fb8-b233-2a60bc3eec68
> I just wanted to check if there are particularly cryptographic
> libraries we should consider for this work.
> In the past we have looked to libnettle when gnutls didn't provide the
> functions we wanted, but that was backed out fairly fast as another
> method was found ( 0784
> 4a9a13506b4ca9181cfde05d9e4170208f88).
> Even so, for this case is libnettle still the best first place to look?

If something is missing in GnuTLS you need, open tickets at GnuTLS. They are 
fairly quick implementing the stuff we need.

They implemented all the features we needed for Samba so far. Example:


They also fixed performance issues we discovered ...

Best regards


Andreas Schneider                      asn at
Samba Team                   
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the samba-technical mailing list