Hongwei,
> We just found that there is a problem with the logic in step 9 of
> 3.3.4.2.1 (Generating an Initial Netlogon Signature Token) and step 5 of
> 3.3.4.2.2 (Receiving an Initial Netlogon Signature Token). When we encrypt
> or decrypt SequenceNumber, the IV is actually the concatena
Metze,
We just found that there is a problem with the logic in step 9 of 3.3.4.2.1
(Generating an Initial Netlogon Signature Token) and step 5 of 3.3.4.2.2
(Receiving an Initial Netlogon Signature Token). When we encrypt or decrypt
SequenceNumber, the IV is actually the concatenation of ch
Metze,
Yes, your initial observation is right. Checksum is only 8 bytes and the
confounder follows with 8 bytes of checksum. I filed a request to update the
document.
I will look at the code and compare it with the documentation and Windows
implementation. I will let you know.
Tha
Hi Hongwei,
> I think that Nick already informed you that AES 128 with 8 bit CFB mode
> has to be used. I filed a request to add the information into 3.1.4.4 of
> MS-NRPC. I also noticed that in mxnrpc.c you attached, you used
> AES_cfb128_encrypt() (128 bit CFB mode) for computing serve
Metze,
I think that Nick already informed you that AES 128 with 8 bit CFB mode has
to be used. I filed a request to add the information into 3.1.4.4 of MS-NRPC.
I also noticed that in mxnrpc.c you attached, you used AES_cfb128_encrypt()
(128 bit CFB mode) for computing server credential.
Hi,
>> We confirmed that AesCrypt follows the normative reference of [FIPS197]
>> (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf). As far
>> as the statement about AES128 encryption CFB mode, we also confirmed that
>> we do use 0 as Initialize Vector (IV), so in this case
Hongwei,
> A quick clarification for the AES bit in Negotiate Flag, as shown in
> 3.1.4.2. The information in the document regarding this bit is wrong. Bit W
> NETLOGON_NEG_SUPPORTS_AES_SHA2 (0x0040) is not supported in Windows
> 7/Windows Server 2008 R2. The right bit to negotiate A
Metze,
A quick clarification for the AES bit in Negotiate Flag, as shown in
3.1.4.2. The information in the document regarding this bit is wrong. Bit W
NETLOGON_NEG_SUPPORTS_AES_SHA2 (0x0040) is not supported in Windows
7/Windows Server 2008 R2. The right bit to negotiate AES support
Stefan (metze) Metzmacher wrote:
> Hongwei,
>
>> The SharedSecret used for AES session key computation, as described in
>> 3.1.4.3 MS-NRPC, should be the NTOWF (MD4(UNICODE(Passwd))) of the
>> plaintext password. The section 3.1.1 of MS-NRPC explains what a
>> SharedSecret is used for