Andrew,
In Windows implementation, the preferred key GUID is stored along with the
expiration date as a structure of {GUID; FILETIME} in a file “Preferred” under
%APPDATA%\Microsoft\Protect\%UserSID%
For example,
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1972584655-1140703441-473452811-500\
This is used during any DPAPI call CryptProtectData() or CryptUnprotectData().
Thanks,
Edgar
-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Thursday, March 19, 2015 4:30 PM
To: Edgar Olougouna
Cc: [email protected]; MSSolve Case Email
Subject: Re: [REG:115021012380586] Timer events in MS-BKRP - when should we
roll over keys?
On Thu, 2015-03-19 at 21:19 +0000, Edgar Olougouna wrote:
> Andrew,
> MS-BKRP will be updated to reflect the following.
> The current (preferred) key is rolled over 90 days from creation, this
> is non configurable in Windows. When a new key is created, the
> expiration date of 90 days is calculated and saved with the associated
> key guid. Expiration is detected when the key is used (attempted to be
> used) for encryption. If the key has expired, key roll over should
> occur and encryption creates and uses a new key. Expired keys remain
> available for decryption only. Encryption only uses the preferred key.
Thanks.
How specifically is the expiration date stored?
> Thanks again for helping us improve the specs.
My pleasure,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
