Hongwei, > We confirmed that AesCrypt follows the normative reference of [FIPS197] > (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf). As far > as the statement about AES128 encryption CFB mode, we also confirmed that we > do use 0 as Initialize Vector(IV), so in this case all you have to do is set > the IV to the 128-bit quantity consisting of all zeros. The reference we > are using for CFB mode is [SP800-38A] ( > http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf ) which > states that CFB mode requires a valid and unpredictable IV (Section 6.3). > Zero is a valid IV, certainly not unpredictable. However, the > unpredictability is required only to guard against specific types of attacks, > which become possible when a single key is used to encrypt a large number of > related plaintexts. Predictable IVs could be used in applications where this > is not a concern.
thanks I'll try that. AES128 is also used in section 3.3.4.2.1 "Generating an Initial Netlogon Signature Token" under 8., is that the same AesCrypt function (also using CFB mode) with a just IV being contructed by using the sequence number twice? > We will update the document with the correct references to the related > statements in the MS-NRPC document. It would be really nice if you could also add some more example values in secion 4.2 Cryptographic Values for Session Key Validation. metze > Thanks! > > Hongwei > > -----Original Message----- > From: Stefan (metze) Metzmacher [mailto:[email protected]] > Sent: Wednesday, August 26, 2009 12:15 AM > To: Hongwei Sun > Cc: [email protected]; [email protected] > Subject: Re: MS-NRPC: AES Schannel problems > > Hongwei, > >> The SharedSecret used for AES session key computation, as described in >> 3.1.4.3 MS-NRPC , should be the NTOWF (MD4(UNICODE(Passwd))) of the >> plaintext password. The section 3.1.1 of MS-NRPC explains what a >> SharedSecret is used for session key calculation in Windows implementations. >> The SharedSecret is stored in UnicodePwd AD attribute. Please see section >> 3.1.1 and Windows Behavior notes <66>,<67> of MS-NRPC for details. > > Yes, I saw that and that's why I've also done it like this, but I was > wondering why Section 3.4.1 has M4SS := MD4(UNICODE(SharedSecret)) explicit > for the hmac_md5 session key and the des session key. > > I think it would make sense to also add it to the hmac_sha256 section in > order to remove the confusion I had. > >> I will continue working on all questions related to AES encryption. > > Thanks, as it seems I compute the session key correct, this is the place > (netlogon_creds_step_crypt()) where I have a bug, because I'm getting access > denied when I try DCERPC_SCHANNEL_AES against a w2k8r2rc server. > > metze >> -----Original Message----- >> >> From: Stefan (metze) Metzmacher [mailto:[email protected]] >> >> Sent: Tuesday, August 25, 2009 11:13 AM >> >> To: Interoperability Documentation Help >> >> Cc: [email protected]; [email protected] >> >> Subject: MS-NRPC: AES Schannel problems >> >> >> >> Hi, >> >> >> >> I'm currently trying to implement the AES based Netlogon Secure Channel in >> Samba. >> >> >> >> But the documentation is not really clear about the used algorithms. >> >> >> >> I have started with the implementation here: >> >> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads >> /master4-schannel >> >> >> >> And here's the actual commit that tries to add aes support: >> >> http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=50dca9ce >> 0f051c863f00cc949db2c19bf247887b >> >> >> >> In Section "3.1.4.3 Session-Key Computation" the hmac-sha256 base >> computation of the session-key seems to use the plain SharedSecret and not >> the NT-HASH of it (MD4(UNICODE(ShareSecret))), is that correct? >> >> I thought the plain text is never stored in AD by default... >> >> Where should the netlogon server get the plain text from? >> >> I just tried the NT-HASH see my netlogon_creds_init_hmac_sha256() function. >> >> >> >> In Section "3.1.4.4 Netlogon Credential Computation" there's a AesEncrypt >> function used. Can you please document the exact algorithm that's used >> there. You say AES128 is used in CFB mode without initialization vector. >> >> >> >> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation >> >> says that all modes except ECB require an IV. >> >> >> >> It would also be nice if you could add some more example values in secion >> 4.2 Cryptographic Values for Session Key Validation. >> >> >> >> metze >> >> >> >> >> >> >> >> >> >> > >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
