List: cifs-protocol
Subject: RE: [cifs-protocol] RE: 600634 - RE: salt used for various
From: Hongwei Sun <hongweis () microsoft ! com>
Date: 2008-09-15 20:54:59
Message-ID: B8A3C6EE027AF84086DD3A049CF34A4A2BAA2F6DC9 () NA-EXMSG-C112 ! redmond ! corp ! microsoft ! com
Andrew,
We completed the document change regarding the key salt calculation for realm trust. The change will appear in a future release of [MS-KILE], section 3.3.1, as follows.
3.3 KDC Details
3.3.1 Abstract Data Model
KILE concatenates the following information to use as the key salt for realm trusts:

Inbound trusts: <all upper case name of the remote realm> | "krbtgt" | <all upper case name of the local realm>

Outbound trusts: <all upper case name of the local realm> | "krbtgt" | <all upper case name of the remote realm>
Please let us know if you need further clarification on this subject.
Thanks
----------------------------------------------------------
Hongwei Sun - Sr. Support Escalation Engineer
DSC Protocol Team, Microsoft
hongweis@microsoft.com
Tel: 469-7757027 x 57027
-----------------------------------------------------------
-----Original Message-----
From: cifs-protocol-bounces+hongweis=microsoft.com@cifs.org [mailto:cifs-protocol-bounces+hongweis=microsoft.com@cifs.org] On Behalf Of Andrew Bartlett
Sent: Tuesday, August 26, 2008 5:07 PM
To: Richard Guthrie
Cc: pfif@tridgell.net; cifs-protocol@samba.org
Subject: [cifs-protocol] RE: 600634 - RE: salt used for various principal types
On Tue, 2008-08-26 at 08:37 -0700, Richard Guthrie wrote:
> Andrew
>
> Microsoft does use different methods of calculating the salt value
> used in encryption depending on the type account that is submitted to
> the salt calculation implementation. For example, in the case of
> interdomain trust accounts, "krbtgt" is appended. In the case of
> machine accounts, "host" is appended to the start of the salt value.
>
> Implementers are free to implement a salt algorithm of their choice, without affecting interoperability.
This would be true, but this applies only to objects of the type normally found under cn=users. The salt to use for a password stored in trustAuthIncoming/trustAuthOutgoing must be specified in the docs. It is not possible to negotiate an alternate salt for the AES or DES keys of interdomain trusts in Kerberos.

In any case, the salts as you describe should be included in a discussion of the Microsoft KDC.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
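The salt rule Hongwei Sun quotes above is only half of what an interoperating KDC needs: once the salt string is fixed, the trust password still has to be turned into the actual AES keys with the RFC 3962 string-to-key function, and a salt mismatch on either side produces keys that silently fail to decrypt cross-realm tickets. The following Go program is an added example, not code from this thread, from [MS-KILE] or from Samba. It builds the inbound and outbound salts for two constructed realm names (corp.example.com and partner.example.org), reading the "|" in the quoted rule as plain concatenation with no separator bytes, and then derives aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 keys from them. The iteration count 4096 is the RFC 3962 default; the page does not say what Active Directory uses, so treat it as an assumption. PBKDF2 is written out against crypto/hmac so the program needs only the standard library, and the 128-bit n-fold of "kerberos" is taken from the RFC 3961 Appendix A.1 test vector instead of implementing the general n-fold routine.

```go
// Added example: realm-trust key salt per the [MS-KILE] rule quoted in the
// thread, followed by RFC 3962 string-to-key for the AES Kerberos enctypes.
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// TrustSalt builds the key salt for a realm trust. The "|" in the quoted
// rule is taken as plain concatenation (no separator bytes); both realm
// names are upper-cased as the rule requires.
func TrustSalt(localRealm, remoteRealm string, inbound bool) string {
	local := strings.ToUpper(localRealm)
	remote := strings.ToUpper(remoteRealm)
	if inbound {
		return remote + "krbtgt" + local
	}
	return local + "krbtgt" + remote
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written out so
// the example depends only on the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	var blockIdx [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(blockIdx[:], uint32(i))
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(blockIdx[:])
		u := mac.Sum(nil)
		t := make([]byte, len(u))
		copy(t, u)
		for j := 1; j < iter; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// kerberosFold16 is 128-fold("kerberos") from RFC 3961 Appendix A.1,
// hard-coded here instead of implementing the general n-fold routine.
var kerberosFold16 = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// deriveKey is DK(tkey, "kerberos") for the AES enctypes (RFC 3961 section
// 5.1 with the RFC 3962 profile): K1 = E(tkey, nfold), K2 = E(tkey, K1), ...
// E is AES in CBC-CTS mode with a zero IV, which for exactly one block is a
// single raw AES block encryption. random-to-key is the identity for AES.
func deriveKey(tkey []byte) ([]byte, error) {
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(tkey))
	prev := kerberosFold16
	for len(out) < len(tkey) {
		k := make([]byte, aes.BlockSize)
		block.Encrypt(k, prev)
		out = append(out, k...)
		prev = k
	}
	return out[:len(tkey)], nil
}

// StringToKey is the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
// password and salt, then DK(tkey, "kerberos"). keyLen 16 gives the
// aes128-cts-hmac-sha1-96 key, 32 the aes256-cts-hmac-sha1-96 key.
func StringToKey(password, salt string, iter, keyLen int) ([]byte, error) {
	if keyLen != 16 && keyLen != 32 {
		return nil, fmt.Errorf("AES key length must be 16 or 32 bytes, got %d", keyLen)
	}
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, keyLen)
	return deriveKey(tkey)
}

func main() {
	// Constructed realm names and trust password; 4096 is the RFC 3962 default
	// iteration count (an assumption here, not something the thread states).
	local, remote := "corp.example.com", "partner.example.org"
	for _, dir := range []struct {
		name    string
		inbound bool
	}{{"inbound", true}, {"outbound", false}} {
		salt := TrustSalt(local, remote, dir.inbound)
		key, err := StringToKey("trust-password", salt, 4096, 32)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s salt=%q\n         aes256 key=%s\n", dir.name, salt, hex.EncodeToString(key))
	}
}
```

Note that the two salts are mirror images of each other: the realm that holds the trust as inbound puts the remote realm first, and the realm holding it as outbound puts its own name first, so both sides end up with the same byte string for the same trust direction. Running the program with the realms swapped shows the other side's view. The string-to-key routine itself can be checked against the RFC 3962 Appendix B vectors (pass phrase "password", salt "ATHENA.MIT.EDUraeburn", one iteration), which is what the accompanying test does.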
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol