Hello Andrew,
I received feedback from our Product team and they have some questions to
help in clarification.
Your original question:
"In MS-ADTS 7.1.6.8.1.2, it states:
This flag indicates that the information stored in the attribute is a Unicode
plaintext password. If this auth type is present, Kerberos can then use this
password to derive additional key types needed to encrypt and decrypt cross
realm TGTs:
DES-CBC [RFC4120] section 8.1
DES-CRC [RFC4120]
RC4HMAC [RFC4757]
Other derivations of the plaintext password are possible using string to key
functionality defined in [RFC3961].
However, it is not stated here or in MS-KILE how to translate between the
'Unicode' strings used in windows trusts (for example, see the
trustAuthIncoming, decrypted and decoded, between two of my domains) and the
expected input encoding for AES and other non-MD4 keys.
Converting these from UTF16 to UTF8 (I'm assuming this is the intended
translation) fails as the randomly created string cannot be translated into
UTF8."
Questions from the Product team:
1. Does the Unicode strings in the request only refer to the plaintext
password as the section referred to indicated?
2. What does the "translation" refer to? Does it mean how the password is
used in the hash function?
3. What section does the example refer to and how is it related?
4. What makes AES and non-MD4 keys stand out on the expected input
encoding in this request?
Thanks
John Dunning
Escalation Engineer Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>
Tele: (469)775-7008
We're
hiring<http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted>
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
