RE: [cifs-protocol] RE: 600634 - RE: salt used for various principal types

Mon, 15 Sep 2008 13:55:30 -0700 

Andrew,



    We completed the document change regarding the key salt calculation for 
realm trust.  The change will appear in the  future release of 3.3.1 [MS-KILE] 
as follows.



                3.3 KDC Details



                3.3.1 Abstract Data Model



                KILE concatenates the following information to use as the key 
salt for realm trusts:

               Inbound trusts: <all upper case name of the remote realm> | 
"krbtgt" | <all upper case name of the local realm>

               Outbound trusts: <all upper case name of the local realm> | 
"krbtgt" | <all upper case name of the remote realm>



     Please let us know if you need further clarification on this subject.



Thanks

----------------------------------------------------------
Hongwei  Sun - Sr. Support Escalation Engineer
DSC Protocol  Team, Microsoft
[EMAIL PROTECTED]
Tel:  469-7757027 x 57027
-----------------------------------------------------------








-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Bartlett
Sent: Tuesday, August 26, 2008 5:07 PM
To: Richard Guthrie
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [cifs-protocol] RE: 600634 - RE: salt used for various principal types



On Tue, 2008-08-26 at 08:37 -0700, Richard Guthrie wrote:

> Andrew

>

> Microsoft does use different methods of calculating the salt value

> used in encryption depending on the type account that is submitted to

> the salt calculation implementation.  For example, in the case of

> interdomain trust accounts, "krbtgt" is appended.  In the case of

> machine accounts, "host" is appended to the start of the salt value.

>

> Implementers are free to implement a salt algorithm of their choice, without 
> affecting interoperability.



This would be true, but this applies only to objects of the type normally found 
under cn=users.  The salt to use for a password stored in 
trustAuthIncoming/trustAuthOutgoing must be specified in the docs.  It is not 
possible to negotiate an alternate salt for the AES or DES keys of interdomain 
trusts in Kerberos.



In any case, the salts as you describe should be included in a discussion of 
the Microsoft KDC.



Andrew Bartlett



--

Andrew Bartlett

http://samba.org/~abartlet/

Authentication Developer, Samba Team           http://samba.org

Samba Developer, Red Hat Inc.

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

Reply via email to